<p>In the Age of Internet, you share your personal details with a wide variety of entities – from coffee shops to e-commerce companies to governments. And any of them can misused those details to cause you harm. A data protection law should seek to protect you against such harm.</p>.<p><strong>What is a data protection law?</strong></p>.<p>A data protection law protects the interests of individuals in personal data, or data that is about an individual who can be identified. For example, if a shoe shop only records that a pair of shoes of a particular size was purchased on a particular day, the personal data protection law wouldn’t cover it. But if the shop were to record these details along with unique information like the name, address or phone number of the person who made the purchase, the law would regulate how that data is processed, retained and used.</p>.<p><strong>Why do we need data protection?</strong></p>.<p>Personal data isn’t like other things we own or create. You can sell your car to someone and forget about it, but if you transfer your personal data to someone, it can affect you well into the future because the details can be used to bother, harass, target, or blackmail you, or even discriminate against you. In the Information Age, it can be used to decide what your options in life will be, what benefits you will have access to, and how society will treat you. The Supreme Court has ruled that privacy – including data privacy – is a fundamental right of citizens.</p>.<p>Also Read: <a href="https://www.deccanherald.com/specials/sunday-spotlight/data-protection-or-surveillance-811661.html" target="_blank">Data Protection or Surveillance?</a></p>.<p><strong>What are the elements of data protection?</strong></p>.<p>Data protection requires all entities that collect and use personal data to first specify why they are doing so and requires them to only collect and use data for the purpose they have specified. It further requires such entities to provide individuals with notice of this purpose, to put in place various transparency and data security measures, to delete data when the purpose is fulfilled, and to keep the data within the country unless certain conditions are met. As per data protection laws in most countries, individuals can consent to the collection and use of their data as well as withdraw such consent when they want to. Entities are, however, permitted to use personal data without consent in some situations, such as when another law requires such use, in the case of an emergency, or so as to prevent and detect unlawful activities, like fraud. On the other hand, individuals are empowered to access, correct, erase, transfer, or restrict the disclosure of their personal data being processed by these entities.</p>.<p><strong>How does the Personal Data Protection Bill, 2019, regulate the private sector and the government?</strong></p>.<p>The 2019 Bill makes the elements mentioned above equally applicable to both the private sector and the government. However, the government is additionally permitted to use personal data without consent when it is for a governmental function under a law, and it can be entirely exempted from the provisions of data protection for certain national security and law enforcement purposes. Other exemptions from the provisions of the Bill related to legal proceedings, journalism, research, and emerging technologies that would be beneficial to the private sector.</p>.<p>It is important to understand, however, that personal data is used in a wide variety of areas with rapidly evolving technology. As a result, the Bill only puts in place general principles and standards while leaving many details to be filled in by rules, regulations and “codes of practice” – all to be filled by the government and a proposed Data Protection Authority after the law is passed by Parliament.</p>.<p><strong>Will the Data Protection Authority be impartial?</strong></p>.<p>Given the crucial significance of the Data Protection Authority in both making detailed regulations and in enforcing the law fairly on the government, its members and its adjudicating officers must be independent from the government. A key area of concern is that the Bill hands the central government complete control in matters of appointment to and conditions of service at the Authority, raising issues regarding its impartiality.</p>.<p><strong>Some say the Bill creates a surveillance state. Is it true? What is the problem if the government has all data on me?</strong></p>.<p>Unchecked government surveillance limits the ability of individuals to speak and organise freely so as to develop alternative social and political views and movements. This is especially so in the age of the Internet. Surveillance law has long been an area in dire need of reform and, as a result of exemptions, the Bill fails to create adequate legal constraints for the government’s surveillance activities. These activities deserve to be regulated through legislative safeguards, such as independent judicial oversight and specification of procedures and limitations, but under the proposed law, they will continue to be within the complete control of the central government. Depending on what the government decides to do, the constitutionality of surveillance may come under question.</p>.<p><strong>Are there other areas of concern in the Bill?</strong></p>.<p>Other key issues of concern with the Bill include the legal burden placed on individuals when they seek to withdraw consent for processing, the lack of provision for direct notification to individuals when their personal data has been “breached”, and the inclusion of a power to require entities to share non-personal data with the government. It remains to be seen if the Joint Select Committee studying the PDP Bill, 2019, will rectify these issues.</p>.<p><em>(The writer is Research Fellow, Vidhi Centre for Legal Policy, New Delhi)</em></p>
<p>In the Age of Internet, you share your personal details with a wide variety of entities – from coffee shops to e-commerce companies to governments. And any of them can misused those details to cause you harm. A data protection law should seek to protect you against such harm.</p>.<p><strong>What is a data protection law?</strong></p>.<p>A data protection law protects the interests of individuals in personal data, or data that is about an individual who can be identified. For example, if a shoe shop only records that a pair of shoes of a particular size was purchased on a particular day, the personal data protection law wouldn’t cover it. But if the shop were to record these details along with unique information like the name, address or phone number of the person who made the purchase, the law would regulate how that data is processed, retained and used.</p>.<p><strong>Why do we need data protection?</strong></p>.<p>Personal data isn’t like other things we own or create. You can sell your car to someone and forget about it, but if you transfer your personal data to someone, it can affect you well into the future because the details can be used to bother, harass, target, or blackmail you, or even discriminate against you. In the Information Age, it can be used to decide what your options in life will be, what benefits you will have access to, and how society will treat you. The Supreme Court has ruled that privacy – including data privacy – is a fundamental right of citizens.</p>.<p>Also Read: <a href="https://www.deccanherald.com/specials/sunday-spotlight/data-protection-or-surveillance-811661.html" target="_blank">Data Protection or Surveillance?</a></p>.<p><strong>What are the elements of data protection?</strong></p>.<p>Data protection requires all entities that collect and use personal data to first specify why they are doing so and requires them to only collect and use data for the purpose they have specified. It further requires such entities to provide individuals with notice of this purpose, to put in place various transparency and data security measures, to delete data when the purpose is fulfilled, and to keep the data within the country unless certain conditions are met. As per data protection laws in most countries, individuals can consent to the collection and use of their data as well as withdraw such consent when they want to. Entities are, however, permitted to use personal data without consent in some situations, such as when another law requires such use, in the case of an emergency, or so as to prevent and detect unlawful activities, like fraud. On the other hand, individuals are empowered to access, correct, erase, transfer, or restrict the disclosure of their personal data being processed by these entities.</p>.<p><strong>How does the Personal Data Protection Bill, 2019, regulate the private sector and the government?</strong></p>.<p>The 2019 Bill makes the elements mentioned above equally applicable to both the private sector and the government. However, the government is additionally permitted to use personal data without consent when it is for a governmental function under a law, and it can be entirely exempted from the provisions of data protection for certain national security and law enforcement purposes. Other exemptions from the provisions of the Bill related to legal proceedings, journalism, research, and emerging technologies that would be beneficial to the private sector.</p>.<p>It is important to understand, however, that personal data is used in a wide variety of areas with rapidly evolving technology. As a result, the Bill only puts in place general principles and standards while leaving many details to be filled in by rules, regulations and “codes of practice” – all to be filled by the government and a proposed Data Protection Authority after the law is passed by Parliament.</p>.<p><strong>Will the Data Protection Authority be impartial?</strong></p>.<p>Given the crucial significance of the Data Protection Authority in both making detailed regulations and in enforcing the law fairly on the government, its members and its adjudicating officers must be independent from the government. A key area of concern is that the Bill hands the central government complete control in matters of appointment to and conditions of service at the Authority, raising issues regarding its impartiality.</p>.<p><strong>Some say the Bill creates a surveillance state. Is it true? What is the problem if the government has all data on me?</strong></p>.<p>Unchecked government surveillance limits the ability of individuals to speak and organise freely so as to develop alternative social and political views and movements. This is especially so in the age of the Internet. Surveillance law has long been an area in dire need of reform and, as a result of exemptions, the Bill fails to create adequate legal constraints for the government’s surveillance activities. These activities deserve to be regulated through legislative safeguards, such as independent judicial oversight and specification of procedures and limitations, but under the proposed law, they will continue to be within the complete control of the central government. Depending on what the government decides to do, the constitutionality of surveillance may come under question.</p>.<p><strong>Are there other areas of concern in the Bill?</strong></p>.<p>Other key issues of concern with the Bill include the legal burden placed on individuals when they seek to withdraw consent for processing, the lack of provision for direct notification to individuals when their personal data has been “breached”, and the inclusion of a power to require entities to share non-personal data with the government. It remains to be seen if the Joint Select Committee studying the PDP Bill, 2019, will rectify these issues.</p>.<p><em>(The writer is Research Fellow, Vidhi Centre for Legal Policy, New Delhi)</em></p>