2 min read.Updated: 09 Dec 2019, 10:31 PM ISTLivemint
If enacted, the Personal Data Protection Bill will grant a measure of legal authority to our right to privacy upheld by India’s apex court. But some of its details need wider discussion
Ever since India’s Supreme Court upheld privacy as a fundamental right in 2017, citizens have awaited legislation to etch the idea into the laws that govern the country. That task is now expected to be achieved by the Personal Data Protection Bill, originally drafted by a panel headed by justice B.N. Srikrishna, a modified version of which was cleared last week by the Union cabinet for enactment. Its broad intent is to set down laws on how the use of data on individuals is to be regulated, and it grants us some crucial rights over our data, if not clear ownership of it. If the bill gets Parliament’s nod, we will have guidelines on the collection, storage and processing of personal data, and the consent needed for its use, apart from penalties and compensation for violations. The bill has a code of conduct and an enforcement model as well.
To the extent that it assures us control of data shared electronically with various websites, apps and the like, the bill’s provisions should serve as a shield against data misuse. For too long have data collectors assumed that what they know about individuals is for them to deal with as they so choose. It is the finer details of the bill, however, that call for examination. The proposed law not only differentiates between data that is non-personal and personal—the latter defined as anything that can identify someone directly or indirectly—it also slots personal data as “critical", “sensitive" or “general", with different rules for each kind. Sensitive stuff would include health and financial data, as also sexual orientation, religious affiliation and so on. Any company that has customers in India must store this data within the country, barring exceptions where it could be processed outside the country with explicit consent. If the logic of local storage is difficult to grasp, what qualifies as critical data isentirely fuzzy, since this has been left to the government to determine as and when a need arises. What we do know is that such data must both be kept and processed within Indian borders. General information, however, could be held in servers and crunched anywhere. If this was intended as a concession to foreign tech firms protesting the extra server costs they would have to bear on account of 100% data localisation (as proposed earlier), then it is only a half measure, since many would still need to set up or rent local servers for sensitive data.
From the perspective of an internet user, while the bill’s safeguards appear adequate against privacy threats from private players in particular, the same cannot be said in a general sense. If enacted, it would require companies that are deemed “significant data fiduciaries" to verify the identities of its online users, for example, which could cramp the space for free speech afforded by social media apps to those keen on anonymity. For the sake of law enforcement, it would also let the government access personal data. Likewise, for research and policymaking, the state will have the right to people’s non-personal data—which could include “anonymized" personal details. These riders might be in our common interest, as claimed, but they also risk turning privacy into a conditional rather than an inalienable right. They make too much space for regulatory interpretation of it. The bill’s proposed Data Protection Authority is not independent either. This, along with other provisions of the bill, could do with a wide debate if this fundamental right is to work as envisioned.