The Union government on released the draft Personal Data Protection Bill, 2018, submitted as part of the recommendations of the Justice Sri Krishna Committee on data security.

Background:

• A 10-member committee set up last year under the chairmanship of the retired Supreme Court judge, Justice B.N. Sri Krishna.
• The committee was tasked to submit a report and recommendations on what India’s data protection regime should look like, especially in light of the Supreme Court’s 2017 judgment that asserted a fundamental right to privacy for all Indians.
• The panel has delivered a report that covers its views on the data protection landscape in India, as well as a draft bill, which is likely to form the core of the government’s own draft.

Need For Data Protection:

• The 21st century has witnessed such an explosive rise in the number of ways in which we use information, that it is widely referred to as ‘the information age’.
• Much of that new information will consist of personal details relating to individuals, including information relating to the products they have purchased, the places they have travelled to and data which is produced from “smart devices” connected to the Internet.
• Data is fundamentally transforming the way individuals do business, how they communicate, and how they make their decisions. Businesses are now building vast databases of consumer preferences and behaviour.
• While data can be put to beneficial use, the unregulated and arbitrary use of data, especially personal data, has raised concerns regarding the privacy and autonomy of an individual, centralisation of databases, profiling of individuals, increased surveillance and a consequent erosion of individual autonomy.

Scope of data:

• For instance, the analysis of very large and complex sets of data is done today through Big Data analytics. Employing such analytics enables organisations and governments to gain remarkable insights into areas such as health, food security, intelligent transport systems, energy efficiency and urban planning.
• Data is valuable per se and more so, when it is shared, leading to creation of considerable efficiency. The reality of the digital environment today, is that almost every single activity undertaken by an individual involves some sort of data transaction or the other.
• The Internet has given birth to entirely new markets: those dealing in the collection, organisation, and processing of personal information, whether directly, or as a critical component of their business.
• There are a large number of benefits to be gained by collecting and analysing personal data from individuals. Pooled datasets allow quicker detection of trends and accurate targeting

What is data protection:

• Data protection principles are designed to protect the personal information of individuals by restricting how such information can be collected, used and disclosed.
• The need for data protection thus arises out of the need to prevent harms, and hinges on the question of who should be permitted to use personal information and how privacy can be protected.
• The concept of data protection is primarily linked with the idea of informational privacy.
• Privacy is a complex concept that has been difficult to define.
• The harms that arise from violations of privacy are difficult to identify because very often they are intangible.
• Informational privacy is often understood as the freedom of individuals to determine for themselves when, how, and to what extent information about them is communicated to others and this freedom allows for individuals to protect themselves from harm.
• However, not all information about an individual is necessarily private and deserving of protection. It is for a legal framework to determine where affording such freedom is appropriate and where it is not.
• Different norms of privacy can exist in different spheres of life .
• Rules of data protection and privacy are designed in such a way that they allow individuals the freedom to determine how their personal information will be collected, used and disclosed.
• Privacy laws are not identical in form to any other existing fields of law like property, copyright law, though there are some similarities. For example, laws on defamation generally prohibit disclosure of personal information only if it is false. Privacy, on the other hand, would even protect against disclosure of truthful personal information.

Current framework:

• Legislative attempts have been made to secure informational privacy in various sectors in India. These includes the general data protection rules under the Information Technology Act, 2000 (IT Act) as well as various sector specific laws on data protection ,the Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules).
• The SPDI Rules mandate certain requirements for the collection of information, and insist that it be done only for a lawful purpose connected with the function of the organisation.
• In addition, every organisation is required to have a detailed privacy Policy. The SPDI Rules also set out instructions for the period of time information can be retained, and gives individuals the right to correct their information. Disclosure is not permitted without consent of the provider of the individual, or unless such disclosure is contractually permitted.
• Section 43A, relates to “Compensation for Failure to Protect Data” and enables the enactment of “reasonable security practices and procedures” for the protection of sensitive personal data.
• When it comes to sharing information with Government agencies, then the consent of the provider is not required and such information can be shared for purposes such as verification of identity, prevention, detection and investigation including of cyber incidents, prosecution, and punishment of offences.
• The SPDI Rules apply only to corporate entities and leaves the government and government bodies outside its ambit.
• The absence of an effective enforcement machinery therefore raises concerns about the implementation of the SPDI Rules.
• The Aadhaar Act also provides for Aadhaar based authentication services wherein a requesting entity (government/public and private entities/agencies) can request the Unique Identification Authority of India (UIDAI) to verify/validate the correctness of the identity information submitted by individuals to be able to extend services to them.
• The requesting entity is required to obtain the consent of the individual before obtaining her identity information for the purpose of authentication and must use her identity information only for the purpose of authentication.
• Under the Aadhaar Act, collection, storage and use of personal data is a precondition for the receipt of a subsidy, benefit or service.
• The Aadhaar Act and its regulations recognise various data protection principles, to ensure the security of information and privacy of Aadhaar Number holder like the Aadhaar Act prohibits the sharing of core biometric information, and the use of it for a purpose other than the generation of Aadhaar Numbers and authentication.

In Telecom sector:

• Data protection norms in the telecom sector are primarily dictated by the Unified License Agreement (ULA) issued to Telecom Service Providers (TSP) by the Department of Telecommunications.
• The format in which, and the types of information that are to be collected from the individual is prescribed by the DoT.
• A TSP has an obligation to take necessary steps to safeguard the privacy and confidentiality of the information of individuals to whom it provides a service and from whom it has acquired such information by the virtue of the service provided.
• Customer information can be disclosed only if the individual has consented to such disclosure and the disclosure is in accord.
• TSP has to make efforts to comply with the Telegraph Act which imposes an obligation on it to facilitate the Government to carry out ‘interception’ of messages in case of emergencies – a privacy intrusion justified largely in the name of national security with the terms of consent.

In Health Sector:

• The Clinical Establishments (Central Government) Rules, 2012 (Clinical Establishments Rules) requires clinical establishments to maintain and provide Electronic Medical Records/Electronic Health Records, thus mandating the storage of health information in an electronic format.
• SPDI Rules apply only to the private sector thus leaving the whole of the public health sector outside its ambit.

Supreme Court Judgement:

• Supreme Court in Puttaswamy case, which recognised the right to privacy as a fundamental right Under Article 19.
• The Supreme Court stated that the “right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution and as a part of the freedoms guaranteed by Part III of the Constitution and in all fundamental rights in Part III which protect freedoms in general, and overruled the aforementioned judgments to this extent.
• It went on to recognise informational privacy as a facet of the right to privacy and directed the Union Government to put in place a robust data protection regime to ensure protection against the dangers posed to an individual’s privacy by state and non-state actors in the information age.

Reference Models:

India’s approach to data protection, it will be instructive to look at practices followed in other jurisdictions, particularly recent models that have emerged.

1. European Union model – rights based approach.
2. The American market place model has sector specific data protection laws.

European Union model:

• EU GDPR follows a rights based approach towards data protection, and places the individual at the centre of the law.
• As a consequence, it imposes extensive control over the processing of personal data both at the time of, and after the data has been collected.
• Collection of certain forms of personal data, known as sensitive personal data (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health and sex life) is prohibited subject to certain exceptions.
• For processing to be lawful and fair, the entity collecting personal data must comply with an extensive range of principles such as that of purpose specification, data minimisation, data quality, security safeguards.
• An individual continues to exercise extensive control over her data post collection. This is enabled by a gamut of individual participation rights guaranteed under the law.

  These includes:
  1. The right to confirm if data about oneself is being collected
  2. The right to access data
  3. The right to rectification of data
  4. The right to data portability
  5. The right to restrict processing
  6. The right to object to processing
  7. The right to object to processing for the purpose of direct marketing
  8. The right to object to automated decisions

• The EU model also envisages an independent supervising authority (a regulator) who is armed with an array of functions and powers.
• Primarily, this body is responsible for monitoring and enforcing compliance with the law and for ensuring the protection of the fundamental rights in relation to processing and facilitating the free flow of data.
• Significant powers of imposing penalties are vested in the regulator to ensure effective compliance.

United States:

• On the contrary, in the US, privacy protection is essentially a “liberty protection” i.e. protection of the personal space from government. the US approach towards privacy and data protection varies from the EU in multiple respects.
• First, unlike the EU, there is no comprehensive set of privacy rights/principles that collectively address the use, collection and disclosure of data in the US. Instead, there is limited sector specific regulation.
• Second, the approach towards data protection varies for the public and private sector. The activities and powers of the Government vis-à-vis personal information are well defined and addressed by broad, sweeping legislations.
• For the private sector, which is not governed by these legislations, certain sector-specific norms exist.
• The Federal Trade Commission which has the responsibility to ensure consumer privacy enforcement. It does this by bringing enforcement actions against companies which violate consumer privacy.
• The US approach to data protection thus has two discernible trends— stringent norms for government processing of personal information; and notice and choice based models for private sector data processing.

Conclusion:

• In this light, in order to harness the benefits of the digital economy and mitigate the harms consequent to it, formulating a data protection law is the need of the hour for India.
• In an rapidly changing data landscape India want to update regularly its regulatory environment on data protection. A data protection law for India is not a greenfield exercise. Though piecemeal, several legislative developments and judicial pronouncements are relevant for determining the contours of such a law.
• A comprehensive data protection framework which applies to processing of personal data by any means, and to processing activities carried out by both the Government as well as the private entities, although there are certain exemptions such as national security, defence, public security, etc is an need of an hour.
• It was held that the Constitution of India must evolve with the circumstances of time to meet the challenges thrown up in a democratic order governed by the rule of law and that the meaning of the Constitution of India cannot be frozen on the perspectives present when it was adopted.