NOVEMBER 08, 2021

By M G Kodandaram, IRS, Assistant Director (Retd) Advocate and Consultant

AS more and more Countries around the globe are guaranteeing the much-required privacy rights to their citizens through personal data protection laws, the largest democracy of the world is limping slowly towards achieving that goal. As per the latest reliable information, 128 countries ¹ have already put in place, the legislation and administration to secure the protection of personal data and privacy to their residents. Even though the Apex Court has been, assured by the Indian Government of India, over four years ago, to legislate suitable laws to protect privacy of individuals, it is yet to provide necessary legislative framework for the same. The reasons for the inordinate delay, though not expressly made known, from the reactions in the media, seems to be due to efforts to safeguard the Commercial Interests of the corporates, who are the instigators for prolonging the law-making process. Added to this, certain business groups are throwing their weight around the administration to dilute the privacy laws as recommended by the committee of experts under the Chairmanship of Justice B.N. Srikrishna ². Observing the developments happening around, one can forecast the outcome that as compared to similar mandates of other countries, Indian privacy law will be a diluted form of personal data protection law. In this situation, it is pertinent to examine the protection available to the citizens' personal information/data at present in India and the desired sui-generis legislation for protection of the privacy rights of the individuals solicited.

To protect oneself from unwarranted interference in life, privacy of certain personal information is essential as it gives one the required space to be comfortable within self and people around in the society. Every individual's desire to keep certain personal information protected from public, deserves to be honoured, unless the public interest demands. The 'Right to Privacy' of an individual is the basic requirement for preservation of reputation and for protection of oneself from the harm caused by others. Privacy is the foundation upon which many other human rights are built.

As on date, India does not have a dedicated law for personal data protection and enforcement of privacy rights. The Information Technology Act 2000 (ITA 2000), the primary legislation, enacted with an objective to promote e-commerce, included elementary provisions relating to Cyber Crime. The ITA 2000 was amended in 2008, in which more aspects relating to personal data protection were added. Section 43A contains issues pertaining to matters like Data Protection, definition of sensitive personal information, reasonable security practice and related issues. The said provision provides for compensation to the individual/victim in the event of any entity/person is negligent in using 'Reasonable Security Practices and Procedures' (RSPP) in protecting 'Sensitive Personal Data and Information' (SPDI) and this results in a wrongful gain or wrongful loss to that individual. The Section 79 had rules defining the responsibilities of an intermediary to protect privacy of individuals whose personal information is collected by the organization and Section 72A renders the personal data breach a punishable offence. The Section 67A related to data retention and sections 69/69A/69B/70B contained provisions relating to powers of agencies for surveillance etc. Therefore, we can conclude that the amended law had most of the features of a data protection in theory, but with no exclusive Data Protection Authority in place for implementation of the stated provisions.

However, the IT Act 2000/8 provides for appointment of an Adjudicating Authority to decide whether a person has contravened the IT Act, or its rules made thereof. In instances where the claim of injury or damage to the individual does not exceed 50 million rupees, the Secretary to the Ministry of Information Technology (MeitY) in each State has been appointed as the Adjudicating officer. The adjudication process mandated for obtaining fair relief to the victims failed miserably due to negligence and poor performance of the adjudicators. The author's observations on this derailed process of justice delivery system could be gathered on reading article titled 'In Quest of 'Person'- Challenge Caused by Cyber Law'. As the designated officer has always been occupied with more commercially centered matters, the entire adjudication process got totally dis-organized. Despite regular reporting of the shortcomings, the Governments, it appears, never took any proactive initiative to set right the matter. The MeitY has failed to provide a fair mechanism and time frame for deciding the complaints filed by the victims. The plight of the victims has gone unattended for long as little attention is given by the Ministry concerned towards refining the system. In fact, the victims have stopped using this route, as it never gave them any timely relief. Further the defendants are almost always large corporates and the delay in justice delivery added to their advantage as individuals lost interest in pursuing their claims. From the existing poor practices, we can certainly conclude that the legal remedy provided for protection of personal data in India has totally failed.

The Indian government woke up to the issue of providing legal and fair protection to the citizens' privacy and personal information/data only after the Honourable Supreme Court's verdict in the case of Justice K.S. Puttaswamy vs Union of India ³, affirming the same as a fundamental right assured in the Constitution. On 24th August 2017, the nine-judge bench of the Apex Court held that, "The Right to Privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution". Since Privacy has been held to be a fundamental right, the Government cannot infringe on the privacy of a citizen except under "reasonable restrictions". The Supreme Court also clarified that like most other fundamental rights, the right to privacy is not an "absolute right". Majority of the judges have also endorsed the view that the European standard of proportionality shall be applied to test privacy infringements. However, any challenged action will continue to be tested on principles of "just, fair and reasonable" standard evolved under Article 21 of the Constitution.

The Indian Government informed the Apex Court about setting up an expert committee, headed by Justice (Retired) B N Srikrishna, to recommend a suitable data protection legal framework. After wide public consultations, the committee submitted its report along with a draft Personal Data Protection Bill 2018.  The opening part of the report ⁴ unequivocally states the purpose as, "if India is to shape the global digital landscape in the 21st century, it must formulate a legal framework relating to personal data that can work as a template for the developing world. Implicit in such a belief is the recognition that the protection of personal data holds the key to empowerment, progress, and innovation. Equally implicit is the need to devise a legal framework relating to personal data not only for India, but for Indians".

After certain modifications, The Union Government introduced the 'Personal Data Protection (PDP) Bill, 2019' in the Lok Sabha on December 11, 2019. The Bill ⁵ (Proposed Indian privacy law) proposes to provide a legitimate structure for protection of personal data of individuals and regulatory framework for collection and processing of such data by various agencies through establishment of a Data Protection Authority. The bill was referred to a joint parliamentary select committee for scrutiny and report, after consultation with all stakeholders concerned. The JPC held extensive discussions and submitted its report to the Cabinet committee for finalization. However, further developments in the form of some of the JPC members becoming Ministers, the new JPC demanded some more discussion of the final version. The submission of the modified version of the report by the new JPC is awaited.

In the meanwhile, the MeitY in 2019 formed a committee to make recommendations on the regulation of non-personal data (NPD) for the Government's consideration. The expert committee headed by Mr. Kris Gopalakrishnan ⁶ released its report on non-personal data governance on 12 July 2020.  The report on Non-Personal Data Governance (NPDG) contained recommendations for identifying "Data Business", setting up a marketplace for "Data Trading", recognizing Non-Personal Data ownership as "Anonymized PD"," Community NPD" "Private NPD" and "Public NPD" etc. The goals of the Non-Personal Data Governance Framework (NPDF) include creating a framework to unlock the economic, social and public value from using data; creating incentives for innovation and new products, services and startups in India; and addressing privacy concerns, including from re-identification of anonymized data. After receiving the feedbacks from concerned, the Committee of Experts issued a  revised report ⁷  on the Non-Personal Data Governance Framework for India on December 16, 2020.  The Committee observed that non-personal data should be regulated to: (i) enable a data-sharing framework to tap the economic, social, and public value of such data, and (ii) address concerns of harm arising from the use of such data. The NPD Governance Act which Kris Gopalakrishnan proposed, therefore, can focus entirely on the monetization of the NPD. The new governance framework is stated to be creating delay in passing of the PDP legislation.

There are moves to merge the Non-Personal Data governance realms with privacy laws as tabled through PDP Bill, 2019 to create common authority which is a move in wrong direction. By resorting to such a move, the privacy rights of individual go unheard again as the authority will be filled up with corporate commercial interests as is happening in the IT Act 2000/8 regime. Added to this, as the objective of both proposed laws are entirely different, merging them under one roof will result in downplaying with the fundamental rights of the citizen as held by the Apex court.

As per the bill placed before parliament, the Section 43A of ITA 2000/8 will be deleted and accordingly the responsibilities presently exercised by the Adjudicator gets shifted to the proposed Data Protection Authority. In view of the fact that an exclusive Authority is going to be formed to resolve the privacy issues, the victims who normally are individuals, may hope to receive a faster and fair treatment in obtaining damages for the caused harms.

The objective of PDP is primarily to protect the Privacy rights of the individuals whereas the NPDG intends at providing a governance mechanism suitable for monetization to the commercial entities in respect of non-commercial data. Any Breach of Personal data by a fiduciary affects the interest of the Individuals, who should be placed in a comfortable environment to seek the remedy for violations of the right to privacy. As against this, any breach in non-personal data impacts the Companies who are better placed than the individuals to seek redressal. Further, the personal data breach has consequences like subjective issues like loss of reputation in addition to monetary loss to an individual. It should be noted here that the individual is seeking relief as it is an unalienable right assured by the Constitution. The complaints will be normally against corporate entities who have breached privacy norms. As against this, the non-personal data breach, which are not treated as violations of the fundamental rights, has only commercial interests and consequences. Therefore, the laws intended for different purposes shall not be stringed together to create an uninvited eco-system, where justice to individuals will be a mirage again. If done, the privacy aspect of individual will certainly take a heavier beating as well as it results in diluting the fundamental rights guaranteed under the constitution. 'If the JPC takes the bait, it could be falling into a trap and it will find it difficult to get the PDPB 2019 passed or avoiding operational conflicts after it is passed which could delay its the notification of operating rules' opines Naavi ⁸, the veteran Cyber Law specialist. There will be no one to listen to the individual's cry of privacy as the corporates' heavy bugles always steal the show, as usual.

It is a pertinent to mention here that the same corporates are adhering to stricter privacy regimes in their working places in the developed and privacy law protected nations, without any remorse. At the same time, they do not want the Indian exclusive privacy law to take suitable shape enabling the rights of the individuals served, as desired by the Apex court, which is surprising.

In view of the above facts, it is expected that the proposed privacy law and administration will be in the exclusive domain where every Indian citizen can access, with simple procedures in place and obtain timely reliefs for the violations/breach of her/his fundamental rights as guaranteed by the Constitution of India.

[The views expressed are strictly personal.]

¹https://taxindiaonline.com/RC2/inside2.php3?filename=bnews_detail.php3&newsid=25274

²https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf

³https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf

⁴https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf

⁵https://taxindiaonline.com/RC2/inside2.php3?filename=bnews_detail.php3&newsid=39967

⁶https://ourgovdotin.files.wordpress.com/2020/07/kris-gopalakrishnan-committee-report-on-non-personal-data-governance-framework.pdf

⁷ https://ourgovdotin.files.wordpress.com/2020/12/revised-report-kris-gopalakrishnan-committee-report-on-non-personal-data-governance-framework.pdf

⁸https://www.naavi.org/wp/a-challenge-accepted-if-pdpb-is-converted-into-dpb/ visited on 06112021