India Today: New Delhi: Wednesday, August 01, 2018.
Data privacy has been a topic of raging national debate in our country in
recent times. Even before Facebook rocked the world (and people in the
homeland) with its Cambridge Analytica scandal, there was Aadhaar, the 12-digit
number that was introduced with the aim of giving an identity to billions of
unnamed and unidentified Indian citizens. That raised privacy issues, and a
need was felt for a data protection law in India.
As Aadhaar spread, privacy advocates began raising their concerns about the
safety of the data that was being collected. Some even claimed that the Unique
Identification Authority of India (UIDAI) number was being used by the
government as a tool of a surveillance state. And so a committee comprising a
group of experts led by Justice BN Srikrishna was formed on August 1, 2017, to
identify key issues related to data protection and recommend methods for
addressing them.
The committee came out with its white paper on a data protection framework for
India in November last year. And now, nearly a year after it was formed, it has
submitted its report to the Ministry of Electronics and Information Technology
along with a draft of a bill which, if approved in the monsoon session of
Parliament, will become the data protection law in India.
WHAT IS INSIDE THE DRAFT BILL?
The draft bill aims to protect the personal data of individuals and specify
where the flow and usage of personal data is appropriate. It aims to define the
rights of the individuals whose personal data is being processed and lay down
norms for the cross-border transfer of data, along with defining a structured
method in which organisations can process that data.
Technical jargon aside, what this bill does is specify the conditions under
which the personal data of individuals will be collected and how organisations
will process the data collected by them. Besides this, it also specifies how
the data can be collected and processed safely.
It also talks about setting up a Data Protection Authority that would oversee
the implementation of the suggestions prescribed by the draft bill on a
day-to-day basis.
WHEN AND WHO CAN COLLECT MY PERSONAL DATA?
The draft bill lists out a set of conditions that allow agencies or
organisations to collect data. These conditions include:
If consent is given: Individuals can give their consent to a person or an
entity to process their personal data, as long as the consent is free,
informed, specific, clear and capable of being withdrawn.
If the state demands it: Parliament or any State Legislature can collect
personal data of individuals if it is necessary for their functioning. Personal
data may also be collected if it is required for the issuance of a license or a
permit for an action or an activity by the state.
If the court demands it: Personal data of individuals may be collected if it is
required for the compliance of a court judgment or if it is mandated by the
law.
If there is an emergency: A citizen's personal data can be collected if it is
required in case of a medical emergency or for providing medical treatment or
health services to an individual during the outbreak of a disease.
If the recruiter wants it: Personal data may be collected by the employer for
purposes relating to employment such as termination, verifying attendance or
benefits sought by the employee, and assessment of performance.
For other reasonable purposes: Personal data may also be collected in public
interest, for prevention of fraud, mergers and acquisitions, recovery of debt,
and whistle-blowing, among other things.
The draft bill prescribes a different set of conditions to be met to collect
"sensitive personal data", which includes details such as an individual's
passwords, financial information, health information, sex life, sexual
orientation, biometric data, genetic data, transgender status, intersex status,
caste and tribe, and religious and political affiliations.
As per the draft bill, such information can be collected on the basis of
"explicit consent". While the state or the court can demand the collection of
such data, it can be protected with additional safeguards when repeated,
continuous or systematic profiling of such data is required.
BUT WHAT IS CONSENT?
The draft bill lays stress on the consent of the individuals for collecting
their personal data. As per the bill, the consent should be: free, which means
that a person should not be forced into giving approval for data collection;
informed, in that the individual should be provided with all the necessary
information about the data collection prior to it; specific, in that an
individual can give information specific to the requirement; clear, in that the
consent should be given in a way that is clear and leaves no room for doubt;
and lastly, capable of being withdrawn, in that an individual has the right to
withdraw his consent at any point.
DO I HAVE RIGHTS OVER MY DATA? IF YES, WHAT?
The draft bill gives four specific rights to individuals over their data. The
bill has been drafted in a way that would give greater control to individuals
to access and modify their data. Here are the data principal rights that
individuals have:
Right to confirmation and access: Individuals have the right to ask the
organisation collecting their personal data for the following: confirmation
that their personal information is being processed or has been processed, a
summary of the data collected, and a summary of the use of the personal data.
The agency will have to respond to the request with information in an easily
comprehensible manner.
Right to correction: Individuals can ask the organisation collecting their
personal data to correct inaccurate or misleading personal information, update
outdated information and complete incomplete data. Once the information has
been updated or corrected, the organisation will have to notify the individuals
about the update.
Right to data portability: Under this right, individuals can ask the
organisation or agency to send a copy of their collected data in an
easy-to-read structured format. The only exception is when complying with the
request would reveal a trade secret of the organisation or would not be
technically feasible.
Right to be forgotten: This right empowers individuals to withdraw their
consent at any point and ask that the data provided by the organisation not be
disclosed further. However, this would be possible only if the Adjudicating
Officer, to whom the individual will first have to make a request, decides that
the demands are fair.
WHERE IS ALL THE PERSONAL DATA STORED?
Many countries, including Russia, have laws that mandate that tech companies
operating on their land store the data collected there on servers within their
national boundaries. The draft of the data protection law proposes something
similar.
The draft proposes that organisations should store at least one copy of the
collected personal data of individuals on servers or data centres within India.
It further specifies the conditions under which the personal data can be
transferred outside the borders of the country.
Organisations can transfer such information outside India if they have the
individual's consent, or have received the approval of the Central government
or the Data Protection Authority.
WHO TAKES CARE OF THIS?
As mentioned earlier, the draft bill proposes the formation of a Data
Protection Authority (DPA) that would oversee the implementation of this law.
The DPA will consist of a chairperson and six whole-time members. The
chairperson and the members will be appointed by the Central government on the
recommendations made by a selection committee consisting of the Chief Justice
of India (CJI), the Cabinet Secretary and one expert nominated by the CJI.
WHAT HAPPENS IF SOMEONE DOESN'T FOLLOW THE RULES?
The draft bill proposes a range of penalties for various violations under the
act. A data breach can attract a fine extending up to Rs 5 crore or two per
cent of the organisation's worldwide turnover of the preceding financial year,
whichever is higher. On the other hand, if the organisation contravenes the way
in which personal data is processed, it can be fined a sum extending up to
Rs 15 crore or four per cent of its worldwide turnover of the preceding
financial year, whichever is higher. Similarly, if an organisation fails to
comply with a provision of the act for which no separate penalty has been
listed, it can be fined an amount of up to Rs 1 crore.
WHAT ABOUT AADHAAR?
The draft bill doesn't talk about Aadhaar at length. The only visible
information pertaining to Aadhaar is the way "sensitive personal information"
is recorded and processed. However, the draft bill does propose certain
amendments to the Aadhaar Act.
The draft bill, apart from tightening the grip of UIDAI over the civil and
criminal cases pertaining to Aadhaar, proposes to create an offline
verification system for Aadhaar numbers, The Caravan pointed out. The offline
verification system hopes to solve some issues related to online verification
by removing the requirement of using or storing biometric information. However,
it raises another red flag as it fails to define what constitutes "offline"
verification.
WHAT IS THE BUZZ ABOUT RTI?
The draft bill also proposes some amendments to the RTI Act which aim to strike
a balance between transparency and privacy by allowing public officials to
withhold details. The existing law says that personal information has to be
disclosed in public interest. The proposed amendments, on the other hand, look
towards balancing this if the individual concerned can be harmed by the
disclosure.
WHAT HAPPENS NEXT?
The draft bill will first be examined by the IT Minister Ravi Shankar Prasad
before it is tabled in the Parliament for voting. To become a law, it will have
to gain approval by a majority of the parliamentarians in both the upper and
lower houses of the parliament. At the same time, given that the draft has been
made public, there could be some inputs from stakeholders, experts and privacy
advocates on it. It is not certain that the government will take the inputs
into account and modify the draft bill, but at this stage the possibility of
that happening exists.