Recently, the Personal Data Protection Bill, 2019 was introduced in Parliament. The Bill has been referred to a Joint Parliamentary Committee for detailed examination, and the report is expected by the Budget Session, 2020. The Bill seeks to provide for protection of personal data of individuals, create a framework for processing such personal data, and establishes a Data Protection Authority for the purpose. In this blog, we provide a background to the 2019 Bill, and explain some of its key provisions.
What is personal data and data protection?
Data can be broadly classified into two types: personal and non-personal data. Personal data pertains to characteristics, traits or attributes of identity, which can be used to identify an individual. Non-personal data includes aggregated data through which individuals cannot be identified. For example, while an individual’s own location would constitute personal data; information derived from multiple drivers’ location, which is often used to analyse traffic flow, is non-personal data. Data protection refers to policies and procedures seeking to minimise intrusion into the privacy of an individual caused by collection and usage of their personal data.
Why was a Bill brought for personal data protection?
In August 2017, the Supreme Court held that privacy is a fundamental right, flowing from the right to life and personal liberty under Article 21 of the Constitution. The Court also observed that privacy of personal data and facts is an essential aspect of the right to privacy. In July 2017, a Committee of Experts, chaired by Justice B. N. Srikrishna, was set up to examine various issues related to data protection in India. The Committee submitted its report, along with a Draft Personal Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology in July 2018. The Statement of Objects and Reasons of the Personal Data Protection Bill, 2019 states that the Bill is based on the recommendations of the report of the Expert Committee and the suggestions received from various stakeholders.
How is personal data regulated currently?
Currently, the usage and transfer of personal data of citizens is regulated by the Information Technology (IT) Rules, 2011, under the IT Act, 2000. The rules hold the companies using the data liable for compensating the individual, in case of any negligence in maintaining security standards while dealing with the data. The Expert Committee in its report, held that while the IT rules were a novel attempt at data protection at the time they were introduced, the pace of development of digital economy has shown its shortcomings.3 For instance, (i) the definition of sensitive personal data under the rules is narrow, and (ii) some of the provisions can be overridden by a contract. Further, the IT Act applies only to companies, not to the government.
What does the Personal Data Protection Bill provide?
The Bill regulates personal data related to individuals, and the processing, collection and storage of such data. Under the Bill, a data principal is an individual whose personal data is being processed. The entity or individual who decides the means and purposes of data processing is known as data fiduciary. The Bill governs the processing of personal data by both government and companies incorporated in India. It also governs foreign companies, if they deal with personal data of individuals in India.
Will individuals have rights over their data?
The Bill provides the data principal with certain rights with respect to their personal data. These include seeking confirmation on whether their personal data has been processed, seeking correction, completion or erasure of their data, seeking transfer of data to other fiduciaries, and restricting continuing disclosure of their personal data, if it is no longer necessary or if consent is withdrawn. Any processing of personal data can be done only on the basis of consent given by data principal.
Are there any restrictions on processing of an individual’s data?
The Bill also provides for certain obligations of data fiduciaries with respect to processing of personal data. Such processing should be subject to certain purpose, collection and storage limitations. For instance, personal data can be processed only for specific, clear and lawful purpose. Additionally, all data fiduciaries must undertake certain transparency and accountability measures such as implementing security safeguards and instituting grievance redressal mechanisms to address complaints of individuals. Certain fiduciaries would be notified as significant data fiduciaries (based on certain criteria such as volume of data processed and turnover of fiduciary). These fiduciaries must undertake additional accountability measures such as conducting a data protection impact assessment before conducting any processing of large scale sensitive personal data (includes financial data, biometric data, caste, religious or political beliefs).
What is the grievance redressal mechanism if the above restrictions are not followed?
To ensure compliance with the provisions of the Bill, and provide for further regulations with respect to processing of personal data of individuals, the Bill sets up a Data Protection Authority. The Authority will be comprised of members with expertise in fields such as data protection and information technology. Any individual, who is not satisfied with the grievance redressal by the data fiduciary can file a complaint to the Authority. Orders of the Authority can be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court.
Are there any exemptions to these safeguards for processing of personal data?
Processing of personal data is exempt from the provisions of the Bill in some cases. For example, the central government can exempt any of its agencies in the interest of security of state, public order, sovereignty and integrity of India, and friendly relations with foreign states. Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as prevention, investigation, or prosecution of any offence, or research and journalistic purposes. Further, personal data of individuals can be processed without their consent in certain circumstances such as: (i) if required by the State for providing benefits to the individual, (ii) legal proceedings, (iii) to respond to a medical emergency.
Is the Bill different from the draft Bill suggested by the Expert Committee?
The Bill has made several changes from the draft Bill. For instance, the Bill has added a new class of significant data fiduciaries, as social media intermediaries. These will include intermediaries (with users above a notified threshold) which enable online interaction between users. Further, the Bill has expanded the scope of exemptions for the government, and additionally provided that the government may direct data fiduciaries to provide it with any non-personal or anonymised data for better targeting of services.
In a follow-up blog, we will provide a detailed comparison of the key provisions of this Bill with the Draft Personal Data Protection Bill 2018, released by the Justice B. N. Srikrishna Committee.
The Union Cabinet approved the Model Tenancy Act, 2021 on June 2, 2021, for adoption by state and union territory governments. The Model Act has three primary objectives. First, it aims to regulate renting of residential and commercial premises by establishing conditions for tenancy, eviction, and management of the property. Second, in regulating tenancy, it proposes mechanisms to balance and protect the rights of landlords and tenants. Last, it proposes a three-tier adjudicatory mechanism consisting of Rent Authorities, Rent Courts, and Rent Tribunals for speedy adjudication of tenancy related disputes.
However, note that rental housing is regulated by states as land, land improvement, and control of rents falls under the State List of the Indian Constitution. This Model Act is only a proposed framework that states and union territories may alter when passing their own tenancy laws.
In this blog, we provide a background on the rental housing market and explain some issues with the 2021 Model Act.
Need for the Act
In India, 95% of households in rural areas live in self-owned housing, and rental housing is a predominantly urban phenomenon. Between 1951 and 2011, the urban population in India grew by six times and as of 2011, comprises 31% of the total population. This is projected to grow to 40% by 2036. However, the share of persons living in urban rental accommodation has decreased from 58% to 27% between 1961 and 2011. The 2015 draft National Urban Rental Housing Policy noted that urban areas face a significant housing shortage and stated that this cannot be addressed by home ownership. In 2012, a Technical Group studying urban housing shortage estimated the urban housing shortage to be at 1.9 crore units. The 2011 Census noted that between 6.5 crore to 10 crore people (17% to 24% of the urban population) live in unauthorised housing in urban areas. The Economic Survey (2017-18) noted that rental housing is a key way to address informality and shortage. It stated that rental housing enables mobility and affordability for low-income segments, who may not be able to purchase housing. It also observed that a significant portion of urban rental housing stock is vacant, attributing it to unclear property laws, poor contract enforcement, and rent control laws.
State governments regulate rental housing through various legislative tools including rent control laws. To prevent landlords from charging exorbitant rent and ensure affordable housing, these laws specify a ceiling on rent and put conditions on eviction of tenants. The 2015 draft Policy noted that rent control laws discourage private investment in rental properties. It observed that rent control laws also skew arrangements towards tenants and lead to more litigation. This has eroded the trust of landlords in the regulatory system. A significant share of the rental demand is addressed through alternate arrangements such as leave and license agreements and informal leases.
A model law to regulate tenancy was first proposed in 1992. The first draft Model Tenancy Act was released in 2015, which was adopted by Tamil Nadu. However, as of 2021, 20 states including Karnataka, Maharashtra, and West Bengal continue to have rent control laws. A few states including Madhya Pradesh, Jharkhand, and Chhattisgarh have repealed their rent control laws.
Besides its key objectives, the Model Act also seeks to ensure affordability, formalisation and increase private investment in the rental housing market. The framework proposed under the Model Act may address some of these concerns. However, experts have recommended supplementing this with other policy initiatives to meet these objectives. For instance, a 2012 Technical Group observed that about 96% of the urban housing shortage pertains to the Economically Weaker Sections (EWS) and Lower Income Group (LIG) categories. The 2015 draft Urban Rental Housing Policy noted that a repeal of rent control laws may increase private investment and availability of rental housing. However, it has recommended several other measures to ensure affordability of rental housing. These include: (i) provision of incentives such as tax exemptions and subsidies to tenants and home owners, (ii) encouraging public-private partnerships and residential rental management companies, and (iii) enhancing access to finance within the EWS and LIG sectors.
Concerns for right to privacy
The Model Act requires all landlord and tenants to intimate the Rent Authority about a rental agreement with a prescribed form. The form requires both the tenant and the landlord to submit their Aadhaar numbers and attach self-attested copies of the card with the form. This may violate a 2018 Supreme Court judgement, which states that requiring Aadhaar card or number can be made mandatory only for expenditure on a subsidy, benefit or service incurred from the Consolidated Fund of India. Registering a tenancy agreement does not entail these, therefore making Aadhaar number mandatory for registering a tenancy may violate the judgement.
The Model Act also states that tenants and landlords will be provided with a unique identification number after registering a rental agreement. Details of the agreement along with other documents will be uploaded on the Rent Authority’s website. It is unclear if personal details of the parties such as PAN and Aadhaar number, which must be submitted along with the agreement, will also be made available publicly. If these are shared on the website, this may violate the right to privacy of the involved parties. The Supreme Court has included the right to privacy as a fundamental right. This right may be infringed only if three conditions are met: (i) there is a law, (ii) the law achieves a public purpose, and (iii) the public purpose is proportionate to the violation of privacy. Sharing personal information of individuals may not serve a public purpose, and hence may violate the right to privacy of such individuals.
Dispute redressal
The preamble of the 2021 Model Act and the background note accompanying the 2020 draft Model Act state that it seeks to establish a speedy adjudication mechanism for disputes linked to tenancy agreements. The Model Act specifies the timelines for resolution of cases linked with eviction and payment of rent. However, timelines have not been specified for certain cases. For instance, no timeline has been specified within which the Rent Authority must resolve a dispute on withholding of essential services or revision of rent.
Specification of minute details
The Model Act seeks to balance the tenant-landlord relationship by specifying rights and duties of both parties. However, it also caps the maximum possible security deposit amount that a tenant must pay to the landlord. Further, a suggestive framework for the rental agreement also includes minute details on responsibility for repair and maintenance. If codified, these specifications may hinder flexibility in framing tenancy agreements.
For a PRS analysis of the Model Tenancy Act 2021, please see here.