On criminal offences, the data protection bill is weak. Revise it
The proposed law on personal data protection is principally civil in nature. Under the Personal Data Protection (PDP) Bill, 2019, every data fiduciary (an entity that controls the storage and usage of data like say, Google) and data processor (which processes the data, such as, for instance, Cambridge Analytica) is responsible for implementing security safeguards to protect the integrity of personal data and prevent its misuse. In case of contravention, there are provisions for penalties and compensation. For offences punishable under the bill, a court cannot take cognisance unless a complaint is made by the Data Protection Authority of India.
The primary objective of the proposed law is “to provide for protection of the privacy of individuals relating to their personal data”. But as far as the ambit of criminal offences is concerned, the bill is silent on some potentially wilful acts of the data fiduciary and the data processor. It is also overly implicative because it includes the heads of government departments for criminal liability.
The bill identifies three major offences. The first is about re-identification and processing of personal data (without the consent of the data fiduciary or data processor), which has been de-identified already. De-identification entails the removal of sensitive personal details, but as experts have argued, such personal information can be retrieved when large datasets are compared and merged.
But what if the data fiduciary or data processor wilfully re-identifies the data for commercial or other purposes? As the primary responsibility of data protection resides with both these entities, they must be brought within the domain of criminal liability with stiff penalties. But the section doesn’t deal with any such eventuality.
Second, the bill is silent on the intentional sharing or disclosure of personal data to a third party by the data fiduciary or data processor as an offence. In recent years, the world has seen significant data breaches, raising serious privacy concerns of individuals. The White Paper of the Committee of
Experts on a Data Protection Framework for India mentioned the domestic legislation in the United Kingdom, Australia, Canada and South Africa, which make intentional or reckless sharing of personal data a criminal offence. Surprisingly, the joint committee (JC) on the PDP bill did not take this aspect into account. It would be judicious to follow international practices and make intentional disclosure or sharing of personal data a criminal offence.
Third, the bill has a provision to hold the head of department vicariously liable and deemed guilty for an offence committed by its (government) data fiduciary. Both this provision, and the recommendation of the JC on this issue, are problematic.
The usual rule in cases involving criminal liability is to avoid vicarious liability. Though this legal fiction (of criminal vicarious liability) can be created in any statute, the JC appreciated that it may “impede decision making process” and create hurdles in the everyday functioning of the department.
But its alternative — of an “an in-house inquiry” to fix responsibility before initiating criminal proceedings — may not find favour with the judiciary. It is an established principle of law that any information that discloses the commission of a cognisable offence must be recorded as a First Information Report (FIR) without delay. Any in-house inquiry to fix responsibility will amount to an investigation into that offence, which is not permissible under the Code of Criminal Procedure. Further, departments other than law enforcement agencies may not be well versed with procedural laws and equipped to undertake a criminal investigation. The investigating officer, in any case, will have to undertake the probe de novo.
Therefore, it will be prudent not only to do away with the provision of criminal vicarious liability, but also not to allow other departments to enter the domain of the law enforcement agencies.