Recognising 'She' in parliamentary jurisprudence

When India would frame exclusive legislation that protects the legitimate rights of data subjects and safeguards the privacy and security of their personal data was long a much-deliberated issue. It was known to the Government and other stakeholders that the available provisions in the Information Technology Act are indeed scanty, inadequate and failing to serve any purpose. Finally, citizens’ long wait has come to an end with the Parliament passing the Digital Personal Data Protection Bill, 2023 in its current session, which received Presidential assent on Saturday. The Act will come into force upon being notified by the Centre.

For the first time in the 76-year-old chequered history of parliamentary law-making and legislative jurisprudence in Independent India, the left-out “she” in legislation has found acceptance. The missing “she” in legislation has been identified, expressly acknowledged and given a unique reference in law-making. The Act explicitly refers to ‘she’ instead of the routine reference to ‘he’. Section 2(y) of the Act says “she” in relation to an individual includes the reference to such individual irrespective of gender. This novel feature of the legislation has to be generally applauded as an attempt to uphold and recognise gender equality in parliamentary law-making. But the other side of the legislation does not present a rosy picture. Exemptions envisaged in the Act are indeed exclusions in relation to the otherwise protected personal data and confer unqualified privilege, immunities and discretion to the Government and its functionaries while processing and handling the digital personal data of citizens.

Digital rights are the human and legal rights that allow individuals to access, use, create, and publish digital media. They also permit individuals to access and use computers, electronic devices and telecommunication networks. Digital rights imply the right to privacy and data protection. It is beyond doubt that Internet access has an essential role in safeguarding freedom of expression, association, right to education, consumer rights, capacity building, and so on.

Several countries in the world have their own domestic laws that broadly recognise the rights of data subjects. The Internet has now become a global public good and as such it should be accessible to all and respectful to the rights of others. At a time when repressive regimes are restricting access to information and communications and keeping surveillance over the personal data of citizens, democratic governments are expected to work together to ensure that citizens’ personal data is well protected and guarantee access to the internet and adopt general principles to ensure that network use respects universal data rights.

Personal Data as peoples’ rights

Digital personal data implies the data by which a person may be identified. Digital personal data is the central theme of the new legislation, and the comprehensive legislation ensures the processing of digital personal data for lawful purposes only and in a lawful manner, recognising the rights of the data subjects. The obligations of Data Fiduciaries, such as persons, companies and Government entities who process data of individuals by collection, storage and other means, are determined in the Act. The legislation stresses enhancing the ease of living and doing business and thereby enables a digital economy and innovation eco-system.

The new legislation permits only consented, lawful and transparent use of personal data, and that too only for the specified purpose. Collection of only the personal data necessary for the purpose, data accuracy, and storage limited to necessity are also adumbrated. The Act ensures accountability through adjudication of data breaches and imposes reasonable security safeguards in the handling of personal data.

Digital subjects have been guaranteed specific rights in relation to personal data such as the right to access information about personal data processing, the right to correction and erasure, the right to grievance redressal and the right to nominate a person to exercise rights in case of death or incapacity. For enforcing the rights, an affected Data Principal may approach the Data Fiduciary in the first instance and, if dissatisfied, can complain to the Data Protection Board against the Data Fiduciary.

Making Fiduciaries accountable

Data Fiduciaries are obligated to provide necessary security safeguards to prevent personal data breaches. They have the duty to intimate personal data breaches to the Data Principal and Data Protection Board. Fiduciaries have to erase data no longer required and also to erase data upon withdrawal of consent. They have to provide a grievance redressal mechanism and in the case of Significant Data Fiduciaries, there is a need to appoint data auditors and conduct periodic data protection impact assessments to ensure a higher degree of protection.

The Act envisages provisions intended to safeguard the personal data of children and such data can be processed only with parental consent. It cannot be processed if detrimental to their well-being or if it involves tracking, behavioural monitoring or targeted advertising.

Controversial exemptions

The new legislation contemplates exemptions in the processing of personal data of digital principals. Such exemptions have been noted in respect of notified agencies in the interest of security, sovereignty and public order; for research, archiving and statistical purposes; for start-ups and other notified categories of Data Fiduciaries; for enforcing legal rights and claims; for performing judicial and regulatory functions; for preventing, detecting, investigating and prosecuting offences; for approved mergers and demergers; for locating defaulters and their financial assets. These broad arrays of exemptions are likely to be misused by the State and its agencies and thus may hamper the spirit and purpose of the legislation itself.

Given the exemptions, very little could be achieved towards data protection and the protected personal data of the citizens could be inappropriately dealt with. There is no periodical updating of the definition of personal data. Though there is the Data Protection Board envisaged for remediating and mitigating data breaches and for inquiring into breaches and complaints and imposing penalties for breaches, most of the public acts or governmental actions may not be taken cognizance of by the Board as they may fall within the protected net of exemptions.

The provision for referring complaints relating to data breaches to the alternate dispute resolution mechanisms may weaken the efficacy of the remedy available against breaches and result in violations being viewed lightly. The Board also has the power to advise the Government to block the website or app of a fiduciary for repeatedly violating the provisions and this may also become a haven for the Government to act in tune with its wishes.

With individuals abusing the freedom of expression, with companies potentially exploiting computer users for financial gain and with repressive regimes blocking information from their citizens, what the world needs is a new charter of data rights, fixing responsibilities on Individuals, Companies and the Government for abuse.

Interventions on personal data must be lawful, specifically warranted and least privacy-invasive. Regulatory measures must protect encryption, and envisage independent oversight and scrutiny. Every country has some sort of data privacy and security laws regulating the collection, processing and transfer of personal information concerning its subjects. Its implications in the event of violation may vary from fines, lawsuits, to prohibition of the site’s use within local jurisdictions.

The American experience

In the United States, there is no comprehensive federal law that governs data privacy. The prevailing laws are sector-specific and situation-specific, addressing areas such as telecommunication, health information, credit information, financial institutions and marketing. The earliest federal law that still has an application and bearing on data privacy in the US could be identified in The Federal Trade Commission Act 1914, which regulated commercial entities to prevent unfair or deceptive trade practices. Under this enactment, designated authorities can enforce privacy laws and take action to protect consumers. This law will not apply to members of the public generally but only applies when they come within the position of consumers.

The other US federal laws that govern the collection of online information include the Children’s Online Privacy Protection Act of 1998, which governs the collection of information about minors; the Health Insurance Portability and Accountability Act of 1996, which governs the collection of health information; the Gramm-Leach-Bliley Act of 1999, also known as the Financial Services Modernization Act of 1999, which governs personal information collected by Banks and Financial Institutions; and the Fair Credit Reporting Act of 1971, which regulates the collection and use of credit information of consumers.

State privacy legislation in the US

In the United States, there is an attempt to put privacy legislation at the State level. US State Attorneys General, as part of the institutional framework, oversee data privacy laws governing the collection, storage, safeguarding, disposal and use of personal data collected from their residents.

California Privacy Rights Act passed the ballot in November 2020. The newly introduced legislation recognises the right to rectification as a cardinal right available to the data subjects. This is a guarantee to the consumers to correct inaccurate personal information. The Act also recognises the right to restriction available to consumers to limit the use and disclosure of their sensitive personal information. A novel feature of the new legislation is that it envisages provision for periodical updating of the definition of ‘personal information’.

California Privacy Protection Agency has been established by the statute to act as the new privacy regulator also empowered to frame privacy guidelines. The privacy protection agency constituted for this purpose is a five-member Board empowered to fine transgressors. Strikingly, California Privacy Rights Act came into force on 01.07.2023.

Closely on its heels, Virginia State passed the Virginia Consumer Data Protection Act on March 2, 2021. Under this State enactment, consumers have rights over their data. Companies can collect, treat and share data only in accordance with the provisions of the Act, which envisages that companies should obtain consent before processing consumers' sensitive data, disclose when their data will be sold and allow them to opt out of it. This legislation also becomes effective in 2023. The Colorado Privacy Act of 2020 grants Colorado residents rights over their data and places obligations on data controllers and processors.

New York State voted in model privacy legislation in the form of the SHIELD Act (Stop Hacks and Improve Electronic Data Security Act) in July 2019. This legislation creates more data security requirements for companies that collect information about New York residents. The Act has already come into force in March 2020 and it provides better protection for New York residents for data breaches of their personal information.

Data protection in Europe

At the international level, the presence of the General Data Protection Regulation (GDPR) codified in 2016 governs the collection, use, transmission, and security of data collected from the residents of any of the twenty-eight member countries of the European Union. The law applies to all European Union residents, regardless of the entity’s location that collects the personal data. Fines of up to Twenty Million Euros or Four percent of the total global turnover may be imposed on organisations that fail to comply with GDPR.

Under the GDPR requirements, Data subjects must be allowed to give consent before the collection of data. Information collected through the use of cookies is also treated as personal data. GDPR recognises a bundle of digital rights and entitlements such as the right to be informed, the right to access one’s data, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability and the right to object.

Brazil’s Data Protection Law: Model Measure

Brazil’s general law on protection of personal data came into force in 2020 and it addresses the genuine requirements of the data subjects. The law adumbrates provisions analogous to GDPR and regulates the processing and treatment of personal information of all individuals in Brazil. The good part of it is that even if your company is not based in Brazil, if you process the data of Brazilian residents, the law applies to you.

Defaulting companies may receive a fine such as two per cent of their sales revenue or even up to fifty million Brazilian Dollars (12 million USD).

Will India tune up?

In the ocean of data, personal data is life itself and must be treated with care and respect. Once it has leaked, there’s no getting it back. Protecting it is part of the right to privacy, an absolute pre-requisite for an individual, reaffirmed as integral to freedoms guaranteed across fundamental rights and an intrinsic aspect of dignity, autonomy and liberty by a Nine-Judge Bench of the Supreme Court in Puttaswamy’s case (2017).

India must learn from Europe and the US Federal States to mould its future in the digital landscape. The experiences of American States like Colorado, California, Virginia, New York and Brazil could provide valuable and impressive tips in the course of navigation. The supreme existence of GDPR as the sanctum sanctorum of digital rights and entitlements of the data subjects could be relied on in law-making and policy formulation.

The British Author, Adlin Sinclair once observed, “Without faith, hope and trust, there is no promise for the future, and without a promising future, life has no direction and no justification”. People of the country still share the faith, hope and trust in democracy and its Institutions and expect that their personal data would be protected from any form of invasion.

(Dr. Pauly Mathew Muricken is a lawyer, writer and academician based in Kochi)
