Ensure Online Signature Lawfulness for Your Personal Leave Policy in India

How to eSign a document: online signature lawfulness for Personal Leave Policy in India

[Music] um hello everyone I'm anujana Curry and you're watching like blog many of you would know that the digital personal data protection bill has been passed by the parliament on the 9th of August and we thought a person who is better equipped to explain the bill what laws it brings and concerns about it should be given the platform so I welcome Advocate Advocate Gupta has been involved in multiple constitutional cases regarding civil liberties on the internet including Shreya single versus Union of India which struck down section 66a of the it act 2000 for having a very broad applicability by featuring the word offensive among other things and the aadhaar Judgment where the Supreme Court upheld the right to privacy as a fundamental right and a part of right to life under article 21 of the Constitution he also co-founded internet Freedom foundation and NGO that advocates for digital rights and Liberty and tax blocking of websites technology related Free Speech violations internet shutdowns and so on so about Gupta welcome to live thank you so much thank you so much for having me here uh we took some liberties with your intro if you'd like to add other things yeah okay right uh before we begin the interview I would just like to State the objective of the interview which is uh that digital rights and following the jurisprudence around data protection is something we believe you have experience with and data disclosure and civil liberties around the internet is why I would like to explain the digital personal data protection Bill and of course any concerns you may have about the bill Shall We Begin yes please please yeah so I want to start with what is the data protection bill because that is a fundamental question the the statement of object and reasons which will be on the screen when we uh publish this video is that it is to provide protection of digital personal data lay down grounds or processing personal data plays General and special applications on persons who process personal data and provide certain rights and so on so can you explain to us beyond the statement what is what the bill is and of course the internet has been around for a while so have there been previous attempts or laws that can answer to these goals of the government uh Anusha thank you so much for having me here the first thing which lawyers need to conceptually understand is that when the Supreme Court reaffirmed the fundamental right to privacy in the POTUS family judgment August six years back Justice chandrachud's opinion which was co-signed by I think so uh three other judges besides him four in total out of a nine judge bench uh had stated that the right to privacy is both a negative restriction in the sense that it limits the power of the state in terms of what it may want to do but it is also a positive obligation in terms of ensuring that it brings out acts of legislation which is one of the primary methods to which rights can also be protected through action of legislatures now this in the sense of protecting informational privacy which is one of the sub components of privacy by itself is what takes the form and shape of a data protection Bill and yes of course there have been attempts at a data protection Bill the one of the much more uh earliest ones is uh one in 2011 started by the department of personnel and pensions which was at that time called a privacy Bill actually and this law which has been passed by the Lok Sabha and the rajya Sabha yesterday uh which is on August 9th uh is essentially attempting to give effect to the Buddha Swami judgment but does not end up actually doing that as we'll come to um when we do our analysis okay um so let's just get right into it because there are four Concepts I think we should start uh and explain from the beginning because they seem to be the introduction of this bill in some ways so can you quickly help us understand what is the data protection board what is a consent manager a data fiduciary and a data principle um also if you feel like there's other Concepts you'd like to include in this list please feel free to thank you so much I think it's very important for us people to know that especially lawyers to know what are the stakeholders or what are the entities which are mentioned with respect to what are the rights and duties under this law and I think it all starts with the uh with the description of what is called as a data principle which is in uh sub Clause J of section 2 which is the definitions Clause by itself and it states that the data principle means the individual to whom the person later relates and where such individual is a child includes the parents or lawful guardians of such a child and subclass 2 is a person with disability including her lawful Guardian acting on her beloved so what we should understand is that the person from whom their personal data is being collected is the data principle so the impacted person and it is usually an individual so it won't be an artificial entity it'll be a natural person now who is the which are the entities which hold this data these are the second category of stakeholder groups and that includes the data fiduciary and the data processor these are two okay so sub clause subclose I States the data fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing a personal data it is somebody who's taken the data from you in that sense and is responsible because the word which is used here in the definition is fiduciary just like a bank okay and data processor which is further defined in sub Clause K means any person who processes personal data on behalf of a data fiduciary it means data principle data taken by a data fiduciary data processor does the activity as per a specified purpose okay and the consent manager comes a little before in the definitions clause in sub Clause G which means a person registered with the board which board will just come to in a second who acts as a single point of contact to enable a data principle to give manage review and withdraw her consent through an accessible transparent and interoperable platform for that essentially means a new entity will be created you are a data principal every time your data is requested by a new data fiduciary or a data fiducity which already has your personal data wants to put it to a new purpose and that will be done by a data processor which actually does the Computing or does the actual performance of that act that will be managed by intermediary and that intermediary will be called a consent manager quite simply on your smartphone you will have the ability in a single dashboard as per the intention of this law to manage your consent across different data fiduciaries with one consent manager or two consent managers in that sense right and uh like but it says a single point of contact in that sense so I I would I would think that while there may be multiple multiple consent managers a person will essentially only have to one consent manager all the data fiduciaries instance your smartphone applications Etc will all link to that consent manager and of course those applications which have taken your consent may also be relying on third parties data processes to undertake that activity so these are the entities broadly in terms of the rights and obligations which are identified within beyond the uh beyond the administration of the law by itself now the law essentially invisages that consent based sharing will be done that's become obvious now what happens when that consent is in fact breach is called a data breach okay and a data breach by itself is defined fairly fairly broadly okay and it states that there's a Authority also established for the purposes of adjudicating of a personal database so firstly what is a personal data breach it's in sub Clause U which says personal data breach means any unauthorized processing of personal data accidental disclosure acquisition sharing use alteration destruction or loss of access to personal data that compromises the confidentiality Integrity or availability of personal data that's up close you now who do you go to for MIT that's the data personal data protection board okay so that's essentially the framework which has been provided under this law for data principles that's you and me when we give our data to a data fiduciary which then in turn on the basis of the purpose of the consent gives it to a data processor which then does the activity and this consent is managed by a consent manager in case that consent is broken there's a personal data breach you approach a data protection board and you file a complaint for remedy so this I hope clearly sets out what other entities which are being created by this loan yes yes it does thank you for that uh now that we've understood that I want to Circle back to what you said essentially consent is at the center of of this bill in some ways and uh what I I would just like to provide context for consent a lot of us know what consent is in the regular apartment parlance and how it's impo important in the context of the bill is what would like to know so uh actually consent is a very old practice which essentially emerges from the patient practitioner context for instance if I want and in fact one of the first books on the theory and practice of consent was with respect to how people who are being subjected to any kind of medical process or procedure are made aware of the risks as well as the specific purpose for this they are consenting that their body is being operated on which is very important and what's the first important thing in that for you to be put to notice for you to be told why the procedure is being done and then you have a choice to examine so for instance if you go to hospital you say I'm suffering from ailment or B ailment the doctor says that this is a procedure we will like to perform these will be the risks would you consent and you remember you find a sign a consent form so similarly under this law there are Provisions for notice consent but they are very very wide and Broad exemptions which are provided which essentially renders this consent meaningless both from the public and the private sector where certain specific uses by itself which was called earlier the deemed consent provision but is now called certain legitimate uses under Clause 7 are Exempted from taking consent in the first instance itself and you may ask apar what are these purposes like so for instance if you look at Clause 7 and you look at uh you know like just in terms of uh sub Clause F or G it says that no consent will be required if there is uh let's say a epidemic or outbreak of disease for Gathering your data we've all been through the covet pandemic what this essentially means the government does not need to put to notice that they are going to use your personal data or provide you with the option subsequent to that that you can say that please do not gather my personality and this may be your medical records just because there is an epidemic under the national disaster management act as kovid was right the second exemption here I'd like to highlight just for a second just to highlight that consent is broadly rendered meaningless is that it is exempt for the purposes of employment or for safeguarding the employer etc etc classified information or for the provision of any service or benefit sought by the data principal who is an employee what this essentially means is that there is a free pass given to any employer with respect to employee in terms of gathering their personal information and they also do not need to put that employee to notice that they are again Gathering their personal data and here the public sector or the government is essentially the largest employer of people in India which would include I would imagine School teachers to people who are employed on our airports to everyone more or less so I so the range of exemptions just here just in section 7 by itself I mean I'm not mentioning the other exemptions which follow later is very very broad so Anuj as much as consent is a central feature of data protection legislations this exemption of certain legitimate uses where consent is presupposed is in fact at variance with several international data protection statutes okay uh I'm glad that you brought up the exemptions because that was my next question it flowed from a post I saw on the internet Freedom Foundation uh Instagram page and the post voices concerns about the bill about four concerns which uh I mean I'm sure you're aware of uh and uh now I want to follow up on the last thing you said that it is it it differs from some of the more some of the other International legislations on this topic could you just expand on that for just a minute so the first thing I'd like to mention is that we have never seen and I think I I will be supported even by people who may support this law just on the small objective fact that data protection statutes do not impose duties in terms of penal action for breaches on data principles which is ordinary people who are sought to be protected by this law so if you look at Clause 15 which contains duties of data principles by itself it states several duties which are applicable to you and me under this law so it's not only a Protection Law it's providing you a positive obligation as ordinary person to comply with provisions of all applicable laws for the time being enforced while exercising rights under the provisions of this act so even if there's a small breach under any other law municipal or otherwise but you're exercising your rights under this law for consent or notice or correction etc etc for access to your data but your income non-compliance with even one small piece of law anywhere it disentitles you from the scope of protection of this law completely but that does not end there Clause B says you cannot impersonate another person which also means you cannot Mark in proxy for people who may be somewhat disabled as much as data principles can be people who are disabled and somebody else stands for them they cannot sometimes that level of disability is not formal for instance uh parents or people who are aged uh lack digital literacy by itself so that may be a ground in terms of bad faith of presuming that a person is impersonating another person what is most concerning ing to me is that a person is under positive Duty not to suppress any material information while providing her personal data for any document unique identifier proof of identity or proof of address issued by the state or any of its instrumentalities which means that even if a private company asks you for certain contact details and you do not wish to give it and quite often people do give inaccurate details or incomplete details because they have at different levels of threat or sensitivity for instance young women who may be working professionals or maybe interacting with the geek economy may not give their full address particulars or the unique identifiers given that they may run the risk of any any kind of stalking etc etc but all of these positive duties by itself are very clear in terms of being a complete outlier from any other data protection globally and what is the consequence you may ask apar if there's a breach of these duties and that's provided in this schedule and it says that a fine of 10 000 rupees may be in both of breach of uh duties observed under section 15 which is uh item serial number five on the schedule so essentially for each breach a person may be put to penalty and of course there's also a provision in the duties under Clause 15 that you can't file a pulse or privilege complaint with the data protection board so it means that quite often people who may not have the investigative capacity or may not have all the evidence and their complaints may be dismissed by the data protection board they may also be facing a greater amount of injury so several other features also of this data Protection Law very very outstanding in the sense that they don't have any comparable reference points in other data protection legislations for instance exemptions to private companies which may be done as a feature much more of industrial policy Iran and data protection and that's there in Clause 17 and if you look at Clause 17 of course exemption for government entities is Broad but what what's truly truly surprising for me is that the government can also buy notification exempt you know like uh companies class of companies completely so it says that um in uh subclause 3 the central government under 17 the central government May having regard to the volume and nature and lawyers May notice it doesn't say high volume or low volume it's it's completely vague it doesn't specify the form of the nature it can be a nature of anything right so pick up the dictionary so it says that having regard to the volume and nature of personal data processed notify certain data fiduciaries or class of data fiduciaries including startups so not only startups it may be a data fiduciary which may be one company it may be a class of data fiduciaries which means multiple companies or and a startup so it's an inclusive category so they'll be Exempted from the consent provisions and large compliances under this law so this is why I think that not only is this law very different from what we see in data protection statutes and I would encourage given that lawyers may want to say that apar what is the basis of you seeing this I would say please look at uh Australian academics work his name is Graham Greenleaf and he's done a comparative view of data protection legislations globally right and you will not see these teachers in any of his writing and in fact he's engaged with an earlier expert committee also set up by the Indian government by the minister of electronics and ID and sent submissions there uh which was the Justice BN Shri Krishna committee so this law is an outlier and I'm uh I I regret to say not in a good way okay um I I'm sure we could provide the literature that that you just refer to uh in a link in the description uh I'll just send you a link yeah yeah for sure we can do that after the interview because uh now now that my last question has flowed into the third concern which is duties and penalties uh is there any more that you'd like to add to the duties and penalties or was that exhaustive because it sounded I I think that's that that's a lot by itself that's yeah okay so the last concern is what's gathered a lot of uh attention because Anjali bharswatch did an entire takeover episode where she talked about the exemptions that this act uh brings to uh like changes it brings to the right to Information Act yes so the amendment that it introduces can you please explain to us what was the law before and what does the amendment bring to section 81j okay so essentially the right to Information Act has a body of exemptions and one of the body within that body of exemptions like you can of course seek information from a Public Authority and the right Information Act has made a transformational law in bringing together accountability which means that if a road is uh broken in front of your house but the municipal Department says that it's been relayed or especially for people who are on substance subsistence and support from the state by itself in terms of employment guarantees pensions rations subsidies of different types a day this course is a kind of accountability in a real tangible sense in that way so the right to information law has of course it's not absolute it has a very well fine-uned balance of exemptions and these exemptions also include the right to privacy under Section 81j section 81j actually has been very actively litigated right up to the Supreme Court and has been a section which as per transparency act Advocates and I agree with them has been used to essentially as the ground to limit public information despite the intention of Section 8 on J so what does eight one say eight one JSA it does not only say that any information which is private is exempt and cannot be provided under an application made for right to information It also says the the refusal of the provision of the information has to be balanced or is subservient to public interest which means privacy is a consideration under the right to information act however under a correct statutory reading public interest takes a higher footing to it so they need to be uh they need to be balanced in a way in which there's a higher degree of value provided section 81 ja has been litigated quite often people can see it and read about it more but what does this law do this law which arguably does not provide you consent centralizes a immense amount of data Gathering Power with the government okay also has the power to then exempt private companies thereby what many people say is not providing you a real meaningful sense of transparency also amends section 81j of the RTI act and I'll just read it once so what it does is it replaces uh 81g completely with uh one single sentence uh where it says that uh the the the information which relates to personal information so Section 8 is this kind of information cannot be provided and then now the fresh 81.jsa is that information which relates to personal information what do you notice public interest has a ground no longer exists thereby what ends up happening is that section 81j will now not have that balancing any longer it will be used in a very oppressive manner to limit flow of public information thereby have a real tangible harm a lot of people possibly the most wonderful sections of your Society even beyond that I think a co-feature of criticism of this law is that uh it doesn't have a regulatory body per se right a lot of the enforcement under very vague standards will be determined as per notifications by the central government which also ends up appointing the data protection board under Section 18. so uh and the central government can also demand information under this law not only from the data protection board but can also recommend Sumo Moto complaints to it for breaches of data so what I think is also conceptually important to understand is that there's so much control for the enforcement of the statute by the central government not only in terms of notifications and standard setting but also in terms of complaints so imagine that now you don't have a right to information law which can have that balancing of public interest some way or the other public document which is not also covered by the official Secrets Act is made available to a journalist or to a person who works in the transparency movements towards posting a greater degree of accountability the central government can file a complaint to the data protection board which lacks Independence is appointed by it its service conditions will be determined by the central government and essentially that will be a pure conflict of interest in that sense uh I think in several several deep ways injuries have been called by the Digital Data protection uh act and it's not only to privacy it's also to transparency okay that that's uh all the questions I had about if there's anything else you'd like to add either to the concerns or to a broad base of understanding the digital personal rights personal right personal data protection bill I apologize uh you can say them right now we would like to platform them for sure uh what I'd uh especially like lawyers to consider is that the Digital Data protection Bill uh is uh flowing uh in some ways uh in ance with the Judgment in so many words of the Buddha Swami judgment as well and if one looks at put a Swami 2 and especially I know it's a dissenting opinion of Justice Chandra should he highlights especially in the context of informational privacy and the way personal data is gathered by the government by itself the state it has an enormous amount of control over ordinary Indians which without a proper regulation that kind of power will be antithetical to a democratic framework as well as the constitution of India the right to privacy links to all our fundamental rights as much as informational privacy links to all our fundamental rights what we eat what we wear what we think we talk to and I think this law especially uh for for for in terms of how it orders people their relationships is very very important I believe that this law which has been passed by parliament requires considerable uh Improvement and I hope that lawyers over a period of time through the analysis critique and activism can help uh refine it in future I'm sure that people who are normalized also will be watching this video I hope you are with us at this point of 30 minutes into the interview and um thank you so much uh Mr Gupta for making time for this interview thank you so much and which for having me here that's all we have for you in this video uh the internet Freedom Foundation provides information about digital rights and issues around the internet governance on Instagram and on their website and we encourage you to see their work for yourself there will be a link in the description for the same if you found this video informative please leave a like and tell us in the comments how we can bring you more interviews like this one if you'd like to support uh the work we do here please consider becoming a member of the livelaw YouTube channel for only rupees 89 per month and please consider subscribing to our Channel and hit the Bell icon for notifications thank you thank you Arnold so much