During the first two decades of this century, there has been a revolutionary change in the way the 1.3 billion people of India conduct themselves, be it communicating and interacting with each other, executing sale and purchase transactions, or carrying out business and trading activity. The governments – both in the centre and states – too have brought about structural change in the manner they provide essential services viz. electricity, water, education, health etc and run schemes for the welfare of the poor and disadvantaged, including disbursement of a variety of subsidies.
The driving force behind these changes is the ‘digital mode’ of collecting, storing, processing and disseminating information, which has been made possible by the adoption and proliferation of digital computers and digital record keeping. There are several companies in areas such as online retail commerce, retail brokering, food delivery, ride-hailing, aggregation of service providers such as plumbers, cleaners, painters etc whose bedrock is digital infrastructure only.
While conducting their businesses, these so-called ‘digital companies’ generate mammoth data on users/consumers. The government too collects huge data for providing services and implementing welfare schemes such as direct transfer of subsidy to beneficiaries using JAM [Jan Dhan – Aadhaar – mobile phone]; distributing digitally enabled soil health cards [SHCs] to farmers; making payments to rural workers under MGNREGA [Mahatma Gandhi National Rural Employment Guarantee Act] and assistance to 140 million farmers @ Rs 6000/- per annum to every farmer under PM – KISAN.
The access that companies, state agencies, intermediaries, social media platforms etc [also known as fiduciaries in legal parlance] have to data on tens of millions of users/consumers raises fundamental questions of (i) protection of data; (ii) rights of citizens to privacy and (iii) national security. Considering that the landscape is dominated by multinationals such as Amazon, Walmart, MasterCard etc, the concerns are heightened due to cross-border movement and sharing of ‘sensitive’ data with third parties [including foreign governments].
To address these concerns, the government introduced in the Lok Sabha in the just concluded winter session the Personal Data Protection Bill [2019], which would now be examined by a joint select committee before being taken up for passing. It seeks to protect the privacy of personal data, regulate the processing of “sensitive” and “critical” personal data and establish a Data Protection Authority of India [DPAI] for regulations.
The Statement of Objects and Reasons of the bill provides the backdrop for it: (a) the 2018 Supreme Court [SC] verdict declaring “privacy” as a fundamental right under Article 21 of the Constitution of India [protection of life and personal liberty] in the Justice KS Puttaswami vs Union of India case; (b) a subsequent directive from the apex court to frame such a law; and (c) the Srikrishna Committee’s recommendations and draft on privacy protection [2018].
The bill builds on concepts of ‘consent’, ‘purpose limitation’, ‘storage limitation’ and ‘data minimization’ etc. It lays down obligations on fiduciaries to collect only that data which is required for a ‘specific purpose’ and with the ‘express consent’ of the individual [data principal]. It confers rights on the individual to obtain personal data, correct inaccurate data, erase or update the data, port data to other fiduciaries and the right to restrict or prevent disclosure.
It seeks to establish the Data Protection Authority of India [DPAI] to protect the interests of individuals, prevent ‘misuse’ of personal data, ensure ‘compliance’ and promote ‘awareness’. It notifies a “social media intermediary” as a significant fiduciary whose actions have a significant impact on electoral democracy, security of the state, public order or sovereignty and integrity of India. It empowers DPAI to specify the “code of practice” to promote good practices of data protection and ensure compliance.
The bill confers the “right of grievance” on individuals to complain against the fiduciary. It provides for an “Adjudicating Officer” to decide penalties and award compensation for violations and an “Appellate Tribunal” to hear appeals against these.
It empowers the central government, in Section 35, to allow any of its agencies to bypass all the privacy safeguards (a) in the interest of the sovereignty and integrity of India, security of the State, friendly relations with foreign states or public order and (b) for preventing any cognizable offence relating to the above (a). The only safeguards are: (i) a written order from the central government specifying the reasons for breaching privacy and (ii) in a manner [procedures, safeguards and oversight mechanism] “as may be specified” in future.
In sharp contrast, the 2018 draft [Srikrishna Committee] had, under Section 42, restricted granting exemptions to the central government only for “the security of the State”. Further, it said the processing of personal data “shall not be permitted unless authorized pursuant to a law, and in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to, such interests being achieved”.
The bill classifies data broadly in three categories viz. (i) “Personal data”: this is defined to mean any characteristics, trait, attribute or other feature of the identity of a natural person; (ii) “sensitive personal data”: this relates to data concerning the finances, health, genetic, bio-metric, caste, religion or political belief or affiliation etc; (iii) “Critical personal data”: this is not defined and left for the DPAI to do so.
Unlike the 2018 draft which provided for storage of one serving copy [or mirror copy as it is called in legal jargon] of all personal data in India, the bill dispenses with this requirement. As regards the other two categories, even as the former disallowed processing of “critical” personal data abroad and subjected “sensitive” personal data to a tight regulatory mechanism like explicit consent, contractual clause, approval of DPAI and central government permission, the latter subjects both types of data to a similar regulatory regime.
Section 94 of the bill provides that the DPAI would make regulations, rules, safeguards for protection of privacy and restrictions on continuous or systematic collection of “sensitive” personal data etc., including even defining what is “critical” personal data.
The other crucial provisions of the bill include the powers bestowed upon it to seek non-personal data from companies for the purpose of policy making and verification of social media users. The government is also considering an amendment to the Intermediaries Guidelines Rules [IGR], which originally provided a legal shield to technology platforms against the content shared on their platforms.
The provisions in this bill are a substantial dilution of what was initially contemplated viz. storage of all personal data including non-sensitive and non-critical in India [scary terms such as ‘data localization’, ‘setting up local office’ and ‘handing over the data key to regulators’ were being used]. As per the bill, all non-sensitive and non-critical data can be kept abroad and there is no need to keep a mirror copy here. Even sensitive data can be stored and processed abroad subject to regulatory compliance; only a mirror copy can be kept locally [the government may consider waiving this requirement as law enforcement agencies can always have access to the data on request]. For critical data, it may consider storage and processing within India only.
Much ado is being made about the exemptions to state agencies from having to take consent of the data principal and other provisions of the law under specified situations [Section 35]. Considering that security of the State, friendly relations with foreign states, public order and sovereignty and integrity of India are solely the responsibility of the sovereign government and can’t be compromised, this exemption is perfectly justified. In these matters, the state should have unfettered powers; no fetters can be put merely on the presumption that the provision would be misused.
There should be no objection to companies giving non-personal data [say, purchase of a given item, quantity, from where etc] to the government as this helps the latter formulate policies and make necessary changes to meet development needs. This will also be helpful in more effective implementation of welfare schemes and reaching out financial and other benefits to the poor.
The government needs to be very careful in dealing with data fiduciaries. While regulating them, it should strike a balance between protecting privacy of data principals and ensuring national security on the one hand and pursuing development goals on the other. It may consider ‘pragmatic’ and ‘flexible’ arrangements to address the concerns on protection of ‘sensitive’ data. Its approach should be one of risk assessment, identification of misuse and timely preemptive action taken in collaboration with the foreign companies.
This approach guided by the philosophy of mutual trust and accommodation will also help in capturing all the digital transactions needed for garnering tax revenue – indirect and direct – from vendors as well as the market-place owners.