A Robust Data Protection Framework - Need of the Hour
The author, Shalini S Menon, is a third-year student at St. Joseph's College of Law, Bangalore.
India has a large data market, owing to its vast population. But at present, there is no single integrated data protection law in India. All grievances related to technology and data are addressed through the Information Technology Act 2000 (IT Act). The pandemic has set off a digital trend around the world, from e-commerce and e-education to online media consumption. The paradigm shift towards a digitized economy calls for strict data protection laws. But is the government equipped for it? The recent notification of the change to WhatsApp's privacy policy caused panic among Indians. The Indian government calls it discriminatory, as WhatsApp allows users in Europe to opt out of the policy while giving Indian users, who form the majority (390.1 million users), no choice. As long as India does not have a data protection law like the General Data Protection Regulation (GDPR) in Europe, the flow of data is at stake. The proposed Personal Data Protection Bill 2019 (PDPB) calls for an overall restructuring of the data protection framework, covering the storage, collection, processing, usage, and transfer of personal data of Indian residents. In this article we shall analyze certain areas of the proposed bill.

The Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11, 2019. It is the first holistic approach to a data protection law in India.
CATEGORISATION OF DATA
The PDPB, 2019 categorises data into:
1. Personal data - data about or relating to a natural person who is directly or indirectly identifiable[1]
2. Sensitive personal data - such personal data which may reveal, be related to, or constitute— (i) financial data; (ii) health data; (iii) official identifier; (iv) sex life; (v) sexual orientation; (vi) biometric data; (vii) genetic data; (viii) transgender status; (ix) intersex status; (x) caste or tribe; (xi) religious or political belief or affiliation; or (xii) any other data categorised as sensitive personal data under section 15.[2]
3. Critical personal data - means such personal data as may be notified by the Central Government to be the critical personal data.[3]
The bill not only defines what falls under the category of critical personal data but also gives wide discretion to the government and provides blanket protection to government agencies, which is in a way a violation of the citizens' right to privacy. There is a risk of government agencies misusing citizens' data. There is no accountability on the side of the government.
USER CONSENT
The existing notice and consent privacy approach has been criticised for placing the onus of privacy protection on individuals.[4] These notices present the terms and conditions in lengthy, jargon-laden legal language that is incomprehensible to the common man. The PDPB is designed as a data principal-centred model. The Bill states that any organization obtaining personal data must obtain explicit permission from the user and must state the extent of its usage. This can be a problematic approach in a few ways. Firstly, digital companies not only procure data, they also create new information from the original user. This is typically done by building user profiles through customer data, such as expense history or repayment instalments. Based on this profile, other products or services are offered to an existing customer by the same company or a group company.[5] This process is called cross-selling, and it is a tool used to enhance user experience. If user consent is mandatory for processing any personal data, then cross-selling becomes a tedious business. Secondly, the PDPB requires the consent of a guardian for minors to access online services, although minors are the larger chunk of digital users today. This will require companies to verify the age of each user; however, the bill does not say how this is to be done. Thirdly, the bill requires that the notice for obtaining consent and stating the extent of usage of the data be clear, concise and easily comprehensible to a reasonable person, and in multiple languages where necessary and practicable,[6] but the bill is silent on visual and audio representation of notices for users who cannot read or see.
DATA LOCALISATION
Data that are not categorized as ‘sensitive’ or ‘critical’ could be moved out of India freely. Data which qualify as ‘sensitive’ personal data could be taken out of India if certain conditions are met but must be stored in India. ‘Critical’ personal data could not be taken out of India except under very limited circumstances. Countries have simultaneously tried to regulate the flow of data by way of international frameworks. Countries enter into bilateral and multilateral agreements to adhere to similar standards of data protection. Such agreements allow signatory countries to lower the data localization requirements for each other.[7]
India follows a sectoral localization of data, i.e., the telecommunication sector and the RBI store and process their data in India. However, the bill proposes that the localization measures be adopted across all sectors in India. India is not adequately equipped with such local data storage infrastructure, and the exorbitant cost of setting up a local storage system can discourage start-ups in India. Start-ups are an integral part of India’s vision of a trillion-dollar digital economy, and a highly restrictive data protection regime may prevent India from realizing it.[8] Moreover, a total localization of data calls for a complete restructuring of various businesses across India. Companies that collect data are not mere data collectors but data fiduciaries that assume responsibility for collecting, processing and storing the data.
CONCLUSION
In this era of information, data is the most valuable asset. Cases of data breach in 2020 in India have increased by 37% compared to the first quarter of 2019.[9] Personal data of about 4.5 million passengers of Air India was leaked in a cyber-attack on the airline’s data processor, and there have been similar cases involving BigBasket, Domino's and other big companies.[10] India is struggling to make do with a single cyber law, the Information Technology Act. The proposed Personal Data Protection Bill is a great first step towards establishing a secure data protection framework, and it is high time we took action.
[1] Clause 3(28) of PDPB, 2019
[2] Clause 3(36) of PDPB, 2019
[3] Clause 33(2) of PDPB, 2019
[4] https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf
[5] https://www.ikigailaw.com/impact-of-indias-upcoming-data-protection-law-on-payments-businesses/
[6] Clause 7(2) of PDPB, 2019
[7] https://carnegieindia.org/2021/04/14/how-would-data-localization-benefit-india-pub-84291
[8] https://www.ikigailaw.com/why-should-indian-start-ups-care-about-indias-new-data-protection-law/
[9] http://www.businessworld.in/article/India-Struggles-To-Safeguard-Data-Recurring-Cases-Of-Data-Breach/31-03-2021-385235/
[10] https://www.reuters.com/world/india/air-india-says-februarys-data-breach-affected-45-mln-passengers-2021-05-21/
Image Credits: https://www.forbesindia.com/article/leaderboard/the-personal-data-protection-bill-could-be-a-serious-threat-to-indians-privacy/56623/1