New Delhi: "How private is your data?" This query, made at a recent conference attended by the who’s who of the tech-policy scene in India, was a remark that stuck with many. The small shift towards an enquiry into the degree of privacy – from "is your data private" to "how private is your data" – amplified its effect.
It also set a new discourse on data privacy via data protection in India.
With the winter session of Parliament in progress, lawmakers are set to discuss The Personal Data Protection Bill, 2018. It seeks to regulate the processing of personal data of individuals by government and private entities and has been listed in the order of business in Parliament.
Transparency
While the Bill allows processing only if the individual consents to it, or in a situation of medical emergency, or by the government to provide welfare benefits, it is unclear who it actually is intended to protect.
According to the Bill, personal data is “directly or indirectly identifiable” to a principal or individual and is regulated by data fiduciaries like private companies and the government.
Seen within the purview of the draft Information Technology [Intermediaries Guidelines (Amendment) Rules] 2018 that require platforms like Facebook, Twitter, YouTube to prohibit users from hosting obscene content, the Bill is a step forward to protect ‘filtered’ data from any breach or wrong use.
On one hand, the draft Bill gives data principals several rights for their data, on the condition that certain personal data be solely stored within the territory of the country.
On the other hand, it holds data fiduciaries, incorporated in India or overseas (if they deal with principals within the country), accountable by building transparency. They must inform principals of the nature and purpose of their data being processed. There are penalties in the Bill in the event fiduciaries fail to follow rules.
Accountability
The establishment of a Data Protection Authority (DPA) is proposed in the Bill to build transparency among fiduciaries, and implement a strong Data Localisation Policy. This authority shall have the same powers as a civil court under the Code of Civil Procedure, thus empowering the data principal.
Action against data breach, maintaining a ‘data trust score’, rating fiduciaries on the ‘data trust’, creating data audit reports, categorisation and issuance of certificates of registration to fiduciaries, etc., are a few key functions of the DPA.
The DPA is also tasked to promote public awareness and understanding of the “risks, rules and safeguard and rights in respect of protection of personal data”.
As of September 2019, India has 451 million active internet users and 36 per cent internet penetration, second only to China, according to a report by the Internet and Mobile Association of India (IAMAI). This user base, in terms of the government’s National e-Transaction Count across 3,516 integrated e-Services, has totalled a massive 2,23,65,29,319 since January 1, 2018 alone.
The proposed Bill seeks to implement changes in how the country approaches data within 30 months after the Bill is passed. It has three milestones for its implementation: set up DPA on a notified date, establish DPA rules and allow its functioning within three months from notified date, and issue regulation of the scope and limitations of the Bill within 12 months from notified date.
Until this 30-month marathon is completed, the use of personal data will continue to be regulated by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under the Information Technology Act, 2000.
Rights
The proposed Bill comes after a 2012 petition in the Supreme Court challenged the Aadhaar on the grounds that it violates privacy. The declaration of privacy as a fundamental right in India came after a committee of experts, in July that year, formed under Justice BN Srikrishna was tasked by the court to examine issues related to data protection and suggest a draft law. It was presented to the ministry of electronics and information technology (MeitY) in July 2018.
While recognising ‘sensitive personal data’ which includes passwords, financial data, biometric data, religious beliefs, caste and political beliefs and providing stricter grounds for its processing, the Bill, for the first time, extends the scope of privacy rights post the historic Aadhaar judgement.
The principal has the right to obtain, in summary, the data held with the fiduciary. Where principals find errors or inaccurate data, the Bill provides the right to seek correction. In addition, the principal may also choose to transfer personal data to some other fiduciary under the proposed law.
The ‘right to be forgotten’ is the standout feature of the Bill as it allows the principal “the right to restrict or prevent continuing disclosure of personal data by a data fiduciary” when the data has served its purpose or is no longer necessary; the principal withdraws its consent; or the disclosure was made contrary to the Bill.
Fiduciaries, on the other hand, are restricted by the proposed law in the way they deal with personal data. For instance, it makes it mandatory for the state or private entities to process data in a fair and reasonable manner and inform of the nature of its processing and collections.
The Bill also limits data collection by declaring that only that much data be collected as required for the specified purpose. A hold on storing of data longer than necessary is also placed.