Data (Privacy and Protection) Bill, 2017: What To Expect

Update: 2018-03-27 11:22 GMT


As digitization increases, large volumes of data are generated and there are no measures to safeguard the privacy of this data nor regulate data retention by the platforms collecting it. Hence, we are in need of a strong data protection law.

In the new media age, privacy has become a fiercely debated topic. In India, we observe that with the ongoing Aadhaar case in the Supreme Court, a new common discussion has started around the issue of digital privacy and where the law currently stands on this subject.

The debate on privacy and data protection has become a burning issue as the constitutional bench of nine judges, headed by the Chief Justice of India, is set to decide whether the right to privacy is a fundamental right, and a committee headed by Justice B. N. Srikrishna, former judge of the Supreme Court, has been constituted to suggest a draft Bill on data protection. It must be noted that it is this series of important events that may contribute to India’s focus on data protection and the Data (Privacy and Protection) Bill, 2017.

Advocate Prashant Mali is a Bombay High Court Lawyer. His area of practice is Cyber Law & Privacy. He is the Founder-President of Law Firm Cyber Law Consulting (Advocates & Attorneys).

What is Data Privacy and Data Protection

A privilege to ensure one’s information online constitutes information security. Such information could either be about an individual, undertaking, or even a government. Following the definition of personal data laid down by the European Union’s data protection guidelines, “Information concerning an identified and identifiable natural person” covers the scope of personal data. Hence, if we follow this definition, the personal information provided by individuals during biometrics would be included. But data put out through biometrics or for economic purposes remains at risk in India since no legislation has been chalked out to protect such personal data.

Where It All Started

Recently, in the Lok Sabha, Member of Parliament Baijayant “Jay” Panda tabled the Data (Privacy and Protection) Bill, 2017, proposing the right to privacy as a fundamental right for Indian citizens.

This is not the first time a Bill proposing such a right has been laid down in Parliament. As a matter of fact, Panda himself had presented a Bill in 2009 titled “The Prevention of Unsolicited Telephonic Calls and Protection of Privacy Bill”, which aimed at prohibiting unsolicited telephone calls by business promoters or individuals to persons who didn’t want to receive such calls. It stated that every person shall have the right to privacy and freedom to lead and enjoy his/her life without any unwarranted infringement. Apart from Panda, Rajeev Chandrasekhar (2010), Vivek Gupta (2016), and Om Prakash Yadav (2016) have in the past introduced Bills pertaining to citizens’ data privacy.

What The Data (Privacy And Protection) Bill, 2017 Portends

Data protection is a daily part of our lives. We come across data protection issues at work, when browsing the Internet, while dealing with public authorities, when shopping, when booking online tickets, etc. As digitization increases, more and more data is being captured. How this data is used and held is becoming increasingly important.

The Data (Privacy and Protection) Bill, 2017

1. Proposes Right to Privacy as Fundamental Right of citizens
2. Follows a right-based approach and demands the consent of individuals for collection and processing of personal data
3. Gives final right to modify or remove personal data from any database, whether private or personal, solely to an individual
4. Includes data collectors and data processors (defined) who ensure that they collect and process data in a lawful and transparent manner
5. Creates obligation on data intermediaries to implement security measures to ensure the security of the data collected
6. Lays down that in case of data breach, data intermediaries are mandated to inform individuals in a fixed time period
7. Promotes creation of an end user-facing position of data protection officer for grievance redressal, with a provision for appeal to the Data Privacy and Protection Authority (DPPA)
8. Allows lawful interception and surveillance by the state for the purpose of National Security
9. Authorizes DPPA to penalize, imprison, and order compensation for losses suffered by private individuals against the government or any other private institution
10. May also engage in impact assessment, consultation, and inspection by the DPPA

Recent Developments

The Ministry of Electronics and Information Technology released a white paper by a “committee of experts” led by former Supreme Court judge, Justice B. N. Srikrishna, on a data protection framework for India.

The government had sought public comments till December 31, 2017 on the white paper, which is aimed at securing digital transactions and addressing customer and privacy protection issues.

Public discourse around data privacy is probably at its zenith in India today. As digitization increases, large volumes of data are generated and there are no measures that safeguard the privacy of this data nor regulate data retention by the platforms collecting it. Hence, we are in need of a strong data protection law.

Data Privacy Law Has To Be In Tandem With The Aadhaar Act

LEGAL ERA MAGAZINE speaks to Advocate PRASHANT MALI, BOMBAY HIGH COURT, about data privacy, data security and everything in between

LE: According to you, what is the basic meaning and purpose of the Data Protection Bill, 2017?

This Bill grants a statutory Right to Privacy under Section 4. However, this Right to Privacy is only pursuant to Articles 19 and 21. While a statutory recognition of the Right to Privacy may be applauded for being a baby step in the right direction, it will have to pass the test of reasonable restrictions when it is codified. The Bill aims to define and protect the right to digital privacy and to constitute a Data Privacy Authority to protect personal data. This Bill is an attempt at empowering citizens with this right.

LE: Do you feel that the Privacy Bill is in favor of the masses or do you think it is a political and industrial gimmick? What is the territorial scope of the Privacy Bill, 2017? What about extraterritorial application of data protection laws in India as far as the Bill is concerned? What categories of exemption can be incorporated into the data protection law?

The law must have extra-territorial effect with respect to data of Indian residents, and must provide appropriate redress mechanisms for privacy violations outside India if the infringer has a business presence in India. The applicability of the law should be extra-territorial, as it is as of now: the penalties and liabilities prescribed under Sections 43A and 72A of the IT Act have also been given extra-territorial applicability and would apply to contraventions committed by non-Indian companies, irrespective of the nationality of the data subject whose information is collected, processed or transferred. While the practical enforcement of penalties against a company is unlikely where such company has no presence in India, authorities may resort to other means, including blocking access to servers or networks located in India in the event of repeated and significant contraventions or failures by a company to comply with obligations under the Privacy Rules. Data already in the public domain, anonymous data, data on deceased persons, journalistic data, research data, historical data, data related to investigation, data related to national security etc. should be exempt.

LE: What are your views on cross-border transfer of data?

I feel that transfer can only be to countries with a similar or comparative level of data protection laws or having explicit treaties with India. The bill is silent on the issue of data sovereignty, which has become a persistent issue in the wake of technology enabling seamless moving of data across international borders. Covering this lacuna along with addressing the collateral issue of data storage only can make it a comprehensive privacy bill. Well defined provisions against the contractual determination of governing law, jurisdiction and dispute resolution may be considered to ensure that foreign entities comply with Indian law, and do not find ways of working around it by way of contracts or by other means.

LE: Currently, there are a variety of laws in India which deal with processing of data, including personal data and sensitive personal data. These laws operate in various sectors, such as the financial sector, health sector and the information technology sector. Should these laws be inspected and suitably amended before passage of the Data Protection Law, 2017?

All regulators currently have a mandate for Privacy, in fact I have written a whole research paper around it in the current issue of NUJS, International Journal of Law & Privacy. I feel this Data Protection Law, 2017 or 2018 or 2019 whenever it is incarnated should supersede The IT Rules, The Telecom Act & all other Regulatory Privacy rules of all sectors. I feel the Aadhaar Act has more privacy provisions than any other laws, how will they complement the new law is also to be seen.

LE: Do you think that the law will break the impasse among legislators this time?

I am personally optimistic but the experience of legislators legislating and the history of the same bill since 2006 is disheartening. Even though PM Modi and the Law minister have taken all the right steps towards formulation of public opinion for the bill, I feel the intelligence agencies and opposition political parties find no grounds for the Law being made. I also feel defining Privacy would be a herculean task for parliamentarians, moreover adding reasonable restrictions to the same would be another issue. I wish the Hon. SC could have defined “Privacy” in its last Right to Privacy Judgment then things could have been easy. I personally feel Privacy would be like an obscenity which gets defined differently in different decades.

LE: With Section 33(2) of the Aadhaar Act, the state can cite 'national security' and access identity information and authentication records of citizens. Isn’t this a blurring of lines between 'data security' and 'privacy'?

Yes! It is. Data Privacy law has to be in tandem with Aadhaar Act and the state would take this stand. If you look today as well, all states invade citizens’ privacy under the garb of National Security. Section 33(2) of the Aadhaar Act is no different. I feel, as India is drafting a brand new Law, it can take precautions to balance between Privacy, National Security & Criminality.

LE: What according to you should be the safety guidelines for privacy and people? With advancing technology and easy availability of the data, how strict should be a privacy law in the country to control disruption? Your opinion please.

I strongly feel the last section of the Bill should have mentioned about the state’s role in providing “Privacy literacy” related awareness and education to Indian citizens. I feel until any state doesn’t inculcate Privacy culture among data users and make them aware about safeguards, they will remain vulnerable. India is seriously late to protect its data. We may be serious and may bring a law but are deficient and yet not ready with technology to implement the same. The architecture must address the following questions: how people give consent, how their data is released, how it is stored and encrypted? When that data is given to another party for use, what are the criteria for usage? Implementation of the said law cannot be overnight, it would need timelines and meticulous planning in the Indian context.

Disclaimer – Statements and opinions expressed in this article are those from the editorial and are well researched from various sources. The content in the article is purely informative in nature.

