The government has withdrawn the Personal Data Protection Bill from the House of Commons.
GS Paper – 3: Cyber Security, IT & Computers, Government Policies & Interventions
Despite its numerous benefits, data localization may eventually cause more harm than good. Comment. (150 Words)
The 2019 Personal Data Protection Bill
- Known colloquially as the Privacy Bill, it was introduced in Lok Sabha in December 2019.
- Its goal was to protect individual rights by governing the collection, movement, and processing of personal data.
- The bill was then referred to the Joint Committee of Parliament (JCP), which issued recommendations by the end of 2021.
The Bill’s Key Provisions
- The Bill governs personal data processing by I the government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India.
- Data is classified into three categories.
- Personal Data – Information about an individual’s characteristics, traits, or attributes that can be used to identify them.
- Financial data, biometric data, caste, religious or political beliefs, and any other category of data specified by the government are examples of sensitive personal data.
- Critical personal data – The government has designated certain personal data as critical personal data, which can only be processed in India.
- Data fiduciary obligations
- A data fiduciary is an entity or individual who decides how to process personal data.
- Such processing will be subject to purpose, collection, and storage constraints.
- Grounds for processing personal data
- The Bill allows fiduciaries to process data only with the individual’s consent.
- Personal data can, however, be processed without consent in certain circumstances. These include: if the State is required to provide benefits to the individual, legal proceedings, and responding to a medical emergency.
- Social media intermediaries
- o The Bill defines these as intermediaries that enable online interaction between users and information sharing.
- All such intermediaries that have users above a notified threshold and whose actions have the potential to impact electoral democracy or public order are subject to certain obligations.
- This includes offering a voluntary user verification mechanism to Indian users.
- Data Protection Authority
- o The Bill establishes a Data Protection Authority, which may: take steps to protect individuals’ interests; prevent misuse of personal data; and ensure Bill compliance.
- It will be led by a chairperson and comprised of six members with at least ten years of experience in data protection and information technology.
- The Authority’s orders can be appealed to an Appellate Tribunal. The Supreme Court will hear Tribunal appeals.
- Data transfer outside of India
- Sensitive personal data may be transferred outside India for processing if the individual expressly consents and certain additional conditions are met.
- However, such sensitive personal data should be kept in India.
- The government has designated certain personal data as critical personal data, which can only be processed in India.
- Sharing of non-personal data with government
- o The central government may direct data fiduciaries to provide it with any: non-personal data and anonymised personal data (where the data principal cannot be identified) for better service targeting.
- The government has withdrawn the contentious and divisive Data Protection Bill 2019.
- It intends to develop a comprehensive legal framework for regulating the online space, which will include: o separate legislation on data privacy, the overall internet ecosystem, cybersecurity, telecom regulations, and o harnessing non-personal data to boost innovation in the country.
- Data localization can assist law enforcement agencies in gaining access to data for investigations and enforcement.
- Currently, much of cross-border data transfer is governed by bilateral “mutual legal assistance treaties.” Accessing data via this method is a time-consuming process.
- Cyber attacks and surveillance will be investigated.
- Many WhatsApp accounts were recently hacked by an Israeli software called Pegasus.
- Social media is being used to spread fake news, resulting in lynchings and national security threats that can now be tracked, checked, and prevented in real time.
- Data localisation will also improve the Indian government’s ability to tax Internet behemoths.
- A strong data protection law will also aid in enforcing data sovereignty.
- Many argue that in the cyber world, the physical location of the data is irrelevant. Even if the data is stored in the country, national agencies may not have access to the encryption keys.
- National security or reasonable purposes are broad terms that can lead to the state intruding into citizens’ private lives.
- Technology behemoths such as Facebook and Google have criticised protectionist data-protection policies (data localisation).
- They are concerned that the domino effect of protectionist policies will cause other countries to follow suit.
- Protectionist policies stifle the values of a globalised, competitive internet marketplace in which costs and speeds, rather than nationalistic borders, determine information flows.
- Furthermore, it may backfire on India’s own young startups attempting global expansion, or on larger firms processing foreign data in India.
Why was the bill withdrawn?
- The Joint Committee of Parliament (JCP) suggested major changes o The government felt that the major changes suggested by the JCP warranted a new Bill rather than a heavy patchwork on the existing one.
- Faced opposition from privacy activists
- Privacy advocates had criticised the bill for not being consistent with the Supreme Court’s landmark decision in 2017.
- In Justice K.S. Puttaswamy vs. Union of India, the Supreme Court declared privacy to be a fundamental right.
- They claimed that the bill gave the government the authority to determine what data constitutes critical personal data, resulting in abuse of power by the state.