The 2019 Data Protection Bill – An Intractable Balance

The Data Protection Bill, which was drafted in July 2018 by a 10-member team led by retd. Justice BN Srikrishna, will probably be tabled in the Winter session of Parliament. It proposes the creation of a Data Protection Authority in India to prevent personal information misuse and imposes frameworks for data localization [1]. Union Communications, Electronics and Information Technology Minister Ravi Shankar Prasad on Monday said the Data Protection Bill is ready and would be placed in Parliament soon. He said that the bill would offer a pragmatic view of all aspects of the Internet, like accessibility, availability, privacy, neutrality, commerce and local data warehousing. The bill also sets guidelines in place on “critical” or “sensitive data”, and mandates that such data is stored strictly within Indian data warehouses.

If data is the new oil, then this might sound like just the framework that we need to regulate the supply lines. However, the statements made thus far about this bill may have a certain degree of specificity towards its expectations from data handling that may not resonate perfectly with all the stakeholders involved. For instance, Minister Ravi Shankar Prasad also said that while the government is for free and fair accessibility of Internet through various gates and against any restriction, it cannot allow terrorists to make use of the privacy plea while regretting that some apps, like WhatsApp, are not doing enough to check the misuse of the medium by radicalists. He said the government should be able to know the origin of fake news and other misuse and it would bring in regulations to check abuse of the medium by these apps.

A similar concern was tabled by BJP leader Ashwini Kumar Upadhyay, who sought to link social media accounts of Indian citizens with their Aadhar, so as to add accountability to the content posted by users and curb fake news. However, this petition was not entertained by the Supreme Court, asking Upadhyay to move to the Madras High Court with this issue [2]. As per a Supreme court ruling, Aadhar is meant for availing government benefits, not for private usage.[3] While social media giants like Facebook and Twitter are being cajoled to take sterner measures towards regulating content that may instigate social unrest, this request is at odds with the very privacy that this bill seeks to enforce, which was declared as a fundamental right in 2017. Social media firms and legal bodies have their work cut out for them, carving out a robust middle ground between privacy and traceability. These cases are in strong resonance with the 2016 Apple encryption case, wherein Apple refused to provide a backdoor into their devices to the FBI. The outcome of the case suggests that any changes in the content regulation strategy on social media, be it instigated by the government, the courts, or the social media giants themselves, has to take the core values of the firm in question.

Similar bills have already been introduced in other countries over 2019, including Sri Lanka and Ecuador, both of whom take notes from the European General Data Protection Regulation GDPR draft. However, the Sri Lankan bill focuses more on data privacy protection and effective cross-border co-operation.[4] On the other hand, the Ecuador equivalent was designed in a rushed manner, in response to a massive data breach which left the personally identifiable information (PII) of over 20 million people on an unprotected server. Thus, the focus of the Ecuador data protection bill was towards data processing practices, data subject rights and data provisions to external entities.[5] The GDPR of the European Union is serves as a comprehensive data protection guideline. While much still remains speculative about the Indian Data Protection bill, there are certain unique features in the GDPR that can add value to it, as given below [6]:

·        Clear, straight-forward privacy policies

·        Silence is no consent. Clear user consent needed by a business to use their data.

·        Transfer of personal data, if any, needs to be clearly notified to the user

·        The occurrence of a harmful data breach should be notified to the user

·        User’s right to access their data that the business has

Based on the considerations made by other nations, it seems that the Indian data protection bill aims to resolve a rather unique conundrum, that is not only limited to protection of data, but also purposefully expands to responsible utilization of online data. Given what was mentioned by Mr. Ravi Shankar Prasad about data misuse, no data protection bill in any other geography thus far has tabled data monitoring in its charter. Either we’ve seen this problem at an early stage, or at a massive scale, given the population of the country. Therefore, India needs to achieve a future-proof balance between data protection and supervision with this bill. While this may seem like an intractable challenge, if solved, it would set the Indian Data Protection Bill as an iron-clad benchmark for future legislations focused on protecting the citizen in the digital ecosystem.

Written by:

Saransh Kejriwal

(b19043@astra.xlri.ac.in)

References

[1] NDTV Gadgets 360. (2019). New Data Protection Bill to Be Placed in Parliament Soon: Prasad. [online] Available at: https://gadgets.ndtv.com/internet/news/new-data-protection-bill-to-be-placed-in-parliament-soon-prasad-2116982 [Accessed 19 Oct. 2019].

[2] Times Of India. (2019). SC junks plea seeking to link Aadhaar with social media accounts | India News - Times of India. [online] The Times of India. Available at: https://timesofindia.indiatimes.com/india/sc-junks-plea-seeking-to-link-aadhaar-with-social-media-accounts/articleshow/71589042.cms [Accessed 19 Oct. 2019].

[3] DASGUPTA, D. (2019). India debates linking social media accounts to government IDs. [online] The Straits Times. Available at: https://www.straitstimes.com/asia/south-asia/india-debates-linking-social-media-accounts-to-government-ids [Accessed 19 Oct. 2019].

[4] Babele, A. (2019). Summary: Sri Lanka Personal Data Protection Bill - MediaNama. [online] MediaNama. Available at: https://www.medianama.com/2019/07/223-summary-sri-lanka-personal-data-protection-bill/ [Accessed 19 Oct. 2019].

[5]Financial Times(2019). Ecuador fast-tracks data privacy law after massive breach | Financial Times. [online] Available at: https://www.ft.com/content/35f9aea0-dbb0-11e9-8f9b-77216ebe1f17 [Accessed 19 Oct. 2019].

[6] European Commission - European Commission. (2019). EU data protection rules. [online] Available at: https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules/eu-data-protection-rules_en [Accessed 19 Oct. 2019].