#DataProtectionTop10: Some holes that need to be plugged
In Part 9 of the #DataProtectionTop10, we analyse some miscellaneous provisions in the Personal Data Protection Bill, 2019 that require revision. Firstly, the Bill does not expressly acknowledge a natural person as the owner of their data. Secondly, the Bill does not have any provisions that give the data fiduciaries time to make a smooth transition into the new regime. Thirdly, the Bill has been given an overriding effect over other laws including the Right to Information Act, 2005. This provision may ultimately lead to undermining the RTI Act by stifling transparency. We, therefore, recommend that the Bill must acknowledge a natural person as the owner of her data, provide sound provisions for facilitating the transition to the new regime and give the RTI Act precedence over the Bill in case of inconsistency.
We are just a post away from the finale of this series. Last week we looked at two very important issues with the Personal Data Protection Bill, 2019 such as the overbroad exemptions granted to the State for engaging in surveillance (Part 7) and the provisions that affect the independence and accountability of the Data Protection Authority (Part 8). In today’s post, we discuss some of the issues with the Bill that, though, are not widely discussed, have very serious implications on the effectiveness of the Bill.
The Bill is silent on who is the owner of the personal data. And, this can naturally lead to a doubt whether the owner of the personal data is you (from whom this data originates), or is it the data fiduciaries (who collect, store and process your personal data). This post will discuss whether the Bill clears this doubt. This post will also look into the ramifications of giving the Bill an overriding effect over other laws in force, and whether the Bill facilitates the transition into the new data protection regime.
Undoubtedly, it is the natural persons or the users to whom the data pertains who should be the owners of their data. While the Bill grants certain rights and protections to the users, it does not expressly declare that natural persons are the owners of their personal data. Some data protection laws around the world give emphasis to the right of ownership of a natural person over their personal data, one such example is the General Data Protection Law, 2018 of Brazil which states in explicit terms that "every natural person is assured ownership of her/his personal data". The Bill has unfortunately failed to cement the foundation of our data protection law by not reiterating that natural persons are the rightful owners of their personal data.
It is very odd to notice that the Bill does not provide for any transition provision that would help the businesses in making a smooth transition to the new data protection regime. The Bill proposes to introduce a regime that is entirely new to the data fiduciaries and entails drastic changes to their existing data management practices. The data fiduciaries will be undergoing significant organisational changes. Even from the point of view of regulation, the State will have to augment its regulatory capacity by setting up an entirely new regulatory infrastructure for the enforcement of the Bill. This will require some time. It was for these reasons that the Report of the Committee of Experts under the Chairmanship of Justice B N Sri Krishna (‘A Free and Fair Digital Economy Protecting Privacy, Empowering Indians’) recommended the inclusion of provisions for facilitating a seamless transition to the new data protection regime in the 2018 draft of the Bill.
The GDPR has been mindful of the need for facilitating such transition. GDPR came into force in the European Union (EU) after repealing its previous data protection regime: Directive 95/46/EC popularly known as the Data Protection Directive. Recital 171 of the GDPR states that ‘processing that is already underway on the date of application of the GDPR should be brought into conformity with GDPR within the period of two years after which the Regulation enters into force’. So, for a company that has been collecting and processing data as per the Data Protection Directive, a period of two years was given from the date on which the GDPR was entered into force to come in conformity with the GDPR. Furthermore, if the data was processed under the Data Protection Directive based on the consent of the users, then no further consent is required to be obtained under the GDPR if the manner in which consent was obtained under the Directive is in conformity with the consent standards under the GDPR: i.e. the consent is freely given, specific, informed and unambiguous.
Additionally, clause 96 confers an overriding effect to the Bill. This essentially means that whenever there is a conflict between the provisions of the Bill and any other laws, the provisions of the Bill will prevail. While this is essential to give the new data protection regime supremacy over the prevailing data protection practices, such a blanket clause affects the rights of citizens under the Right to Information Act, 2005 (RTI Act).
Citizens have the right to obtain information from public authorities under Chapter II of the RTI Act. Considering the privacy implications of such disclosure of information, the RTI Act, under section 8 provides an exception to the rule of disclosure if the disclosure of the information would cause unwarranted invasion of privacy of the public officials. Hence, the Act provides safeguards for balancing citizen's right to information and the right to privacy of public officials. The overriding clause under the Bill would make secrecy the rule and disclosure the exception, impeding the transparency guaranteed under the RTI Act.
The Bill must unequivocally acknowledge a natural person as owner of her data. A provision in this regard is necessary to entrench the control and the rights natural persons have over their personal data.
As stated above, a transition provision is essential for facilitating the transition into the new data protection regime. The Bill should give adequate time for the data fiduciaries to make the switch to a new data protection regime. Additionally, the Bill should make it clear that the Bill applies to the data collected prior to the coming into force of the Bill, if such data is continued to be stored and processed by the data fiduciary. For example, if a website collects your data before the data protection law comes into force and continues to retain it even after the law comes into force, the website will have to comply with the new law. Similarly, if the data collected prior to this law comes into force are inconsistent with the law, they must be destroyed if consent is withdrawn. The consent taken under the old regime will have to be obtained again, if the consent obtained was not free, informed, clear, and specific.
Principle 6 of the Indian Privacy Code acknowledges the importance of protecting and strengthening the right to information of individuals. The RTI Act, 2005 has been instrumental in ensuring accountability to the functioning of government and public authorities. Moreover, the RTI Act already provides adequate safeguards for the protection of privacy of the officials. The principle also addresses the need for safeguarding the independence of Information Commissioners under the RTI Act and hence states that the Information Commissioners must be exempted from interference or control by the data protection regulator.
The Srikrishna Committee Report observes that ‘to prevent privacy from becoming a stonewalling tactic to hinder transparency’ the data protection law should not apply to disclosure under the RTI Act. Therefore, the Bill needs to provide a carve-out for the RTI Act and specifically state that provisions of the RTI Act will have precedence over this law in case of inconsistency. This is essential for protecting the existing safeguards in place for ensuring accountability and transparency in a democratic society.
This is the eighth post in our series on the issues with the Personal Data Protection Bill, 2019. Read part 1 here, part 2 here, part 3 here, part 4 here, part 5 here, part 6 here, part 7 here, and part 8 here.
- The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad (link)
- Essential Features of a Rights Respecting Data Protection Law dated February 28, 2020 (link)
- IFF's Public Brief and Analysis of the Personal Data Protection Bill, 2019 (link)
- The SaveOurPrivacy Campaign (link)
This post has been largely drafted by Fathima V N, who is a 2020 graduate of the National University of Advanced Legal Studies and is currently a Daksha Fellow interning at IFF with the supervision of our staff.