Dichotomy between the IT Act and Personal Data Protection Bill

In April 2020, the Ministry of Electronics and Information Technology (“Ministry“) kicked off inter-departmental and industry consultations on amendments necessary to the Information Technology Act, 2000 (“IT Act“) to address shifts in technology in the last decade. While the Ministry delves upon this, the joint parliamentary committee is also examining the provisions of the Personal Data Protection Bill, 2019 (“Bill“) which is scheduled to be introduced in Parliament in the second week of the monsoon session.

Given that both the IT Act and the Bill fall within the purview of the Ministry, it would be pertinent to assess whether the IT Act and the Bill seek to regulate two halves of the same coin.

Objective of the IT Act and Bill

The IT Act was formulated with the objective to provide uniform legislation to regulate paper based methods of communication and storage of information in accordance with the United Nations General Assembly resolution A/RES/51/62 dated January 30, 1997. In essence, the IT Act regulates all facets of information technology, including privacy. Despite this, India has often been critiqued for failing to formulate specific legislation to protect data. To address these concerns in 2018, the Supreme Court in Justice K.S. Puttaswamy (Retd) vs Union Of India, emphasized that the right to privacy is a fundamental right enshrined within the constitution and the State would have to adhere to the principles of inter aliaconsent, purpose and storage limitation, data exception, data minimization, substantive and procedural fairness”, in order to restrict privacy rights of a citizen.

Although this decision is historic, it must be noted that Section 43A of the IT Act and the rules framed thereunder (i.e., the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011) (cumulatively, “Erstwhile Data Protection Rules“), have protected data basis the aforementioned principles. However, given the limited scope of the Erstwhile Data Protection Rules, the government ultimately introduced the Bill in order to foster a free and fair digital economy which respected privacy rights of an individual. However, the Bill in its present form fails to delineate its scope from the provisions of the IT Act.

Who governs Data?

For instance, the IT Act and the Bill, both, address harm caused due to inter alia unauthorized access, disclosure, alteration, destruction, etc. of data. Whilst the Bill seeks to govern consequences of a personal data breach, i.e., such breach that compromises confidentiality, integrity or availability of personal data to a data principal (i.e., the individual to whom such data belongs), the IT Act identifies consequences for real and suspected events that affect both public and private sectors due to a breach of a computer system or computer resource. At the onset, the distinction in scope of both the IT Act and the Bill seems clear – i.e., the Bill focuses on the individual, and the IT Act on the computer system/resource (i.e., not restricted to the individual).

This distinction in reality is problematic, since it is difficult to identify whether the breach was centred on the individual’s rights or on the computer system. In fact, this challenge is evident from the draft of the present Bill. Similar to the IT Act, which set up the Indian Computer Emergency Response Team (“CERT“) to address concerns regarding cyber security incidents/cyber incidents, the Bill seeks to constitute the Data Protection Authority (“DPA“), which would be empowered to address a personal data breach. Accordingly, in the event that there is a breach of a computer system that results in unauthorized disclosure of personal data, both the CERT and DPA would have concurrent jurisdictions.

In such case, the Bill mandates every data fiduciary (i.e., the entity to which/whom data is disclosed) to inform the DPA as soon as possible, in the prescribed form of any breach that is likely to cause harm to the data principal. Similarly, CERT also mandates the immediate reporting of a cyber security incident, which includes unauthorized access to data (and not just personal data) by an individual or entity affected by the cyber security incident. Failure to do so would attract penalties in the form of compensation under both the IT Act and the Bill. This not only increases compliance costs but also invites excessive interference on part of two regulators over the technological infrastructure of the entity/individual that was subject of such data breach.

Is there a distinction between personal and non personal data?

It is arguable that the aforementioned concerns could be addressed by revisiting the scope of operations of each of these regulators. However, from a practical perspective it is often difficult to distinguish between ‘personal data’ and ‘non personal data’, and thereby reductive for the Bill to regulate the former and the IT Act regulate the latter.

At present, the Bill merely repeals the Erstwhile Data Protection Rules, and retains or has revised provisions that were otherwise covered under the IT Act. For instance, the term ‘data’ in defined under the IT Act to mean a “representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.” The Bill on the other hand, defines it as a “representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means.”

Similarly, the Bill defines personal data as “data about or relating to a natural person, who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identify of such natural person, whether online or offline, or in combination of such features with any other information…”. The Erstwhile Data Protection Rules provided for the same under personal information, i.e., “any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely available with a body corporate, capable of identifying such person”.

Whilst both the Erstwhile Data Protection Rules and the Bill mandate consent and specification of purpose for its collection/processing, neither legislations leave scope for the definition to exclude such information that could be deemed ‘non-personal’. It is arguable that an individual would seek privacy over data such as his password, bank account details and health information, however, may not seek to protect details of the color of his shirt printed on an employee identification card. Accordingly, failure to obtain consent or process the latter information within the scope of the intended disclosure may not be problematic.

Nevertheless, the test of relevance and value of indirect information that identifies an individual is subjective and may vary from a case by case basis. Accordingly, the need for privacy over certain information is debatable. For instance, color of a shirt depicted in an identity card may be processed by artificial intelligence without consent of the individual to customize his online retail experience. Accordingly, this indirect information may be relevant to the organization operating the artificial intelligence/ or the retail outlet, but remains inconsequential to the individual itself. Similarly, in case of a data breach, loss of this information could affect the operations of the organization but not the individual. At present, the Bill requires a data breach to infringe the confidentiality, integrity or availability of this data to the individual and not the electronic information/systems/networks. Accordingly, the organization may seek refuge under the IT Act, despite the breach infringing upon ‘privacy’.

Basis the above, unless there is a clear distinction between personal and non personal data, along with an identification  of the scope of consent/purpose that may be necessary for personal and non personal data, any amendment to the IT Act or the enactment of the Bill would not effectively enforce the fundamental right to privacy.

Authors:

Rachana Rautray, Associate
Karthik Koragal. Associate

Date: July 15, 2020