[dropcap]T[/dropcap]he draft Personal Data Protection Bill, released along with the Srikrishna Committee Report is an insight into the law that is being contemplated for the country. The importance of this law cannot be overstated due to the fact that it governs the usage of personal information for almost a billion people getting online. This Bill should be read in the context of the Srkrishna Committee Report that will provide the context, background, and thought process behind the bare statutory provisions of this Bill.
Data Protection enough?
The draft Personal Data Protection Bill applies to personal data, and seeks to protect this data that is processed in Indian territory, the data processed by any company, person or body of persons, citizens, or the State, that is incorporated or created under Indian law, and foreign companies that offer goods and services in India or may be conducting any activity which involves profiling of Indian individuals. It creates a distinction between personal data, and sensitive personal data — which includes information such as health related data, financial data, genetic data, biometric information, sexual orientation and sex life related information, caste or tribe, intersex status, transgender status, religious political belief or affiliation, and is considered to be of a more sensitive nature and granted a higher level of protection in the Bill. These data also require explicit consent of the individual before processing of this data. The protection accorded to sensitive personal data existed in the Information Technology Act, 2000 and the Protection of Sensitive Personal Data Rules, 2011, but the list has been expanded under this Bill.
Scope of the Bill
The term “processing” is an umbrella term used to cover all the functions and operations of a data fiduciary (the entity that processes the data) such as — collection, organisation, storage, adaptation, indexing, disclosure, erasure or destruction of the personal data. The Bill grants certain rights to data principals, i.e. the persons whose personal data is being protected, such as the right to access, and rectify their data, the right to confirmation that a particular data fiduciary has processed their data, and the right to be forgotten, i.e. the right to prevent the continuing disclosure of personal data.
The notice framework that necessitates that certain information be given to the data principal before the collection of data extends to providing information, such as the purpose of the processing of such data, the categories of data being collected, the identity of the data fiduciary, the consequences of failure to provide this data, the entities with whom the data processed might be shared, or any cross-border transfer of such information.
The Bill envisages different grounds of processing of personal information. This includes a consent-based framework which requires that valid consent must be free, informed, specific, clear, and capable of being withdrawn. However, the consent framework is not applicable to other grounds of processing of personal data of individuals. These include — processing for functions of the State, for compliance with law or any order of a court, where such processing is necessary for prompt action, or for purposes related to employment. The category of functions of state is broad in its ambit and permits processing if “necessary for any function of Parliament or any State Legislature.” It further permits a non-consensual processing for a State provided benefit or service to the individual. It concludes that consent cannot be taken for State-based processing because it would defeat the purpose of a welfare state exercise, if an individual refuses to participate in it. As a corollary, the right to revoke consent for a particular processing of data is absent from any other form of processing as well. It would seem that the inclusion of this provision is an attempt to validate the mandatory provision of Aadhaar for availing multiple services. However, it is difficult to comprehend how this provision would legitimise the compulsion of Aadhaar currently being imposed by private entities as well.
Exemptions from data protection
The Bill provides for exemptions, where in certain conditions, whichhave a legal backing, the provisions of rights of a data principal, and children, the notice framework, and data protection obligations (except that of fair and reasonable processing), under the Bill will not apply. The exemptions include matters of security of state, for prevention, detection, investigation and prosecution of contraventions of law, processing for purposes of legal proceeding, research, archiving, or statistical purposes, personal or domestic purposes, journalistic purposes, or manual processing by small entities. The exemption of research and archiving purposes is qualified by conditions that the necessity of such exemption will be accepted if the compliance with the Data Protection Bill disproportionately diverts resources from the purposes of research and archiving; the data will not be processed in a manner that gives rise to a risk of significant harm to the data principal. The exemption of journalistic purpose has been defined as “any activity intended towards the dissemination through print, electronic or other media, or factual reports, analysis, opinions, views, or documentaries regarding, news recent or current events, or any other information which the data fiduciary believes the public or any significantly discernible class of the public to have an interest in”.
What comprises ‘data breach’
The obligations and duties of data fiduciaries include data audits, record keeping, notifying the data protection authority in case of a breach of personal data which has the likelihood of causing harm. It is interesting to note here that the harm contemplated is not the mere data breach in itself, but harm would have to be shown in the form of financial loss or loss of property, loss of reputation, or humiliation, loss of employment, any discriminatory treatment, loss, distortion or theft of identity, bodily or mental injury. However, the Bill fails to consider that the impact of a data breach is not always an immediate phenomenon. If data has been breached, the misuse of such breached data can happen at any point in time till the data exists with thatthird party. Furthermore, it is interesting to note that the breach in itself is not considered a harm, but still requires a harm to be proved, the evidence of which is in itself not always easily seen or can be gathered by a layman. Unfortunately, this is similar to the Section 43A in the Information Technology Act, 2000 that requires proof of wrongful loss or gain to seek damages for a data breach.
Administrating data fiduciaries
Furthermore, the Bill provides an administrative framework which consists of a Data Protection Authority established by the Central government and consisting of the Chief Justice of India, or a judge nominated by the Chief Justice, the Cabinet Secretary, and one expert. The data fiduciaries are also meant to appoint Data Protection Officers for their establishment. The functions of a DPO will include providing advice and information to the data fiduciary, monitoring the activities of the fiduciary to ensure it doesn’t violate the Act. The grievance redressal mechanism consists of the aggrieved party having the chance to approach the Data Protection Officer of the fiduciary.
The penalties against the data fiduciary can be applied in case ofnot taking prompt and appropriate action in response to a data security breach, or contravening the obligation to conduct a data audit, or failing to appoint a data protection officer. The liability may extend up to Rs 5 crore or two per cent of its total worldwide turnover of the preceding financial year. For contravention of violation of the provision of notice, or rights of the individual while processing of personal data, the penalty may extend to fifteen crore rupees or four per cent of its total worldwide turnover.
Consent and Rights
The consent framework in this Bill has been qualified by being an informed consent that is clear and specific; however, the purpose remains defeated when all state processing is put under the bracket of non-consensual processing of data. The BN Srikrishna Committee does provide some insight into this bifurcation where it begins with the lack of actual consent in the online world, and even states that “consent does not exist”. Their grievances regarding consent are formed on the basis that the relationship between the data principal and data fiduciary in the online sphere cannot be treated like a contract as there is no bargaining or negotiating power with the principal. It is more like an end product and consent is treated akin to being a thing, which binds product liability and hence can be used in case of a breach or if the terms and conditions are not followed by the data fiduciary. Therefore, in their opinion, consent should be treated as an end product in this relationship.
But it has to be understood that this Bill applies to not only an online collection of data but also data that may be collected offline. In this Bill, the purpose limitation fails to recognise the principle of collection limitation which would entail only collecting the necessary information required for that purpose. The practical ways of dealing with it is mandating certain information which is necessary. If an email list does not require your name, but just an email address, that is the application of collection limitation.
For state processing of data, their apprehension stems from the fact that in lawful exercises that require compliance or provision of welfare services, the denial of consent by some may lead to the failure of the entire exercise that might require an understanding of the levels from an entire citizenry.
The autonomy of the individuals at stake here, completely skews the balance of power in terms of state sponsored processing of data. To retain the autonomy of an individual, in case of a lawful exercise of power, the three-part test provided under KSPuttaswamy v. Union of India can be used to satisfy the condition of that law — it does not need a default way out under the statute itself. The test of KSPuttaswamy accepts the violation of privacy when there is a legal basis, and the said violation is intended for a legitimate purpose, and the method employed, to achieve the object is necessary and proportional. Without creating a sub-set of processing of personal data that completely disregards the need for consent of the individual, the same should be tested under the test provided by Puttaswamy and not given a default free pass for such matters.