Half of all Americans believe their personal information is less secure now than it was five years ago, and a sobering study from the Pew Research Center reveals how little faith the public has in organizations, whether governmental or private-sector, to protect their data—and with good reason. Individuals are left stymied about what action they can take, if any, to protect their digital assets and identity. Yet record-shattering data breaches and inadequate data-protection practices have produced only piecemeal legislative responses at the federal level, competing state laws, and a myriad of enforcement regimes. Most Western countries have already adopted comprehensive legal protections for personal data, but the United States—home to some of the most advanced, and largest, technology and data companies in the world—continues to lumber forward with a patchwork of sector-specific laws and regulations that fail to adequately protect data.
The views expressed in this piece are solely those of the author. How should a legal framework for data protection balance the imperatives of protecting privacy and ensuring innovation and productivity growth? This paper examines the proposed data protection legislation in India from the perspective of whether it maintains this balance. In December , the government introduced the Personal Data Protection Bill, , in parliament, which would create the first cross-sectoral legal framework for data protection in India.
This paper argues that the bill does not correctly address privacy-related harms in the data economy in India. Instead, the bill proposes a preventive framework that oversupplies government intervention and strengthens the state. The paper argues that while the protection of privacy is an important objective, privacy also serves as a means to protecting other ends, such as free speech and sexual autonomy.
A framework for protecting personal data has to be designed on a more precise understanding of the role of privacy in society and of the harms that emanate from violations of individual privacy. The notion of informational privacy has become salient in the past decade but, as this paper illustrates, India has privacy jurisprudence going back several decades. Most of it focuses on privacy in the context of harms caused due to a violation of privacy.
This jurisprudence changed in , when the Supreme Court in Justice K. Puttaswamy v. Union of India held that the Indian Constitution included a fundamental right to privacy. The jurisprudence on privacy therefore changed—from being valued as a right that protected other ends to being an end in itself.
Along with holding that privacy is a fundamental right, the judgment also declared informational privacy to be a subset of the right to privacy. The bill aims to protect the informational privacy of individuals by creating a preventive framework that regulates how businesses collect and use personal data, as opposed to protecting informational privacy with a view to the consequent harms caused by the violation of such privacy.
In doing so, it focuses primarily on regulating practices related to the use of data. This is likely to have deleterious consequences for innovation in the economy while leaving unfulfilled the stated objective of protecting informational privacy. The first part of this paper provides a summary of the major developments that have led to the demand for a data protection law.
This paper argues that the bill follows this new conception of privacy and that in doing so it fails to create a precisely designed regulatory framework that adequately addresses market failures in the digital economy. The second, third, and fourth parts highlight three key reasons why the bill should be significantly modified. The first is that its reliance on strengthening consent-based mechanisms for protecting personal data is not likely to be effective.
A large body of academic work highlights that increased disclosure requirements to users about the use of their data is becoming ineffective in light of modern technological developments. A reliance on such mechanisms could be counterproductive and lead to individuals taking less responsibility while sharing their data. Second, the preventive framework proposed in the bill could lead to significant compliance costs for private businesses.
The bill will regulate data use in all sectors of economic activity and establishes significant new compliance requirements for the vast majority of affected businesses.
The costs of compliance will be borne across small and big businesses except those that are specifically exempt. This is problematic since most businesses in India are small. Such compliance requirements would be especially onerous for them. This bill also allows the government to compel businesses to share nonpersonal data with it. This, as the paper argues, could have deleterious consequences for innovation and economic growth in the long run.
This body will be tasked with regulating the provisions of the bill to frame regulations on issues such as mechanisms for taking consent, limitations on the use of data, and cross-border transfer of data. The supervisory mandate of the DPA is sweeping, given the fact that it has to regulate a wide array of preventive obligations, such as security safeguards and transparency requirements, that have to be implemented by businesses.
It is likely that the DPA, therefore, may not be able to either effectively implement the bill or effectively protect informational privacy. This paper argues that, given its cross-sectoral mandate, the DPA may struggle to build internal capacity, leading to either underregulation or overregulation.
The former would defeat the intent of the bill while the latter would add unnecessary burdens for compliant businesses. Additionally, the bill does not provide adequate checks and balances to ensure that the central government and the DPA exercise their vast supervisory powers in a reasonable manner. Lastly, the bill allows the government to exempt any of its agencies from the requirements of this legislation and also allows it to decide what safeguards would apply to their use of data.
This, as the paper argues, potentially constitutes a new source of power for national security agencies to conduct surveillance—and, paradoxically, could dilute privacy instead of strengthening it. The analysis set forth in this paper has been supported by inputs from structured consultations with stakeholders and an empirical analysis of regulatory frameworks in data protection, as well as academic literature on the subject.
Participants in roundtables organized by Carnegie India included academics working on privacy, representatives from technology companies and start-ups, and scientific experts. Most participants highlighted specific provisions of the bill that could lead to ineffective regulation or substantial compliance burdens due to the obligations proposed in it.
These inputs were corroborated by secondary research, survey reports, and academic literature that highlighted similar issues with data protection regulations in other jurisdictions. This paper concludes by proposing a framework for modifying the bill and addressing the issues highlighted.
In doing so, it argues that there are structural limits to what problems regulation can solve in the data sharing and data processing markets. This is especially true in India, given the extremely low capacity of regulators across sectors. Therefore, data protection legislation must be narrowly focused and designed toward protecting individuals and society against any injury resulting from data processing. A framework designed with this end in mind would achieve a better balance between privacy and innovation.
Though the constitution does not explicitly mention a right to privacy, Indian courts have held that a right to privacy exists under the right to life guaranteed under Article State of Uttar Pradesh , where the court held that a right to privacy did not exist under the constitution. The growth of the Indian information technology industry and the telecom revolution, which started in the late s, led to the proliferation of digital services in India.
This has had two significant consequences. First, the country is increasingly interconnected due to the growth of digital services and platforms. The second objective has been facilitated largely by the implementation of Aadhaar. However, the growing ubiquity of Aadhaar came under sustained criticism from various quarters.
One criticism was that Aadhaar was being used for purposes other than social-welfare delivery, such as customer onboarding by private firms. It was alleged that the storage of Aadhaar-related customer information, such as metadata about the place of authentication, constituted a serious breach of privacy.
This effort to create a comprehensive data protection regulation in the EU influenced the debate in India. The debate on the privacy concerns over Aadhaar resulted in a clutch of petitions before the Supreme Court that challenged the validity of the legislation that enabled the system: the Aadhaar Targeted Delivery of Financial and Other Subsidies, Benefits and Services Act, The five-judge bench of the Supreme Court that heard the petitions stated that, since the petitions claimed infringement of the right to privacy, it was first important to determine whether this right existed under the constitution.
It referred this issue to a bench of nine judges of the Supreme Court, which held in August that a right to privacy did exist under Article 21, that the Supreme Court had decided the question incorrectly in Kharak Singh , and that informational privacy was a part of this right to privacy.
First, it clearly and unambiguously stated that there was a fundamental right to privacy under the constitution. In the context of this paper, however, the more significant ground was that the right to privacy was conceptualized as a right in itself, irrespective of what privacy it helped protect in turn. In a long line of past cases, privacy was used to protect specific interests, such as privacy from nighttime police visits in the Kharak Singh case or privacy from telephone tapping in PUCL v.
Union of India. This arguably led to a focus away from the actual harm individuals would suffer from a violation of privacy. Importantly, as explained below, this conception of privacy also aligned with already existing regulatory frameworks in data protection in other jurisdictions. Meanwhile, in July , in response to demands for a comprehensive data protection legislation, the government formed a committee to study issues related to data protection and to propose legislation for it.
The committee, chaired by Justice B. Srikrishna, published a report laying out the rationale for a legal framework for data protection, as well as a Draft Personal Data Protection Bill, In , a report of the U. As early as , an academic, Kenneth C. Laudon, highlighted the limitations of the existing framework. He wrote: The FIP [Fair Information Practices] doctrine was based on the technological reality of the s, where a small number of very large-scale mainframe databases operated by the Federal and State governments, or by large financial institutions, were the primary threats to privacy.
In this period it was conceivable that an individual could know all the databases in which he or she appeared. Large scale databases have become so ubiquitous that individuals have no possibility of knowing about all the database systems in which they appear.
If the technological developments of the early s placed the basic principles of data regulation out of sync with market realities, this gap is arguably wider now. The bill is, however, based on the same basic principles first set out in The bill provides a legal framework for the collection and use of personal information.
In addition to creating a set of rights and responsibilities for the processing of personal data, the bill proposes to create a DPA for making regulations and enforcing the legal framework.
The bill also vests substantive standard-setting powers with the central government and tasks the DPA with enforcing the same. An important feature of the bill is the wide scope of its applicability.
If implemented, it will apply to all enterprises across India other than those specifically exempted. This would include any enterprise that uses automated means to collect data. The DPA will have the power to define small entities based on turnover, volume of data handled, and the purposes of data collection. The bill makes consent a centerpiece of the proposed data protection framework. It proposes that personal data should only be processed on the basis of free, informed, and specific consent, with provisions that allow such consent to be withdrawn.
Any data processing without such consent would be a violation and could result in penalties. The data fiduciary will be required to ensure the data are accurate and stored only for the period necessary for satisfying the purposes of data collection.
It also will be accountable for all compliance requirements under the bill. Data fiduciaries have additional obligations, including to implement privacy by design (which requires them to implement business practices that can anticipate, identify, and avoid harms to consumers); to comply with transparency requirements; to create security safeguards—including methods for de-identifying personal data and encryption and steps for preventing misuse of data; and to create grievance-redress systems.
The bill exempts certain kinds of data collection and processing from specific requirements. The bill requires data fiduciaries to store certain data in India (data localization) and provides an escalating framework for the storage and processing of data based on its sensitivity. Personal data may be transferred freely. The bill does not allow critical personal data (as may be defined by the central government) to be transferred outside the country, except on limited grounds and after meeting certain specified conditions.
Monetary penalties are proposed if data fiduciaries fail to comply with certain provisions. This offense is cognizable—that is, an offense in which an arrest can be made without a warrant—and nonbailable. The proposed legislation, therefore, adopts a comprehensive preventive framework that applies to varied data collection and usage practices.
THE DATA PRIVACY AND PROTECTION BILL, By. DR. SHASHI THAROOR, M.P.. A. BILL to establish an effective regime to protect the.
The Bill seeks to provide for protection of personal data of individuals, create a framework for processing such personal data, and establish a Data Protection Authority for the purpose. In this blog, we provide a background to the Bill, and explain some of its key provisions. What is personal data and data protection?
Highlights of the Bill. Key Issues and Analysis.