Updated: Mar 14, 2021
The Personal Data Protection Bill 2018 , drafted by a committee headed by Justice BN Srikrishna ,a revised version was approved by the Cabinet Ministry in 2019 as the Personal Data Protection Bill ,2019 ,which was drastically critized from the purview of Right to Privacy.
Justice Srikrishna while discussing in a webinar organized by Shyam Padman Associates on the topic" The Challenges in Personal Data Protection in the absence of Data Protection Law in India" said that the alteration in the bill weakens the provision and allows the State to infringe the Fundamental Right to Privacy in the name of sovereignty and security.
Justice BN Srikrishna further stated that it can turn India into an Orwellian State.
He even said that a fine line distinguishes Right to Privacy and access to data, the data protection law shall always ensure that the data extracted should be limited by time and purpose accordingly.
"The legislative enactment must categorically explain the reason behind collection of data. A rational connection must be obtained between the collected data and the purpose of its acquisition. There should be no absurdity in the connection. There is also a need for proportionality. The law should abide by the requirements and not go beyond it", as referred him
"While contemplating circumstances like COVID-19 pandemic ,where data is necessary for statistical probability ,consent of people in regard to access of data will be presumed consent. This is when the aspect of "data anonymization" comes into light ,where only numbers and no personal information can be utilized", as pointed out by Srikrishna.
The state has the power to straight away take rights of an individual ,only if it can ensure it is in the favour of the public. The Aarogya Setu application was one of the easiest ways of localization of data and by not mandating it within the country, the ministry has taken a positive approach towards the protection of personal data of the citizens.
Justice BN Srikrishna has observed a hiatus in the revised version of the PDP Bill, he stated that there is a lack of a definite date of commencement and no data localization policy, it only ends up taking away provisions which are meant to emancipate the principle with remedies.
SIGNIFICANCE OF THIS DEVELOPMENT:
The Personal Data Protection Bill,2019 ("PDPB") was introduced in Lok Sabha by the Ministry of Electronics and Information Technology ,on December 11, 2019. The Bill is brought into consideration to bring a stability in India's global image and the national interests. The objective of this Bill is to provide for protection of privacy of individuals relating to their Personal Data and to establish a Data Protection Authority of India for serving the purposes and matters concerning the personal data of an individual. Data Protection Bill is an important pillar for the future development of Indian digital economy. The Bill can even be said as a shield to the Indian cyber sovereignty.
SALIENT FEATURES OF THE BILL:
The key features of the Personal Data Protection Bill,2019 are as follows:
Obligations of Data Fiduciary:
Enumerate measures to maintain transparency in processing personal data.
Prevention of misuse of data through implementing security safeguards.
Providing information to the Authority by notice breach of any personal data.
Institute Grievance Redressal Mechanisms are held to address complaints of individuals.
Significant data Fiduciary shall appoint a data protection officer for the purpose of advising and monitoring the activities of the data fiduciary.
Rights of the Individual :
Right to obtain confirmation from the fiduciary on whether their personal data has been
seek correction of inaccurate , incomplete , or update personal data;
restrict continuing disclosure of their personal data by a fiduciary;
Offences under the Bill include:
processing or transferring personal data in violation of the Bill, punishable with a fine of Rs.15 crore or 4% of the annual turnover of the fiduciary, whichever is higher and
failure to conduct a data audit , punishable with a fine of Rs.5 crore or 2% of the annual turnover of the fiduciary, whichever is higher .
Re-identification and processing of de-identified personal data without consent is punishable with imprisonment of up to three years ,or fine, or both.
The PDP Bill,2019 represents a positive step towards finally accomplishing a data protection and privacy law for all Indians. It is a summation of principles of collection limitations, data retention and purpose retention. A more effective regulatory framework is needed in order for the effective implementation of the Personal Data Protection Bill. The details of the process of framing rules and regulations must be ensured and included in the bill. The revised PDP Bill ,2019 is exposed to various violations of laws due to the removal of safeguards on protection of personal data for usage of the State. Strict methodology should be imposed by the legislation in order to protect personal data.
The issues against the PDP Bill projects towards a need for a more pragmatic and modest approach to data protection and harms from misuse of personal data. The focus should be on preventing individuals and society from a breach of data privacy. Every company must educate their employees on data privacy in order to have an infrastructure to protect personal data. The Bill significantly strengthens the state without adequately protecting privacy, so designing a more precise regulatory framework can only be done through pragmatic assessment of the costs and benefits for data protection in India.
Author - Puja Dutta
Student of University of Burdwan