WHY DOES INDIA NEED A DATA PROTECTION AUTHORITY?

THE CONTEXT: Data has become crucial for any country. After the Supreme Court Judgement in Puttaswamy Case in 2017, the debate about the privacy of users is on the floor every time. There is a demand for the proper setup for the protection of users’ data. Data protection Authority is an effective solution in this regard. This article analyses the importance of data protection authority in the securing of users’ data.

 WHAT IS DATA PROTECTION AUTHORITY AND WHY IS IT REQUIRED?

India’s data protection authority (DPA), as envisaged under the proposed Personal Data Protection (PDP) Bill, has been entrusted with the crucial responsibility of protecting and regulating the use of the personal data of citizens.

  • India has around 290 million social media users, 340 million messaging application users and around 400 million search engine users. These can easily be siphoned off to a foreign land and used for micro-targeting advertising.
  • In similar cases, the EU has the General Data Protection Regulation and the US laws dealing with issues of privacy with the help of such authorities.
  • In 2018, Srikrishna Committee also recommended Such Authorities for effective security of data.

PROTECTION FROM WHOM?

Basically, personal data is collected and processed by

  • State actors => central and state governments and their instrumentalities;
  • Non-state actors => private organisations providing services, social media intermediaries, e-commerce entities, big tech companies and employers
  • The central and state governments are one of the largest data fiduciaries (who collect, hold and process data) in a wide array of state activities such as national security, welfare administration, subsidies, provision of municipal services and employment benefits etc.
  • Similarly, in the age of big data, non-state data fiduciaries such as social media intermediaries like Facebook, Twitter, YouTube and giant e-commerce platforms also collect large amounts of personal data on a day-to-day basis.

WHY DATA PROTECTION IS REQUIRED?

Purpose

The purpose of personal data protection isn’t to just protect a person’s data, but to protect the fundamental rights and freedoms of persons that are related to that data.

Compliance Not complying with the personal data protection regulations can lead to even harsher situations, where it’s possible to extract all the money from a person’s bank account or even cause a life-threatening situation by manipulating health information.
Fairness

Data protection regulations are necessary for ensuring and fair and consumer-friendly commerce and provision of services. Personal data protection regulations cause a situation, where, for example, personal data can’t be sold freely which means that people have greater control over who makes them offers and what kind of offers they make.

  WHAT IS RIGHT TO PRIVACY AND WHY IT IS IMPORTANT?

  • A right to privacy is defined broadly as “the right to be let alone.”
  • It usually excludes personal matters or activities which may reasonably be of public interest.
  • The right to privacy is our right to keep a domain around us, which includes all those things that are part of us, such as our body, home, thoughts, feelings, secrets and identity.
  • The right to privacy gives us the ability to choose which parts in this domain can be accessed by others and to control the extent, manner and timing of the use of those parts we choose to disclose.

THE LANDMARK JUDGEMENTS
WHERE RIGHT TO PRIVACY HAS BEEN RECOGNISED AS A FUNDAMENTAL RIGHT
KHARAK SINGH V. THE STATE OF U.P. (1962) In this case, a minority opinion recognised the right to privacy as a fundamental right but this was not the majority opinion.

The minority Judges located the right to privacy under both the right to personal liberty as well as freedom of movement.

GOVIND V. STATE OF M.P. (1975) Confirmed that the right to privacy is a fundamental right.

The right to privacy was said to encompass and protect the personal intimacies of the home, the family marriage, motherhood, procreation and child-rearing.

However, the right to privacy is subject to “compelling state interest”.

R. RAJAGOPAL V. UNION OF INDIA (1994) The right to privacy is a part of the right to personal liberty guaranteed under the constitution.

It recognized that the right to privacy can be both a tort (actionable claim) as well as a fundamental right.

UIDAI V/S CBI (2014) The Unique Identity Authority of India should not transfer any biometric information of any person who has been allotted an Aadhaar number to any other agency without the written consent of that person.
JUSTICE K.S. PUTTUSWAMY (RETD.) & ANR. V. UNION OF INDIA & ORS. (2017).

 

Privacy is to be an integral component of Part III of the Indian Constitution, which lays down the fundamental rights of the citizens.

The state must carefully balance the individual privacy and the legitimate aim, at any cost as fundamental rights cannot be given or taken away by law, and all laws and acts must abide by the constitution.

The right to privacy is not an absolute right and any invasion of privacy by state or non-state actor must satisfy the triple test i.e.

1.       Legitimate Aim

2.       Proportionality

3.       Legality

In the Puttaswamy case, the SC instructed the government to pass a law that would regulate informational privacy not only from non-state actors but also from the state parties and other individuals.

DEVELOPMENTS AFTER THE SUPREME COURT JUDGEMENT?

  • In August 2017, the Supreme Court held that privacy is a fundamental right, flowing from the right to life and personal liberty under Article 21 of the Constitution. The Court also observed that privacy of personal data and facts is an essential aspect of the right to privacy.
  • In July 2017, a Committee of Experts, chaired by Justice B. N. Srikrishna, was set up to examine various issues related to data protection in India.
  • The Committee submitted its report, along with a draft Personal Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology in July 2018.
  • In 2019, the Personal Data Protection Bill was introduced in Parliament that is not passed yet.

OBJECTIVE OF THE BILL

  • Its regulatory nature not only creates a safe environment for a data principal to get his/her data processed but also protects the right of data fiduciary to profess.
  • Gives both the partners in this relationship certain rights and liabilities for it to work effectively.
  • Makes sure that the judgement made by the Supreme Court and the rights under the Constitution is protected and safeguarded.
  • It attempts to create a secure mechanism for processing of data, establishing certain norms for social media intermediaries, cross-border transfer, liabilities of agencies processing personal data, remedies for illegal, unauthorized and harmful processing, and to lay down a framework of a Data Protection Authority for India for the above said purpose.
  • The need for the Bill is derived from the growth of the digital economy and the purpose of monitoring the valid use of data as a means of communication.

PROVISION REGARDING DATA PROTECTION AUTHORITIES

  • The Bill sets up a Data Protection Authority which may:
  1. 1. take steps to protect the interests of individuals,
  2. 2. prevent misuse of personal data, and
  • 3. ensure compliance with the Bill.
  • It will consist of a chairperson and six members, with at least 10 years of expertise in the field of data protection and information technology.  Orders of the Authority can be appealed to an Appellate Tribunal.  Appeals from the Tribunal will go to the Supreme Court.

HOW DPA IS EMPOWERED TO PROTECT THE DATA?

  • The Chairperson of the authority will have the power of superintendence and to give direction for the affairs. The authority will itself appoint members and officers it deems necessary for discharging its duties under this act.
  • The most important function of the authority would be to protect the right to privacy that is to protect the interests of data privacy, prevent any misuse of the data, promote data security awareness and comply with the provisions of this act. Other responsibilities or the powers of the authority include formulating regulations and policies for all the purposes as stated above to regulate the data processing, inclusive of all such regulation required provisions.
  • The authority has the power to enact code for the practice in the good faith of the data processing companies and entities. The code of practice shall be formulated for an agency, association, or industry involving personal data processing. The authority has the role of maintaining the code and making necessary changes to adapt to the needful.
  • The Authority may, for the purpose of discharging of its functions under this Act, issue directions. From time to time as it may deem necessary directions can be issued to some data fiduciaries or data processors in general, or to a particular data fiduciary or a data processor. By the means of provisions of such order or directions, a data fiduciary could be bound to comply with the directions.
  • The authority has the power to call for information for discharging its functions as required by the Bill from data fiduciaries and data processors. The authorized officer in the authority has the power to seize any computer resource or any other document if it gives any doubt of misconduct or violation of regulations under the act.
  • The authorized officer in the authority has the power to seize any computer resource or any other document if it gives any doubt of misconduct or violation of regulations under the act.

 

WHAT ARE THE ISSUES: AN ANALYSIS?

MORE POWER TO THE CENTRAL GOVERNMENT

The current design of the Bill gives a wide range of powers to the central government. For instance, the members of the DPA are appointed by a committee comprising officers of the central government instead of a judicial or bipartisan parliamentary body. The design of the Bill effectively leads to central government regulating itself.

AFFECT THE FEDERAL STRUCTURE This design will adversely affect the federal structure of the Constitution. For example

(i)      A complaint filed against the Chief Minister’s Office for data breach will be decided by a body appointed by the central government as to whether such a breach took place or not.

(ii)    The Bill empowers the central government to decide if an event arising in a remote location in a state is an issue of ‘public order and therefore, requires ‘exemptions’ from the application of the various safeguard conditions. This cannot be allowed as it creates fertile grounds for data hegemony by the Centre and a massive concern for federalism.

PROCESSING OF DATA IN SPECIAL CASES

Processing of personal data is exempt from the provisions of the Bill in some cases.  For example, the central government can exempt any of its agencies in the interest of the security of the state, public order, sovereignty and integrity of India, and friendly relations with foreign states.  Personal data of individuals can be processed without their consent in certain circumstances such as:

(i)                  If required by the State for providing benefits to the individual,

(ii)                Legal proceedings,

(iii)              To respond to a medical emergency.

 

WHAT INDIA CAN LEARN FROM BEST PRACTICES

  1. EU MODEL
THE ROLE AND FUNCTION OF DATA PROTECTION AUTHORITIES ·         Handle reports of data breaches and provide monitoring reports of their own activities

·         Enforce data protection law at national level only

·         Mediate

·         Educate businesses on proper data protection protocols

·         Interpret EU law

·         Handle fines and other penalties

If you’re a company, it’s unlikely you’ll interact directly with a Data Protection Authority unless you:

·         Are subject to a complaint

·         Must report a data breach

·         Handle very high volumes of data

·         Directly approach the DPA for advice

ENFORCEMENT AND PENALTIES

 

·         Data Protection Authorities can bring legal action against companies who break the law. They can also investigate allegations of wrongdoing and impose penalties.

·         An Article sets out the conditions for imposing financial penalties on organizations. The fine must be proportionate, effective, and designed to discourage other companies from taking similar action.

·         Given the spirit of cooperation between the Member States, DPAs can look at fines imposed by other DPAs in similar circumstances to decide what’s fair and reasonable.

IMPARTIALITY

 

·         Data Protection Authorities must be free from all external influences, including government influence. This is set out in a separate Article.

·         Independence ensures that DPAs operate consistently across the EU and make fair decisions without chance of corruption.

HOW DPAs ARE CHOSEN?

 

According to Articles 53 and 54 of the GDPR, members of supervisory authorities must::

·         Be chosen in a clear and transparent manner

·         Have the qualifications and skills to perform the role

·         Be subject to proper secrecy and confidentiality

These guidelines ensure that only properly qualified individuals are chosen as DPAs and that the criteria are the same across the EU.

  1. CHINA MODEL

There is no single regulatory authority that deals exclusively with data protection/privacy matters. The Cyberspace Administration of China (CAC) is currently generally considered the primary data protection authority in the PRC, although various other legislative and administrative authorities have claimed jurisdiction over data protection matters, such as:

  • National People’s Congress Standing Committee
  • Ministry of Public Security
  • Ministry of Industry and Information Technology
  • State Administration for Market Regulation
  • Ministry of Science and Technology

Other sector-specific regulators, such as the People’s Bank of China or the China Banking and Insurance Regulatory Commission, can monitor and enforce data protection issues of regulated institutions within their sector.

WAY FORWARD:

  • The DPA must be established not as a regulatory body appointed by the central government but as a quasi-judicial independent body having judicial representation and should be subjected to only judicial oversight and monitoring and not executive supervision as envisaged in the current Bill.
  • Need for a decentralised DPA structure with state bodies and bodies at the district level like the Consumer Protection regime and to a certain extent, the Right to Information regime.
  • As DPA will be an umbrella regulator over the sectoral regulators, there is a greater need to make it not only independent and competent but also efficient and effective.
  • There is a need to set up an independent DPA, which can implement the Personal Data Protection Bill in an unbiased manner. It cannot appear to be under the direct command and control of the central government.

CONCLUSION: Maintaining a balance between informational privacy and the development of a strong digital economy is a truly challenging task, requiring a qualified and neutral body at the helm. India can unlock its true digital potential as a data market only with an independent DPA, and not by a regime that irreparably harms our constitutional values and citizens’ right to informational privacy.

Just add to your knowledge

HOW IS PERSONAL DATA REGULATED CURRENTLY?
·         It is regulated by the Information Technology Rules, 2011, under the IT Act, 2000.

·         It says that companies using the data are liable for compensating the individual, in case of any negligence in maintaining security standards while dealing with the data.

·         Issue:  IT rules were a novel attempt at data protection at the time they were introduced, the pace of development of the digital economy has shown its shortcomings. For instance,

(i)                  the definition of sensitive personal data under the rules is narrow

(ii)                some of the provisions can be overridden by a contract.  Further, the IT Act applies only to companies, not to the government.