Context:
The number of personal data breaches from major digital service providers has increased worryingly in the same period as the pandemic has forced more people to participate in the digital economy.
The Personal Data Protection Bill, 2019, now under scrutiny by a Joint Parliamentary Committee, could play a big role in providing robust protections to users and their personal data.
Relevance:
GS-III: Internal Security Challenges (Cyber Security, Government Policies & Interventions, Internal security challenges through communication networks)
Mains Questions:
What is the need for India to have a robust data protection regime? To what extent does the Personal Data Protection Bill, 2019 address the issues? Critically examine. (15 Marks)
Dimensions of the Article:
- Significance of Data
- Personal Data Protection Bill 2019
- Advantages of the changes
- Issues with the bill
- Data Protection Authority (DPA): The solution?
- Broad Mandate of the DPA, a problem
Significance of Data
- Data is the large collection of information that is stored in a computer or on a network.
- Data is collected and handled by entities called data fiduciaries.
- While the fiduciary controls how and why data is processed, the processing itself may be by a third party, the data processor.
- This distinction is important to delineate responsibility as data moves from entity to entity. For example, in the US, Facebook (the data controller) fell into controversy for the actions of the data processor — Cambridge Analytica.
- The processing of this data (based on one’s online habits and preferences, but without prior knowledge of the data subject) has become an important source of profits for big corporations.
- Apart from this, it has become a potential avenue for invasion of privacy, as it can reveal extremely personal aspects.
- Also, it is now clear that much of the future’s economy and issues of national sovereignty will be predicated on the regulation of data.
- The physical attributes of data — where data is stored, where it is sent, where it is turned into something useful — are called data flows. Data localisation arguments are premised on the idea that data flows determine who has access to the data, who profits off it, who taxes and who “owns” it.
Personal Data Protection Bill 2019
- The Personal Data Protection Bill 2019 (PDP Bill 2019) is being analyzed by a Joint Parliamentary Committee (JPC) in consultation with experts and stakeholders.
- The Bill covers mechanisms for protection of personal data and proposes the setting up of a Data Protection Authority (DPA) of India for the same.
- The 2019 Bill includes some key provisions that the 2018 draft Bill did not, such as the power of the central government to exempt any government agency from the Bill, and the Right to Be Forgotten.
- The Bill proposes “Purpose limitation” and “Collection limitation” clauses, which limit the collection of data to what is needed for “clear, specific, and lawful” purposes.
- It also grants individuals the right to data portability and the ability to access and transfer one’s own data.
- Finally, it legislates on the right to be forgotten. With historical roots in European Union law, the General Data Protection Regulation (GDPR), this right allows an individual to remove consent for data collection and disclosure.
The Bill trifurcates data as follows:
- Personal data: Data from which an individual can be identified like name, address etc.
- Sensitive personal data (SPD): Some types of personal data, such as financial, health, sexual orientation, biometric, genetic, transgender status, caste, religious belief, and more.
- Critical personal data: Anything that the government at any time can deem critical, such as military or national security data.
Advantages of the changes
- Data localisation can help law-enforcement agencies access data for investigations and enforcement.
- As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties”.
- Accessing data through this route is a cumbersome process. Instances of cyber-attacks and surveillance can also be checked easily.
- Social media is being used to spread fake news, which has resulted in lynchings and national security threats; these can now be monitored, checked and prevented in time.
- Data localisation will also increase the ability of the Indian government to tax Internet giants.
- A strong data protection legislation will also help to enforce data sovereignty.
Issues with the bill
- The current draft requires the DPA to maintain a cadre of adjudicating officers and specifies their desired areas of expertise.
- All other important details, like the terms of appointment, jurisdictional scope, and procedure for hearings, are, however, left to be decided by the central government.
- The Bill doesn’t even specify whether the adjudication process can, or should, be preceded by mediation, which could help in the amicable settlement of many complaints.
- Many contend that the physical location of the data is not relevant in the cyber world. Even if the data is stored in the country, the encryption keys may still be out of reach of national agencies.
- “National security” and “reasonable purposes” are open-ended terms; this may lead to intrusion of the state into the private lives of citizens.
- Technology giants like Facebook and Google have criticised protectionist policy on data protection (data localisation).
- A protectionist regime suppresses the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows rather than nationalistic borders.
- Also, it may backfire on India’s own young startups that are attempting global growth, or on larger firms that process foreign data in India.
Data Protection Authority (DPA): The solution?
- One of the many important duties cast on the Data Protection Authority (DPA) that is to be created under the Bill is to adjudicate complaints received from data principals — individuals whose personal data is processed by others.
- The DPA is set to function as what the Financial Sector Legislative Reforms Commission (FSLRC) termed as a “mini-state”. This refers to an agency that is entrusted with a mix of quasi-legislative (regulation-making), executive (supervision and enforcement), and quasi-judicial (adjudication) functions.
- It comes with the risk that, absent structural safeguards, the agency might end up abusing or, conversely, neglecting some of its functions. A carefully-crafted regulatory design and robust accountability mechanisms are, therefore, essential.
Broad Mandate of the DPA, a problem
- Unlike other sectoral regulators that oversee specific businesses, the DPA’s authority will extend to anyone who deals with personal data.
- This may include individuals, private entities or any department or agency of the state.
- Further, since each data principal is party to multiple online and offline relationships, the universe of regulated transactions becomes even larger.
- Even a minuscule 0.5% rate of complaints out of the total shares of personal data will result in more than 10 million cases in a year. A caseload of this sort would be daunting for any agency.
- As a consequence, the DPA may either be overwhelmed by the volume of complaints or may grossly under-prioritise this aspect, resulting in delays, erosion of trust and poorer outcomes.
-Source: The Hindu