Personal Data Protection (PDP) Bill

In News: ‘No data is permanently anonymised’: Experts warn of re-identification risks.

  • Non-Personalised Data like Browsing Pattern can also be used by fiduciaries to detect the behavioural patterns of individuals.
  • Thus even Non-personal data can be used for deducing personal traits and requirements.
  • It is in conflict with Right to Privacy.

Personal Data Protection Bill

  • It is India’s first attempt to domestically legislate on the issue of data protection.
  • The Bill derives its inspiration from a previous draft version prepared by a committee headed by retired Justice B N Srikrishna.
  • Data Fiduciaries: The 3 categories of Data created by the Bill are
    • Personal data: Data from which an individual can be identified like name, address etc.
      • No Data Mirroring is required.
      • Individual consent will suffice.
    • Sensitive personal data (SPD): Some types of personal data like as financial, health, sexual orientation, biometric, genetic, transgender status, caste, religious belief, and more.
      • To be stored only in India.
      •  It can be processed abroad only under certain conditions including approval of a Data Protection Agency (DPA).
    • Critical personal data: Anything that the government at any time can deem critical, such as military or national security data
      • Critical personal data must be stored and processed in India.
    • Non Personal Data: The Bill mandates fiduciaries to provide the government any non-personal data when demanded.
      • The ‘data fiduciary’ may be a service provider who collects, stores and uses data in the course of providing such goods and services.
      • Non-personal data refers to anonymised data, such as traffic patterns or demographic data.
      • The previous draft did not apply to this type of data, which many companies use to fund their business model.
  • Impact on Social Media Companies: Significant Data Fiduciaries (the fiduciaries with huge volume and processing sensitive data) have to develop their own user verification mechanism.
    • It will reduce anonymity of users and decrease trolling, fake news and cyberbullying.
  • Exemptions for Data Processing without consent: They have been provided for reasonable purposes like
    • Security of the state.
    • Detection of any unlawful activity or fraud.
    • Whistleblowing.
    • Medical emergencies.
    • Credit scoring.
    • Operation of search engines.
    • Processing of publicly available data.
  • Creation of Independent Regulator: The Bill calls for the creation of an independent regulator Data Protection Authority, which will oversee assessments and audits and definition making.
    • Each company will have a Data Protection Officer (DPO) who will liaison with the DPA for auditing, grievance redressal, recording maintenance and more.
    • The Bill proposes “Purpose limitation” and “Collection limitation” clause, which limit the collection of data to what is needed for “clear, specific, and lawful” purposes.
  • Control Over Data: It also grants individuals the right to data portability and the ability to access and transfer one’s own data.
    •  The right to be forgotten is also given.
    • With historical roots in European Union law, General Data Protection Regulation (GDPR), this right allows an individual to remove consent for data collection and disclosure.
  • Penalty: The Bill stated the penalties as: Rs 5 crore or 2 percent of worldwide turnover for minor violations and Rs 15 crore or 4 percent of total worldwide turnover for more serious violations.
    • Also, the company’s executive-in-charge can also face jail terms of up to three years.

Need

  • Law Enforcement: Data localisation can help law-enforcement agencies access data for investigations and enforcement.
    • Cross-border data transfer of data  through individual bilateral “mutual legal assistance treaties” is a cumbersome process.
  • Cyber Security: Recently, many WhatsApp accounts were hacked by an Israeli software called Pegasus.
  • Curbing Fake News: Many instances like lynching, national security threats, etc can now be prevented in time.
  • Data Sovereignty: Data localisation will also increase the ability of the Indian government to tax Internet giants.

Criticism

  • No relevance of Localised Data: Few critics point out to the fact that even if the data is stored in the country, the encryption keys may still be out of reach of national agencies.
  • Open Ended Definitions: National security or reasonable purposes are open-ended terms, this may lead to intrusion of state into the private lives of citizens.
  • Criticism from Tech Giants: Facebook and Google have criticised protectionist policy on data protection (data localisation) on ground of Domino Effect.
  • Against Ethos of Free Market: Protectionist regime supress the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows rather than nationalistic borders.
  • Difficulties for Indian Startups: Due to higher compliance cost, it may backfire on India’s own young startups that are attempting global growth, or on larger firms that process foreign data in India.
  • Reidentification Risks: With growing technology, now browser data itself can be used to derive personal conclusions which is threatening Right to Privacy.

Way Forward

  • The prime challenge is to balance between the growth opportunities posed by Free Data and Right to Privacy as Fundamental Right as declared by Puttaswamy Judgement 2017.
    • In this context, India must promote Data Localisation with care and by more scientific and organic categorisations.
    • The open ended definitions must be clearly defined.
  • The Localised Data will also help new entrepreneurs to fill the digital infrastructure gap.

What is Data?

  • Data is a huge collection of information generated by different means and stored on digital platforms.
  • Data Collection and Processing are two aspects of Data.
    • Fiduciaries are the one who collect and handle the data whereas processing can be done by third parties too.
    • Eg. Facebook is fiduciary while Cambridge Analytica was the processor drawing meaningful conclusions from data.
  • Data is new Oil for new generation industries like advertising, machine learning, artificial intelligence, etc.
  • Japan, US and many developed nations want free flow of Data but India is tilted towards Data Localisation to protect it’s local industries and citizens.

Key Definitions

  • Data Principal: The individual whose data is being stored and processed is called the data principal in the PDP Bill.
  • Data Transfer: Data is transported across country borders in underwater cables.
  • Data localisation: It is the act of storing data on any device physically present within the borders of a country.

Source: IE

 
Previous article Janaushadhi
Next article Facts in News