Are you confused about the Personal Data Protection Bill, and don't know where to start? We're on a mission to #StartFromScratch and break down components of the bill for your knowledge.
In part 1 we discussed the need for a data protection bill in today's digital world. We provided historical context and hinted at some of the concerns that have been raised about it. In part 2 below, we discuss the bill's basic elements and provisions. 2/n
Let's begin with the basics - the most important definitions. Given the example that you're a Facebook user, you are called a "data principal". Facebook is the "data fiduciary", and the entity that processes your data for, say, advertising purposes is a "data processor". 3/n
Next, let's understand data categories. Most provisions deal with "personal data" because the bill doesn't apply to "anonymised" data.
(Clause 91, however, empowers the Central government to ask fiduciaries (like Facebook) and processors to provide anonymised data).
4/n
Now, who will enforce this law?
A "Data Protection Authority" will be the main regulator. It will protect your interests and ensure compliance with the Act. For example, it can ask fiduciaries to provide any relevant info and issue directions which they must comply with. 5/n
What are YOUR rights?
Your personal data can't be processed without informed consent, which is valid only if it is freely given, clearly expressed, and capable of being withdrawn. But consent is bypassed in case of unlawful activities, security, and search engine operations.
6/n
You have the right to obtain your personal data and a summary of activities performed on it, correct/complete/update it, receive it and transfer it to any fiduciary, and restrict it if it is no longer necessary. Please refer to the blog post for more details on your rights.
7/n
Now, in your interest, data fiduciaries (again, like social media platforms) have certain obligations imposed on them. Each data fiduciary must implement a privacy-by-design policy that explains how your privacy and data security are going to be ensured throughout processing.
8/n
Fiduciaries must make some info available to you, like categories of personal data generally collected, manner of collection, purposes for which personal data is processed, categories processed in exceptional situations, and the procedure for your exercise of your rights.
9/n
Fiduciaries and processors must implement security safeguards:
- De-identification, encryption, etc
- Steps to protect integrity of personal data
- Steps to prevent misuse/unauthorised access/destruction/etc of personal data
- Periodic reviews of their security safeguards
10/n
Lastly, the Bill provides for a variety of exemptions, many to the government. These are some of its most criticised sections, and rightly so. Take a look: 11/n
We hope this was helpful in furthering your understanding of the Bill! In the next edition, we're going to do a deep dive into the many challenges of the bill, and how the movement for #DigitalRights in India can address them.
RT, like, share, and ask us questions!
12/n
• • •
In 2018 @GoI_MeitY refused to provide us with public consultation comments on the Data Protection Bill in response to our RTI request.
After 3 years of pursuing this, the Central Information Commission has held that MeitY's denial is grossly improper. 1/n internetfreedom.in/persist-transp…
The RTI reply stated that the comments were confidential, but the CPIO did not cite any provision under section 8 of the RTI Act, 2005 to support this. Thus, the refusal was without basis and illegal. 2/n indiankanoon.org/doc/758550/
So we filed an appeal before the First Appellate Authority.
The FAA replied that the information can’t be shared under section 8(1)(i) of the RTI Act.
But this section provides exemptions for cabinet papers, and doesn’t apply to our request! 3/n indiankanoon.org/doc/93879/
Thread!
As election fever rises and #Kerala, #TamilNadu and #WestBengal go to the polls, we're bringing you an analysis of manifestos of major parties on their commitments to tech innovation, digital rights, internet access, privacy and cybersecurity. 1/n internetfreedom.in/2021assemblyel…
Despite a rising number of young voters and Indian internet users, political parties have been slow to move on digital rights. Before the 2019 general election we drafted an agenda making an appeal across party lines to prioritize digital rights. docs.google.com/document/d/1AX…
2/n
Following are our key learnings surrounding the promises made by political parties. We follow a model in which a “+” indicates a positive move, “-” a negative one, and “?” indicates one which does not present a clear foreseeable consequence or is ambiguous.
3/n
#MobikwikDataLeak
We have written to @IndianCERT asking them to initiate an inquiry over the Mobikwik data breach under Sec. 70B(6) of the IT Act. We lay out 5 steps MobiKwik must take to alleviate the situation. Pls read and RT for public knowledge. 1/n internetfreedom.in/mobikwik-data-…
Over 8.2 TB of data of MobiKwik users has reportedly been put on sale over the dark web with an asking price of 1.5 Bitcoin (~ INR 65 Lakhs). The leak includes KYC, passport, address, email, phone number and Aadhaar card details of 10 Crore Indians. indianexpress.com/article/techno…
2/n
MobiKwik's denial has been countered by independent researchers who indicate that a breach has occurred. MobiKwik also reportedly sought help from Amazon last month after they discovered that someone outside the organisation downloaded their S3 data.
Thread: Facebook has announced a Human Rights Policy which will be applicable to all FB, WhatsApp, and Instagram users. We analyse this new policy in India's context, and call on FB to improve its practices openly and transparently for Indian users. 1/n internetfreedom.in/facebook-human…
FB outlines its commitment to the UN Guiding Principles on Businesses and Human Rights. Given that FB has been criticized for aiding human rights violations for years (scoring a mere 45/100 on the RDR index), the policy is too little, too late. 2/n rankingdigitalrights.org/index2020/
1. FB has committed to protecting privacy on WhatsApp, saying it won't give governments access to people’s data. The IT Rules, 2021 require traceability of information originators which may affect encryption so this is welcomed. But the Policy is insufficient on many fronts:
3/n
Thread on COVID-19 surveillance:
On May 28, 2020, we filed an RTI request with @BECIL_India on their tender to procure a Personnel Tracking GPS Solution and a Covid–19 Patient Tracking Tool. These surveillance measures impinge on rights of privacy, autonomy, and dignity.
1/n
We did not receive a reply. Then on October 30, 2020 we filed a first appeal against them and still did not receive a reply. Our last step in the matter was to file a second appeal with the CIC on December 12, 2020.
In 2021, BECIL has finally replied to our first appeal.
2/n
They state that procurement for the two items has not been done till date. Further, they have also stated that since this project is still at the Expression of Interest stage, a cost-benefit analysis is not required. 3/n
Breaking: Via an RTI filed with @MIB_India, we obtained 112 pages of complaints filed against Tandav. Sent 40 days before the IT Rules came into force, they triggered OTT censorship in India. Our policy analysis of grave implications on free speech. 1/n internetfreedom.in/tandav-case-st…
All of the complaints follow a template. 1. They've been filed majorly in Hindi and English. 2. Almost all were filed in the 3 day span of Jan 16 to Jan 18 2021. 3. Many include similar objections (even language) clustering around hurt religious sentiments.
Read one here: 2/n
After the complaints were filed, the creators apologized and removed controversial scenes, but multiple FIRs were filed against them.
People went on demanding that censorship and criminal penalties be imposed on OTT platforms. On Feb 25 2021, the government did exactly that.
3/n