Data protection bill: Decoding the penalty clause - Hindustan Times

By Srikant Parthasarathy and Amirthalakshmi R
May 17, 2022 03:10 PM IST

This is one piece of legislation that India should get right by all means, lest we legalise snooping and profiling by the government

In December 2021, the joint parliamentary committee on personal data protection re-introduced a recommendation of heavy penalties for serious data violations, with fines up to 15 crore, or 4% of global turnover, while lesser offenses will have a limit of 5 crore, or 2% turnover.

The Indian Penal Code does not have extra-territorial application as a general principle. In short, the competent authority (government) would like to know what is being stored as data by the data controller. It would have discretion in the determination of what data is private and what is not. (HT Photo)

Recently, the United Kingdom proposed to deviate from the standards that apply in the European Union (EU) under the General Data Protection Regulation (the EU GDPR), and incorporated GDPR into domestic law by way of the Data Protection Act 2018 (the UK GDPR). The EU GDPR is widely accepted as the gold standard of data and privacy.

While the EU has its share of disputes over GDPR and the proposed Digital Services Act, India mimics the EU. But it is turning out to be a “licence raj” version of GDPR.

The preamble of the personal data protection bill (PDPB) adheres to the International Covenant on Civil and Political Rights. This multilateral treaty commits states parties to respect the civil and political rights of individuals, including the right to life, freedom of religion, freedom of speech, freedom of assembly, electoral rights and rights to due process and a fair trial.

But in PDPB, this “freedom” is overshadowed by the list of do’s and don’ts for data controllers. Unsurprisingly, the industry has been opposing the various parts of the ill-fated bill, mooted in 2019. The criticism has been the heavy burden of localisation of the data and the lack of clarity on what constitutes personal data.

Technically, voluntarily provided data may cease to be personal data. However, the onus is on the data controllers to protect private data and localise such data storage.

The Indian Penal Code does not have extra-territorial application as a general principle. In short, the competent authority (government) would like to know what is being stored as data by the data controller. It would have discretion in the determination of what data is private and what is not.

This, by far, defeats the key principle of being citizen-oriented toward data protection as the government would like to decide on “sensitive data” and whether it should be stored or discarded. The construction of PDPB and the recommendations from the joint parliamentary committee suggest that effectively regulating “data” and, thereby, regulating “privacy” is the government’s job and cannot be left to data controllers.

This leads to an important question: Would the government have the capacity to handle requests on a minute-to-minute basis from the data controllers?

This arrangement also puts the data principal in a risk zone. While the data principal may think that certain data may be classified, the queuing at the government’s IT desk may jeopardise the benefit of the doubt to the data principal, hence making them susceptible to unauthorised data access by third parties.

Second, such legislation, rather than safeguarding the citizen, operates in a mechanism where the government has a transparent film to look at what is being entered in the data owner’s device, as this information would be shared with the government until the issue of what private data is, is effectively settled.

Last, this places an arduous burden on any company that, in any form or by any means, collects data from a data owner, to transition to compliance with the standards set out. While the transition is an overhaul, a step-by-step approach toward this transition would be worthwhile.

India has over a billion smartphones and thousands of applications that use and collect data. Therefore, all the companies must transition to the new norms immediately and provide opt-in or opt-out for the user. This effectively means that consumers or the data owners must decide whether to opt in or opt out regarding the data they intend to share with the application. The scenario is fatal for a user, who may share the data for quicker access but may realise the folly after the consequential effect. This is one piece of legislation that India should get right by all means, lest we legalise snooping and profiling by the government.

Srikant Parthasarathy and Amirthalakshmi R are professors of International Law. Parthasarathy is an alumnus of The Hague Academy. Amirthalakshmi R is a principal counsel at Chambers of Dr Srikant Parthasarathy.

The views expressed are personal
