The crucial yet contentious Personal Data Protection Bill (PDP Bill 2019) may just be entering the home stretch on its way to finally becoming law, but a vexing question is now rearing its head—has the Bill lost its very name?
Originally a bill that came out of a well-intentioned movement to secure privacy and personal rights of individual citizens on the internet, the remixed version which will finally go to the cabinet, and eventually, the parliament, seems more a reinvention, where the "personal" seems to have been clinically incised out of the equation in favour of data management, rather than protection.
“Apart from the exemption[s], the PDP Bill envisages granting broader authority to the government to compel disclosure of information that does not constitute personal data and such authority is extended to any government organisation engaged in prevention or detection of criminal activity,” says Satya Muley, founder of the law firm Satya Muley & Co and a lawyer in the Supreme Court.
“Such broad authority may conflict with other fundamental rights in India,” he added.
The irony is glaring. The PDP Bill was originally conceptualised out of the landmark Supreme Court judgement in 2017 that first recognised "Right to Privacy" as a fundamental right. The apex court had then directed the government to develop a framework for governing personal data to ensure the citizen's right to information privacy. This led to a committee headed by Justice Sri Krishna which submitted an expansive report recommending stringent laws to protect the data privacy of Indians and the setting up of Data Protection Authority to govern its implementation, much on the lines of Europe's citizen-centric GDPR, or General Data Protection Regulation.
But, the draft bill that was tabled in parliament in the winter session of 2019 took a distinctly different stand, turning the concept of privacy on its head. It gave government agencies in the realm of law and order unfettered access to data, leading to an outcry amongst opposition ranks as well as civil society activists. This forced the government to refer it to a parliamentary committee, leading to a further two-year delay (and counting).
However, the latest variant of the Bill that was earlier this week cleared by the joint committee headed by BJP MP PP Chaudhary doesn't seem much different on the face of it, sticking to the argument of national security requiring government agencies to tap into personal data. Seven out of the 31 members of the committee raised objections to various clauses, though, despite this, the bill has been cleared to be tabled in parliament, once the JPC and cabinet green signals it.
“The introduction of a comprehensive data protection legislation will bring a paradigm shift in how our tech ecosystem is regulated (but) the concerns of the civil society (include) the blanket exemption provided to the government and allied agencies through the bill,” said Kazim Rizvi, who heads the tech policy advocacy group The Dialogue.
Muley points out, “The Srikrishna Committee report had recommended that all the policies and controls to protect sensitive information were to also apply to government agencies as well. However, the Bill of 2019 and the current Bill recommended by the parliamentary committee has proposed an exception for government agencies to access any individual's personal sensitive information for state and sovereign purposes.”
“The authority to have access to personally sensitive information under the reasons of 'public order', 'sovereignty' and 'safety of the state' threatens to create an unfettered and dangerous exemption,” he added.
The concerns stem from the fact that from a law that was supposed to protect citizens' rights and privacy online, the present draft seems to have watered down most of the provisions in favour of a larger governmental privilege. This extends beyond sensitive personal information online. The plans to use, even monetise, non-personal and anonymised data for “better targeting of services” sticks out.
Then there is also the regulatory body—the powers of the Data Protection Authority seem to have been slowly pegged down, from the looks of it. “The key responsibility of notifying further categories of sensitive personal data earlier lay with the authority, however now this has been passed onto the central government in the 2019 version of the bill,” pointed out Rizvi. Even the appointments to the committee, originally supposed to have been done by the judiciary, has now been passed on to the government.
While on one level the tech powers-that-be may be gleeful at the softening of the law, they would have tough work ahead of them if the law is passed as it is—some stringent provisions for social media companies include holding them responsible for content posted on their platforms as "publishers" and not as intermediaries. The clause about authenticating every user on social media platforms may also turn out to be cumbersome, if not downright unwieldy.
But not everyone feels that the new law is a letdown. “The bill puts strict accountability on private players to report data breaches, appoint a data protection officer, mandatory declarations about passing information to third parties—which are among some of the pros of the bill,” argued Rishi Bhatnagar, Chairman, IET India Future Tech Panel.
The law, which will subsume the IT Act 2000 that has governed aspects related internet so far, also stipulates local storing of data.
“Citizens sensitive data is secured, stays within the national boundaries... the government is taking the right step to hold businesses accountable in case of discrepancies,” said Kunal Kislay, CEO and founder of Integration Wizard solutions. Though, the cost of this may be high and cumbersome for small businesses and startups, not to forget the training required for compliance.
Whether the union cabinet will speed up the bill for passage in the winter session starting in a few days remain to be seen, considering that it is certain to cause stormy scenes of debates and dissent. The delay will also cost the average Indian dear—as Muley pointed out, “Even today India lacks comprehensive legislation for the protection of personal data. We continue to see the rampant collection, misuse of sensitive personal information for marketing, surveillance and other unauthorised purposes without the consent or even the knowledge of the individual.
“There are a lot of hopes attached to the PDP Bill,” he added, “There is urgency involved, too.”