While addressing a virtual seminar on the impact of the PDP Bill on startups, the additional secretary of the IT Ministry Dr Rajendra Kumar said that the bill tabled in parliament will provide a boost to the country’s data and digital economy.
The additional secretary added that other similar laws around the world were studied and refined to come up with a bill that would suit the Indian context.
Earlier, R Chandrashekhar, the chairman of the Centre for Digital Future (CDF), which organised the seminar, said, “Privacy in the digital world is a sine qua non (absolutely necessary) but preserving opportunities for innovation and growth of the digital and data economy needs close attention while formulating and implementing regulations to protect privacy.”
The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha by the then IT Minister, Ravi Shankar Prasad, in December 2019. The bill was then referred to a joint parliamentary committee, which has so far postponed the submission of its report.
The bill governs the processing of personal data by the government, companies incorporated in India and foreign companies dealing with the personal data of Indian individuals. Here, personal data refers to data that pertains to characteristics, traits or attributes of identity which can be used to identify an individual.
The bill categorises some of this data as sensitive personal data. This includes financial data, biometric data, data pertaining to caste, religion or political beliefs among others.
Data Fiduciary, Social Media Intermediary and Data Processors
While addressing the seminar, Kumar also claimed that the concept of ‘significant data fiduciaries’ is likely to be beneficial to Indian startups.
According to the bill, a data fiduciary is an entity or individual who decides the purpose and methods of processing personal data. The processing will be subject to certain limitations, the idea being that personal data can only be processed for specific, clear and lawful purposes.
These could be companies like Google and Facebook, which collect user data and decide what to do with it.
Additionally, the bill makes it mandatory for all data fiduciaries to take transparency and accountability measures like implementing security safeguards, instituting a grievance redressal mechanism to address individual complaints etc. They are also required to institute mechanisms for age verification and parental consent when processing children’s sensitive personal data.
A data processor is an entity that processes data on behalf of the data fiduciary. In the example of Facebook, the company could decide to send user data to a third-party intelligence company to process the data.
The bill defines social media intermediaries as platforms that enable online interactions and information sharing between users. All intermediaries which have users above a certain threshold have certain obligations including providing a voluntary user verification mechanism for users in India.
Individual Rights And Grounds For Processing Data
The bill sets out certain rights for the individual (referred to as data principal). These rights include the right to obtain confirmation from the fiduciary about whether their personal data has been processed; the right to have personal data transferred to any other fiduciary under certain circumstances; and the right to restrict continuing disclosure of their personal data by a fiduciary once consent is withdrawn.
The bill allows fiduciaries to process data only if an individual provides consent. In certain circumstances, however, the data can be processed without consent including instances when the state asks for it, during legal proceedings or while responding to a medical emergency.
Data Protection Authority and Data Transfer
The PDP Bill sets up a data protection authority, which is an independent public authority that supervises the application of the bill through investigatory and corrective powers. It should consist of a chairperson and six members with at least 10 years of experience in the fields of data protection and IT. Orders made by the authority can be appealed at an appellate tribunal. Appeals from the tribunal will go to the Supreme Court.
The bill also outlaws the transfer of data outside India for processing unless the fiduciary receives explicit consent from the individual concerned. It also makes provisions for sensitive personal data and certain personal data notified as critical by the government to only be processed in India.
India is quite behind the curve when it comes to enacting laws and regulations that protect the personal data of its citizens. The General Data Protection Regulation (GDPR) went into effect in the European Union in May 2018. All companies processing the data of individuals in the European Union are required to comply with the GDPR no matter where they are based. If a company fails to comply, it could face fines as high as €10 Mn, or up to 2% of its global turnover in the preceding year, whichever is higher.
The GDPR provides certain rights to EU citizens including complete control over their data and how it is managed as well as the right to be forgotten, and transparency about how their data is used and whether it has been compromised.
The California Consumer Privacy Act (CCPA) is a similar law applicable to the data of citizens living in the American state of California. It allows consumers to demand all information a company has on them, the list of third parties that have access to the data and how their data is used. The law allows California residents to sue companies in breach of the act.
Criticism of the PDP Bill
Justice BN Srikrishna, who led the committee that drafted the bill, said the fact that it allows the Union government to exempt its agencies from the bill’s provisions is dangerous and could turn India into an “Orwellian state”.
“They have removed the safeguards. That is most dangerous. The government can at any time access private data or government agency data on grounds of sovereignty or public order. This has dangerous implications,” Srikrishna said during an interview with Economic Times.
Without safeguards in place to stop the government from misusing the provision of exemptions to the bill, it could legitimise the kind of state-sanctioned espionage on private citizens that the government was accused of conducting with the Pegasus software.