Data Protection Bill, 2019 Flashcards

1
Q

When was data protection bill introduced?

A

The Personal Data Protection Bill 2019 (PDP Bill 2019) was tabled in the Indian Parliament by the Ministry of Electronics and Information Technology on 11 December 2019.
The Bill covers mechanisms for protection of personal data and proposes the setting up of a Data Protection Authority of India for the same. The 2019 Bill includes some key provisions that the 2018 draft Bill did not, such as the central government's power to exempt any government agency from the Bill, and the Right to Be Forgotten.
It was introduced by Ravi Shankar Prasad (Minister of Electronics and Information).

2
Q

What is JPC?

A

As of 2020, the Bill is being analyzed by a Joint Parliamentary Committee (JPC) in consultation with experts and stakeholders. The JPC, which was set up in December 2019, is headed by BJP Member of Parliament (MP) Meenakshi Lekhi. While the JPC was given a short deadline to finalize the draft law before the Budget Session of 2020, it has sought more time to study the Bill and consult stakeholders.

3
Q

Who is the current Minister of Electronics and Information Technology?

A

Shri Ashwini Vaishnaw.

4
Q

How was the draft of Data Protection introduced?

A

In July 2017, the Ministry of Electronics and Information Technology set up a committee to study issues related to data protection. The committee was chaired by retired Supreme Court judge Justice B. N. Srikrishna. The committee submitted the draft Personal Data Protection Bill, 2018 in July 2018. After further deliberations the Bill was approved by the cabinet ministry of India on 4 December 2019 as the Personal Data Protection Bill 2019 and tabled in the Lok Sabha on 11 December 2019.

5
Q

Provisions under the BILL. (IMP)

A

To provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the fundamental rights of individuals whose personal data are processed, to create a framework for organisational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorised and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected therewith or incidental thereto.

6
Q

Criticism related to the bill. Who criticized the bill? (IMP statement-based question.)

A

The revised 2019 Bill was criticized by Justice B. N. Srikrishna, the drafter of the original Bill, as having the ability to turn India into an “Orwellian State” (a term used to describe a political system in which the government tries to control every part of people’s lives).

Forbes India reports that “there are concerns that the Bill […] gives the government blanket powers to access citizens’ data.”

Jaiveer Shergill, a prominent Supreme Court lawyer, has pointed out the pitfalls and gaps of the current version of the draft bill. There are serious loopholes: the bill does not identify which governmental bodies have access to the personal data of citizens, and it lacks state bodies to monitor the personal data.

7
Q

Recent updates.

A

Recently the Ministry of Electronics and Information Technology (MeitY) released its Draft India Data Accessibility and Use Policy 2022 for public consultation. This is a continuation of earlier efforts to encourage better utilisation of large-scale data collected by the government machinery.

The draft policy is a step forward in realising the potential of this large volume of data. However, any data accessibility-and-use policy is incomplete without adequate public safeguards provided through a comprehensive data protection framework.

8
Q

Provisions of the Draft policy 2022.

A

The policy aims to radically transform India’s ability to harness public sector data.
It proposes the establishment of an India Data Office (IDO) to streamline and unify data access and sharing among government and other stakeholders.
It covers all data and information generated, created, collected, or stored by the central government and authorised agencies.
The measures can also be adopted by state governments.
All government data will be open and shareable unless it falls under a negative list of data sets.
Data categorised under the negative list of datasets will be shared only with trusted users in a controlled environment.
Data shall remain the property of the agency/ department/ ministry/ entity which generated/collected it.
Access to data under this policy shall not be in violation of any acts and rules of the government of India in force.
Despite the demands of academia and other stakeholders, large volumes of such data have remained unutilized.
The policy will take advantage of data generated through routine administrative processes for the better delivery of public services.
What are the Concerns Regarding the Policy?
Lack of Data Protection Law: Any data accessibility-and-use policy is incomplete without adequate public safeguards provided through a comprehensive data protection framework. Unfortunately, the progress on that front has been slow.
The urgency of such a framework is all the more acute because the proposed policy suggests licensing of public-sector data on citizens to private entities.
Misuse of Data: There are also issues of conflict of interest and misuse of such data for commercial or political purposes.
At a time when data is “the new oil”, monetization of valuable public sector data without adequate safeguards can be counter-productive, with implications for governance of public services and the privacy of individuals.
Citizens’ Attempts to Obtain Public Data: Administrative control over data has also been used to thwart attempts by users and citizens to obtain data for public use.
A good example of this is the Right to Information (RTI) Act, which has been diluted to a large extent over the past decade. Citizens’ attempts to obtain public data have even led to many RTI activists losing their lives.
Disregards Reliable Independent Surveys: Public data has often been used to discredit independent credible surveys, rather than complement them. Such records are often used to suit a political narrative.
Data from the Employee Provident Fund Organisation (EPFO) and E-Shram portal have been used to argue that jobs are being generated, as against separate evidence from the PLFS of the National Statistical Office (NSO).
Impact of Commercial Interests in Data: Given that more data means more money, commercial interests will prompt the government to collect granular personal details through greater capture and increased retention periods.
Tying government policy determinations with a fiscal potential may also lead to distortion of the aims of data collection — the welfare of farmers, healthcare, unorganised labourers or even schoolchildren.
Over time, the original objectives for which databases are built will get diluted in favour of commercial interests.
Federalism: The policy, even though it notes that State governments will be, “free to adopt portions of the policy,” does not specify how such freedom will be achieved.
This becomes relevant if specific standards are prescribed by the Central government for data sharing, or as a precondition to financial assistance.
There is also the absence of any comment on whether data gathered from States may be sold by the Central government and whether the proceeds from it will be shared with the States.

9
Q

Significance of the bill 2019.

A

Data is the large collection of information that is stored in a computer or on a network.
Data is collected and handled by entities called data fiduciaries.
While the fiduciary controls how and why data is processed, the processing itself may be done by a third party, the data processor.
This distinction is important to delineate responsibility as data moves from entity to entity. For example, in the US, Facebook (the data controller) fell into controversy for the actions of the data processor.
The processing of this data (based on one’s online habits and preferences, but without prior knowledge of the data subject) has become an important source of profits for big corporations.
Targeted advertising: Companies, governments, and political parties find it valuable because they can use it to find the most convincing ways to advertise online.
Apart from this, it has become a potential avenue for invasion of privacy, as it can reveal extremely personal aspects.
Also, it is now clear that much of the future’s economy and issues of national sovereignty will be predicated on the regulation of data.
The physical attributes of data — where data is stored, where it is sent, where it is turned into something useful — are called data flows. Data localisation arguments are premised on the idea that data flows determine who has access to the data, who profits off it, who taxes and who “owns” it.

10
Q

What does the PDP bill propose?

A

The B N Srikrishna committee draft had required all fiduciaries to store a copy of all personal data in India, which was criticised by foreign technology companies that store most of Indians’ data abroad.

11
Q

What does the Bill trifurcate, i.e., divide into three branches or parts?

A

PERSONAL DATA: Data from which an individual can be identified, like name, address, etc. The Bill requires sensitive personal data to be stored only in India. It can be processed abroad only under certain conditions including approval of a Data Protection Agency (DPA).

SENSITIVE PERSONAL DATA (SPD): Some types of personal data, such as financial, health, sexual orientation, biometric, genetic, transgender status, caste, religious belief, and more.

CRITICAL PERSONAL DATA: Anything that the government at any time can deem critical, such as military or national security data. Critical personal data must be stored and processed in India.

The Bill removes the requirement of data mirroring (in case of personal data). Only individual consent for data transfer abroad is required.

Personal Data: The Bill requires sensitive personal data to be stored only in India. It can be processed abroad only under certain conditions including approval of a Data Protection Agency (DPA).
Critical Personal Data: Critical personal data must be stored and processed in India.
Non-Personal Data: The Bill mandates fiduciaries to provide the government any non-personal data when demanded.
Non-personal data refers to anonymised data, such as traffic patterns or demographic data.
The previous draft did not apply to this type of data, which many companies use to fund their business model.

12
Q

Advantages of the bill.

A

Data localisation can help law-enforcement agencies access data for investigations and enforcement.
As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties”.
Accessing data through this route is a cumbersome process.
Instances of cyber attacks and surveillance will be checked.
Recently, many WhatsApp accounts were hacked by Israeli software called Pegasus.
Social media is being used to spread fake news, which has resulted in lynchings and national security threats, which can now be monitored, checked and prevented in time.
Data localisation will also increase the ability of the Indian government to tax Internet giants.
A strong data protection legislation will also help to enforce data sovereignty.

13
Q

Disadvantages.

A

“National security” or “reasonable purposes” are open-ended terms; this may lead to intrusion of the state into the private lives of citizens.
Technology giants like Facebook and Google have criticised protectionist policy on data protection (data localisation).
They fear that the domino effect of protectionist policy will lead to other countries following suit.
A protectionist regime suppresses the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows rather than nationalistic borders.
Also, it may backfire on India’s own young startups that are attempting global growth, or on larger firms that process foreign data in India.

14
Q

Conclusion on the basis of the facts.

A

According to the Supreme Court in the Puttaswamy judgement (2017), the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy, whereas the growth of the digital economy is also essential to open new vistas of socio-economic growth.
In this context, the government policy on data protection must not deter framing any policy for the growth of the digital economy, to the extent that it doesn’t impinge on personal data privacy.

15
Q

Applicability of the bill.

A

The Bill governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India.

16
Q

Obligations of data fiduciaries.

A

All data fiduciaries must undertake certain transparency and accountability measures such as: (i) implementing security safeguards (such as data encryption and preventing misuse of data), and (ii) instituting grievance redressal mechanisms to address complaints of individuals. They must also institute mechanisms for age verification and parental consent when processing sensitive personal data of children.

17
Q

Rights of the individuals.

A

The Bill sets out certain rights of the individual (or data principal). These include the right to: (i) obtain confirmation from the fiduciary on whether their personal data has been processed, (ii) seek correction of inaccurate, incomplete, or out-of-date personal data, (iii) have personal data transferred to any other data fiduciary in certain circumstances, and (iv) restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.

18
Q

Grounds for processing personal data.

A

The Bill allows processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent. These include: (i) if required by the State for providing benefits to the individual, (ii) legal proceedings, (iii) to respond to a medical emergency.

19
Q

Social media intermediaries.

A

The Bill defines these to include intermediaries which enable online interaction between users and allow for sharing of information. All such intermediaries which have users above a notified threshold, and whose actions can impact electoral democracy or public order, have certain obligations, which include providing a voluntary user verification mechanism for users in India.

20
Q

What is the DPA (Data Protection Authority)?

A

The Bill sets up a Data Protection Authority which may: (i) take steps to protect interests of individuals, (ii) prevent misuse of personal data, and (iii) ensure compliance with the Bill. It will consist of a chairperson and six members, with at least 10 years’ expertise in the field of data protection and information technology. Orders of the Authority can be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court.

21
Q

Transfer of data outside India.

A

Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India. Certain personal data notified as critical personal data by the government can only be processed in India.

22
Q

Exemptions.

A

The central government can exempt any of its agencies from the provisions of the Act: (i) in the interest of security of state, public order, sovereignty and integrity of India and friendly relations with foreign states, and (ii) for preventing incitement to commission of any cognisable offence (i.e. arrest without warrant) relating to the above matters. Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as: (i) prevention, investigation, or prosecution of any offence, or (ii) personal, domestic, or (iii) journalistic purposes. However, such processing must be for a specific, clear and lawful purpose, with certain security safeguards.

23
Q

Offences under the Bill.

A

Offences under the Bill include: (i) processing or transferring personal data in violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher, and (ii) failure to conduct a data audit, punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher. Re-identification and processing of de-identified personal data without consent is punishable with imprisonment of up to three years, or fine, or both.

24
Q

Sharing of non-personal data with govt.

A

The central government may direct data fiduciaries to provide it with any: (i) non-personal data and (ii) anonymised personal data (where it is not possible to identify data principal) for better targeting of services.

25
Q

Amendments to other laws.

A

The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data.

26
Q

Special 301.

A

Under the latest Special 301 report, the U.S. Trade Representative (USTR) kept India on the priority watch list, maintaining that the country remains one of the most challenging major economies with respect to protection and enforcement of intellectual property.

27
Q

Head of the Joint Parliamentary Committee on data protection.

A

P.P. Chaudhary.

28
Q

What is Pegasus? (VERY IMPORTANT)

A

Pegasus is spyware developed by a private company of Israel.

Pegasus is spyware developed by the Israeli cyber-arms company NSO Group that can be covertly installed on mobile phones (and other devices) running most versions of iOS and Android. Pegasus is able to exploit iOS versions up to 14.7, through a zero-click exploit. As of 2022, Pegasus was capable of reading text messages, tracking calls, collecting passwords, location tracking, accessing the target device’s microphone and camera, and harvesting information from apps. The spyware is named after Pegasus, the winged horse of Greek mythology. It is a Trojan horse computer virus that can be sent “flying through the air” to infect cell phones.

29
Q

First official use of Pegasus?

A

Pegasus was discovered in August 2016 after a failed installation attempt on the iPhone of a human rights activist led to an investigation revealing details about the spyware, its abilities, and the security vulnerabilities it exploited. News of the spyware caused significant media coverage. It was called the “most sophisticated” smartphone attack ever, and was the first time that a malicious remote exploit used jailbreaking to gain unrestricted access to an iPhone.

30
Q

What is Pegasus used for?

A

The spyware has been used for surveillance of anti-regime activists, journalists, and political leaders from several nations around the world. In July 2021, the investigation initiative Pegasus Project, along with an in-depth analysis by human rights group Amnesty International, reported that Pegasus was still being widely used against high-profile targets.

31
Q

When was Pegasus developed?

A

NSO Group developed its first iteration of Pegasus spyware in 2011. The company states that it provides “authorized governments with technology that helps them combat terror and crime.” NSO Group has published sections of contracts which require customers to use its products only for criminal and national security investigations and has stated that it has an industry-leading approach to human rights.

32
Q

When was Pegasus iOS exploitation discovered?

A

Pegasus’s iOS exploitation was identified in August 2016. Arab human rights defender Ahmed Mansoor received a text message promising “secrets” about torture happening in prisons in the United Arab Emirates by following a link. Mansoor sent the link to Citizen Lab of the University of Toronto, which investigated, with the collaboration of Lookout, finding that if Mansoor had followed the link it would have jailbroken his phone and implanted the spyware into it, in a form of social engineering.

33
Q

First known use of Pegasus in India?

A

The first known use in India that we know about was in the Bhima Koregaon spying, allegedly by the Indian govt.

34
Q

Some points of consideration.

A
1. A govt has used it to spy: Pegasus is sold only to govts. So it would follow that it has been used by a govt against ministers, journalists, opposition leaders, supreme court judges, and many others. This is essentially an attack on our freedoms in India.

2. Pegasus, once installed on our phones, is used to extract all communications (iMessage, WhatsApp, Gmail, Viber, Facebook, Skype) and locations. Remember that content on your phone itself is not secure.

3. Apps can log your keystrokes, screenshot your screen, take control of your apps. All this is easy once in. End-to-end encryption only protects messages in transit, not on device. Messages and files are typically unencrypted on device.

4. Pegasus can be installed on a target’s phone in many ways: by sending infected links (spear phishing), social engineering, etc. This malware is designed to evade forensic analysis, avoid detection by anti-virus software, and can be deactivated and removed by operators.

5. The solution to government surveillance, which was also alleged in the Bhima Koregaon case, is not the privacy bill, because it exempts the Indian government from accountability. We need surveillance reform: a law to bring accountability to surveillance.

35
Q

Abilities of the latest version of Pegasus.

A

Pegasus (named after Pegasus, the winged horse of Greek mythology).

Infects the device through:
(i) ONE-LINK VECTOR
(ii) ZERO-LINK VECTOR