The Personal Data Protection Bill, 2019 was introduced by the Minister of Electronics and Information Technology, Ravi Shankar Prasad, on December 11, 2019. The Bill seeks to provide for the protection of individuals' personal data, and comes after many serious data breaches in the past year in which personally identifiable data, including names, addresses and bank account numbers, was publicly accessible.
Over 3.94 lakh cyber-security incidents were reported in 2019, according to information tracked by the Computer Emergency Response Team-India (CERT-In), and as many as 48 central and state government websites were breached. The law is necessary since there is still no law in place to take care of consumers' data and protect their privacy.
A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Such processing will be subject to certain purpose, collection and storage limitations. The Personal Data Protection Bill, 2019 will have an impact on how businesses collect data and on the rights that users have over that data. Currently, the legislation is at the draft stage and is being examined by a 30-member team of the Joint Parliamentary Committee (JPC), which has invited comments from stakeholders by February 25.
The JPC is expected to present the Bill to the Lok Sabha by the last week of the Budget Session. When we compared the recommendations made in the revised Bill with those in the previous one, we spotted multiple concerns, including ones related to privacy and surveillance.
Surveillance fears: The Bill presented in Parliament overlooks the original draft submitted by the Justice Srikrishna-led panel in 2018, which had said that no data should be collected by the government until it was authorised by law. Personal data can be processed without consent for medical, security and natural emergencies, employment-related purposes and other reasonable purposes.
There is a very wide exemption given to government agencies for surveillance activities that require access to and processing of personal data. The exemption is two-fold: any agency can be exempted for this purpose, and these agencies can be exempted from any or all provisions of the Bill.
The government can also collect data of users without much restraint and use this data in opaque ways. The Bill dilutes individuals’ control over their data by allowing the government to exempt any of its agencies from any or all the provisions of the Bill.
The recent Pegasus-WhatsApp interception scandal can be taken as an example of this. Under the proposed Bill, the government could empower a security agency, such as the NSA, to undertake such an operation without contravening any laws.
The absence of a judicial member in the DPA committee raises concern, since the Data Protection Authority (DPA) team mainly comprises secretaries from the Cabinet, the Department of Legal Affairs and the MeitY.
This raises a major concern about the DPA being independent of the government. “The current Bill is bereft of diversity in the composition of the Selection Committee. It will make the entire committee and appointment process very government-centred. It carries the risk that the persons who are appointed as DPAs will again be people who will be predisposed towards the government’s interest. Given that the government is a large data protector, which will also be regulated by the provisions of the bill, it may raise issues of conflict of interest and institutional bias.”
Impact on Companies
The Bill, if implemented in its current form, will have a three-fold impact on companies.
It will introduce a level of legal compliance that did not exist earlier for companies. Whenever they gather users' data, companies will be required to give users clear notice of what data is being collected and what purpose it will be put to.
Businesses will have to revamp their data handling practices. To comply with the Bill, companies will need to allocate budgets and prepare for compliance starting now.
With regard to companies' use of data, some companies can be exempted by the government. However, the expert says, the Bill also does not provide an indicative timeline for compliance.
Inclusion of non-personal data
The Bill further does not offer any explanation for the inclusion of non-personal data. As per the new Bill, the government can ask any company to give it anonymised personal or non-personal data for policy formation and better delivery of services.
This is a dangerous provision which can allow the government to come in and ask companies to turn over all data they hold, reasoning that they require it for public interest or surveillance.
Last month, Justice Srikrishna had also argued against the inclusion of the clause, saying that the inclusion of non-personal data in the Bill is dangerous as it needs to be covered under a separate law.
Non-personal data includes any data other than personal data, such as weather data, e-commerce shopping data, traffic and food delivery data, among many others.
Restrictions on cross-border data
The Bill puts restrictions on the transfer of sensitive and critical personal data, not all personal data.
“The Bill also makes things more difficult for a company as it will have to obtain approval of the DPA for cross-border transfer of data. This could prove to be detrimental to India’s vision of improving the ease of doing business,” said Prasad.
According to industry observers who have seen the Bill, the current compliance requirements around storage and collection restrictions will also make things a bit difficult for startups that would like to build their business around data.
Besides, there is no provision that allows for sufficient time to implement the important changes required under the Bill.
As the Data Protection Bill, 2019 is nearing a finalized version, we now wait to see if the JPC takes a good look at the draft and addresses some of the concerns raised.