Data Privacy Breach laws
The new Digital Personal Data Protection Bill of 2022 does little to protect privacy.
It does mention the "right to free consent", but this is meaningless because the Bill (i) grants wholesale exemptions to government agencies to breach privacy without any checks and balances; (ii) declares a breach non-criminal, attracting only a monetary penalty; (iii) takes away the compensation for victims of data breaches provided under the IT Act of 2000; (iv) allows cross-border data transfers, limited to specific countries and territories under specific "terms and conditions" that are to be spelt out later; and (v) provides for a regulatory mechanism without spelling out its composition, eligibility and selection process – all critical to its functional independence – while vesting all this power with the executive, to be decided in future. In fact, (vi) it puts privacy on par with the "need" to process private data and (vii) does away with the need to classify personal data as "sensitive" and "critical", categories which were prohibited from processing outside India in the 2019 version. It is more of a concept note than a piece of legislation.
In contrast, the previous version, the Bill of 2019 (which was withdrawn), declared privacy a fundamental right but came with two notional and vague safeguards: (a) a prior written order specifying the reasons for exemptions from privacy and (b) procedures, safeguards and oversight for such exemptions, to be laid out in future. That is why a Joint Parliamentary Committee (JPC), which examined it, had suggested 93 amendments and asked the government to abide by the three tests for allowing any infringement on privacy: (i) necessity, (ii) proportionality and (iii) legitimate state action. These have been ignored in the Bill of 2022.
Such is the idea of protecting privacy that, while assuring the Supreme Court of how secure the Aadhaar data was (while the extent of the Aadhaar card's use was being heard vis-a-vis privacy and data safety concerns in 2018), then Attorney General KK Venugopal told the court that it was very safe since it was protected by 13 feet high, 5 feet thick walls.
Data access to private players
Despite the Supreme Court limiting the use of Aadhaar to social welfare schemes, that limit stands diluted.
In 2019, the government amended the law to allow private banking and telecom companies to carry out Aadhaar-based KYC verifications. In May 2023, the Finance Ministry allowed 22 financial entities – including Amazon Pay (India) Pvt. Ltd, Aditya Birla Housing Finance Ltd and IIFL Finance Ltd – to verify the identity of their customers through Aadhaar under the money laundering law, the PMLA. The MeitY proposes to further widen such verification for private entities.
It isn't just CoWIN: a large number of government apps collect private data of Indians for various purposes without their privacy being protected, in the absence of a law – Agristack for agriculture, e-SHRAM for migrant workers, Arogya Setu and Ayushman Bharat Digital Health Mission for health and National Digital Education Architecture for school children – covering virtually every area of life. The DNA Technology (Use and Application) Regulation Bill of 2019, which is pending, seeks to empower the government to harvest citizens' DNA profiles too, even for civil cases.