The language of data protection
Some key terms:
Data means information that is presented in a form that is more appropriate for processing.
An operation or set of operations performed on personal data including collection, recording, organisation, structuring, storage, adaptation, indexing, eraser or destruction.
Any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interest of a data principal.
It is the person, company or entity whose information is being collected.
This can be a person, state, company or any entity that decides, why data should be processed and how it should be processed. Others sometimes refer to this as the “data controller”.
SIGNIFICANT DATA FIDUCIARIES
This is based on the volume and sensitivity of the data as well as the fiduciary’s revenue, risk of “harm” to the principal and type of technology use.
It relates harm to mental injury, identity theft, finances, reputation, employment, discrimination and service denial. It also includes any restrictions to individual action, because of the fear of surveillance and any surveillance that is not reasonably expected by the individual.
While the fiduciary controls how and why data is processed, the processing itself may be conducted by a third-party, the “data processor”. This is important to delineate responsibility as data moves from Group to Group. For example in USA, Facebook (the data controller) was hit by controversy over the actions of a third-party data processor, Cambridge Analytica.
PERSONAL DATA & PERSONAL SENSITIVE DATA
Personal data can identify the person associated with data. Sensitive personal data covers list of categories like passwords, finances, health, biometrics, caste and many more.
PURPOSE LIMITATION & COLLECTION LIMITATION
The collection of data is, what is needed for clear, specific and lawful purposes or for reasons that the data principal would reasonably expect. The DPA can determine these by taking into account the interests of the fiduciary, public interest, individual rights and the reasonable expectations of the individual.
DATA TRUST SCORE
The DPA can assign, register and manage data auditors, who then may give fiduciaries a Data Trust Score, after a data audit.
They will have the powers to call people for inquiry into fiduciaries, assess the compliance and determine the penalties on the fiduciary or compensation to the principal.
PERSONAL DATA BREACH
Any unauthorised or accidental disclosure, acquisition, sharing, use, alteration, destruction of personal data that comprises the confidentiality, integrity or availability of personal data to a data principal.
RIGHT TO BE FORGOTTEN
- It born out of internet’s concept of extended memory.
- It has got historical roots in European Union Law.
- The right allows an individual to remove consent for data collection and disclosure.
- While in EU, the task for assessing requests for removal falls on the fiduciary, India’s draft asks the adjudicating officer to decide by balancing individual rights and the right to free speech and the right to information.
This is with regard to regulation of the transfer of data, outside national borders.It mandates every fiduciary to store at least one copy of personal data of India, with exceptions determined by the Central Government. If the data is critical personal data to be determined by the Central Govt., it is to be stored and processed in India. Sensitive personal data can be transferred in case of health emergency and with Central Govt. approval.
Often the markers of data that make an individual identifiable can be removed or masked in a process of “de-identification.”
PRIVACY BY DESIGN
This is the concept in which the de-identification process plays a role. The report conveys this to mean organisational practices that avoid harm to individuals and that process data in a transparent manner.
The draft grants individuals this right or the ability to access and transfer one’s own data. It specifies that the data should be received in a structured, commonly used and machine-readable format. Fiduciaries may charge fees for this process.
PERSONAL DATA PROTECTION BILL, 2018
- It restricts and imposes conditions on transfer of personal data.
- It suggests setting up of Data Protection Authority of India to prevent any misuse of personal information.
- It also provides the right to be forgotten and prescribed stiff penalties for violations.
- Penalties of Rs. 15 crore or 4% of total worldwide turnover of any data collection / data processing entity for violation of provisions.
- Failure to take prompt action on a security breach can attract a fine up to Rs. 5 Cr or 2% of turnover, whichever is higher.
- Right to Privacy is a fundamental right and it is necessary to protect personal data and essential facet of informational privacy.
FURTHER ASPECTS OF PERSONAL DATA PROTECTION BILL, 2018
- It allowed processing of personal data only for the purpose it is collected or for compliance of any law, employment and for any function of Parliament or any State Legislature.
- Personal data means data about or relating to a natural person, who is directly or indirectly identifiable.
- It means giving regard to any characteristic, trait, attribute or any other feature of the identity of such natural person.
- The sensitive personal data comprises of passwords, financial data, health data, sex life, sexual orientation and biometric data, genetic data, caste or tribe, religious or political belief or affiliation.
Processing of sensitive personal data should be on the basis of explicit consent.
CRITICAL PERSONAL DATA AND OTHER PERSONAL DATA
- Critical personal data should be processed in the centres located within the Country.
- It left it to the Government to notify the categories of personal data that will be considered “critical”.
- Other personal data may be transferred outside the territory of India with some riders. However, at least one copy of the data needs to be stored in India.
MORE ON THE DATA PROTECTION BILL
- It may be processed on the basis of the consent of the Data Principal, not later than at the commencement of the processing.
- It will not have retrospective application and will come into force in a structured and phased manner.
- It recognised privacy principles on how a notice should be sent to the individuals before data is collected.
- It says, the consent should be
- Clear and
- Capable of being withdrawn.
- It prescribes explicit consent for sensitive personal data.
SPECIAL PROVISIONS FOR PROTECTION OF DATA OF CHILDREN
- Companies should be barred from certain types of data processing such as
- Behavioral monitoring
- Targeted advertisements etc.
- This is because of the reason that children are unable to fully understand the consequences of their actions.
- The Committee recommended that the Data Protection Authority will have the power to designate websites or online services, that process large volumes of personal data of children as “guardian data fiduciaries”.
- The harm may be tangible in terms of physical or reputational harm and intangible in terms of loss of autonomy.
- Guardian data fiduciaries must be barred from these practices, in so far as it pertains to children. This approach of placing the onus of properly processing the data of a child on the company is preferable to the existing regulatory approach, which is based solely on the system of parental consent.
THE DATA PROTECTION AUTHORITY OF INDIA
- It will be sector agnostic.
- It will be governed by a Board consisting of six whole time members and a Chairperson appointed by the Union Government on the recommendations of a Selection Committee.
- The Selection Committee shall consist of Chief Justice of India or her nominee (who is the Supreme Court Judge), the Cabinet Secretary, GoI and one expert of repute, who has special knowledge of areas related to data protection / information technology.
- The members of DPA are to be individuals of integrity and ability with special knowledge and professional experience of not less than 10 years in areas related to data protection, information technology, data management, cyber and internet laws etc.
- DPA members will have a five year term subject to a suitable retirement age and their salaries will be prescribed by the Central Government.
- DPA will have four departments and related functions
- Monitoring and enforcement
- Legal affairs, policy and standards setting
- Research and awareness
- Enquires, grievance handling and adjudication
- The DPA will be stating codes of practice, conducting enquiries and issuing warnings and injunctions.
It also provides for setting up of an Appellate Tribunal.
- It recommended, processing of data for certain interests, such as security of the State, legal proceedings, research and journalistic purpose may be exempt from certain obligations of the proposed data protection law.
- It is because of State or societal interest.
- The law should guard against potential misuse.
- If it is in the interest of security of the State, it should be by an authority in accordance with the procedure established by the Law made by the Parliament.
Right to privacy judgment pronounced in the year 2017 by the Honorable Supreme Court of India gave individuals a beacon of hope with respect to safeguarding their inalienable right of autonomy and to check arbitrary actions of the government that seeks to make inroads into our privacy. The deontological approach adopted by the nine judge bench in Puttaswamy categorically gives primacy to the individual rights over collective rights, which is also enshrined in the the very structure of the Constitution as the chapter guaranteeing enforceable Fundamental rights precedes the one setting out unenforceable Directive Principles of State Policy.
In alignment with the Right to Privacy judgment, on July 31, 2017, the Government set up a five-member Committee chaired by former Supreme Court judge, Justice (Retd.) B.N. Srikrishna, to draw up a draft Data Protection Bill. It will be India’s first exclusive statute providing protection to online users’ personal data from breach by state and non-state players, once it becomes a law. The B.N. Srikrishna committee recently submitted the draft Data Protection Bill that imposed conditions on transfer of personal data but exempted the processing of personal data from being called a breach if it is processed for any function of Parliament or any State Legislature or for any welfare purpose. This provision of data protection bill indicates that the state has balancing role between the common good and the individual right of privacy.
But, how far is this provision in conformity with the right of privacy judgement?
The right of privacy judgement gave paramount importance to an individual’s right to privacy over the common good, as right to privacy is an essential facet of liberty of individuals. It also strengthens individuals right to equality, right to take informed decision, freedom from disproportionate influences, which are the prerequisites for a democracy to sustain. The current data protection bill makes state a facilitator of human progress and custodian of common good which puts the objective of achieving common good and the economic development first rather than individuals data privacy. This unchecked power may lead to disproportionate influence, which would put the institution of democracy at its peril.