- It is worth asking why the government would need to hack phones and install spyware when existing laws already offer impunity for surveillance.
- This unsettling query arises on the basis of reports emerging from a collaborative investigation by journalists from around the world, including from India’s The Wire, titled the ‘Pegasus Project’.
- Reports say that over “300 verified Indian mobile telephone numbers, including those used by ministers, opposition leaders, journalists, the legal community, businessmen, government officials, scientists, rights activists and others”, were targeted using spyware made by the Israeli firm, NSO Group.
- GS Paper 3: Challenges to Internal Security through Communication Networks, Role of Media and Social Networking Sites in Internal Security Challenges, Basics of Cyber Security.
- The proposed legislation related to the personal data protection of citizens fails to consider surveillance. Critically examine. 15 Marks
Dimensions of the Article:
- About Data Protection
- Data protection and India
- Key features of Data protection framework as provided by Sri Krishna Committee:
- Key provisions of Draft Personal Data Protection Bill 2018
- Positive impact of the bill
- Issues with the bill
- Way Forward
About Data Protection
- Data protection is the process of protecting data and involves the relationship between the collection and dissemination of data and technology.
- It aims to balance individual privacy rights with the legitimate need to use data for myriad purposes.
- It is required because the volume of data on the internet is expanding exponentially, and the spread of new technologies such as artificial intelligence, the Internet of Things and big data poses a growing threat of abuse and misuse of data.
- Any data protection framework should secure data in its entire life cycle – Data Collection, Data Processing, Data Use, Data Sharing, Data Destruction.
- Several countries have dedicated laws for data protection, such as Japan’s Act on Protection of Personal Information. Recently, the European Union adopted the General Data Protection Regulation (GDPR), in force since 2018.
Data protection and India:
- India has around 40 crore internet users and 25 crore social media users who spend significant time online. The average cost of a data breach in India has risen to Rs. 11.9 crore, an increase of 7.9% from 2017.
- The Supreme Court, in the K.S. Puttaswamy case, declared the Right to Privacy a Fundamental Right. Hence protecting individual privacy is a constitutional duty of the state.
- India does not have a dedicated legal framework for data protection. Presently, a few acts cover data protection only in general terms.
- Section 43A of the Information Technology Act, 2000 protects user data from misuse, but it applies only to corporate entities and not to government agencies. Also, the rules are restricted to sensitive personal data only (medical history and biometric information, among other things).
- Other acts, such as the Consumer Protection Act, 2015 and the Copyright Act, 1957, also attempt to protect personal information.
- Various attempts at data protection include:
  - In 2011, the Justice A. P. Shah Panel on data privacy recommended principles for data protection.
  - In 2017, a data privacy and protection bill was tabled in Parliament.
  - Recently, the Telecom Regulatory Authority of India (TRAI) issued its guidelines for data security.
  - The Justice B. N. Sri Krishna Committee was constituted to prepare a framework for data protection and a draft bill, and submitted its report recently. Based on the framework, the committee has also prepared a Draft Personal Data Protection Bill 2018.
Key features of Data protection framework as provided by Sri Krishna Committee:
- Fiduciary relationship: The relationship between the individual and the service provider must be viewed as a fiduciary relationship. Therefore, the service provider processing the data is under an obligation to deal fairly with the individual’s personal data, and use it for the authorised purposes only.
- Definition of personal data: It defined what constituted personal data as data from which an individual may be identified or identifiable, either directly or indirectly. It sought to distinguish personal data protection from the protection of sensitive personal data (e.g., caste, religion, and sexual orientation of the individual), since its processing could result in greater harm to the individual.
- Consent-based data processing: consent is required for processing, except in these four cases:
  - where processing is relevant for the state to discharge its welfare functions
  - to comply with the law or with court orders in India
  - when necessitated by the requirement to act promptly (to save a life, for instance)
  - in employment contracts, in limited situations (such as where obtaining consent would require an unreasonable effort from the employer)
- Ownership of personal data: through rights such as right to access, confirm & correct data, right to object data processing and right to be forgotten.
- Regulatory authority: to inquire into and take action against any violations of the data protection regime. It may also categorise certain fiduciaries as significant data fiduciaries based on their ability to cause greater harm to individuals which will then be required to undertake additional obligations.
- Amendments to other laws: Minimum data protection standards should be adhered to for all data processing in the country authorized under various laws such as Information Technology Act, Census Act etc.
Key provisions of Draft Personal Data Protection Bill 2018
- Objective: To balance the growth of the digital economy and use of data as a means of communication between persons with a statutory regime that will protect the autonomy of individuals from encroachments by the state and private entities.
- Rights of the individual: The Bill sets out certain rights of the individual. These include: right to obtain confirmation from the fiduciary on whether its personal data has been processed, right to seek correction of inaccurate, incomplete, or out-of-date personal data, and right to have personal data transferred to any other data fiduciary in certain circumstances.
- Obligations of the data fiduciary: include implementation of policies with regard to processing of data, maintaining transparency with regard to its practices on processing data, implementing security safeguards (such as encryption of data), and instituting grievance redressal mechanisms to address complaints of individuals.
- Data Protection Authority: to protect interests of individuals, prevent misuse of personal data, and ensure compliance with the Bill.
- Data localization: It mandates that the data fiduciary store at least one copy of personal data in India.
- Grounds for processing personal data: The Bill allows processing of data by fiduciaries if consent is provided except certain circumstances as provided in the framework.
- Grounds for processing sensitive personal data: explicit consent of the individual is required for processing of sensitive personal data, except where necessary for any function of Parliament or a state legislature, for providing benefits to the individual, or for compliance with any court judgement.
- Definition of sensitive personal data: It includes passwords, financial data, genetic data, caste, religious or political beliefs, or any other category of data specified by the Authority.
- Transfer of data outside India: Personal data (except sensitive personal data) may be transferred outside India only where the central government has prescribed that transfers to a particular country are permissible, or where the Authority approves the transfer.
- Exemptions from compliance: It also gives exemptions for processing of personal data for certain purposes, such as journalistic activities, law enforcement, security of state.
- Offences and Penalties: The Authority may levy penalties for various offences by the fiduciary including failure to perform its duties, data processing in violation of the Bill, and failure to comply with directions by the Authority. For example, under the Bill, the fiduciary is required to notify the Authority of any personal data breach which is likely to cause harm to the individual failing which can attract a penalty of the higher of Rs 5 crore or 2% of the worldwide turnover of the fiduciary.
- Amendments to other laws: The Bill makes consequential amendments to the Information Technology Act, 2000 and RTI Act to permit nondisclosure of personal information where harm to the individual outweighs public good.
- Recognises privacy as a fundamental right: It has provisions to protect personal data as an essential facet of information privacy.
- Monitoring provisions: Requirements of conducting Data Protection Impact Assessments, audits and appointing a Data Protection Officer are also included in the bill. There should be a periodic review to check if continued storage of data is necessary.
Positive impact of the bill
- The law will create the balance between the rights of the individual and the public good that comes from the digital economy.
- So far there is no dedicated framework for data protection across the country. The proposed law will help create a data security architecture and protect the personal information of citizens.
- The bill will put a check on state surveillance of citizens and help protect them from being victimized by the state.
Issues with the bill
- There is no clarity on what kind of security standards should be followed by the data fiduciary.
- There are multiple standards being followed as of now. For example, payment companies that deal with financial data follow PCI-DSS (Payment Card Industry Data Security Standard), while health firms globally follow HIPAA (Health Insurance Portability and Accountability Act).
- The regulation may discourage people from using the internet and social media, as reflected in the case of the EU’s General Data Protection Regulation (GDPR), which mandates that every EU citizen’s data be stored within the EU. Facebook and Twitter have noted a drop in their revenue and visitor numbers.
- It does not clearly define the government’s accountability when it processes personal data of users without their consent.
- The bill also does not define the time frame for periodic review and frequency of data security audit of companies as well as for reporting of personal data breach at the fiduciary’s end.
- Issues with data localization:
  - There is no evidence that data localization leads to better privacy and security of data.
  - The industry will have to incur additional costs, given that the bill proposes that companies ensure the storage of at least one copy of personal data on a server or data centre located in India.
  - Keeping a copy in India does not really guarantee against a breach of security or privacy. There have been cases of government beneficiaries’ data residing on servers in India being published, in violation of the Aadhaar Act.
- The bill seeks to replace Section 8(1)(j) of the RTI Act, 2005, which may lead to denial of information on vague grounds such as loss of reputation or mental injury, and will render the Act ineffective in securing access to public records pertaining to public servants.
- The exemption on the ground of security of state may be too broad and may lead to surveillance and systematic access to citizens’ data by the state.
- Surveillance reform is the need of the hour in India. Not only are existing protections weak, but the proposed legislation related to the personal data protection of Indian citizens fails to consider surveillance, while also providing wide exemptions to government authorities.
- When spyware is expensive and interception is inefficient, the individuals surveilled will be shortlisted by priority and perceived threat level to the existing regime.
- But as spyware becomes more affordable and interception becomes more efficient, there will no longer be a need to shortlist individuals. Everyone will be potentially subject to state-sponsored mass surveillance. The only solution is immediate and far-reaching surveillance reform.