Over the last two decades, the issue of privacy -- in particular, the collection, processing and sharing of personal data of individuals -- has become increasingly prominent in India. That India does not yet have an omnibus data protection law has remained an important political failure of successive governments. The Personal Data Protection Bill, 2019 (PDP Bill), was introduced in Parliament during the winter session, and then referred to a Joint Select Committee of Parliament for deliberation. This is the latest in a series of steps taken by the government, some more half-hearted than the others, over the last decade towards formulating a data protection law.
In 2012, Justice A P Shah had provided detailed recommendations towards the creation of a data protection regulation. In the past, the Department of Personnel and Training had been the nodal authority working on a privacy legislation, and there were at least two different drafts, one from 2011 and another from 2014 that were produced. None of these attempts went anywhere due to a lack of political will. Even in the present case, the process was necessitated by questions posed to the government by the Supreme Court.
Also Read: What you should know about data protection
In 2017, during the Supreme Court hearings in the referral matter before the constitution bench to clear the judicial uncertainty around the existence of the right to privacy in K S Puttaswamy and Anr vs Union of India (the Puttaswamy judgement), the Government of India announced the setting up of an expert committee to frame India’s data protection law. A 10-member committee led by Justice BN Srikrishna was set up by the Ministry of Electronics and Information Technology (MeitY). In mid-2018, the Srikrishna Committee provided its report along with a draft law. Over the next year and a half, the ministry sat on the committee’s draft, and then went on to introduce a new draft with significant changes in Parliament.
Wide surveillance powers
The most significant changes in MeitY’s draft are the extensive grounds for the central government to exempt any government agency from the requirements of the Bill. The previous draft mandated that any exemptions for domestic law enforcement or national security purposes would have to satisfy the internationally recognised principles of necessity and proportionality. However, in the latest draft, a simple executive order issued by the central government authorising any agency of the government to process personal data can allow them to conduct surveillance without any clear safeguards. Moreover, the “procedure, safeguards and oversight mechanism to be followed” will be prescribed in the rules. It is established law that if discretionary powers are given to the executive branch of the government, it must be accompanied by clear and specific guidelines for the executive to exercise the power. This cardinal rule is ignored by the PDP Bill.
A weak regulator
While there is relative global consensus on a liberal framework for data-protection principles, there is much less agreement on what the most effective ways are of applying and enforcing these principles. What separates weak and strong data protection regimes is the presence of a strong and independent regulator with robust powers and tools.
This Bill also talks about the creation of a Data Protection Authority (DPA). But, if we compare this draft with the old one, we see a clear trend of powers and functions taken away from the DPA and given to the central government. This poses many dangers. In order to govern data protection effectively, there is need for a responsive market regulator with a strong mandate, ability to act swiftly, and resources to do so.
The political nature of personal data also requires that the governance of data, particularly the rule-making and adjudicatory functions performed by the DPA are independent of the executive. The DPA’s independence is also gravely threatened. The composition of the members of the committee to select the DPA has been drastically changed. From the Srikrishna Committee’s recommendation of a diverse committee of the Chief Justice of India, the Cabinet Secretary and one expert of repute, the PDP Bill has changed it to a committee composed entirely of members of the government.
State’s appetite for data
Many advocates of big data argue against the privacy principles as impediments to unlocking the benefits of big data by preventing actors from working with as much data as possible. The two competing interests of preserving privacy and big data exceptionalism are not aligned. It is imperative that a policy decision clearly choosing the right to privacy over the economic incentive of unregulated access to data needs to be made by those drafting the privacy law.
Privacy is a fundamental right and must be independent of financial considerations. No economic interest can justify or outbalance the individual’s right to privacy. The PDP Bill contemplates a scheme under which the central government may direct any data fiduciary to provide any anonymised personal data or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies in any manner. First, it is inconceivable why a law on personal data protection deals with non-personal data at all. Second, the idea of the State having unfettered access to data available with private actors raises serious questions about its surveillance designs.
No clear roadmap
The previous draft had specified a roadmap for the different provisions of the Bill to come into effect from the date of the Act being notified. Most importantly, it specified a time period within which the DPA had to be established and rules and regulations notified. The PDP Bill does not specify any such blueprint; it does not provide any details on either when the Bill will be notified or the time period within which the DPA would be established and specific rules and regulations notified.
To give a sense of the scale of this problem, there are 25 provisions that have been deferred to rules that have to be framed by the central government and a further 19 provisions have been deferred to regulations to be notified by the DPA. The absence or delay in notification of such rules and regulations will have a severe impact on how effective this law is.
The draft law prepared by the Srikrishna Committee was by no means perfect, but had it been passed into law, it would have marked a significant stride in India’s struggle to govern personal data and protect the privacy of its citizens. However, the government’s PDP Bill draft introduced in Parliament and passed by Lok Sabha, while retaining much of the structure of the Srikrishna Committee draft, made serious changes that dilute the most important protections that a data protection law must provide. As the 30-member Joint Select Committee deliberates this Bill, it will do well to remember that the primary goal of any data protection law is to protect the privacy of citizens -- both from private players and the State.
(The writer is Research Director, Centre for Internet and Society)