Digital Personal Data Protection Bill vs privacy of citizens? – The Core IAS

Context:

  • The Digital Personal Data Protection Bill, 2022 (DPDP Bill, 2022), which pertains to data protection regulations, has recently been made available for public input.
  • The Digital Personal Data Protection Bill, 2022, holds significant importance as a fundamental component of the comprehensive structure of technology regulations being developed by the Centre.
  • This framework encompasses various legislative measures such as the Digital India Bill, intended to succeed the Information Technology Act, 2000, the draft Indian Telecommunication Bill, 2022, and a policy addressing the governance of non-personal data.
  • However, it is important to analyse whether the Digital Personal Data Protection Bill, 2022 acknowledges the importance of safeguarding an individual’s personal data rights even as it addresses the necessity of processing personal data for legitimate objectives.

Journey of Data Protection Bill: The story so far

  • At present, India lacks a comprehensive legislation specifically addressing the issue of data protection. The regulation of personal data usage falls under the purview of the Information Technology (IT) Act of 2000. The insufficiency of this framework in safeguarding personal data has been duly noted. In the year 2017, the central government established a Committee of Experts on Data Protection, which was led by Justice B. N. Srikrishna. The primary objective of this committee was to investigate and analyse matters pertaining to data protection within the country. The report was submitted by the Committee in July 2018.
  • The Personal Data Protection Bill, 2019 was introduced in Lok Sabha in December 2019 in accordance with the recommendations put forth by the Committee. The Bill was referred to a Joint Parliamentary Committee, which subsequently presented its report in December 2021. The Bill was withdrawn from Parliament in August 2022.
  • The draft Digital Personal Data Protection Bill, 2022 was made publicly available by the Ministry of Electronics and Information Technology in November 2022, with the intention of soliciting feedback from the general public. The Digital Personal Data Protection Bill, 2022, which was initially proposed in November, is anticipated to be presented during the Monsoon Session of Parliament commencing July 20. On July 5, the draft Bill was approved by the Union Cabinet.

Argument: Data protection Bill will not violate citizens’ privacy

  • “The draft legislation, as stated in its introduction, seeks to acknowledge the “entitlement of individuals to safeguard their digital personal information” while also acknowledging the necessity of processing personal data for legitimate objectives”.
  • Legal scholars say the Bill aligns with the objectives of the Digital India initiative, which seeks to convert the country into a digitally empowered society and knowledge-based economy. The Bill primarily addresses the handling of digital personal data, acknowledging the importance of safeguarding an individual’s personal information while also recognising the necessity of processing such data for legitimate reasons. The proposed legislation does not aim to prohibit the utilisation of personal data. The Statement acknowledges the significance of data in the expansion of the digital economy and endeavours to establish a harmonious equilibrium between the rights of individuals and the interests of businesses that may utilise and handle personal data. This is achieved through a sequence of obligations that companies are required to adhere to. Furthermore, the processing of data is contingent upon obtaining explicit consent from individuals or in situations where consent can be reasonably inferred. Alternatively, data processing may be mandated by law, thereby necessitating its execution. The proposed legislation grants individuals a range of entitlements to request information from applications and websites pertaining to their personal data.
  • Constitutional scholars are of the view that individuals are legitimately entitled to be informed about the processing or prior processing of their personal data by an organisation, as well as the manner in which such data is being handled. Understanding the company’s role in processing and exercising individual rights is contingent upon fulfilling this crucial prerequisite. Furthermore, individuals may also endeavour to obtain information regarding third-party entities with whom their personal data and specific categories of data have been shared. Upon becoming cognizant, individuals have the option to revoke their consent if they do not desire their data to be processed. The right in question holds significant importance for individuals. Individuals are entitled to rectify or delete their personal data. Individuals are also entitled to approach an office or authority designated by a company in order to formally register and address any grievances they may have regarding the handling of their personal data.
  • According to the Central Government, the preliminary version of the Digital Personal Data Protection Bill has granted certain entities, as designated data fiduciaries by the government, exemptions from several obligations, such as the requirement to disclose information for the purpose of data aggregation. The exemptions outlined by the government pertain to various aspects, such as the requirement to inform individuals about the purpose of data collection, the collection of data pertaining to children, the assessment of risks related to public order, the appointment of a data auditor, and other related matters. The proposed legislation aims to grant government-designated data fiduciaries an exemption from the obligation to disclose information regarding data processing to data owners, as stipulated by the ‘Right to Information about Personal Data.’
  • The government’s access to personal data under the proposed data protection law will be limited to exceptional circumstances such as national security, pandemic, and natural disasters, thereby ensuring that the privacy of citizens is not infringed upon. The draft legislation, as stated in its introduction, seeks to acknowledge the “entitlement of individuals to safeguard their digital personal information” while also acknowledging the necessity of processing personal data for “legitimate objectives”. Suppose the government intends to infringe upon the privacy of its citizens through the implementation of this legislation. Is it feasible or attainable? This inquiry poses a fundamental question. The response is negative. The Bill and accompanying laws delineate with utmost clarity the specific circumstances that warrant the government’s access to the personal data of Indian citizens. These circumstances encompass national security concerns, pandemics, healthcare emergencies, and natural disasters.

Argument: Data protection Bill could be against right to privacy

  • “The Bill does not mandate government agencies to erase personal data once the processing purpose has been fulfilled”.
  • Some experts argue the Justice B N Srikrishna committee deliberately excluded surveillance reform when it published the initial version of the Personal Data Protection (PDP) bill in 2018. Nevertheless, it is worth noting that the current legal framework in India does not contain any provision that authorises access to personal data or interception of personal communication without consent. The efficacy of a data protection law is questionable if it fails to encompass the regulation of mass surveillance initiatives such as the Crime and Criminal Tracking Network and Systems (CCTNS), the Central Monitoring System (CMS), or the National Intelligence Grid (NatGrid). The Data Protection Bill, 2021 not only failed to enhance the draft law proposed by Justice B N Srikrishna, but also exacerbated its shortcomings. This trend persists with the subsequent Data Protection Bill, 2022. The long title of the document includes the phrase “to ensure the interest and security of the state”. Therefore, the proposed legislation for data protection aims to safeguard individual privacy, with state security being one of its main goals.
  • As per the findings of PRS Legislative Research, the Supreme Court established in 2017 that any violation of the right to privacy must be commensurate with the necessity for such encroachment. The inclusion of exemptions has the potential to result in an expansion of data collection, processing, and retention beyond the bounds of what is deemed essential. This may lack proportionality and may infringe upon the fundamental right to privacy.
  • According to PRS Legislative Research, the Bill confers authority upon the central government to grant exemptions to government agencies from certain or all provisions, with the objective of safeguarding state security and upholding public order. In specific instances, certain exemptions may be granted where the rights of data principals and obligations of data fiduciaries, with the exception of data security, do not apply. These exemptions are typically applicable in cases involving the processing of data for the purposes of preventing, investigating, and prosecuting offences. The Bill does not mandate government agencies to erase personal data once the processing purpose has been fulfilled. Based on the aforementioned exemptions, a government agency has the authority to gather information pertaining to individuals on the basis of national security, with the intention of constructing a comprehensive profile for the purpose of surveillance. This objective can be achieved by leveraging data stored by diverse governmental entities. This prompts inquiry into whether these exemptions will satisfy the proportionality test.
  • Legal experts have also highlighted additional concerns regarding the interception of communication for reasons such as national security. In the case of PUCL vs Union of India (1996), the Supreme Court imposed several safeguards that must be adhered to, including the establishment of necessity, purpose limitation, and storage limitation. The obligations of data fiduciaries under the Bill, which have been exempted, bear resemblance to these. According to the recommendations put forth by the Srikrishna Committee in 2018, it was suggested that certain obligations, such as fair and reasonable processing and security safeguards, should not be applicable in situations where processing is carried out for reasons of national security and the prevention and prosecution of offences. It has been observed that obligations such as storage limitation and purpose specification, if deemed applicable, would be enacted through a distinct legislation; India currently lacks a comprehensive legal framework in this regard.
  • As per the findings of PRS Legislative Research, the aforementioned Bill mandates that all entities responsible for handling data must acquire verifiable consent from the lawful guardian prior to processing the personal data of a minor. In order to adhere to this stipulation, each data fiduciary will be required to authenticate the age of all individuals who register for its services. It will be necessary to ascertain the individual’s age in order to determine their status as a minor, and subsequently obtain consent from their legally recognised guardian. The potential consequences of this could have negative effects on maintaining anonymity within the digital realm. At present, various entities entrusted with data governance mandate that users provide a declaration affirming their attainment of an age surpassing the minimum threshold necessary to grant consent. Due to the absence of any form of verification beyond a mere declaration, it is possible for a child to provide a false declaration and gain access to the services. One potential solution for bridging this divide involves implementing a mandatory age verification process, which may inadvertently compromise an individual’s anonymity and potentially infringe upon their right to privacy.
  • According to the findings of the Srikrishna Committee (2018), it was noted that a significant power disparity exists between the individual and the State when the State assumes the sole responsibility of providing a particular service or benefit. In situations where a data principal requires a benefit or service, they are not afforded the option to decline consent. In the given scenario, the concept of necessitating consent lacks significance. The rationale behind extending the exemption to encompass all services provided by the State, including commercial services, remains ambiguous. 
  • The Supreme Court of India, in the Justice K S Puttaswamy judgement, has established the Constitutional principle of a data protection law, thereby reaffirming the fundamental right to privacy. Justice D Y Chandrachud asserted that the establishment of such a system necessitates a meticulous and delicate equilibrium between the interests of individuals and the valid apprehensions of the state.