The draft personal data protection bill that seeks to empower the Centre to exempt any government agency from the provisions of the proposed legislation has the industry worried, as they warn that such exemptions represent "new, significant threats" to the privacy of Indians.
The proposed bill also provides for voluntary verification of social media users and transfer of non-personal data.
The outcry from industry watchers, analysts and civil society comes amid the draft bill suggesting that the Centre will be empowered to exempt any government agency from the application of the act and verify social media users.
One of the provisions of the draft bill states that the Centre can—in the interest of sovereignty, the security of the state, and public order—"direct that all or any of the provisions of this act shall not apply to any agency of the government in respect of processing of such personal data...".
The bill, cleared by the cabinet last week, is likely to be introduced in the Lok Sabha in the next couple of days. Mozilla's Policy Advisor Udbhav Tiwari said that if Indians are to be truly protected, it is urgent that Parliament reviews and addresses "these dangerous provisions before they become law".
"Indians have been waiting for a strong data protection law for years now, and this latest bill delivers real privacy in regards to processing by companies and is a dramatic step backwards in terms of processing and surveillance by the government. Exceptions for government use of data, the verification of social media users, and the forced transfer of non-personal data all represent new, significant threats to Indians' privacy," said Tiwari.
Mozilla is the not-for-profit entity behind the web browser Firefox.
While the bill seeks to protect personal and sensitive data of individuals, it proposes to allow processing of private data without explicit consent in case of security, credit scores, debt recovery, operation of search engines and whistle-blowing.
The draft bill also states that the central government can frame policy for the digital economy with respect to non-personal data. In particular, it can direct any data processor to "provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government".
Further, social media entities with a user base above a certain threshold and whose "actions have, or are likely to have a significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India," will be notified as 'significant data fiduciary'.
Every social media intermediary classified as a 'significant data fiduciary' will enable the users in India to voluntarily verify their accounts. Any user undergoing such voluntary verification will have to be provided with a mark of verification that is visible to all users of the service. Such entities will also have to get their policies and conduct (of data processing) audited by an independent data auditor.
Jaspreet Singh, Cyber Security Leader, EY India, termed the Bill a "double-sided sword".
Singh said that while it protects the personal data of Indians by empowering them with data principal rights, "it bestows the central government with exemptions which are against principles of processing".
"The State can process even sensitive personal data when required, without an explicit consent from the data principals. However, the government will need to show that any processing of personal data is necessary and processing of sensitive personal data is strictly necessary for the exercise of any function of the State authorised by law for the provision of service or benefit," Singh said.
These broadly-worded carve-outs "can be misused and hence need to be carefully examined", he cautioned.
Arun Prabhu, Partner at Cyril Amarchand Mangaldas, noted that portions of the bill have been pared down, and some changes such as the lack of a clear implementation timeline, requirement to share non-personal data, obligations for social media verification "may be a potential source of concern".
He, however, said that certain changes made to the Draft Bill are business friendly, providing for increased certainty, a regulatory sandbox for Artificial Intelligence/Machine Learning and other innovative technology, limiting localisation to non-sensitive data and a potential carve out for non-Indian data processed under contract.
Gartner said that the primary concern will be the execution of the bill, which will include advisory from regulatory bodies such as RBI, IRDAI and SEBI.
"There must be very clear guidelines which the enterprises can easily follow without relying completely on consulting service providers. Very clear deadlines must be mentioned and clarity on the fines in case of violation must be clearly mentioned and should be available on a public website," Rajpreet Kaur, Principal Analyst of Gartner, said.