The draft of the much-awaited Data Protection Bill, which has undergone multiple iterations since it was first mooted as the draft Personal Data Protection Bill in 2018, has finally been adopted by a Joint Parliamentary Committee and is likely to be tabled in the upcoming winter session of Parliament.
At the time it was referred to the JPC for scrutiny, it had been introduced as the Personal Data Protection Bill, 2019, and sought to provide for the protection of personal data of individuals, create a framework for processing such personal data, and establish a data protection authority for the purpose.
As the name of the revised draft itself suggests, the latest version has undergone significant alterations from the Bill as it had been originally submitted. The most significant addition, of course, is the inclusion of non-personal data collection and usage, which is why the word ‘personal’ has been omitted. The introduction of the Bill marks a watershed moment in India’s march towards a digital society.
Despite having one of the world’s largest bases of Internet users, and an explosive growth of digital services, e-governance and e-commerce in the country, the absence of any data security laws was a glaring omission. A data privacy law was the need of the hour, given the rapid growth of digital infrastructure and usage in the country. As such, the government’s bid to finally bring in suitable legislation is welcome.
The government is also to be congratulated for following due parliamentary process in bringing in such landmark legislation, unlike, say, the ill-fated farm laws. As the farmers’ protest and the subsequent decision to repeal the farm laws clearly demonstrated, any attempt at coercive and top-down legislation, however well-intentioned, is doomed to fail if broad, popular consensus has not been built up on the issue and all stakeholder views taken on board.
That even the scrutiny by the JPC has shown up a wide divergence of opinion on the issue testifies to the thorny questions sought to be addressed by the Bill and the degree of freedom, fairness, equity and privacy sought to be provided to our citizens. The dissent notes submitted by several Opposition leaders, including the Congress’s Jairam Ramesh and Trinamool Congress’s Derek O’Brien and Mahua Moitra among others, have flagged several issues of concern, which need to be taken on board by the government.
While the Bill provides for strict norms for collection and usage of personal and non-personal data by private entities, the norms are far laxer when it comes to such acts by government agencies. Among the norms proposed to be applied to private entities are the requirement to mandatorily disclose to data principals if their data is passed on to any third party, the appointment of a data compliance officer who must be a member of the senior management, and the obligation on the part of companies to ensure the ‘fairness of any algorithm’ used. Another significant proposal is the bid to treat social media platforms as publishers and to require them to mandatorily verify users. It also recommends that social media platforms be made liable for posts by unverified accounts.
In contrast, the requirements on the part of the government, which collects significantly more and ‘richer’ data on its citizens, are far lighter. As per the proposed draft Bill, the state can utilise individuals’ private data without ‘informed consent’ for a number of reasons, including the provision of any service or benefit to the data principal from the state; the issuance of any certification, licence or permit for any action or activity of the data principal by the state, or under any law in force, whether state or Central. Informed consent is also not required for compliance with court orders and in medical emergencies involving a threat to life or public health.
Perhaps the most controversial provision relates to the steps taken in the case of any breakdown in ‘public order’, which has also not been clearly defined. Clause 35 of the Bill, on which as many as seven MPs have already submitted notes of dissent, allows government agencies to utilise private data in the name of public order, sovereignty, friendly relations with foreign states and the overarching national security provisions.
Opposition parties and other stakeholders have also objected to the government keeping to itself the right to select the chairman and members of the proposed data protection authority, whereas the original draft called for judicial oversight of such appointments in order to preserve autonomy and independence of this key regulator. The sweeping powers given to the government to exempt any government agency it chooses from the provisions of the Bill are also a cause for concern, as this may end up defeating in large measure the objectives of the proposed law.
While the need for a strong data protection law is unquestionable, it is also important to ensure that the law provides a genuinely free and fair framework and has built-in checks and balances to prevent misuse. Wider debate and consultation, within Parliament and without, will help ensure this.