In an interview, Justice Srikrishna, the architect of the first draft bill, said the blanket power of exemption from all provisions of the law in favour of a government agency is a disastrous move.
The Personal Data Protection Bill, 2019, which seeks to regulate the use of individual data by the government and private companies, has been referred to a joint Parliament committee. The proposed law, as cleared by the Union cabinet, allows the government to access personal data. The provision has attracted much controversy for being in sharp contrast to what was proposed by an expert group headed by former Supreme Court judge B.N. Srikrishna in its first draft in July 2018.
Currently, there are no laws on the use of personal data and preventing its misuse, although the Supreme Court had upheld the right to privacy as a fundamental right in 2017. In an interview, Justice Srikrishna, the architect of the first draft bill, said the blanket power of exemption from all provisions of the law in favour of a government agency is a disastrous move. Edited excerpts:
How is the personal data protection bill different from the previous draft that was submitted to the government? What do you think are the key changes?
There are three significant changes in the current bill. First, the Data Protection Authority’s (a regulator that will take steps to protect the interest of individuals and prevent misuse of personal data) composition is dominated by the government, as contrasted with the diverse and independent composition as suggested in the committee’s draft. In the current bill, the authority’s chairperson and six whole-time members will be appointed on the recommendation of a committee comprising the cabinet secretary, IT secretary and law secretary.
The second difference is that there is a blanket power of exemption from all provisions of the law (including access to personal data without consent, citing national security, investigation and prosecution of any offence, public order) in favour of a government agency.
The third difference is that there is an attempt to control social media by reserving a right of access without consent of non-personal data or anonymized data.
Is it a good idea to send it to a joint select committee comprising members of both the Houses of Parliament for wider discussion on the bill?
Nowadays, there is not much time left for Parliament to discuss any bill threadbare. This being a serious law, its contours need to be carefully considered before enacting it. Hopefully, the select/joint committee will devote the attention needed. (The committee is expected to submit the report in the budget session of Parliament that usually begins January-end.)
The bill seeks to lay down a legal framework to preserve the sanctity of consent in personal data sharing. However, it also states that the central government has the power to exempt any agency of government from application of the Act. What is your view in this regard?
The consequence can be disastrous from the point of view of safeguarding the right to privacy of an individual as there would be no independent oversight. No amount of self-certification by an executive officer would be sufficient safeguard.
Is it a good idea to dilute data storage requirement for non-critical and non-sensitive personal data?
The provision (on data storage) is not too much different and seems more of a cosmetic change. The earlier draft required non-critical and non-sensitive data to be stored elsewhere (global servers outside India) with a mirror copy of the same in India. The whole idea was that the access should be available in India; otherwise there would be a need to seek permission of the foreign government to access data. This has been changed. Now there is no restriction (data can be accessed) with the consent of the data principal. This will not make much of a difference and is not a severe change. However, critical data, which is yet to be defined by the government, still has to be stored and processed only in India. Sensitive data can be processed outside India, but with consent. (The bill categorizes data into three categories—critical, sensitive and general. Sensitive data—financial, health, sexual orientation, biometrics, transgender status, religious or political beliefs and affiliation—can be stored only in India. However, data can be processed outside India with explicit consent.)
How will the bill impact India’s trade relations with other nations as far as IT services are concerned?
The greater worry is the likely impact on the fundamental rights of individuals. Trade issues with foreign countries can always be sorted out by negotiations, bilateral treaties and nations resort to international forums like the World Trade Organization (WTO). What is worrying is what is happening to individual data in India. Data is a person’s individual fundamental right and that is being abridged without following the strict constitutional parameters.
There is a new provision that the government can have access to non-personal data that has not elicited a positive response from the industry. How do you view this?
Trade bodies may not have carefully thought about the consequences. The dangerous part of the bill is the government’s access to non-personal data. A business entity may have non-personal data such as financial data, business strategy data, future projections data, etc., that is not personal but necessary from the company’s point of view. It is doubtful if any business entity would be comfortable to share all that data with the government.