By Sujit Bhar
Among the many important bills to be considered in this winter session of Parliament, the Personal Data Protection Bill of 2019 will be critical. This will be an initiative of the Ministry of Law and Justice. The first time the Bill was tabled was on December 11, 2019, introduced in Lok Sabha by the Minister of Electronics and Information Technology, Ravi Shankar Prasad. This Bill, formulated with the help of recommendations from the Justice Srikrishna Committee report that was placed before Prasad in 2018, had been in virtual hibernation, moving around tables of the Joint Committee on the Personal Data Protection Bill. The first tabling of the bill was unsuccessful, as members wanted further debate and amendments to the draft. It was referred to the standing committee.
The object of this 57-page Bill is summarised as follows: “…to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the rights of individuals whose personal data are processed, to create a framework for organisational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorised and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected therewith or incidental thereto.
“WHEREAS the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy…”
Hence the scope of the Bill is pretty wide. As per the Bill, its provisions,
“A) shall apply to—
(a) the processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India;
(b) the processing of personal data by the State, any Indian company, any citizen of India or any person or body of persons incorporated or created under Indian law;
(c) the processing of personal data by data fiduciaries or data processors not present within the territory of India, if such processing is—
(i) in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or
(ii) in connection with any activity which involves profiling of data principals within the territory of India.”
Before moving ahead, one has to remember that apart from personal data, there is another set of data in play: non-personal data. While we have a general idea of personal data, non-personal data is difficult to encapsulate within any Bill and more difficult to control. Data such as Google Maps data will be difficult to bring under control. When an installation in India is declared to be of strategic importance, it is possible to approach Google to block out that installation from its maps. However, when it is one’s personal house—this would be personal data in India, but general data for Google Maps—problems arise.
Secondly, when publicly available data (even personal) is sorted and processed, it can to an extent become intellectual property (IP). With India going global, it becomes important to note how the world perceives control of IP in India. So, how can such data, bearing IP rights, be controlled? According to a publication of the Intellectual Property Office of the UK, called “Intellectual Property Rights in India”, IP rights are enforceable in this country through several acts which govern copyright, patents, designs and trademarks. However, it is this process of enforcement that creates the biggest hurdle for foreign companies and organisations.
Says the study:
“A disadvantage of civil litigation is that you are unlikely to recover large damages, and punitive damages against an infringer are rare. However, if you have an identified infringer, it may be advisable to launch civil litigation, because if an interim injunction is granted the infringement can be halted pending the outcome of the case. Damages are routinely awarded in cases of copyright piracy and trade mark infringement (which come under criminal litigation); less so in patent cases.”
If this is the general international perception on IP, then it will soon be imperative to understand the extent of copyright and patent that can be distributed and hence protected while not contravening the provisions set out in the privacy Act, as well as by other related Acts that are prevalent now. It might also create overlapping jurisdictions and there will be a need to specify and clearly demarcate the powers of each Act. It has to be seen how the Copyright Act of 1957 and the Patents Act of 1970 stand independently with the launch of the Privacy Act.
Here is an interesting example. The “Grounds for processing personal data” says that “The Bill allows processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent. These include: (i) if required by the State for providing benefits to the individual, (ii) legal proceedings, (iii) to respond to a medical emergency.”
Let us consider a doctoral thesis, where, say, a typical section of society—the basis can be religion, caste, ethnicity, sexual preference, etc.—has been studied by the student, basing his/her research on data available from the Census Board or other published material, plus from interviews. This will represent a mixed data source, where specific permission may not have been acquired for published data (secondary data), but permission has been available for data from specific people. If those specific persons want their data removed from the thesis, the entire dissertation might fall short of expectations. So, when the student holds the copyright to his/her thesis (completed well before the advent of the privacy Act), it contravenes certain positions of the privacy Act. That is a complex situation.
To adjudicate and probably understand and iron out the kinks, a Data Protection Authority is also being established. What the powers of this authority will be, and whether the Bill will also apply to non-personal data, are issues that will be treated in detail later, but the fact that it will not be possible to enact a law as strong as the European data protection laws is pretty evident.
As of now, this Bill (according to PRS) “governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India.”
To get into that, it is essential to define personal data. As per the Bill, “personal data is data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual.” Expectedly, the Bill categorises certain personal data as sensitive. They include financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator.
Hence, while one researcher is able to, today, access and process a certain type of data in a thesis that can yield a copyright, tomorrow this might not be true. Would the researcher be considered a “data fiduciary”?
What is a data fiduciary? A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Such processing will be subject to certain purpose, collection and storage limitations. Personal data can be processed only for specific, clear and lawful purposes. Additionally, all data fiduciaries must undertake certain transparency and accountability measures such as: (i) implementing security safeguards (such as data encryption and preventing misuse of data), and (ii) instituting grievance redressal mechanisms to address complaints of individuals. They must also institute mechanisms for age verification and parental consent when processing sensitive personal data of children.
While this becomes a bit confusing, the rights of the individual, as defined in the Bill, have the following issues. The individual, or the data principal, has the right to: (i) obtain confirmation from the fiduciary on whether their personal data has been processed, (ii) seek correction of inaccurate, incomplete, or out-of-date personal data, (iii) have personal data transferred to any other data fiduciary in certain circumstances, and (iv) restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
Complications and clashes with copyright laws can ensue and the very static nature of processed and recorded data can be destroyed.
Hence, while the privacy Act will be a great move in the right direction, just the passing of a Bill may not ameliorate all the pains of the data principal in several instances, specifically in social media, where the issue of “social media intermediaries” remains a work in progress.
The author writes on legal, economic and corporate issues, apart from social commentary. He is Executive Editor at India Legal.