Shravani Nag Lanka, a 3rd year student of Dr. Ram Manohar Lohiya National Law University, Lucknow, scrutinizes the Personal Data Protection Bill (PDPB), 2019 and its implications for society.

Introduction

The world has gone digital and this trend will continue to accelerate exponentially, especially in times of the COVID-19 pandemic. We are progressively going to rely more on digital technologies for myriad personal and professional activities. This digitalisation leads to the generation of ‘big data’, a term used for massive data sets generated by the users of various digital services. Users will be forced to share their data, willingly or unwillingly, knowingly or unknowingly. This data would be in the hands of the companies providing various digital services, including video conferencing, communications services, online education, online health consultations, entertainment, etc.

However, the process of digitalisation has to be regulated in a manner that would facilitate growth and innovation and not concentrate power in the hands of a few mega corporations providing these digital services. India is possibly one of the last remaining significant democratic economies without an enacted data protection law, even though it has the second-largest number of internet users in the world. The Personal Data Protection Bill (PDPB), 2019[1] was expected to be the bill that would usher in the regulation of the personal data of individuals and the setting up of a Data Protection Authority. However, efforts in this regard were brought to a halt when, instead of being passed, the bill was referred for further deliberations to the Joint Parliamentary Committee.[2] The 2019 version of the Personal Data Protection Bill (PDPB) has drawn criticism, the most significant one being that it is an instrument that gives the government immense power over the data of the people. Justice B.N. Srikrishna, the chief architect of the draft law, stated that the government has removed the safeguards that had been placed in the draft bill and can now access personal data on the grounds of sovereignty and public order, and that the bill thus has the potential to turn India into an Orwellian state.[3]

The smoke screen for the rights of users

The highlight of this bill is that it gives free rein to the government over the personal data of the users without the users having any right over their own data. Clause 91 of the bill permits the government to acquire data from any corporation without their consent for “reasonable purposes.”[4] The provision states that “the Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide” any anonymised data to “enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government.”[5]

The same is the case with the ‘breach notification’ clause 25, under which a data principal whose data is being collected will not even know that their data has been leaked unless the Authority decides that the data fiduciary (the entity or individual who decides the means and purposes of processing personal data) should inform the users.[6] Whether a breach is reported will depend on the severity of the harm that may be caused to the data principal, and the power to determine this threshold rests with the Authority. It is important to note that the government has given itself the power to determine when it becomes necessary to inform the users that their data has been leaked, and it may so happen that the users are not informed at all. In this paradigm, the users have been stripped of their informational privacy as well as their privacy of choice enshrined in the right to privacy, as stated by Justice Nariman in the Puttaswamy Judgement of 2017.[7] By not informing, the companies are taking away the choice of people to determine whether they want to review the privacy policy and disengage with the services of that particular entity or not.

The data breach notification system is meant to inform the data principals that their information has been compromised. In the United States of America, this system simultaneously informs the data principal as well as the regulatory agency responsible for such breaches about the compromise. Similarly, the General Data Protection Regulation (GDPR)[8] of the EU states that if data has been breached, the company will provide breach notification to the data principals, including the amount of data loss and its consequences. If a failure to report such a data breach is observed in Europe, it can lead to a fine on the corporations of either €10 million or 2% of worldwide turnover.[9] The Indian draft bill disregards the rights of the users in the breach notification system, and they are left at the mercy of the government, rather than the data fiduciaries being made liable for the compromise of their systems.

The biggest flaw in this entire bill is that government agencies can be exempt from the provisions of the statute. But to connect the dots, one needs to go back and examine the Aadhaar data leak of 2017.[10] This data leak revealed that several State departments and Central Ministries were violating the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act,[11] but the Unique Identification Authority of India (UIDAI) did not file a single case against anyone. Also, the provision in the Act states that only the UIDAI, not the affected person, is authorised to file an FIR.[12] This raises questions as to why a private right of action is not allowed within this statute that thrives on users’ data. Why is there no space for individual choice of the data principal or control over their data? Does it mean that the government wants to protect the industry from any liability as they will be the catalysts for surveillance, and does this reiterate the nexus in the data-driven world?

Conclusion

The objective of the PDPB 2019 would lead one to believe that the government wants to have dominance over people’s data by disregarding rights enshrined by the Constitution. This may lead to abuse of power in a liberal democratic setup without any checks or balances, violating the rights of privacy prescribed for individuals by accessing their data in the name of sovereignty and public order. If this bill is left to pass in its current avatar, it may give legitimacy to the government’s unbridled power to make laws in a manner that serves their purpose of turning India into a surveillance state.


Shravani Nag Lanka is a third year student of Dr. Ram Manohar Lohiya National Law University, Lucknow.


[1]The Personal Data Protection Bill, 2019, Bill No. 373 of 2019 (India). 

[2]Personal Data Protection Bill referred to joint select panel, The Hindu (December 11, 2019, 12:55 IST), https://www.thehindu.com/news/national/govt-proposes-to-send-personal-data-protection-bill-to-joint-select-committee/article30275186.ece.

[3]Regina Mihindukulasuriya, Safeguards removed, new data protection bill should be challenged in court: BN Srikrishna, The Print (December 15, 2019, 3:01 PM), https://theprint.in/india/safeguards-removed-new-data-protection-bill-should-be-challenged-in-court-bn-srikrishna/335537/

[4]Navya Singh, Know all about India’s Data Protection Bill and How it is a threat to Privacy, The Logical Indian (February 20, 2020), https://thelogicalindian.com/campaign/save-our-privacy/data-protection-bill-19804?infinitescroll=1

[5]The Personal Data Protection Bill, 2019, Bill No. 373 of 2019 (India), § 91.  

[6]The Personal Data Protection Bill, 2019, Bill No. 373 of 2019 (India), § 25. 

[7]Anirudh Burman, Will India’s proposed Data Protection Law Protect Privacy and Promote Growth?, Carnegie India (March 9, 2020), https://carnegieindia.org/2020/03/09/will-india-s-proposed-data-protection-law-protect-privacy-and-promote-growth-pub-81217.

[8]General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council.

[9]Danny Palmer, What is GDPR? Everything you need to know about the new general data protection regulation, ZDNet (May 17, 2019, 19:03 IST), https://www.zdnet.com/article/gdpr-an-executive-guide-to-what-you-need-to-know/.

[10]Anumeha Yadav, Government Websites are leaking Aadhaar numbers. Who will take action against the government?, Scroll.in (April 25, 2017, 09:00 AM), https://scroll.in/article/835546/the-centres-casual-response-to-aadhaar-data-breaches-spells-trouble.

[11]The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, No. 18, Acts of Parliament, 2016 (India).

[12]Reetika Khera, The different ways in which Aadhaar infringes on privacy, The Wire (July 19, 2017), https://thewire.in/government/privacy-aadhaar-supreme-court

IMPORTANT – Opinions expressed in this article are the sole responsibility of the author and do not necessarily reflect the views of IJOSLCA.
