The Personal Data Protection Bill, 2019, has been referred to a joint parliamentary committee. The bill seeks to regulate the use of individuals’ data by the government and private companies, but gives the government the power to exempt any of its agencies from the law. This means that any government agency can access your data if the government deems it necessary in the “interest of sovereignty and integrity of India”. If the bill passes, your sensitive financial data could also be used without your consent. Nilanjana Chakraborty asks industry experts how this will impact individuals.
Arya Tripathy, Principal associate, PSA
Core tenets of accountability, transparency can be affected
If implemented as is, the law will impact how financial data is being processed. Firstly, the scope of personal and sensitive data has been enlarged. Any personal data has the potential of becoming sensitive. For instance, name and password combined with other data can disclose bank account details, PIN, tax returns and card details. Thus, the line between personal data and sensitive data can be blurred.
Secondly, in the context of financial data, state or any private entity while complying with any legal mandate (like banks, financial service providers, insurers) can without any prior information gain access to and process an individual’s financial information. This may adversely affect the core tenets of accountability and transparency in processing personal data.
Lastly, the government can suspend application of any provision of the bill where it deems necessary in the interest of the state. Sans specific requirement for authorization, it can be interpreted to allow the state to access financial information. These grounds are generic and tend to provide the state with greater leeway.
Raj Khosla, Founder and managing director, MyMoneyMantra
Intervention from state may dilute the bill’s essence
Data protection is a fundamental right of every Indian and the new legislation should thus be a cornerstone in protecting privacy of the second largest internet population. But selective state-sponsored intervention may dilute the very essence of the bill. As outlined by EU’s General Data Protection Regulation (GDPR), data protection and consumer privacy need to be harmonised.
In today’s economy, digitization has enabled the formal economy to touch almost every individual on a pan-India basis—for instance, the Aadhaar-linked subsidy disbursal. If data access and storage is restricted only to the government, large-scale innovations will suffer. The order of the day is a consent-based free flow of data.
In particular, the banking and financial services industry deals with high volumes of data, i.e., phone numbers, bank accounts, and so on. With a lopsided ecosystem for data protection, the consumer will find his privacy selectively compromised, and he will also be deprived of multiple choices. At a macro level, such restrictions can mitigate universal financial literacy.
Trishneet Arora, Founder and chief executive officer, TAC Security
Sensitive financial data should be protected
The bill that has been tabled follows the precedent set by EU’s GDPR and is a much-needed intervention. However, it must be ensured that important issues such as national security are not used to validate the unregulated harvesting of private citizens’ data by government agencies.
The government should strike off the objected clause and instead leverage the precedent set by the privacy judgement issued by the Supreme Court in 2017. The government should make it mandatory to declare specific objectives for collecting private data, as well as the authorities ordering this and the procedures that will be followed. The level of data collection should also be proportionate to the interest being achieved. This will go a long way in ensuring that private data remains protected, without compromising the security of the country. Given that information is also an important tool for national security, the current bill is satisfactory. The government must, however, look to implement certain frameworks to protect sensitive financial information of private citizens and business enterprises.
Ramki Gaddipati, Chief technology officer and co-founder, Zeta
Provision is necessary for the govt; needs to be allowed
The provision which allows exemptions for government agencies is necessary for any government to function. But while these are necessary measures, the safeguards may not be sufficient.
There may not be an easy enough articulation that gives adequate power to the government without allowing for it to misuse it. A government with the motivation to do so can misuse the provisions available, but the intention of the provision is necessary and it needs to be allowed. In a sense, we are required to trust the government and rely on it to do its job in the spirit of the laws that are applicable.
Use of data that is collected under the provisions available in Chapter 8, Section 36 or 35 for commercial purposes will definitely amount to a breach of law. However, I do not think there is a cause of concern with respect to commercial use of the data.
But for official purposes, the data could still be used. But if a government that is inclined to misuse the data for its own purposes does so under the provisions of the bill, it is going to be difficult to establish a breach of law.