Introduction
In the year 2020, as a result of the pandemic all of us have been forced to accommodate drastic changes in our lifestyles. One shift all of us made was to become more digital than we ever were. Today we are doing everything online, from our jobs, shopping, meetings to social gatherings. With such a shift we have realised the importance of data and the data privacy. India is one of the largest generators of data over the last few years.
The State of Mobile 2021 report by App Annie, a mobile analytics firm, shows that Indians spent more than 650 million hours using mobile applications in 2020.1 Over the past few years, the collection, processing and sharing of personal data of individuals has become a vital issue in India with the implementation of government projects like unique biometric identification, e-governance systems and the Aadhaar Act, etc. In spite of such increased collection of information of citizens India is yet to have a comprehensive data protection law. There have been calls for India to have a nationalised data protection law.
-
Informational privacy was a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the State but also from non-State actors as well. Present Court commend to the Union Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the State.
— Dr D.Y. Chandrachud, J. in K.S. Puttaswamy v. Union of India.2
Owing to the digitisation Personal Data Protection Bill, 2019 (PDP)3 (the 2019 Bill) was introduced in the Lok Sabha on 11-12-2019 by the Ministry of Electronics and Information Technology with the main objective of protecting and securing the data of millions of users. The Bill is yet to be passed as a law regardless of being presented in Parliament for more than a year and a half today. In the absence of such a law, till date protection of privacy of Indian citizens is provided and achieved through the provisions under various statutes.
Statutes and provisions governing the privacy laws in India
- Information Technology Act, 20004.— (a) Section 43-A5 – Entities dealing with sensitive personal data or information are liable for damages for negligence in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person. (b) Section 72-A6 – Disclosure of materials containing personal information of any person by the service providers without the consent of the person or in breach of a lawful contract, is punishable.
- Telegraph Act, 18857 and Telegraph Rules, 1951
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 20118.— Rules provide for protection of personal information.
- Right to Information Act, 20059.— As per Section 8(1)(j)10, information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information.
- Post Office Act, 189811.— Section 2612 allows on the occurrence of any public emergency, or in the interest of the public safety or tranquillity interception of postal articles by the Central Government and the State Governments of India.
- Code of Criminal Procedure, 197313.— Section 9114 regulates targeted access to stored content.
Right to privacy: A fundamental right brought into existence with judicial activism
- Gobind v. State of M.P.15.— The right to privacy was declared by the Supreme Court to encompass and protect the personal intimacies of the home, the family marriage, motherhood, procreation and child rearing, subject to “compelling State interest”.
- People’s Union for Civil Liberties (PUCL) Union of India16.— Supreme Court extended the right to privacy to communications while considering the issue of telephone tapping and held that telephone tapping is a serious invasion of an individual’s privacy.
- Selvi v. State of Karnataka17.— Supreme Court acknowledged the distinction between bodily/physical privacy and mental privacy and held that subjecting a person to techniques such as narco-analysis, polygraph examination and the brain electrical activation profile (BEAP) test without his consent violates the subject’s mental privacy.
- Unique Identification Authority of India v. Central Bureau of Investigation18.— In this case, CBI sought access to the database of the Unique Identification Authority of India for investigating a criminal offence. The Supreme Court in an interim order held that Unique Identification Authority of India should not transfer any biometric information of any person who has been allotted an Aadhaar number to any other agency without the written consent of that person.
- S. Puttaswamy v. Union of India19.— While considering constitutional challenge to Aadhaar Card Scheme of Union Government noted in its earlier order that norms for and compilation of demographic biometric data by Government was questioned on ground that it violates right to privacy. The question before the Court was whether right to privacy is guaranteed under the Constitution, and if it is, what is the source of such right, as there is no express provision for privacy in Indian Constitution. Finally, the matter was decided by a Bench of the Supreme Court comprising of nine Judges, holding that there is a fundamental right to privacy in the Constitution of India.
The judgment overruled the decisions in M.P. Sharma v. Satish Chandra20 and Kharak Singh v. State of U.P.21 In M.P. Sharma v. Satish Chandra,22 an eight-Judge Bench of the Supreme Court of India held that right to privacy is not protected by the Constitution of India. In Kharak Singh v. State of U.P.23, the majority judgment in the matter held that right to privacy do not exist under the Constitution. Though the foundation for right to privacy as fundamental right was laid down by the minority judgment given by K. Subbarao, J. and K.C. Shah, J. in the present case. Where they recognised the right to privacy as a fundamental right under Articles 2124 and 19(1)(d)25 of the Constitution of India.
The minority opinion along with the judgment of K.S. Puttaswamy v. Union of India26 along is significant as “right to privacy” was explicated as a fundamental right in itself.
Applicability of the Bill27
It is applicable to the data processing by the following:
- The Government.
- Companies incorporated in India.
- Foreign companies dealing with personal data of individuals in India.
It is applicable to the following categories of information:
- Personal data.— Data about or relating to a natural person who is directly or indirectly, identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, with any other information. [Section 3(29)]
- Sensitive personal data.— It means personal data revealing, related to, or constituting to passwords, financial data, health data, sex life, etc. [Section 3(35)]
- Critical personal data.— A subset of personal data and will include such categories of personal data as may be notified by the Central Government.
Salient features of the PDP Bill28
- Obligations of data fiduciary.— A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Such processing will be subject to certain purpose, collection and storage limitations. For instance, personal data can be processed only for specific, clear and lawful purpose. Additionally, all data fiduciaries must undertake certain transparency and accountability measures such as: (i) implementing security safeguards (such as data encryption and preventing misuse of data); and (ii) instituting grievance redressal mechanisms to address complaints of individuals. They must also institute mechanisms for age verification and parental consent when processing sensitive personal data of children.
- Rights of the individual.—The Bill sets out certain rights of the individual (or data principal). These include the right to: (i) obtain confirmation from the fiduciary on whether their personal data has been processed; (ii) seek correction of inaccurate, incomplete, or out-of-date personal data; (iii) have personal data transferred to any other data fiduciary in certain circumstances; and (iv) restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
- Grounds for processing personal data.—The Bill allows processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent. These include: (i) if required by the State for providing benefits to the individual; (ii) legal proceedings; (iii) to respond to a medical emergency.
- Social media intermediaries.—The Bill defines these to include intermediaries which enable online interaction between users and allow for sharing of information. All such intermediaries which have users above a notified threshold, and whose actions can impact electoral democracy or public order, have certain obligations, which include providing a voluntary user verification mechanism for users in India.
- Data Protection Authority.—The Bill sets up a Data Protection Authority which may: (i) take steps to protect interests of individuals; (ii) prevent misuse of personal data; and (iii) ensure compliance with the Bill. It will consist of a Chairperson and six members, with at least 10 years’ expertise in the field of Data Potection and Information Technology. Orders of the Authority can be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court.
- Transfer of data outside India.—Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India. Certain personal data notified as critical personal data by the Government can only be processed in India.
- Exemptions:The Central Government can exempt any of its agencies from the provisions of the Act: (i) in interest of security of State, public order, sovereignty and integrity of India and friendly relations with foreign States; and (ii) for preventing incitement to Commission of any cognizable offence (i.e. arrest without warrant) relating to the above matters. Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as: (i) prevention, investigation, or prosecution of any offence; or (ii) personal, domestic; or (iii) journalistic purposes. However, such processing must be for a specific, clear and lawful purpose, with certain security safeguards.
- —Offences under the Bill include: (i) processing or transferring personal data in violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher; and (ii) failure to conduct a data audit, punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher. Reidentification and processing of deidentified personal data without consent is punishable with imprisonment of up to three years, or fine, or both.
- Sharing of non-personal data with Government.—The Central Government may direct data fiduciaries to provide it with any: (i) non-personal data; and (ii) anonymised personal data (where it is not possible to identify data principal) for better targeting of services.
- Amendments to other laws.— The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data.
Status of the Bill
The Bill was introduced in Parliament in December 2019 afterwards it was referred to a Joint Parliamentary Committee for detailed examination, and the report was expected by the Budget Session, 202029. Many extensions were sought by the Committee and the final Bill was expected to be tabled in Parliament in the Budget Session, 2021 after incorporating the suggestions of the Committee.30 The Parliamentary Committee examining the Personal Data Protection Bill has recommended 89 amendments to the proposed legislation, including changing its title and schedule, the panel’s Chairperson Meenakshi Lekhi.31 The report including these recommendations is yet to be released.
Latest status of the Bill is that the panel’s Chairperson Meenakshi Lekhi moved a motion in Parliament during the Budget Session seeking extension up to the Monsoon Session of Parliament for the 30-member panel to submit its report. “That this House do extend up to the first week of Monsoon Session, 2021 of Parliament the time for presentation of the report of the Joint Committee on the Personal Data Protection Bill, 2019,” the motion read. It was passed by a voice vote32.
Conclusion
With the rise in usage of data and internet, the need to have a comprehensive law protecting people’s fundamental right to privacy has been realised, it is vital to have protective mechanism in order to deal with instances of data protection and privacy infringement in India. It is very crucial for the Government to stick with the proposed timeline in revising and passing the law. The legitimate aims of the State would include for instance protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits. These were matters of policy to be considered by the Union Government while designing a carefully structured regime for the protection of the data33. PDP Bill is a step in the direction to achieve these goals.
† Associate at Seraphic Advisors, Advocates and Solicitors, authored on 20-4-2021.
1 <https://www.forbesindia.com/article/take-one-big-story-of-the-day/data-protection-bill-can-it-ensure-your-privacy-online/65815/1>.
2 (2017) 10 SCC 1, 509-510
3 <http://www.scconline.com/DocumentLink/A3yGRo3e>.
4 <http://www.scconline.com/DocumentLink/QFpg4Fi0>.
5 <http://www.scconline.com/DocumentLink/hyzHNFyG>.
6 <http://www.scconline.com/DocumentLink/d1eFdtzX>.
7 <http://www.scconline.com/DocumentLink/XiSCXTmY>.
8 <http://www.scconline.com/DocumentLink/V27Mnjwd>.
9 <http://www.scconline.com/DocumentLink/eGSS4AH0>.
10 <http://www.scconline.com/DocumentLink/9c1ux2GV>.
11 <http://www.scconline.com/DocumentLink/A2XAc4cm>.
12 <http://www.scconline.com/DocumentLink/XgAivy4p>.
13 <http://www.scconline.com/DocumentLink/Wk1w7Fnv>.
14 <http://www.scconline.com/DocumentLink/y587uE3Q>.
19 (2017) 10 SCC 1, 509-510
24 <http://www.scconline.com/DocumentLink/VN1u87S9>.
25 <http://www.scconline.com/DocumentLink/74roly04>.
26 <http://www.scconline.com/DocumentLink/A3yGRo3e>.
27 <https://www.meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf>.
28 <http://www.scconline.com/DocumentLink/A3yGRo3e>.
29 <https://www.prsindia.org/theprsblog/personal-data-protection-bill-2019-all-you-need-know>.
30 <https://www.business-standard.com/budget/article/budget-2021-personal-data-protection-bill-likely-to-be-tabled-in-parl-120100400544_1.html>.
31 <https://economictimes.indiatimes.com/news/politics-and-nation/parliamentary-panel-examining-personal-data-protection-bill-recommends-89-changes/articleshow/80138488.cms>.
32 <https://economictimes.indiatimes.com/news/india/joint-committee-on-data-protection-bill-gets-another-extension-to-submit-report/articleshow/81686245.cms>.
33 <https://www.forbesindia.com/article/take-one-big-story-of-the-day/data-protection-bill-can-it-ensure-your-privacy-online/65815/1>