The much-awaited Personal Data Protection Bill of 2019 was introduced in the Lok Sabha on Wednesday and will now be examined by a joint select committee before being taken up for passing. It seeks to protect the privacy of personal data, regulate the processing of "sensitive" and "critical" personal data and establish a Data Protection Authority of India (DPAI) for regulations.
The Statement of Objects and Reasons of the bill provides the backdrop for it: (a) the 2018 Supreme Court verdict declaring "privacy" a fundamental right under Article 21 of the Constitution of India (protection of life and personal liberty) in the Justice KS Puttaswamy vs Union of India case; (b) a subsequent nudge from the Supreme Court to frame such a law; and (c) the Srikrishna Committee's recommendations and draft on privacy protection.
But those in the know say the work had begun much earlier, in 2011. It was in 2018, however, that a draft bill was put in the public domain for comments.
What the bill provides:
The bill lists some of its key features, which are as follows.
(a) Promote concepts of consent, purpose limitation, storage limitation and data minimisation etc.;
(b) Lay down obligations on agencies collecting personal data (data fiduciary) to collect only that data which is required for a specific purpose and with the express consent of the individual (data principal);
(c) Confer rights on the individual to obtain personal data, correct inaccurate data, erase data, update the data, port the data to other fiduciaries and the right to restrict or prevent the disclosure of personal data;
(d) Establish Data Protection Authority of India (DPAI) to protect the interests of individuals, prevent misuse of personal data, ensure compliance and promote awareness about data protection;
(e) Notify "social media intermediary" as a significant data fiduciary whose actions have a significant impact on electoral democracy, security of the state, public order or sovereignty and integrity of India;
(f) Confer the "right of grievance" on individuals to complain against a data fiduciary;
(g) Empower the central government to exempt any government agency from application of the proposed law;
(h) Empower DPAI to specify the "code of practice" to promote good practices of data protection and facilitate compliance; and
(i) Provide for an "Adjudicating Officer" for deciding penalties and awarding compensation for violations and an "Appellate Tribunal" to hear appeals against these.
How well does it achieve the objective of protecting privacy?
Unrestrained access to personal data by government agencies
After having provided for privacy safeguards, the bill empowers the central government, in Section 35, to allow any government agency to bypass all these (a) in the interest of the sovereignty and integrity of India, security of the State, friendly relations with foreign states or public order and (b) for preventing any cognizable offence relating to the above (a).
The only safeguards are: (i) a written order from the central government specifying the reasons for breaching privacy and (ii) in a manner (procedures, safeguards and oversight mechanism) "as may be specified" in future.
In sharp contrast, the 2018 draft had many privacy protections.
Section 42 of the draft, while granting exemptions to the central government only for "the security of the State", had said the processing of personal data "shall not be permitted unless authorised pursuant to a law, and in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to, such interests being achieved".
The 2019 bill does not talk about any of these: a Parliamentary law to be framed for the purpose, and tests of what is "necessary" or "proportionate" to the objectives being sought for breaching privacy.
This is likely to raise serious objections, especially in view of the snooping and surveillance allegations made by WhatsApp and Google in recent months in which fingers were pointed at government agencies.
Pavan Duggal, a well-known cyber law expert, says: "The exemptions granted in Section 35 completely undo the objective of this (proposed) law. It puts power in the hands of the central government and specifically makes it a party, judge and adjudicator of its own cause. There are no checks and balances.
"In view of the recent challenges (emerging out) of the reported WhatsApp and Google snooping events, the chances of abuse of power under Section 35 are immense, with no transparency and accountability towards the relevant data principal. The ultimate target will never know how their personal data is being used by the government agencies. Section 35 stands to negate the enjoyment of personal privacy and other digital liberties."
On the other hand, Rahul Matthan, partner at Trilegal and a privacy and data protection expert, says Section 35 would not worry him since any misuse of it would still be subject to the legal protections given in the Justice Puttaswamy case verdict, which include tests for what is "necessary" or "proportionate".
Dilution in data localisation
The 2018 draft provided for storage of one serving copy of all personal data in India. It disallowed processing of "critical" personal data abroad and subjected "sensitive" personal data to a tight regulatory mechanism like explicit consent, contractual clause, approval of DPAI and central government permission. The 2019 Bill only talks of "critical" and "sensitive" personal data and subjects those to a similar regulatory regime.
("Personal data" is defined to mean any characteristic, trait, attribute or other feature of the identity of a natural person, while "sensitive personal data" relates to financial data, health data, genetic and biometric data, caste, religious or political belief or affiliation etc. "Critical personal data" has not been defined and is left for the DPAI to define.)
Matthan says: "I would say this is onerous (to maintain a mirror of data in the case of "sensitive" personal data). Data should be allowed to go freely. The purpose of localisation is to give access to data to law enforcement agencies. So, I am not sure what is going to be achieved by keeping a mirror on sensitive personal data in India."
Heavy burden on DPAI to regulate privacy
Section 94 of the bill provides that the DPAI would make regulations, rules, safeguards for protection of privacy and restrictions on continuous or systematic collection of "sensitive" personal data etc., including even defining what is "critical" personal data.
Duggal says the DPAI has been empowered to make many regulations which should have been stipulated in the bill. The bill should have specified "critical" personal data, which is the Kohinoor of this data protection crown. Besides, the element of cybersecurity is completely missing from the Bill, making it a paper tiger, not an effective law.
He also points out that the definition of "data" is deficient (less elaborate) vis-a-vis the Information Technology Act of 2000 - which he says is the mother legislation for all matters relating to electronic format. "First and foremost, it excludes "knowledge" from the definition and further, it excludes data in any form other than digital, including computer print-outs, punched cards, punched tapes and provides no protection for these", he adds.
Matthan, however, says that when a law for the fast-moving area of data technology is being framed, it is impossible to put all regulations together into law. It is better for the law to articulate the principles and leave it to delegated legislation to prescribe provisions.