Recently, the Personal Data Protection Bill, 2019 was introduced in Parliament. The Bill has been referred to a Joint Parliamentary Committee for detailed examination, and the report is expected by the Budget Session, 2020. The Bill seeks to provide for protection of personal data of individuals, create a framework for processing such personal data, and establishes a Data Protection Authority for the purpose. In this blog, we provide a background to the 2019 Bill, and explain some of its key provisions.
What is personal data and data protection?
Data can be broadly classified into two types: personal and non-personal data. Personal data pertains to characteristics, traits or attributes of identity, which can be used to identify an individual. Non-personal data includes aggregated data through which individuals cannot be identified. For example, while an individual’s own location would constitute personal data; information derived from multiple drivers’ location, which is often used to analyse traffic flow, is non-personal data. Data protection refers to policies and procedures seeking to minimise intrusion into the privacy of an individual caused by collection and usage of their personal data.
Why was a Bill brought for personal data protection?
In August 2017, the Supreme Court held that privacy is a fundamental right, flowing from the right to life and personal liberty under Article 21 of the Constitution. The Court also observed that privacy of personal data and facts is an essential aspect of the right to privacy. In July 2017, a Committee of Experts, chaired by Justice B. N. Srikrishna, was set up to examine various issues related to data protection in India. The Committee submitted its report, along with a Draft Personal Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology in July 2018. The Statement of Objects and Reasons of the Personal Data Protection Bill, 2019 states that the Bill is based on the recommendations of the report of the Expert Committee and the suggestions received from various stakeholders.
How is personal data regulated currently?
Currently, the usage and transfer of personal data of citizens is regulated by the Information Technology (IT) Rules, 2011, under the IT Act, 2000. The rules hold the companies using the data liable for compensating the individual, in case of any negligence in maintaining security standards while dealing with the data. The Expert Committee in its report, held that while the IT rules were a novel attempt at data protection at the time they were introduced, the pace of development of digital economy has shown its shortcomings.3 For instance, (i) the definition of sensitive personal data under the rules is narrow, and (ii) some of the provisions can be overridden by a contract. Further, the IT Act applies only to companies, not to the government.
What does the Personal Data Protection Bill provide?
The Bill regulates personal data related to individuals, and the processing, collection and storage of such data. Under the Bill, a data principal is an individual whose personal data is being processed. The entity or individual who decides the means and purposes of data processing is known as data fiduciary. The Bill governs the processing of personal data by both government and companies incorporated in India. It also governs foreign companies, if they deal with personal data of individuals in India.
Will individuals have rights over their data?
The Bill provides the data principal with certain rights with respect to their personal data. These include seeking confirmation on whether their personal data has been processed, seeking correction, completion or erasure of their data, seeking transfer of data to other fiduciaries, and restricting continuing disclosure of their personal data, if it is no longer necessary or if consent is withdrawn. Any processing of personal data can be done only on the basis of consent given by data principal.
Are there any restrictions on processing of an individual’s data?
The Bill also provides for certain obligations of data fiduciaries with respect to processing of personal data. Such processing should be subject to certain purpose, collection and storage limitations. For instance, personal data can be processed only for specific, clear and lawful purpose. Additionally, all data fiduciaries must undertake certain transparency and accountability measures such as implementing security safeguards and instituting grievance redressal mechanisms to address complaints of individuals. Certain fiduciaries would be notified as significant data fiduciaries (based on certain criteria such as volume of data processed and turnover of fiduciary). These fiduciaries must undertake additional accountability measures such as conducting a data protection impact assessment before conducting any processing of large scale sensitive personal data (includes financial data, biometric data, caste, religious or political beliefs).
What is the grievance redressal mechanism if the above restrictions are not followed?
To ensure compliance with the provisions of the Bill, and provide for further regulations with respect to processing of personal data of individuals, the Bill sets up a Data Protection Authority. The Authority will be comprised of members with expertise in fields such as data protection and information technology. Any individual, who is not satisfied with the grievance redressal by the data fiduciary can file a complaint to the Authority. Orders of the Authority can be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court.
Are there any exemptions to these safeguards for processing of personal data?
Processing of personal data is exempt from the provisions of the Bill in some cases. For example, the central government can exempt any of its agencies in the interest of security of state, public order, sovereignty and integrity of India, and friendly relations with foreign states. Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as prevention, investigation, or prosecution of any offence, or research and journalistic purposes. Further, personal data of individuals can be processed without their consent in certain circumstances such as: (i) if required by the State for providing benefits to the individual, (ii) legal proceedings, (iii) to respond to a medical emergency.
Is the Bill different from the draft Bill suggested by the Expert Committee?
The Bill has made several changes from the draft Bill. For instance, the Bill has added a new class of significant data fiduciaries, as social media intermediaries. These will include intermediaries (with users above a notified threshold) which enable online interaction between users. Further, the Bill has expanded the scope of exemptions for the government, and additionally provided that the government may direct data fiduciaries to provide it with any non-personal or anonymised data for better targeting of services.
In a follow-up blog, we will provide a detailed comparison of the key provisions of this Bill with the Draft Personal Data Protection Bill 2018, released by the Justice B. N. Srikrishna Committee.
The National Anti-Doping Bill, 2021 is listed for passage in Rajya Sabha today. It was passed by Lok Sabha last week. The Bill creates a regulatory framework for anti-doping rule violations in sports. It was examined by the Parliamentary Standing Committee on Sports, and some of their recommendations have been incorporated in the Bill passed by Lok Sabha.
Doping is the consumption of certain prohibited substances by athletes to enhance performance. Across the world, doping is regulated and monitored by the World Anti-Doping Agency (WADA) which is an independent international agency established in 1999. WADA’s primary role is to develop, harmonise, and coordinate anti-doping regulations across all sports and countries. It does so by ensuring proper implementation of the World Anti-Doping Code (WADA Code) and its standards. In this blog post, we discuss the need of the framework proposed by the Bill, and give insights from the discussion on the Bill in Lok Sabha.
Doping in India
Recently, two Indian athletes failed the doping test and are facing provisional suspension. In the past also, Indian athletes have been found in violation of anti-doping rules. In 2019, according to WADA, most of the doping rule violations were committed by athletes from Russia (19%), followed by Italy (18%), and India (17%). Most of the doping rule violations were committed in bodybuilding (22%), followed by athletics (18%), cycling (14%), and weightlifting (13%). In order to curb doping in sports, WADA requires all countries to have a framework regulating anti-doping activities managed by their respective National Anti-Doping Organisations.
Currently, doping in India is regulated by the National Anti-Doping Agency (NADA), which was established in 2009 as an autonomous body under the Societies Registration Act, 1860. One issue with the existing framework is that the anti-doping rules are not backed by a legislation and are getting challenged in courts. Further, NADA is imposing sanctions on athletes without a statutory backing. Taking into account such instances, the Parliamentary Standing Committee on Sports (2021) had recommended that the Department of Sports bring in an anti-doping legislation. Other countries such as the USA, UK, Germany, and Japan have enacted legislations to regulate anti-doping activities.
Framework proposed by the National Anti-Doping Bill, 2021
The Bill seeks to constitute NADA as a statutory body headed by a Director General appointed by the central government. Functions of the Agency include planning, implementing and monitoring anti-doping activities, and investigating anti-doping rule violations. A National Anti-Doping Disciplinary Panel will be set up for determining consequences of anti-doping rule violations. This panel will consist of legal experts, medical practitioners, and retired athletes. Further, the Board will constitute an Appeal Panel to hear appeals against decisions of the Disciplinary Panel. Athletes found in violation of anti-doping rules may be subject to: (i) disqualification of results including forfeiture of medals, points, and prizes, (ii) ineligibility to participate in a competition or event for a prescribed period, (iii) financial sanctions, and (iv) other consequences as may be prescribed. Consequences for team sports will be specified by regulations.
Initially, the Bill did not have provisions for protected athletes but after the Standing Committee’s recommendation, provisions for such athletes have been included in the Bill. Protected persons will be specified by the central government. As per the WADA Code, a protected person is someone: (i) below the age of 16, or (ii) below the age of 18 and has not participated in any international competition in an open category, or (iii) lacks legal capacity as per their country’s legal framework
Issues and discussion on the Bill in Lok Sabha
During the discussion on the Bill, members highlighted several issues. We discuss these below-
Independence of NADA
One of the issues highlighted was the independence of the Director General of NADA. WADA requires National Doping Organisations to be independent in their functioning as they may experience external pressure from their governments and national sports bodies which could compromise their decisions. First, under the Bill, the qualifications of the Director General are not specified and are left to be notified through Rules. Second, the central government may remove the Director General from the office on grounds of misbehaviour or incapacity or “such other ground”. Leaving these provisions to the discretion of the central government may affect the independence of NADA.
Privacy of athletes
NADA will have the power to collect certain personal data of athletes such as: (a) sex or gender, (ii) medical history, and (iii) whereabout information of athletes (for out of competition testing and collection of samples). MPs expressed concerns about maintaining the privacy of athletes. The Union Sports Minister in his response, assured the House that all international privacy standards will be followed during collection and sharing of data. Data will be shared with only relevant authorities.
Under the Bill, NADA will collect and use personal data of athletes in accordance with the International Standard for the Protection of Privacy and Personal Information. It is one of the eight ‘mandatory’ standards of the World Anti-Doping Code. One of the amendments moved by the Union Sports Minister removed the provision relating to compliance with the International Standard for the Protection of Privacy and Personal Information.
Establishing more testing laboratories across states
Currently India has one National Dope Testing Laboratory (NDTL). MPs raised the demand to establish testing laboratories across states to increase testing capacity. The Minister responded by saying that if required in the future, the government will establish more testing laboratories across states. Further, in order to increase testing capacity, private labs may also be set up. The Parliamentary Standing Committee on Sports (2022) also emphasised the need to open more dope testing laboratories, preferably one in each state, to cater to the need of the country and become a leader in the South East Asia region in the areas of anti-doping science and education.
In August, 2019 a six-month suspension was imposed on NDTL for not complying with International Standard for Laboratories (ISL) by WADA. The suspension was extended for another six months in July, 2020 due to non-conformity with ISL. The second suspension was to remain in effect until the Laboratory complies with ISL. However, the suspension was extended for another six months in January, 2021 as COVID-19 impacted WADA’s ability to conduct an on-site assessment of the Laboratory. In December, 2021 WADA reinstated the accreditation of NDTL.
Several athletes in India are not aware about the anti-doping rules and the prohibited substances. Due to lack of awareness, they end up consuming prohibited substances through supplements. MPs highlighted the need to conduct more awareness campaigns around anti-doping. The Minister informed the House that in the past one year, NADA has conducted about 100 hybrid workshops relating to awareness on anti-doping. The Bill will enable NADA to conduct more awareness campaigns and research in anti-doping. Further, the central government is working with the Food Safety and Standards Authority of India (FSSAI) to test dietary supplements consumed by athletes.
While examining the Bill, the Parliamentary Standing Committee on Sports (2022) recommended several measures to improve and strengthen the antidoping ecosystem in the country. These measures include: (i) enforcing regulatory action towards labelling and use of ‘dope-free’ certified supplements, and (ii) mandating ‘dope-free’ certification by independent bodies for supplements consumed by athletes.