With advances in technology and the world becoming a global village, it is vital to maintain a balance between privacy and innovation to protect individuals and society against any kind of privacy leak without their consent. Personal data is generated and stored in a database, hard disk, cloud, computer, etc., in an unending process, as records are collected continuously. Threats to this data are classified as external threats to information security, such as ransomware, hackers, software attacks, theft of equipment and sabotage, and internal threats, which are often linked with data breaches, leaks and misuse of information. Hence, protecting databases and maintaining privacy is of paramount importance.
The dictionary meaning of data protection is legal control over access to and use of data stored in a computer. It refers to a series of continuous and routine processes, rules and regulations to minimize intrusion into one’s privacy.
The significance of the protection of personal data in India was highlighted by the Apex Court in the landmark case K.S. Puttaswamy and Anr. v. Union of India and Ors. On August 24, 2017, a nine-judge bench of the Supreme Court, comprising Chief Justice Khehar and Justices J. Chelameswar, S.A. Bobde, R.K. Agrawal, A.M. Sapre, Rohinton Nariman, D.Y. Chandrachud, Sanjay Kishan Kaul and S. Abdul Nazeer, ruled that privacy is a Fundamental Right essential to life and liberty and thereby comes under the purview of Article 21 of the Constitution of India.
The Judgement, delivered by Justice D.Y. Chandrachud, stated, “Ours is an age of information. Information is knowledge. The adage that ‘knowledge is power’ has stark implication for the position of the individual where data is ubiquitous, an all-encompassing presence. The internet has become all-pervasive as individuals spend more and more time online each day of their lives. The internet is used to carry on business and to buy goods and services.”
Further, it stated, “Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well. We commend to the Union Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state.”
Thereafter, the Srikrishna committee was constituted to draft the Personal Data Protection Bill, and it submitted the draft bill to the Ministry of Electronics and Information Technology (“MeitY”). On December 11, 2019, MeitY introduced the Personal Data Protection Bill (“PDPB”) in the Lok Sabha. The Bill aims to protect the personal data of individuals, minimise intrusion into one’s privacy and constitute a Data Protection Authority to monitor and take appropriate measures for the same. The primary goal of the PDPB is to protect personal data relating to the identity, features and characteristics of an individual. Providing efficient and effective protection for sensitive personal data (passwords, health data, biometric data, financial data, religious or political beliefs) is the need of the hour.
The Personal Data Protection Bill, 2019
The Bill proposes to supersede Section 43-A of the Information Technology Act, 2000, by deleting the provision related to the compensation payable by companies in case of failure to protect personal data. The Bill prescribes how personal data is to be collected, processed, utilized, stored and transferred.
The key features of the PDPB, currently under review by the Joint Parliamentary Committee, are as follows:
- Rights of the individual: The individual should be informed that his personal information is being processed so that his consent can be obtained, and should be given sufficient time to modify the data if it is inaccurate, incomplete or outdated. The individual shall also have the right to transfer his data to any other data fiduciary in certain circumstances.
- Responsibilities of the Data Fiduciary: The Bill places certain duties on the entity that has access to the personal data: collecting data only for a lawful purpose, maintaining transparency while processing the data, adhering to the policies for processing the data, implementing security safeguards such as encrypting data, creating firewalls and using secure passwords, and creating a grievance redressal forum to address the grievances of individuals. It is the duty of the fiduciary to obtain the consent of the individual to collect and process his data.
- Data Protection Authority: A Data Protection Authority has to be established to take the necessary steps to safeguard the interests of individuals, prevent misuse of personal data and ensure compliance with the Bill. The Authority shall comprise a Chairperson and six members, with at least 10 years' expertise in the field of information technology and significant knowledge of data protection. An appeal challenging an order of the Authority can be filed before an Appellate Tribunal established by the Central Government. Appeals from the Tribunal are heard by the Supreme Court.
- Grounds for Processing Personal Data: The Bill allows the processing of data by fiduciaries only if consent is obtained from the individual. However, personal data can be processed without obtaining consent in the following situations:
  - where it is necessary for the functioning of the Parliament or State Legislature
  - to provide benefits to the individual
  - to comply with any court judgement or legal proceedings
  - to respond to a medical emergency or for the safety of public health
  - for any other reasonable reason as deemed fit by the Authority.

  However, explicit consent of the individual is required to process sensitive personal data. The information should be obtained so that the Parliament or State Legislature can perform its necessary functions, or where it is required by the state to provide benefits to the individual. Fiduciaries are also required to institute appropriate mechanisms for age verification and parental consent to process the sensitive personal data of children.
- Transfer of Data outside India: Personal data, except sensitive personal data, may be transferred outside India where the Authority authenticates the transfer in a necessary situation or where the Central Government has prescribed the transfer to a specific country as lawful.
- Exemptions: This data regulation model also provides certain exemptions from compliance with its provisions. The grounds for exemption are as follows:
  - where the matter is one of state security
  - to prevent, investigate or prosecute any offence, or
  - for personal, domestic or journalistic purposes
- Offences and Penalties: The Bill provides punishment for fiduciaries that breach their duties or violate the Bill while processing data, and for failure to comply with the directions issued by the Authority. Failure to conduct a data audit is punishable with a fine of Rupees Five (5) crores or Two per cent (2%) of the annual turnover of the fiduciary, whichever is higher. Any default in processing or transferring data attracts a penalty of Rupees Fifteen (15) crores or Four per cent (4%) of the annual turnover of the fiduciary, whichever is higher.

To conclude, the proposed Bill emphasizes individual rights in data protection. Companies that want to use the data have to be clear and concise with regard to the purpose, the method of collecting the data and the duration for which it is retained. Further, additional responsibility is placed on private organisations regarding the volume of data to be collected and preserved. They will be held liable if they default by not reporting any security breach. If the Bill becomes law, the restrictions put on the transfer of sensitive personal data will have a significant impact in India as well as on overseas companies and cross-border trade. The proposed Bill is an unprecedented step for the nation towards creating an outstanding base for a secure cyberspace and a safe digital India.