Personal data of a citizen in India is critical for their existence. A data breach can jeopardize an individual’s livelihood permanently, leading to dire consequences not just to the person but also to their nearest and dear.
That’s why personal data protection is a fundamental right of every individual. Countries around the world have multiple laws around data protection such as GDPR, DPA, and other Privacy Laws, to protect the personal data of their citizens.
Following the suit, the Indian government has also taken initiative to ensure that data of all Indians and their companies have definitive protection.
The Privacy Data Protection (PDP) bill 2019 was passed with that very idea in mind. This bill is shortly going to be looked for revisions in the upcoming 2021 parliamentary sessions. However, it is certain that most parts of the bill will remain intact to be implemented.
It is important that we understand the current bill, how it came to pass, and the protection it will provide to Indian citizens.
History of Data Protection
Before we get into the details of the bill, let’s take a quick look at the history of data protection law in India and how the 2019 PDP bill came into existence.
We can see the original traces of data protection laws going back to 2000, 2008, and 2013, where the laws stated how data should be stored and used.
However, the initial days of the modern PDP bill started during the Aadhar case.
As we may very well know, the Aadhar program came to be challenged before the Supreme Court between 2012 and 2018, when the Supreme Court passed the final judgment upholding parts of the program and striking down some parts of the program.
While the Aadhar case was pending, the government proposed to the court a need for personal data protection, particularly when the fundamental right to privacy reference was made as it is not guaranteed under the Constitution.
So the Supreme Court had to constitute a nine-judge bench to rule on that issue. During the hearings, the government informed the Supreme Court that they also constituted a committee under the retired Supreme Court Judge with several governmental agencies and their heads participating in the committee’s proceedings to come up with what is a personal data protection bill.
Until this time, we know that there is much information asymmetry as well as power asymmetry with the relationship between a service provider and the user, or state and the citizen, where the service provider collects information from the user or the state collecting information from a citizen.
So, there was no legislative protection, statutory protection of the users or the citizen’s interests in that relationship, in the case of a service provider, and the user of the service.
This relationship was largely controlled by ordinary contract law. Moreover, there was no added statutory protection or legislative protection for this relationship, protecting the interests of the user, recognizing that there is power asymmetry between such a service provider and the user.
That power asymmetry comes largely because the user is unable to forecast the harms that are inflicted by the service provider by violating his privacy. For instance, personal data is collected without limitation of purpose without telling the user what purpose is needed.
This is something that we see in our everyday lives. You go to a supermarket, for no reason, your email address and your phone number are collected, that was not always the case.
When you go to a Kirana store, you just bought whatever you wanted, and when you returned home, you didn’t have to give the rest of your details to that store.
However, this is no longer the case, where collection and harvesting of personal data happen for the sake of data where every service provider has become data-hungry.
The reason is that with that personal data, there comes the power superiority wherein you are able to map and combine database databases and make sense of people’s behaviour.
This led to the profiling of people and all kinds of harm that ensued because of such data collection, indiscriminate data collection, storage and processing.
In this case, to fix this asymmetry of power, we need something in place that governs the entire process. So, several countries now have legislative protection in the form of data protection laws. The Government of India also promised a similar data protection law or data protection recognizing this need.
Now that we have understood the history, let’s understand the bill and its basics.
PDP Bill Explained
There are two primary purposes for the PDP bill 2019.
The First Purpose
The first purpose of this bill is to regulate the sharing, collection, storage, usage, transfer and processing of personal data.
In our daily life, we hold critical data such as our mobile numbers, biometrics, government identifications such as Aadhar card & Voter id, our home address, religion, sex, political inclination, insurance and financial transactions.
This is vital data which defines who we are as a person and portrays our personal choices. This data has to remain secure at all costs where we retain complete control. The same applies to businesses as well.
So it is important to know, as an individual, how your data is used and processed by companies as well as the government. Questions such as “is my data encrypted?” “is it safe?” or “Am I safe” are raised from the way data is used.
So, to protect data, to protect an individual, and regulate the data procession, the government of India has passed this PDP bill. That’s the first purpose.
The Second Purpose
The second purpose of the bill is to establish Data Protection Authority, commonly known as DPA. The government wants a centralized authority that can enforce the provision of the PDP bill. And so the bill puts forth DPA to enforce the provisions of this particular law.
Basically, the authority takes care of the regulation of data as well as handles the grievances of citizens who experience data breaches.
Definition of Personal Data
The bill further divides personal data into three segments such as personal data, sensitive personal data, and critical personal data.
Personal Data
The bill defines that any data related to a characteristic, trait, or attribute that can be used to identify a person is called personal data.
For example, with the help of the Aadhar card’s biometric data and image, we can clearly identify an individual. In the same way, through a credit card’s transactions and some manipulative techniques, it is easy to find the identity of a person.
Any information or data that can lead to identifying a person is called personal data.
The bill states that this personal data name, contact details, address, and educational details.
Sensitive Personal Data
Within the personal data, certain data points are categorized as sensitive personal data. Sensitive personal data is related to financial transactions, caste, religion, political inclination, and biometric data.
For example, let’s say you have a social media account and you find that social media platform is running different types of polls that pop up on your feed. Now, if you happen to participate in that poll and give your opinion, then it becomes sensitive personal data.
In the same way, the census that happens every 10 years where the government finds out multiple details about you is also extremely sensitive data. Another example is the data that banks contain our biometric data so which is also sensitive data.
Critical Personal Data
It is up to the central government to determine critical personal data.
A lot of criticism and controversy follows this clause of the PDP bill because, according to industry veterans, the government gets a lot of power through it.
But that is not for us to decide. Hopefully, it gets solved in the upcoming parliament sessions.
Data Localization
Along with defining personalized data, the government also defined data localization. According to the bill, there are certain conditions on how this data can be used within India and outside India.
Personal data can be stored outside India and it can also be transferred outside India. Sensitive personal should only be stored within India. However, data can be processed from a foreign location.
The transfer of sensitive personal data outside India is possible if:
- Explicit consent has been obtained
- A contract or intra-group scheme exists
- Permission has been given by the central government.
Critical personal data can neither be stored nor processed outside India. This data should only be processed within India. Transfer outside India is possible only under critical exceptions such as the provision of health or emergency services where a transfer is deemed permissible by the central government.
The Two Important Parties of the Bill
The bill defines 2 important parties
Data Principal
Data Principal is the person sharing the data. Basically, You!
Data Fiduciary
Data Fiduciary is the entity that is receiving/collecting the data. It could be government, companies incorporated in India, foreign companies, and social media platforms.
Just to make it clear, the word or the noun fiduciary refers to “trustee.”
What are the rights of the data principal?
Data principal can:
- Ask the status of data processing
- Ask the fiduciary to transfer the data to another fiduciary for certain purposes.
- Modify and correct data
- Revoke consent to share data
However, there is a loophole where a company can say that they have removed your data but still continue to store it. There is no way to prove it. This is one of the aspects that is being considered for revision.
What are the responsibilities of a Data Fiduciary?
Whenever a fiduciary is collecting data, it will define:
- The means and purpose for which data is being collected.
- The legality of the purpose is defined by law.
- Protection of data through encryption and other ways.
- Grievance redressal mechanism – related to data
- Age and data verification along with parental consent wherever children are involved.
Let’s consider some litigation here if personal data is breached.
Taking the example of census data once again, it is sensitive personal data and according to article 21 of the Indian constitution – we have a fundamental right to privacy.
If this information is leaked, then according to article 32 of the Indian constitution you can approach the supreme court. However, in the same way, let’s say Facebook’s data got leaked, you cannot go to the supreme court.
Article 21 gives us right only to the state (central and state government). But Facebook is not a state, it is a private entity. So, in this case, you can only go to a district court or a data protection authority or a high court.
So, what is the role of social media platforms in the bill?
According to the PDP bill, social media platforms are defined as platforms that connect people online. However, there are certain conditions to be met. If a portal or platform has to be called a social media platform then it should:
- Have a certain threshold of users (which will be confirmed by the central government)
- Have implication over democracy and public order
- Comply with certain obligations
- Provide voluntary verification of users.
Exceptions to the PDP Bill
There are few exceptions to this bill
- Your data can be used or processed without your consent on the grounds of state action (to deliver the benefit to the individual), legal action, and medical emergency. However, DPA will have jurisdiction in this situation.
- The central government may completely exempt any of its organizations from the provisions of the bill if the purpose is to prevent a crime related to the security of the state, unity and integrity, sovereignty, and friendly relations with foreign states. DPA will have no jurisdiction in this exemption.
- This bill gives limited exemptions for investigation and journalistic purposes, with certain safeguards and security measures.
- The central government may direct any data fiduciary to share data with the government. This is non-personal data and anonymized data (personal data which is modified so individuals cannot be identified). The purpose of this exception is for better targeting of services.
There are a few aspects which are not covered in the bill such as Forensic audits. Forensic auditors require data for their audit purposes. This has not been covered under the bill. This missing clause will be raised in the upcoming parliamentary session.
So, in a nutshell, this is how a data principal and data fiduciary are co-related with each other in the bill.
Now let’s have a quick look at the data protection authority (DPA).
Data Protection Authority (DPA)
As mentioned earlier data protection authority will be the enforcer of the PDP bill.
Along with that, they will also:
- Look into the implementation of the bill
- Pass orders on data protection
- Prevent misuse of personal data
The data protection authority comprises 1 chairperson and 6 members who will be selected by a panel of representatives formed by the central government.
All the 7 members should have at least 10 years of experience in the field of data protection to be eligible for the post.
Appellate Tribunal
Let’s say you raise a complaint against a fiduciary about a data breach with DPA, the fiduciary has the right to challenge this complaint at the appellate tribunal.
And if the fiduciary finds the decision at the appellate tribunal not satisfactory, they can be challenged again at the supreme court level.
These are some basic aspects of the PDP bill.
How will this affect the Indian citizen?
Indian citizens can now be assured that data is being protected and that they have a right to challenge any breaches that happen against their consent, according to the bill. To a certain degree, an average citizen will have control over their data.
How will this affect companies and institutions?
They have to take measures to ensure data is protected. Failing to do so will cost them dearly.
Here are some of the penalties that can be levied for non-compliance:
- Fines of up to INR 15 crore or 4% of the organization’s total annual worldwide turnover.
- Imprisonment for 3 years or a fine of INR 2 lakh or both for re-identification and processing of de-identified personal data
- The penalty of up to INR 10 lakh for failure to comply with data principal requests
So, it’s critical that they go the extra mile to meet the needs of the bill.
Why is TruScholar Talking About PDP?
Well, we are talking about it for two reasons.
1. We protect the data of institutions and students in India through digital encryption – digital encryption and digital credentials. As mentioned in the PDP bill, educational qualifications are considered as personal data and not sensitive or critical.
However, we understand the problem of fake credentials and how critical it has become. In fact, the Indian government has emphasized the need to protect India’s education system through blockchain and other advanced technologies.
So, as a blockchain-powered digital credentials platform, we want to help secure the data of institutions and students in line with the PDP bill.
A lot of data breaches happen online and offline when it comes to the education industry. So if you are an institution that wants to uphold data protection then we are here to help.
2. As we have seen, there are quite a few places where there are loopholes in the bill that attackers can take advantage of.
TruScholar’s robust digital identity and self-sovereign identity platform can help individuals protect their identity and also enable organizations in establishing digital identifiers (DIDs) which will make adherence simpler.
With these digital adoptions, individuals and organizations can directly & securely communicate with each other and share data.
Schedule a free demo with us today. We would love to show you how it works in reality.
