Global negotiations today revolve around debates about the transfer and security of data. In this context, the Personal Data Protection (PDP) Bill, 2019 is the India’s first attempt to domestically legislate on the issue of data protection.
The Bill derives its inspiration from a previous draft version prepared by a committee headed by retired Justice B N Srikrishna.
Significance of Data in today’s digitalised world
- Data is the large collection of information that is stored in a computer or on a network.
- Data is collected and handled by entities called data fiduciaries. While the fiduciary controls how and why data is processed, the processing itself may be by a third party, the data processor.
- This distinction is important to delineate responsibility as data moves from entity to entity. For example, in the US, Facebook (the data controller) fell into controversy for the actions of the data processor — Cambridge Analytica.
- The processing of this data (based on one’s online habits and preferences, but without prior knowledge of the data subject) has become an important source of profits for big corporations like Facebook, google, Instagram, etc
- Targeted advertising:Companies, governments, and political parties find it valuable because they can use it to find the most convincing ways to advertise online.
- Apart from it, this has become a potential avenue for invasion of privacy, as it can reveal extremely personal aspects.
- It is now clear that much of the future’s economy and issues of national sovereignty will be predicated on the regulation of data. Digital Data is the NEW OIL and needs to be regulated by governments.
- The physical attributes of data — where data is stored, where it is sent, where it is turned into something useful — are called data flows.Data localisation arguments are premised on the idea that data flows determine who has access to the data, who profits off it, who taxes and who “owns” it.
- The Bill removes the requirement of data mirroring(in case of personal data). Only individual consent for data transfer abroad is required.
- Data mirroring: The act of copying data from one location to a storage device in real time. The Bill requires sensitive personal data to be stored only in India. It can be processed abroad only under certain conditions including approval of a Data Protection Agency (DPA). This purpose deals with privacy concerns that is tosafeguard the constitutional guarantee of privacy for Indian citizens
- Critical Personal Data:Critical personal data must be stored and processed in India.
- Non-Personal Data:The Bill mandates fiduciaries to provide the government any non-personal data when demanded. Non-personal data refers to anonymised data, such as traffic patterns or demographic data. This type of data is used by companies to fund their business model.
- The Bill also requires social media companies,which are deemed significant data fiduciaries based on factors such as volume and sensitivity of data, to develop their own user verification mechanism. This intends to decrease the anonymity of users and prevent trolling.
Other important provisions of the bill
- The Bill includes exemptions for processing data without an individual’s consent for “reasonable purposes”,including security of the state, detection of any unlawful activity or fraud, whistleblowing, medical emergencies, credit scoring, operation of search engines and processing of publicly available data.
- The Bill calls for the creation of an independent regulator Data Protection Authority,which will oversee assessments and audits and definition making.
- Each company will have a Data Protection Officer (DPO)who will liaison with the DPA for auditing, grievance redressal, recording maintenance and more.
- The Bill proposes “Purpose limitation”and “Collection limitation” clause, which limit the collection of data to what is needed for “clear, specific, and lawful” purposes.
- It also grants individuals the right to data portabilityand the ability to access and transfer one’s own data. It also grants individuals the right to data portability, and the ability to access and transfer one’s own data.
- Anonymised data and issues with it – One of the provisions enables the central government to direct the regulated entity under the act to provide anonymised personal data. The government wants to use this anonymised personal data to enable the targeted delivery of services or evidence-based policymaking
- Finally, it legislates on the right to be forgotten. With historical roots in European Union law, General Data Protection Regulation (GDPR), this right allows an individual to remove consent for data collection and disclosure.
- The Bill stated the penaltiesas: Rs 5 crore or 2 percent of worldwide turnover for minor violations and Rs 15 crore or 4 percent of total worldwide turnover for more serious violations.
- Also, the company’s executive-in-charge can also face jail terms of up to three years.
- Data localisation can help law-enforcement agencies access data for investigations and enforcement.
As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties”. Accessing data through this route is a cumbersome process.
- Instances of cyber-attacks and surveillance will be checked.
Recently, many WhatsApp accounts were hacked by an Israeli software called
- Social media is being used to spread fake news, which has resulted in lynching, national security threats, which can now be monitored, checked and prevented in time.
- Data localisation will also increase the ability of the Indian government to taxInternet giants.
- A strong data protection legislation will also help to enforce data sovereignty.
- Many contend that the physical location of the data is not relevant in the cyber world. Even if the data is stored in the country, the encryption keys may still be out of reach of national agencies.
- National security or reasonable purposes are an open-ended term, this may lead to intrusion of state into the private lives of citizens.
- Technology giants like Facebook and Google have criticised protectionist policy on data protection (data localisation). They fear that the domino effect of protectionist policy will lead to other countries following suit.
- Protectionist regime supress the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows rather than nationalistic borders.
- Also, it may backfire on India’s own young start-ups that are attempting global growth, or on larger firms that process foreign data in India.
Use of big data and AI in governance
- The government also plans to use big data and artificial intelligence within governance and planning systems.
- The use of these techniques has the potential to increase government capacity and transparency.
- It can also help in making an informed decision about economic and social planning.
- However, the provision ignores the multiplicity of existing and inchoate rights like IPRs (Intellectual Property Rights), copyrights and trade secret protections.
Consequences of the conflicting provision
- While the government wants the data to be open for acquisition similar to the power of “eminent domain” over land, but it comes in conflict with existing laws.
- It comes in conflict with the copyright acts, intellectual property rights, and trade secret laws.
- Databases are commercially significant for commercial companies.
- Overlap of these existing rights within the government system can jeopardise accountability and transparency.
Problems with Big data and AI in governance
- Unregulated use of the database in governance could have consequences for the people and communities who are being made visible or being invisible by this data.
- A shift from a qualitative method like census to the quantitative method like big data which is collected in a different context and used for a different purpose may not be smooth.
- Such data will be incomplete for governance.
- The data could also be replete with biases of the private entity collecting the data.
- So, the use of this unregulated data for policymaking or targeting beneficiaries could be disastrous.
- According to the Supreme Court in the Puttaswamy judgement (2017), the right to privacyis a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy, whereas the growth of the digital economy is also essential to open new vistas of socio-economic growth.
- In this context, the government policy on data protection must not deter framing any policy for the growth of the digital economy, to the extent that it doesn’t impinge on personal data privacy.