Analysis of the draft Data Privacy and Protection Bill (2017)

79

Baijayant Panda, Member of Parliament from Orrisa introduced the Data Privacy and Protection Bill last month in the parliament as a private Bill. The Bill rather provides the much-needed impetus to the discussion and dialogue surrounding the right to privacy of individuals. This is in the backdrop of the case in the Supreme Court’s 9-judge constitutional bench regarding the right to privacy and by extension Aadhar (UIDAI). While the bench is looking at right to privacy at a larger context, this Bill is aimed at data privacy alone.
Precedents and History

The very first instance of legal Data Protection was introduced in the US, where the US Privacy Act 1974 was passed in the context of the federal government. 40 years later, Privacy International reported that over 100 plus countries have legislation on this matter in some form or the other. Among the most comprehensive ones is by the European Union, despite its lack of relevance in today’s technology driven world. In the case of the United Kingdom, data protection is legally recognised as a right under its national legislation, which itself is being reviewed to align with the European Union’s Framework.

Despite the Indian constitution not providing any significant guidelines or rules surrounding the matter, the judiciary has on numerous occasions interpreted the concept in many ways, clearly indicating that the right is not absolute and subject to national security considerations. These were ruled upon the basis of IT Act of 2002, Indian Telegraph Act 1885, which provided for extraction of data without consent in such matters. In cases of state surveillance or lawful interception of data, for national security or public good considerations, the only safeguard provided was that such an act of data interception would occur only after the approval of a senior officer as laid down by the respective acts. These acts have failed to synchronise with the modern-day advances in cyber security threats as well as processing of individually verifiable data without safeguards or consent of individual. IT Act (as amended on 2008) provides for protection against breech of sensitive data privacy (e.g. Voyeurism) as well as penalties for offenders. Beyond ensuring privacy, the IT Act 2008 does not clearly codify the processes behind data protection, transfer, data processing etc.

Right to Data Privacy Legislation, a necessity?

Despite the existence of other legislations that cover aspects of Telephones, Cellular Data, IT, etc. the natural question that needs answering is to identify if a new legislation is required. The precedent set by jurisprudence in India in cases surrounding the matter, the interpretation is highly subjective. Additionally, questions can be raised on the important judgements when a section of the bench have voiced different opinions on the matter, indicating divergence in interpretation. Despite varied interpretation, there is a common consensus from the judiciary in favour of a new legislation to concretely codify privacy. This is further reinforced by a study by United Nations Conference on Trade and Development, the results of which are shown in Figure.

DPR2

Beyond the impact of judgements, the economic cost of data loss/theft, lack of security measures is extremely high. Several Anti-Virus service providers have predicted a sharp rise in attacks originating from China and Nigeria in the last couple of years, which in turn cannot be easily prosecuted on Indian soil. Beyond fraud, the number of incidents of user data leakage have increased with every passing year. Beyond international leaks of Sony, Snapchat, Yahoo, etc., the incidents within India have also increased. The latest leaks include private entities like Zomato, Reliance Jio as well as Government’s UIDAI (Aadhar).
Objectives of the Proposed Bill
The Bill aims to define and protect the right to digital privacy and to constitute a Data Privacy Authority to protect personal data. This Bill is an attempt at empowering citizens with this right, which is already recognised by several other nations. So far, the massive user-base of social media platforms have only been protected by Privacy agreements signed with respective players in accordance with United States laws, grievance redressal for which remains a herculean task. It therefore becomes vital to define the extent of privacy as well as methods to identify data leakages, protection and monitoring mechanisms.
Establishing the Right to Privacy
The Bill empowers the citizen with the right to privacy. From making consent a necessity, it further provisions to determine the nature of data stored, altering or rectifying existing data. Additionally, it mandates that the data is stored in a secure form yet in universal standard to ensure portability across service providers.
Standard-Operating-Procedures(SOP) for Data Collection, Transfer & Storage
The onus of ensuring secure data storage as well receipt of consent from the user is on the data storage provider. Additional provisions are also well defined in the case of minors, the disabled as well as in the case of health and judicial matters. Also, the Bill places timelines during which data can be stored, apart from safeguards against sharing of data to a 3rd party, especially in the case of cross-border entities.
National Security Implications
Apart from merging the interests of national security as outlined in the other Bills, this Bill lays out provisions under which surveillance of individuals or groups could be undertaken legally, in cases of security, law enforcement, and other allied activities.
Safeguards & Constitutional Authority
This Bill overrides the existing penal conditions laid out in the IT Act, Telecom Regulatory Authority of India Act, 1997. Punishments and penalties are well defined for offences related to personal data, sensitive personal information, breach of confidentiality, apart from contravention of orders passed by the competent authority setup in accordance with the act.
Regulatory Structure proposed by the Bill
The setup of a Data Privacy and Protection Authority (DPPA) is proposed by this Bill, the constitution of which is similar to other code of civil procedure empowered tribunals but has equal representation between legal and technical experts to rule on the numerous cases that may be brought before its purview. As a matter of appeal, the disputes are referred to the Telecom Disputes Settlement Appellate Tribunal. Beyond ruling of disputes, the authority is also mandated with consultation on enhancing the concept of data privacy via consultations as well as inspection of data controllers and processors.

Way forward

While the likelihood of the Bill passing seem grim considering that it is not government backed, it still ensures enhanced public debate and understanding of the relevant issues, rights and direction for legislation of such a Bill.