Personal data privacy worry over central government reach
The report of the joint parliamentary committee on the contentious Personal Data Protection Bill 2019 was tabled in both Houses on Thursday, and its 93 recommendations amplified concerns about the central government’s powers to invade an individual’s right to privacy.
The chief concern is that the new legislation fails to provide adequate protection, for it does not stymie the government and its agencies from overriding an individual’s right of consent before processing his personal data.
India is one of the fastest-growing data-generating nations in the world with over 700 million Internet users and over 400 million smart phone users. Together, they generate over 150 exabytes of data annually.
One exabyte is one billion gigabytes (GB). Let us put that in context: some experts estimate that all the words ever spoken by mankind would be equal to just five exabytes.
The data that is generated comes from four basic sources: personal data includes our profiles and demographic data from bank accounts to medical records to employment data. Some more data is generated from web searches and sites visited, which help identify preferences and purchase histories.
There is another large cache of data that comes from tweets, posts, texts, emails, phone calls, photos and videos as well as coordinates that reveal our real-time location.
Finally, there is another stack of data that establishes spending patterns that are thrown up by online purchases, modes of transactions, and preferred payment gateways.
Many individuals may want to keep some parts of that data private, exercise control on who can access it and have a consent mechanism before anyone can process it.
The proposed legislation works in a consent mechanism but it also carves out exceptions to the consent rule which the committee failed to address. The report clearly shows that the majoritarian view drowned dissent within the committee.
The big beef within the committee was over Clause 35, which empowers the committee to exempt any agency of the government from the application of the act for certain legitimate purposes such as security of the state, friendly relations with foreign countries, and public order. The committee tacked on a sub-clause that said the procedure for overriding consent for processing personal data should be “just, fair, reasonable and proportionate” – which tends to cloud the entire procedure with a poorly defined, vague phrase.
“It is important to note that such protection is limited since it applies only as a procedural safeguard and not as a condition to exercising the grounds of exemption,” said the Internet Freedom Foundation, which raised 10 key objections to the report.
The IFF said the bill undermined the primacy of an individual’s privacy by adding the words “to ensure the interest and security of the State” in the first paragraph of the preamble.
“This clearly marks a primary objective of the law to serve security interests that are misplaced within a data protection law,” it said.
However, the IFF welcomed a change in Clause 62 that gives all citizens the right to complain to a Data Protection Authority and secure compensation.
Not everyone has been happy that the bill contains certain provisions that can severely compromise the independence of the Data Protection Authority.
Last month, seven opposition MPs from the 30-member panel gave dissent notes and these were appended to the report. Their main objection was that the Centre would end up controlling the Data Protection Authority.
The IFF said: “Fresh language has been inserted in various sub-clauses to exercise such power in consultation with the central government.”
It said the “fresh insertions” increased government power over the Data Protection Authority, thereby reducing its independence.
It explained how this could be done. “Practically, this would allow a policy pronouncement by the ministry of electronics and IT (MEITy) to override protections under the Draft Data Protection Bill, 2021…. As a result, the decision of the central government will now be final in all matters, further weakening the independence of the Data Protection Authority.”
The IFF also said that there was a “noticeable expansion in Clause 94” under which the power of the central government had been expanded to “include various fresh subjects”.
Supreme Court advocate and the founder of online child safety firm Cyber Saathi, N.S. Nappinai, said: “The scope has now been unequivocally expanded to include non-personal data…. This would certainly spell good news for India-based businesses, particularly start-ups. I hope, however, that this addition does not delay implementation.”
Trishee Goyal of the Vidhi Centre for Legal Policy told The Telegraph: “The bill currently provides exemptions that are wider than what the Justice Srikrishna Committee draft had provided for…. Given the recent controversies around state surveillance, for example, in the context of Pegasus, this is one of the issues that have the potential of stalling the bill and resulting in constitutional challenges.”