Data protection and privacy have been issues of concern since the rise of digitalization and the excessive use of smartphones and the internet by individuals over the past decade.
The privacy of an individual is their human right, and this was reiterated in the case of Justice K.S. Puttaswamy (Retd.) vs Union of India, where the nine-judge bench unanimously recognized the importance of the Right to Privacy as an inherent part of Article 21 of the Constitution, i.e. the right to life and personal liberty.
Data breaches are a matter of national security, since they can threaten the safety and security of an individual along with the nation. Data theft can be used to toy with the sovereignty of a nation and can make it vulnerable.
Today, information is one of the most powerful tools that any authority can use against an individual in case of any malpractices. In order to regulate any discrepancies in the processing of user data by any data fiduciary or data processor, the Data Protection Bill was introduced in Parliament. Let’s observe its key features.
What is personal data?
Personal data is anything that contains the name, address or any sensitive information which can be taken advantage of if breached or misused and can put the security of an individual at risk.
Types of sensitive information as per the general and legal mandates are:
1. Personally Identifiable Information- Identity proof like an Aadhaar card, contact information, location or data which can distinguish one person from another.
2. Health Information- Medical insurance, history of check-ups, prescriptions and disease history collected by healthcare providers.
3. Financial Information- Bank or credit card details.
4. Educational records - Fee transcripts, grades, degree, etc.
A data breach can expose such sensitive information and can severely impact the personal security and safety of an individual.
Key Highlights of The Data Protection Bill, 2019:
2. Obligations of data fiduciary: Who is a data fiduciary? An authority, entity or individual who decides the processing of personal data and its transmission through various channels for the benefit of the data principal, i.e. the individual who entrusts that data to the data fiduciary. Certain limitations and guidelines for the collection and storage of data are laid down, such as the processing of personal and sensitive data for specific and lawful purposes only. Additionally, certain transparency and accountability safeguards should be taken, such as: (i) encrypting data and preventing misuse of user data, and (ii) addressing complaints of individuals through redressal mechanisms.
3. Rights of the individual: An individual who entrusts his data to a data fiduciary is a data principal. The data principal has the right to: (i) authenticate their personal data processing from the data fiduciary, (ii) update personal data, (iii) have personal data transferred, and (iv) restrict disclosure of their personal data by a fiduciary without consent.
4. Social media: Social media intermediaries like Facebook, Instagram and WhatsApp are foreign companies dealing with the user data of Indians, and the information shared on them is used by their AI. Such intermediaries, whose actions can have a huge influence on individuals' behavior and can impact electoral democracy or public order, are to be regulated as per the guidelines of the government.
5. Data Protection Authority: A regulatory data protection authority can be set up to: (i) protect the interests of individuals, (ii) prevent breach of data, and (iii) ensure compliance with the Data Protection Bill.
6. Transfer of data outside India: If an individual explicitly consents to the processing of sensitive personal data, then it may be transferred outside India, subject to certain conditions. However, the personal data of the individual would be stored in India, and the data notified by the government as critical can only be processed in India.
7. Exemptions: Through the provisions of the bill, the central government can exempt any of its agencies from liabilities as stated in the bill in cases where: (i) the public security, sovereignty and integrity of India is in question, and (ii) for preventing any act of sedition through a digital medium to incite hatred among the general public. The bill also provides exemptions in matters dealing with: (i) investigation or prosecution of an offence, or (ii) journalistic purposes. However, the processing of data must be for a lawful purpose.
8. Non-personal data and its use by government: Data fiduciaries may be directed by the government to furnish any anonymous or non-personal data (where identification of the data principal is not possible) for providing better services.
9. Amendments in other laws: The Information Technology Act, 2000 is amended, deleting the provisions for compensation for failure to protect personal data by the authorized company or personnel.
In the recent Kerala Sprinklr issue, the question that came up was whether personal data such as health care data can be transferred to a foreign company without the consent of the individual. If this issue is considered with respect to the Data Protection Bill, 2019, then some of the provisions of the proposed bill may be understood better.
The issue deals with the Kerala government sharing information with a US-based company, Sprinklr, as part of its COVID-19 mitigation effort. The Kerala government's contention, in response to the allegations of breach of privacy and data theft, is that the data has been physically stored within the borders of India and that, if a notice is sent to stop the services of the company, all the data will be erased by them.
The Data Protection Bill, 2019 is yet to become an act, which raises the question of what the scenario would have been had this situation occurred after the bill became an act.
According to Sec. 12(1)(e) of the proposed bill, the government has the authority to process personal data without the consent of the individual in order to take any measure to provide medical services in the course of an epidemic or any threat to public tranquility. The data can also be transferred to a third party for further processing as per Sec. 31.
As per the said provision, the information can be shared by the government in emergency situations where it can establish the necessity to process the data. The current global pandemic, which affects the healthcare system not only of India but also of the world, easily satisfies the criterion of necessity for offering and sharing the information for processing. But the loophole here is that the provision does not explicitly specify whom the government can authorize to process the data.
Another issue in question is whether sharing information with a foreign company is legal. The provisions of the proposed bill, i.e. Sec. 33 read with Sec. 34, make it legal for the government to share its information with foreign companies.
It does require the approval of the central government before any such transaction, but if we compare Sec. 12 with Sec. 33 we will find a significant difference between the two sections, since there is no such requirement of necessity in cross-border data transfer.
In the Kerala Sprinklr issue, the data fiduciary is the Kerala government and the data processor is Sprinklr. It can also be noticed that the bill does not extend any statutory liabilities to the data processor, but only to the fiduciary. That means that the liability of the processor is limited only by the contract signed with the fiduciary. Section 33 just states that, subject to the conditions laid down in Section 34(1), personal data may be shared outside Indian borders, while such data must continue to be stored within India.
There should be a statutory obligation on all who process and handle the data, and guidelines should be established for the handling of data by third parties. The bill tends to present loopholes, which are to be expected at the beginning stages of its drafting, but that does not give room for any compromise on the welfare of the public, and we shall also take into account the liability of the government to propose laws which are in compliance with the welfare of the general public.
Written by : Max Croson
Edited by : Arnav Mehra