- The Personal Data Protection Bill, 2019, now under scrutiny by a Joint Parliamentary Committee, could play a big role in providing robust protections to users and their personal data.
- The proposed regime under the Bill seeks to be different from the existing regime which does not adequately protect users’ data.
NEED FOR ROBUST DATA REGIME
- The pandemic has forced more people to participate in the digital economy.
- More people have taken to digital channels to fulfill a variety of needs like purchasing groceries and accessing health services.
- Unfortunately, the number of personal data breaches from major digital service providers has increased worryingly in the same period.
- The recent alleged data breach at MobiKwik could stand to be India’s biggest breach with the data of 9.9 crore users at risk.
- Hence, robust data protection regimes are necessary to prevent such events and protect users’ interests.
- Unfortunately, the existing data protection regime in India does not meet this standard.
LOOPHOLES IN THE EXISTING REGIME
How different entities collect and process users’ personal data in India is mainly governed by the Information Technology Act, 2000, and various other sectoral regulations. However, this data protection regime falls short of providing effective protection to users and their personal data, as:
- Entities could override the protections in the regime by taking users’ consent to processing personal data under broad terms and conditions.
- This is problematic given that users might not understand the terms and conditions or the implications of giving consent.
- Further, the frameworks emphasise data security but do not place enough emphasis on data privacy.
- Hence, while entities must employ technical measures to protect personal data, they have weaker obligations to respect users’ preferences in how personal data can be processed.
- Also, entities could use the data for purposes different to those that the user consented to.
- The data protection provisions under the IT Act also do not apply to government agencies. This creates a large vacuum for data protection when governments are collecting and processing large amounts of personal data.
- Finally, the regime seems to have become outdated and inadequate in addressing risks emerging from new developments in data processing technology.
EVOLUTION OF PERSONAL DATA PROTECTION BILL, 2019
- The need for a more robust data protection legislation came to the fore in 2017 post the Supreme Court’s landmark judgment in Justice K.S. Puttaswamy (Retd) v. Union of India that established the Right to Privacy as a fundamental right.
- In the judgment, the Court called for a data protection law that can effectively protect users’ privacy over their personal data.
- Consequently, the Ministry of Electronics and Information Technology formed a Committee of Experts under the Chairmanship of Justice (Retd) B.N. Srikrishna suggested a draft data protection law.
- The Bill, in its current form, is a revised version of the draft legislative document proposed by the Committee.
HOW IS THE BILL DIFFERENT FROM THE EXISTING REGIME?
- The proposed regime under the Bill seeks to be different from the existing regime in some prominent ways.
- First, the Bill seeks to apply the data protection regime to both government and private entities across all sectors.
- Second, the Bill seeks to emphasise data security and data privacy. While entities will have to maintain security safeguards to protect personal data, they will also have to fulfill a set of data protection obligations, transparency and accountability measures that govern how entities can process personal data to uphold users’ privacy and interests.
- Third, the Bill seeks to give users a set of rights over their personal data and means to exercise those rights. For instance, a user will be able to obtain information about the different kinds of personal data that an entity has about them and how the entity is processing that data.
- Fourth, the Bill seeks to create an independent and powerful regulator known as the Data Protection Authority (DPA). The DPA will monitor and regulate data processing activities to ensure their compliance with the regime. Also, it will give users a channel to seek redress when entities do not comply with their obligations under the regime.
CONCERNS RELATED TO THE BILL
- The proposed Bill seeks to bring a massive and meaningful change to personal data protection in India through this regime. However, there are several provisions in the Bill created that causes concern about the regime’s effectiveness.
- These provisions of the Bill give wide exemptions to government agencies and diluting user protection safeguards. For instance, under clause 35, the Central government can exempt any government agency from complying with the Bill.
- Similarly, users could find it difficult to enforce various user protection safeguards (such as rights and remedies) in the Bill. For instance, the Bill threatens legal consequences for users who withdraw their consent for a data processing activity.
- Hence, this could discourage users from withdrawing consent for processing activities they want to opt out of.
- Also additional concerns emerge for the DPA as an independent effective regulator that can uphold users’ interests.
- India needs to have a robust data protection regime.
- The Personal Data Protection Bill, 2019 could play a vital role in providing robust protections to users and their personal data by addressing the related concerns. Thus, ensuring a stronger and more effective data protection regime.