Joint Parliamentary Committee, which is responsible for reviewing the Data Protection Bill, 2021 issued a report on 22nd November 2021 to be reviewed in the Winter Session of the Indian Parliament. The intangible, invincible challenge of data protection has been vastly debated for the past four years in India post the Supreme Court decision that declared that ‘Right to Privacy’ is a fundamental right in the Puttaswamy Judgment.
Aims and Objectives of the Bill
JPC in its report articulated the expansion of the Indian digital economy and the economic prowess India will unleash as one of the fastest-growing data generating nations in the world. As we progress our economic interests it is essential to a robust mechanism to protect the informational privacy of its citizens. This is not the case with Data Protection Bill, 2021, as it has put sovereignty, integrity, and state interest, and security before the privacy of individuals. This undermines the rights and freedoms of individuals over economic interests.
Wider Scope of the Bill
It has been suggested by the report that the draft law will be called the ‘Data Protection Bill, 2021’ to widen the scope of the law and regulate ‘non-personal data’. As Data Protection Authority (DPA) handles various types of data and at different security levels, it would become an arduous task for DPA to distinguish between personal and non-personal data. Thus, until an additional framework is established, the Bill will apply to both types of data.
There has been a considerable alteration in the rights of the users. One of the formidable principles of data protection is the right to erasure and correction, which has been altered to serve the interests of the data fiduciaries, who have the right to reject erasure or correction in cases of disagreement. There is considerable ambiguity surrounding data portability in the Data Protection Bill, 2021, with no definition of what will encompass ‘technical infeasibility’ to refuse data portability. The Right to be Forgotten, another essential feature of data protection now includes the exemption clause “the right of the data fiduciary to retain, use and process such data”. This gravely limits the rights of individuals in cases of mass surveillance by big tech companies or governmental agencies.
Social Media and Verification
Social Media and liability of intermediaries were highlighted this year by Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. It finds its place even in the Data Protection Bill, 2021. The vast cyberspace has been creating considerable havoc on the security of individuals and organizations. Though the regulation of social media platforms which are essentially intermediaries will entail another framework, the Data Protection Bill, 2021, makes considerable alterations that pertain to verification by social media platforms that are not intermediaries for detection of fake accounts. This is inversely proportional to the principle of data minimization by companies or government agencies.
A significant portion of the JPC Report is dedicated to data localization. The reasons that data localization is essential that have been enumerated in the report are inconsistent with the whole idea of informational privacy of individuals, such as national security and law enforcement, employment generation, privacy, and bargaining power.
The government has the final call when there has to be a transfer of sensitive personal data.
With the increased risk of data breaches, and India is threatened by it more so due to the sheer amount of data that is produced and stored, the Data Protection Bill, 2021 recommends a 72 – Hour reporting period of a data breach, following the footsteps of GDPR.
But unlike the GDPR, the report recommends the fines to be set by the Central Government, rather than be based on the entity’s turnover. This gives more power in the hands of the government to understand the impact of the breach and come up with a number that will proportionately cater to the need of undoing the harm that may have been caused by a data breach.
The responsibility of the data breach will be borne by the data fiduciary if the complaint is not done within the stipulated time period. In tangent with the principle of data minimization, a data fiduciary shall not retain personal data for any longer than is necessary and delete it thereafter. In cases where the government is a data fiduciary, the concerned department will conduct an in-house investigation to ascertain who is responsible for that liability to be established.
Exemptions and Surveillance
The Bill that preceded Data Protection Bill, 2021, was heavily criticized as it gave extensive exemptions to the government. Clause 35 of the Data Protection Bill, 2021 gives a free pass to the government to access, retain and process data of individuals if it is ‘necessary’ and ‘expedient’ with no possible definition of what these words would mean. The Data Protection Bill, 2021does not regulate mass surveillance, thus such a blanket exemption impinges on the right of privacy of an individual.
The Data Protection Bill, 2021 has attracted quite a lot of dissent from the opposition, terming it Orwellian in Nature as the Bill gave sweeping powers to the Central government from the application of data protection of individuals.
The penultimate goal of a democratic nation is to understand and implement the rights and freedom of its citizens to safeguard and protect them from harm. Moving towards technological revolution with a paradigm shift in digital interaction of individuals the need for robust data protection legislation is essential. The multifaceted challenges from economic, social, cultural corners of the society will propel the need for balancing the risk and reward and obtain the pivotal juncture for legislation that servers the means to a democratic end.
The hurdles are worth acknowledging that go beyond the voice of dissent. It is essential to understand that the ultimate test of the pudding is in adherence, autonomy, implementation, and management of the law, and not a vicious cause of panopticon monitoring and surveillance of Indian citizens.
This article has been written by Srishti Tripathy.