Think the draft bill by Srikrishna committee got things right? Or does more need to be done to plug loopholes like Aadhaar leaks? Share your views with us.
Last week, the Centre published its draft Personal Data Protection Bill, 2018, which follows from the recommendations put forward by the Justice Srikrishna Committee on data security.
Data is the new gold. With multiple cases of Aadhaar leaks, fears that the ‘Big Brother’ (government) is constantly monitoring us and the unauthorised collection of data by private companies, the Srikrishna committee was tasked with delivering a model law on how India will regulate data.
This bill gains further significance because of the apex court’s historic judgement last year, which held that privacy is a fundamental right. The committee has delivered both a report on India’s data landscape and a consequent draft bill which would regulate it.
However, the committee’s recommendations are not binding. IT Minister Ravi Shankar Prasad told the press last week that the Bill will undergo extensive consultations in Parliament before it is put up for a vote. In other words, the final bill deliberated on in Parliament could be very different from what you read in this committee’s draft bill and report.
Before getting into its analysis, it is imperative to understand a few definitions the bill has set out. Personal data, for example, refers to any information specific to a particular citizen or “data about or relating to a natural person who is directly or indirectly identifiable”.
What the bill seeks to regulate is the “processing” of that personal data which includes how it is recorded, collected, adapted, indexed and disclosed.
Going a step further, the bill also elaborates on what it means by “sensitive personal data.”
Among other things, it includes passwords, financial data, health data, official identifiers, sex life, sexual orientation, biometric data, genetic data, caste or tribe and religious or political beliefs and affiliations.
A fundamental underpinning of this entire exercise is to establish how personal data is utilised in such a way that a person’s individual privacy is protected.
The bill then goes on to spell out how this exercise is to be done and who has the necessary authority to perform it.
The bill lists out six grounds under which your personal data can be processed. (Read CHAPTER III: GROUNDS FOR PROCESSING OF PERSONAL DATA – Page 14)
If you give your explicit, informed, specific and clear consent to a person or an entity like the government or a company. You can, however, withdraw that consent.
This is where the bill gets a touch problematic as the scope for how and when the government can collect or use that information with or without consent is very broad. Let’s take the example of Section 13 of the Bill under Chapter III, which exempts the government from acquiring consent for certain types of data processing. The provision reads:
“Processing of personal data for functions of the State:
(1) Personal data may be processed if such processing is necessary for any function of Parliament or any State Legislature.
(2) Personal data may be processed if such processing is necessary for the exercise of any function of the State authorised by law for:
(a) the provision of any service or benefit to the data principal from the State; or
(b) the issuance of any certification, license or permit for any action or activity of the data principal by the State.”
These provisions are exceedingly vague and open to a whole host of interpretations. The government might as well process my personal data without my consent for any reason it damn pleases. One hopes that the final bill tabled in Parliament brings in a lot more clarity.
Other circumstances in which authorities can process your data are:
For legal cases: Any court or tribunal can demand access to your personal data without your consent. However, there is no clarity on whether the data it seeks is germane to the case or not.
In emergency situations: Authorities can collect your data without consent if your life is under threat from a medical emergency, natural disaster or an outbreak of a serious disease.
Your employers: They can access and use your personal data without consent for recruitment or firing, benefits, attendance, and work performance. Here, there is one safeguard that has been put in place. They can access your personal data only if the process of acquiring your consent is proving to be cumbersome or your job contract states otherwise.
It also specifies a few other “special reasons” that the Data Protection Authority of India (DPAI), a statutory body that will monitor these regulations, will list out, including the prevention of unlawful activity and whistleblowing.
On the subject of processing sensitive personal data, the bill lists out some important criteria:
“(1) Sensitive personal data may be processed on the basis of explicit consent.
(2) For the purposes of sub-section (1), consent shall be considered explicit only if it is valid as per section 12 (read processing of personal data) and is additionally:
(a) informed, having regard to whether the attention of the data principal has been drawn to purposes of or operations in processing that may have significant consequences for the data principal;
(b) clear, having regard to whether it is meaningful without recourse to inference from conduct in a context; and
(c) specific, having regard to whether the data principal is given the choice of separately consenting to the purposes of, operations in, and the use of different categories of sensitive personal data relevant to processing.”
Moreover, you can withdraw your consent. The exception on requiring consent is more or less the same here as well.
However, one major difference from the grounds listed for personal data is that consent has to be explicit, which in other words means the person understands the implications of giving up his/her data and what it means.
In the chapter titled Data Principal Rights, the bill lists out the rights that, in theory, every citizen has over how his/her data is controlled:
1) Right to confirmation and access: Where every citizen has the right to find out what’s being done with their data.
2) Right to correction: Where you can correct or update your data. It is incumbent on the organisation which collects your data to update the said information and pass that on to other entities that drew from it.
3) Right to data portability: This right “Allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.”
However, the bill lists out some exceptions.
1) Right to be forgotten: Unlike the European Union interpretation of this principle which allows people to withdraw consent and demand their data be completely erased, the bill requires citizens to issue a claim to an Adjudicating Officer, who will then decide whether it is fair or not.
One essential facet of this bill is the establishment of the Data Protection Authority of India; a statutory body made up of seven members including a chairperson, who will oversee data processing regulations in India and inquiries into specific cases, including the power to search and seize.
The authority’s members will be selected by the Chief Justice of India or a judge nominated by him/her, the Cabinet Secretary and one expert nominated by the Chief Justice or the nominated judge.
The bill has also listed out punishments for various violations committed by those holding your data. A data security breach, for example, could entail a fine of “up to five crore rupees or two per cent of its total worldwide turnover of the preceding financial year, whichever is higher.”
On more serious charges, the said entity faces “a penalty which may extend up to fifteen crore rupees or four per cent of its total worldwide turnover of the preceding financial year, whichever is higher.” Those wronged by an agency collecting their data can approach the DPAI for compensation.
However, there is very little conversation on Aadhaar, which comes under a person’s “sensitive personal data.” Moreover, the matter is currently sub judice in the Supreme Court. There are other concerns, as listed in this tweet.
— Nikhil Pahwa (@nixxin) July 27, 2018
(Edited by Gayatri Mishra)