Data Protection Bill, 2019
The Personal Data Protection Bill 2019 was tabled in the Indian Parliament by the Minister of Electronics and Information Technology (MeitY) on 11th December 2019. According to Ernst and Young, emerging technologies in India will create $1 trillion in economic value by 2025. Much of this value will be founded on the creation, use, and sale of data, and the DPB will have immense implications as firms scramble to meet new privacy regulations.
Under the Bill, a Data Principal is an individual whose personal data is being processed. The entity or individual who decides the means and purposes of data processing is known as Data Fiduciary. The bill establishes a number of conditions for companies to follow, and for large international tech firms that wish to operate in Indian territory.
For one, it would require digital firms to obtain permission from users before collecting their data. It also declares that users who provide data are, in effect, the owners of their own data. This has major implications, suggesting that users are able to control the data their online selves produce, and may request firms to delete it, just as European internet-users are able to exercise a “right to be forgotten” and have evidence of their online presence removed. The Bill also proposes a Data Protection Authority of India which shall take steps to protect interests of individuals, prevent misuse of personal data, and ensure compliance with the Bill and promote awareness about data protection. Orders of the Authority can be appealed to an Appellate Tribunal.
However in certain instances the central government has the power to exempt any agency of the Government from applicability of the Act if it is necessary for the interest of sovereignty and integrity of India, the security of the State, and friendly relations with foreign states.
Under the Bill, a Data Principal is an individual whose personal data is being processed. The entity or individual who decides the means and purposes of data processing is known as Data Fiduciary. The bill establishes a number of conditions for companies to follow, and for large international tech firms that wish to operate in Indian territory.
For one, it would require digital firms to obtain permission from users before collecting their data. It also declares that users who provide data are, in effect, the owners of their own data. This has major implications, suggesting that users are able to control the data their online selves produce, and may request firms to delete it, just as European internet-users are able to exercise a “right to be forgotten” and have evidence of their online presence removed. The Bill also proposes a Data Protection Authority of India which shall take steps to protect interests of individuals, prevent misuse of personal data, and ensure compliance with the Bill and promote awareness about data protection. Orders of the Authority can be appealed to an Appellate Tribunal.
However in certain instances the central government has the power to exempt any agency of the Government from applicability of the Act if it is necessary for the interest of sovereignty and integrity of India, the security of the State, and friendly relations with foreign states.
What is personal data and data protection?
Data can be broadly classified into two types: personal and non-personal data. Personal data pertains to characteristics, traits or attributes of identity, which can be used to identify an individual. Non-personal data includes aggregated data through which individuals cannot be identified. For example, while an individual’s own location would constitute personal data; information derived from multiple drivers’ location, which is often used to analyse traffic flow, is non-personal data.
Data protection refers to policies and procedures seeking to minimise intrusion into the privacy of an individual caused by collection and usage of their personal data.
Processing of personal data is exempt from the provisions of the Bill in some cases. For example, the central government can exempt any of its agencies in the interest of security of state, public order, sovereignty and integrity of India, and friendly relations with foreign states. Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as prevention, investigation, or prosecution of any offence, or research and journalistic purposes.
Further, personal data of individuals can be processed without their consent in certain circumstances such as: (i) if required by the State for providing benefits to the individual, (ii) legal proceedings, (iii) to respond to a medical emergency.
Data protection refers to policies and procedures seeking to minimise intrusion into the privacy of an individual caused by collection and usage of their personal data.
Processing of personal data is exempt from the provisions of the Bill in some cases. For example, the central government can exempt any of its agencies in the interest of security of state, public order, sovereignty and integrity of India, and friendly relations with foreign states. Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as prevention, investigation, or prosecution of any offence, or research and journalistic purposes.
Further, personal data of individuals can be processed without their consent in certain circumstances such as: (i) if required by the State for providing benefits to the individual, (ii) legal proceedings, (iii) to respond to a medical emergency.
Non Personal Data
Non-personal data is any set of data which does not contain personally identifiable information. This means that no individual or living person can be identified by looking at such data. For example, order details collected by a food delivery service will have the name, age, gender, and other contact information of an individual, it will become non-personal data if the identifiers such as name and contact information are taken out. The government committee, which submitted its report in December 2020, has classified non-personal data into three main categories, namely public non-personal data, community non-personal data and private non-personal data.
Public non-personal data: It involves all the data collected by the government and its agencies during execution of all publicly funded works. e.g. census, data collected by municipal corporations on the total tax receipts.
Community non-personal data: It involves any data identifiers about a set of people who have either the same geographic location, religion, job, or other common social interests. e.g. The metadata collected by ride-hailing apps, telecom companies, electricity distribution companies.
Private non-personal data: It can be defined as those which are produced by individuals which can be derived from application of proprietary software or knowledge. e.g data generated by companies like Google, Amazon etc.
These data sets will help to map consumer biases and ensure targeted delivery of services. It will unlock the doors of economic value and innovation in the country.
Unlike personal data, non-personal data is more likely to be in an anonymised (without particulars or details) form. However, in certain categories such as data related to national security or strategic interests such as locations of government laboratories or research facilities, even if the data provided in anonymised form can be dangerous. Possibilities of such harm are obviously much higher if the original personal data is of a sensitive nature. Therefore, the non-personal data arising from sensitive personal data may be considered as sensitive non-personal data.
The contention here is that these data sets will heavily favour big tech companies. Only big tech companies possess the capital and infrastructure to create such large volumes of data. Others will find it difficult to match the capabilities of these technology giants.
Like many other countries, India too will have to define non-personal data in a manner that protects intellectual property rights, serves genuine public interest and promotes innovation. India can learn from France’s National Strategy on Artificial Intelligence policy, which encourages economic players to share and pool their data with the state acting as a trusted third party. France’s policy even empowers public authorities to impose openness on certain data because of its societal benefits. India can also look towards the European Union’s Regulation on the Free Flow of Non-Personal Data, which recognises the free flow of non-personal data as a prerequisite of a competitive economy.
Public non-personal data: It involves all the data collected by the government and its agencies during execution of all publicly funded works. e.g. census, data collected by municipal corporations on the total tax receipts.
Community non-personal data: It involves any data identifiers about a set of people who have either the same geographic location, religion, job, or other common social interests. e.g. The metadata collected by ride-hailing apps, telecom companies, electricity distribution companies.
Private non-personal data: It can be defined as those which are produced by individuals which can be derived from application of proprietary software or knowledge. e.g data generated by companies like Google, Amazon etc.
These data sets will help to map consumer biases and ensure targeted delivery of services. It will unlock the doors of economic value and innovation in the country.
Unlike personal data, non-personal data is more likely to be in an anonymised (without particulars or details) form. However, in certain categories such as data related to national security or strategic interests such as locations of government laboratories or research facilities, even if the data provided in anonymised form can be dangerous. Possibilities of such harm are obviously much higher if the original personal data is of a sensitive nature. Therefore, the non-personal data arising from sensitive personal data may be considered as sensitive non-personal data.
The contention here is that these data sets will heavily favour big tech companies. Only big tech companies possess the capital and infrastructure to create such large volumes of data. Others will find it difficult to match the capabilities of these technology giants.
Like many other countries, India too will have to define non-personal data in a manner that protects intellectual property rights, serves genuine public interest and promotes innovation. India can learn from France’s National Strategy on Artificial Intelligence policy, which encourages economic players to share and pool their data with the state acting as a trusted third party. France’s policy even empowers public authorities to impose openness on certain data because of its societal benefits. India can also look towards the European Union’s Regulation on the Free Flow of Non-Personal Data, which recognises the free flow of non-personal data as a prerequisite of a competitive economy.
Current Update on PDP Bill
The committee for selection of Data Protection Authority (DPA) will include the Cabinet Secretary, the Law Secretary and the IT Secretary.The latest version of the draft bill, said to contain about 98 clauses, was referred to the select committee headed by Meenakshi Lekhi in December 2019 and has had over 66 sittings till date.
The Personal Data Protection (PDP) Bill, is likely to introduce the concept of “digitally enabled consent” for personal data storage and management in real time, sources in the know of the matter said.
Digitally enabled consent or electronic consent framework gives users or data and content generators the option to grant and withdraw consent of their data usage in real time, instead of the one-time consent methodology currently in use.
The framework would also ensure that complete control over the ways in which the data will be used and processed by companies always remains with the user.
In a discussion paper on the technology specifications for electronic consent framework, the Ministry of Electronics and Information Tech (MeitY) had suggested that any company which intends to collect data must always ensure that the “scope of data sharing and purpose” is clearly and unequivocally shared with the user.
“Once the user agrees to the scope of sharing, he/she may be requested to sign the consent digitally, in which case the resulting artifact would contain the user’s digital signature,” the discussion paper had noted.
The Personal Data Protection (PDP) Bill, is likely to introduce the concept of “digitally enabled consent” for personal data storage and management in real time, sources in the know of the matter said.
Digitally enabled consent or electronic consent framework gives users or data and content generators the option to grant and withdraw consent of their data usage in real time, instead of the one-time consent methodology currently in use.
The framework would also ensure that complete control over the ways in which the data will be used and processed by companies always remains with the user.
In a discussion paper on the technology specifications for electronic consent framework, the Ministry of Electronics and Information Tech (MeitY) had suggested that any company which intends to collect data must always ensure that the “scope of data sharing and purpose” is clearly and unequivocally shared with the user.
“Once the user agrees to the scope of sharing, he/she may be requested to sign the consent digitally, in which case the resulting artifact would contain the user’s digital signature,” the discussion paper had noted.
