The Joint Parliamentary Committee examining the government’s Personal Data Protection Bill has asked for public comments on the legislation. The committee is headed by BJP lawyer and MP Meenakshi Lekhi and has a total of 28 members.
A number of data privacy advocates welcomed the move, as the demand has been growing for quite some time to discuss and debate the bill publicly. “It’s important to have wide consultations on the bill to get stakeholder inputs,” said Sreenidhi Srinivasan a senior associate at IKIGAI, a technology-focused law firm.
As The Citizen reported earlier, Clause 35 of the bill has garnered particular criticism. It permits the government to exempt any government agency from any or all of the bill’s provisions. “Any government agency can be exempt for one of several reasons. This is a fairly wide exemption,” said Srinivasan.
“There should be more transparency regarding this, because if there’s no reasonable suspicion and still there is a probe on somebody’s data, that is problematic,” said Karnika Seth, a lawyer and privacy data expert. Seth believes the exemption requires various checks and balances to ensure it is not abused.
The bill’s exemptions “will have to be tested against the Justice Puttaswamy decision on the right to privacy – and the test it lays down for necessity and proportionality,” Srinivasan believes.
A constitution bench of the Supreme Court held in the Justice K.S.Puttaswamy case in 2017 that the right to privacy is a fundamental constitutional right protected by Articles 14, 19 and 21.
There are also concerns regarding the use of data by the government. Clause 91 of the bill empowers the central government to direct any data fiduciary or data processor to provide it with anonymised personal or non-personal data, ostensibly to “enable better targeting of delivery of services or formulation of evidence-based policies”.
“There is an issue with this sharing of non-personal data with the government. What and how much access can it exercise?” asks Kumar Deep Banerjee, country manager for the Information Technology Industry Council, a US-based trade association that represents a host of tech companies including Google, Facebook, Amazon and Microsoft.
Srinivasan explains further: “There’s a separate government committee looking at non-personal data. The goals of a data protection law are very different from the policy goals for regulating non-personal data. These conversations should be kept separate.”
Banerjee believes that since a committee is already looking into the matter, it is not necessary to have such a provision at all in the data protection bill.
The bill proposes a Data Protection Authority whose constitution and functions have raised some doubts. In the bill’s last draft the government removed the judicial member from the proposed selection committee recommending members to the DPA.
As Banerjee points out, this would mean removing the judicial overview that was initially envisioned in the draft bill proposed by the Justice BN Srikrishna Committee. “The constituting of the DPA, the selection of its members is left to the central government, which in our opinion puts too much powers with the central government.”
Justice Srikrishna himself told the media during the winter session of Parliament that the draft bill is “dangerous” and threatens to turn India into “an Orwellian state”.
Seth believes the DPA should have representation from “all the various stakeholders” in the industry, “in order to maintain a balance of power”.
But no matter how it is constituted, a single DPA could find it difficult to deal with regulation and compliances issues across the entire country.
Srinivasan warned that “the DPA has to make regulations, issue codes of practice, hear complaints, award penalties, etc. Once the DPA is set up, it may be flooded with complaints. The DPA’s capacity to carry out both regulatory and adjudicatory functions should be looked at closely.”
Many tech businesses have also raised concerns about proposals like data localisation, which would compel them to store all their data locally in India. “The very premise of this provision is something we do not agree with. Because if the question is about lawful use of data, for national security etc. then there are existing international conventions under which one can easily access data for law enforcement,” Banerjee remarked.
Seth agrees that the relaxed requirements on data localisation from the earlier draft are a welcome change. “Whatever data is not very sensitive should not be barred from free storage and processing anywhere. Doing that would stifle the inherent globalised nature of the internet. But critical data must be stored in the country.”
A final concern Srinivasan expressed was that the bill defines no timeline or deadline for compliance, unlike the EU’s General Data Protection Regulation, which gave businesses two years to comply. This can create an uncertain business environment.
Newer inclusions to the bill also need some considering. “Some new concepts were introduced in the 2019 bill, like sharing non-personal data with the government. Those in particular should be discussed extensively,” Srinivasan emphasised.
Both Srinivasan and Banerjee said they were looking forward to sending their responses to the committee. Banerjee is hopeful it will hear out their concerns.
“What has been done is that some principles are laid out… but it is important that the rule-making synchronises with that. If it doesn’t then the objective is lost,” said Seth.
The committee is accepting reviews and suggestions till February 25 over email. The comments it receives will not be made public.