A private member bill tabled recently ticks most of the boxes that one would expect from a strong data privacy law
Public discourse around data privacy is probably at its zenith in India today. In the Supreme Court, a nine-judge bench is hearing arguments to decide whether the right to privacy is part of the right to life of an individual under Article 21 of the Constitution. Meanwhile, member of Parliament Baijayant “Jay” Panda tabled the Data (Privacy and Protection) Bill, 2017 in the Lok Sabha recently, proposing the right to privacy as a fundamental right for Indian citizens.
This is not the first time a Bill proposing such a right has been laid down in Parliament. As a matter of fact, Panda himself had presented a Bill dating back to 2009, titled The Prevention of Unsolicited Telephonic Calls and Protection of Privacy Bill, which aimed at prohibiting unsolicited telephone calls by business promoters or individuals to persons who didn’t want to receive such calls. It stated that every person shall have the right to privacy and freedom to lead and enjoy his life without any unwarranted infringement. Apart from Panda, Rajeev Chandrasekhar (2010), Vivek Gupta (2016) and Om Prakash Yadav (2016) have in the past introduced Bills pertaining to citizen data privacy.
Whether it will break the impasse among the legislators this time will be clear in due course, but the fact that it is already on the table would be heartening to data privacy activists as well as citizens. The Supreme Court previously interpreted that Article 21 does not contain the right to privacy. In light of the need to secure private citizens’ data, Panda’s private member bill is a welcome step but one that will have to stand legal scrutiny.
One of the primary differentiators is that the Bill has defined terminologies as well as “processes” like data processing, and profiling of individuals. Clarity of definitions is one of the main areas of concern around laws in India, as definitions have often been misused for enforcing the state’s authority by encouraging sweeping generalizations. Section 66A of the Information Technology Act, which was repealed by the Supreme Court in 2015, is one of the most recent examples of this. This Bill, however, follows a rights-based approach and mandates the consent of an individual for collection and processing of personal data. It states that the final right to modify or remove personal data from any database, whether public or private, rests solely with the individual. More importantly, the “exceptions” against this right are defined narrowly, providing for a case-by-case consideration.
This Bill introduces two separate categories under the umbrella of data intermediaries as defined by the IT Act (2000). Data collectors and data processors have been differentiated and the Bill mandates that they shall collect, store or access personal data in a lawful and transparent manner. Placing the issue of data security due to breaches on a higher pedestal, it lays an obligation on data intermediaries to implement necessary security measures to ensure the security of data collected. Further, in case of a data breach, the Bill requires data intermediaries to inform individuals in a fixed time frame. It also mandates the creation of an end user-facing position of data protection officer for grievance redressal, with a provision for appeal to the Data Privacy and Protection Authority (DPPA). This is undoubtedly the most important aspect of the Bill, as it allows individuals to file grievances against private as well as government bodies against any breach of privacy.
A perpetual pain point in all proposed data privacy Bills till date—lawful interception and surveillance by the state for the purpose of national security—has been addressed in detail. It lays down the list of exceptions, identifies a competent authority to approve such an act and defines the responsibility of state institutions involved in such acts.
All such acts would be under the purview of DPPA and not under any ministry or judicial authority as seen under existing laws. The Bill authorizes the DPPA to penalize, imprison and order compensation for losses suffered by individuals against private as well as government institutions involved in data collection or processing. The DPPA will also actively engage in impact assessment, consultation and inspection. However, it would be prudent that such tasks are assigned to other agencies as it may lead to a conflict of interest.
While the Bill touches base with new technological developments, it skips the pressing issue of data sovereignty—the practice of subjecting information to the jurisdiction of data privacy laws on the basis of geographical boundaries. Today, data is moving seamlessly across continents, with no ownership over its storage. Unless explicitly specified, Indian IT laws are not applicable to data stored outside India and data intermediaries can claim immunity from provisions of this Bill by exploiting this loophole.
The larger issue, however, is that of abuse of such data by countries where it is stored. With the European Union planning to enforce its General Data Protection Regulation (GDPR) that defines data privacy requirements at a geographical level by May 2018, it would be in our national interests to address this aspect as well.
In its present form, the Bill ticks most of the boxes that one would expect from a strong data privacy protection law. The time for a data privacy law has definitely dawned upon us and one can only hope that this Bill—the poor past record of private member Bills notwithstanding—will become law.
Kazim Rizvi and Ranjeet Rane are with The Dialogue, an online public policy analysis portal.