Data:

Includes a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means;[1]

Personal Data:

Means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling[2]

Origin And The Need For A Data Protection Law In India

The right to privacy has been established by the Supreme Court as a fundamental right under article 21 in its landmark judgement in the K.S Puttaswamy case.[3] This normative foundation of the proposed personal data protection framework is true to the ratio of the judgment of the Supreme Court of India in Puttaswamy[4]. In this judgement the supreme court has explicitly mentioned about a data protection framework which should be undertaken by the state, which encompasses the values of privacy coupled with other values.[5]

The instances of data leaks in India are rising day by day and all this information is being sold online.

Some of such famous leakages are:

• The Facebook Cambridge Analytic Scam [6]
• Personal information leaked on McDonalds delivery app [7].

In the backdrop of these circumstances, an expert panel headed by former Supreme Court judge Justice B.N. Srikrishna was set up as it was necessary to form a legal framework as suggested by the court to protect such data privacy of the users in India.

The existing framework for data privacy in India is the IT Act 2000. Even Though it contains a few provisions namely s 43A, 69, 72, and 72A for data protection, it is not completely robust for the present technological era and might not be enough to tackle such issues now and also in future. Although novel attempts for data protection at times were introduced, the pace of development of the digital economy has made it inevitable that some shortcomings have become apparent over time.[8]

So the personal data protection bill 2019, comes on the heels of similar legislation being introduced in other countries that seek to enshrine the right to privacy of citizens in a digital age where companies seek to track every parcel of information of citizens for their own gain.

What Does This Bill Cover
The Personal Data Protection Bill, 2019 restricts the transfer of Sensitive Personal Data outside India,[9] but gives an exemption where it can be stored outside India subject to the approval of the Data principal The conditions where the data could be transferred out side India are also given under the Bill.[10] This Bill aims to address the concern of data being transferred outside India by Localizing the data this move had stirred a debate and many corporates demanded that government needs to adopt a fine balance between commerce and privacy.

The current bill addresses this concern of data localization and relaxes the norms for cross border data transfer.[11] Data protection The data protection authority established under the act has the duty to monitor this cross border data transfer.[12]

Though the transfer of critical data is still primarily banned, exemptions in this clause for health and emergency service have been introduced, in addition to this central government may authorize such persons as in Section 34(2)(b) of the bill where the data may be transferred to if this data transfer is not prejudicial to the interests of state and is not a threat to national security.

The processing of personal data can be done only with the consent of the data principal, but here also there exist few exemptions in the bill that allow the personal data to be processed without consent.[13] Government can process the data with no consent from the data principal in 6 ways that, these include providing medical assistance, services in the time of disturbed public order, issuing any license, etc.

De Merits Of The Bill

The state in the mask of surveillance cannot prevent the citizens from acting or thinking freely. This position was settled in Puttaswamy and PUCL v. UOI judgments. The one part of the data protection Bill is making the state liable if any agency processes data without the consent of data fiduciary[14] but on the other hand, the act is entrusting the power on central govt to exempt its agencies from application of the act[15]. This shows the shifting of the principle from the king can do no wrong to King can be exempted (from liability) to do wrong.

It is very pertinent to look into Data Protection Bill in the wake of recent Pegasus allegations Central govt. The central govt desisted from submitting any details to SC which answers the question whether Pegasus spyware was acquired by Union of India just by citing national security.[16] Under Section 5(2) of Telegraph act, the central government is empowered to intercept the messages with the condition precedent of any public emergency[17] and Section 69 of Information Technology Act provides broad powers for central government to intercept the data.[18]

Now the question which can be raised here is not Whether Pegasus surveillance was in accordance with the principles of IT Act but whether central govt can empower a foreign entity like Israeli NSO to conduct surveillance on Indian Citizens. Under 69 of IT Act, the Indian government can issue directions to intermediaries to intercept, monitor or decrypt the information[19] and Section 2(w) of IT Act defines intermediary as the person who stores or receives the data like telecom providers, online payment sites etc but not foreign agencies like Israeli NSO. So clearly Israeli NSO does not fall within the ambit of Section 69 of IT Act, 2000. So the central govt is not empowered under the existing laws to direct foreign private entities who are not intermediaries to gain illegal access and to conduct surveillance.

But the central government under section 37[20] of Data Protection Bill, 2019, it can exempt the application of this act for any foreign company to conduct surveillance or to process the data. So the foreign companies like NSO can collect, store and use data[21] even without the consent of individuals as the foreign companies can be exempted from application of this act by the central government.

Also Section 35 gives unbridled powers to central govt agencies from the entire act by exempting certain agencies from application of this act. The grounds for exemption under Chapter VIII are Security of the state and Public order which are very broad in nature. BN Sri Krishna committee had just included the security of state as an exemption considering public order as very broad ground but the central government in the draft 2019 bill included public order as one of the ground for exempting state agencies and empowering foreign companies from application of this act.

The SC itself in Ramlila Maidan Incident Dt v. Home secretary case stated that the distinction between public order and Law & Order is nevertheless clear.[22] Providing exemption only on the ground of security of state meant that it could only be used when the country was under threat but providing an unambiguous ground like public order which may lead to misuse by the government in many cases.

Section 110 of UK Data Protection Act, 2018 is providing exemptions from the application of the Act only on the grounds of National Security.[23] and they haven't extended the grounds to public order. Even for National Security, a certificate need to be issued by a minister of the crown under Section 111[24] and they can also appeal to the tribunal against that certificate where the tribunal could monitor whether the granting of that certificate is in proportional to the need for that certificate which was laid down in Puttaswamy judgment but in India there was no such mechanism or regulation for exempting the government agencies.

As there exists unfettered power for the government to exempt to the government agencies from any provision of the act under Section 35.[25] There must be certain procedure or detailed reasons how and why the government wants to exempt such government agency. Section 12 of the bill is also on the same footing which needs to harmonize the privacy of the individuals and the powers of government to process the data with no consent.

End-Notes:

1. Personal Data Protection Bill, 2019, § 3(11).
2. Personal Data Protection Bill, 2019, § 3(28).
3. K.S Puttaswamy v. Union of India, (2017) 10 SCC 1.
4. B.N Srikrishna Committee Report, A Free and Fair Digital Economy Protecting Privacy, Empowering Indians" p.10.
5. K.S Puttaswamy v. Union of India, (2017) 10 SCC 1, Para 179.
   "Formulation of a regime for data protection is a complex exercise which needs to be undertaken by the State after a careful balancing of the requirements of privacy coupled with other values which the protection of data sub-serves together with the legitimate concerns of the State"
6. Cambridge Analytica and Facebook: The scandal and the Fallout so far.
7. In India, in early 2017 it was reported that personal information(2.2 million users) from McDonald's delivery app was leaked due to inadequate security features, See McDonald's India delivery app ‗leaks users data', BBC News (20 March 2017) available at https://www.bbc.com/news/technology-39265282 (last accessed on 29 Nov, 2021).
8. B.N Srikrishna Committee Report, "A Free and Fair Digital Economy Protecting Privacy, Empowering Indians" p. 7. "For instance, the definition of sensitive personal data is unduly narrow, leaving out several categories of personal data from its protective remit; its obligations do not apply to the government and may, on a strict reading of Section 43A of the IT Act, be overridden by contract. The IT Act and SPD Rules have also suffered from problems of implementation due to delays in appointments to the adjudicatory mechanisms created under the IT Act"
9. Personal Data Protection Bill, 2019, § 33
10. Personal Data Protection Bill, 2019, § 34.
11. Reserve Bank Information Technology Pvt Ltd, Analysis of Personal Data Protection Bill (2019), 2, https://pub.rebit.org.in/inline-files/ReBIT_PDPBill2019_Analysis.pdf
12. Personal Data Protection Bill, 2019, § 19(2)(g)
13. Personal Data Protection Bill, 2019, § 12.
14. Personal Data Protection Bill, 2019, § 85.
15. Personal Data Protection Bill, 2019, § 35.
16. https://main.sci.gov.in/supremecourt/2021/16884/16884_2021_1_1501_30827_Judgement_27-Oct-2021.pdf Manohar Lal Sharma v. Union of India, MANU/0989/SC/2021.
17. The Telegraph Act, 1885, § 5(2).
18. The Information Technology Act, 2000, § 69.
19. The Information Technology Act, 2000, § 69(3).
20. Personal Data Protection Bill, 2019, § 37.
21. Personal Data Protection Bill, 2019, § 2(31).
22. Ramlila Maidan Incident v. Home Secretary, Union of India (2012) 5 SCC 1
23. The Data Protection Act (UK), 2018, § 110.
24. The Data Protection Act (UK), 2018, § 11.
25. Dissent by the Jairam Ramesh before the Joint parlamentary Committee.