The Union government released the draft of the Personal Data Protection Bill, 2018 on 27th July. The report was long awaited for its implications for data handling and processing practices by Indian and foreign companies as well as government departments. Union Minister for Electronics and IT, Law and Justice, Ravi Shankar Prasad said that the government would consider the report and the draft bill submitted by the Srikrishna Committee.
In 2017, the Supreme Court passed a judgment that affirmed a fundamental right to privacy for all Indians. Subsequently, the government formed a committee under retired Supreme Court judge Srikrishna in August 2017. This draft bill is likely to form the base of the government’s own draft, which, it informed the apex court, would most likely be instated in September. These recommendations are, however, not binding. One of the main purposes of the bill stems from data protection based on Aadhaar. Numerous businesses, including financial services, use consumer data to analyse sales patterns and buyer behaviour in order to capture the market, and for profiling so as to tap an appropriate target audience and craft effective marketing campaigns. Fintech companies rely heavily on data processing too.
The draft bill stresses individual consent. It states that the consent should be free, informed, clear, specific and withdrawable. By ‘free’, the implication is that nobody should be forced into giving approval for data collection; ‘informed’ suggests that the individual ought to be provided with all the essential information beforehand; ‘specific’ means the individual can give information or data only specific to the requirement; ‘clear’ states that the consent given must not be ambiguous or dubious; and lastly, consent can be rightfully withdrawn at any point in time. However, the government can be exempted from obtaining an individual’s consent in certain cases. For example, Section 17 of the draft bill permits non-consensual data processing for public interest, prevention and detection of any unlawful activity, credit scoring or technical unfeasibility. Passwords, data pertaining to finances and health, official identifiers such as government-issued identity cards, sex life and sexual orientation, biometric and genetic data, transgender status or intersex status, caste or tribe, and religious or political beliefs have been identified as sensitive personal data under a data protection law.
Four rights have been granted to individuals concerning their data. Firstly, the ‘Right to confirmation access’ grants individuals the right to ask the organisation collecting their personal data for confirmation, i.e. that their personal information is being processed or has been processed, and for a summary of the personal data collected. Secondly, the ‘Right to correction’ gives individuals the right to ask the organisation collecting their personal data to correct inaccurate or misleading personal information, update outdated information and complete the incomplete data. Once the organisation has completed making the changes, it will have to notify the individuals about the update. Under the ‘Right to data portability’, individuals can direct the organisation or agency to send a copy of their data in a simplified format. Lastly, the ‘Right to be Forgotten’ empowers an individual to withdraw consent at any point and demand that the data provided by the organisation not be disclosed any further. However, this would depend upon the Adjudicating Officer, who will decide on the fairness of the demand.
If a citizen feels that his/her personal data has been compromised, he/she has the option to raise a grievance with the data protection officer of the entity dealing with the data. If the dispute is not satisfactorily resolved at this stage, the individual can escalate it to an appellate tribunal. Section 39 defines this process in the draft of the Personal Data Protection Bill. Section 32 outlines the process for entities to report a data breach in their systems. As of now, it does not provide a timeline for reporting the breach. The draft has suggested penalties from Rs. 5 crore or 2% of the total worldwide turnover of the company in the previous financial year, to Rs. 15 crore or 4% of the turnover. If a complaint is raised by anyone with a data fiduciary or company, and the latter fails to comply or respond to any request for explanation, it could be liable to a penalty of Rs. 5000 per day, up to Rs. 10 lakh. According to Section 75 of the draft bill, a citizen can also claim compensation if he/she has suffered any harm as a result of any violation of any provision under the Act.
Formation of a Data Protection Authority (DPA) to oversee the implementation of this law is one of the recommendations given by the committee. This authority will comprise a chairperson and six full-time members. The chairperson and the members would be appointed by the Central government based on the recommendations made by a selection committee comprising the Chief Justice of India (CJI), the Cabinet Secretary and an expert nominated by the CJI. Section 32 (b) states that the authority will have the discretion to determine if the breach should also be reported to the consumers whose data has been breached. Thus, at the primary step itself the draft appears to be diluting individual rights.
The draft bill proposes certain amendments to the RTI Act, provisions which aim to strike a balance between transparency and privacy by permitting public officials to withhold details. However, the bill does not address Aadhaar at length. The only piece of information pertaining to Aadhaar is the way sensitive personal information is recorded and administered. Nonetheless, the draft bill does recommend certain modifications to the Aadhaar Act.