Why we need protection from the Data Protection Bill

The Bill, in its current form, more or less tries to hand the government a blank cheque when it comes to accessing citizens’ data.

The Ministry of Electronics and Information Technology (MEITY) is set to brief the Joint Parliamentary Committee on the Data Protection Bill on January 14. As MEITY itself has drafted the Bill, it is unlikely that it will suggest major changes. But the hearing is crucial because it has the potential to alter the course of India’s privacy framework.

The Bill heavily favours the state. It allows the government to staff the Data Protection Authority (DPA) to be set up under the law, enables the Centre to demand non-personal data, and allows for processing of personal data, while also giving the government the power to exempt any of its agencies from the legislation.

There is a lot to discuss but a few issues stand out in relation to the DPA, and the right of the state to access a citizen’s data.

Let us begin with the DPA. The Bill has a broad scope and mandate, and once Parliament passes the Bill into law, the DPA’s work will begin. The Bill outlines the DPA’s duties as protection of the interests of data principals (people whose data is in question), prevention of any misuse of personal data, ensuring compliance (with the Act), and promoting awareness about data protection. The first of these duties is interesting as it gives the DPA a broad mandate to act as a representative on behalf of the people and their data.

The body will be expected to meet global standards or even better them. It is important that those standards exist and be maintained. India is in the unique position to draft a law on data protection in which it can learn from the experiences of other countries. It is only fair that India adopts a similar or even higher standard for the law.

The thing to notice here would be how the DPA is staffed, particularly who the chairperson and six members will be, and how they will be appointed. In its current form, the Bill states that one of the six members should have ‘qualification and experience in law’. However, the need of the hour is to not have senior or retired bureaucrats in the DPA but experts who are acquainted with technology, law, and privacy.

The Bill broadly had three trade-offs to manage: define the powers of the state when it comes to data; set privacy standards around the personal (characteristic, trait, attribute or any other feature used for profiling) and personal-sensitive (financial data, health data, sex life, genetic data) data of citizens; and outline the roles and responsibilities of data fiduciaries.

The big-ticket item here is that the Bill has heavily favoured the government when it comes to access to data and processing of it. There are two reasons why I say that. Firstly, Chapter 3 of the Bill lays out the grounds that allow the government to process personal data for a certain number of functions. The text of the clauses is fairly broad. For instance, the first clause allows for the processing of personal data for the provision of any service or benefit to a data principal from the state. As a proponent of privacy, though, I am thankful it does not apply to sensitive or critical data and wish it stays that way.

Secondly, Chapter 14 gives the state, in consultation with the DPA, the power to demand non-personal or anonymised data from fiduciaries to enable better targeting of services or form evidence-based policy-making. Given the prevailing environment, one could fit a lot of ground under the umbrella of evidence-based policy-making and abuse that provision if it’s not defined well.

In all fairness to the Bill, it has tried to formulate checks and balances when granting the executive these powers. Two instances come to mind here. Firstly, in granting powers to demand non-personal or anonymised data, it requires the government to consult with the DPA. But given that the DPA will be staffed by people recommended and appointed by the central government, the process may end up being redundant. Secondly, the Bill also puts a check on the DPA when it asks the Authority to “specify manner in which the data fiduciary or data processor shall provide the information sought, including the designations of the officer or employee of the Authority who may seek such information, the period within which such information is to be furnished and the form in which such information may be provided” (Chapter 9).

In spite of all this, I still think that the Bill more or less tries to hand the government a blank cheque when it comes to access to data. As we head into deliberations around this issue, I would argue that there is a chance that this cheque will get blanker. For people who highly value privacy, the good news is that we still have the landmark Puttaswamy judgement that establishes the fundamental right to privacy under the right to life and personal liberty. Moreover, the regulatory climate is shaping into one where the judgement will be needed more than ever, especially with the government giving itself the powers to access data through the Bill, through recommending and appointing members in the DPA, through allowing agencies to intercept and access data, and through pushing to allow traceability in communications through amendments to the IT Act.

The Personal Data Protection Bill is an essential step towards regulating a new space. However, given the draft version available, it also seems to be the beginning of a new tug of war for access to data. Through the Bill, the government has the power to push to erode privacy. The Puttaswamy judgement allows for privacy to be encroached upon if the encroachment has a basis in law, corresponds to a legitimate aim of the state and is proportionate to the objective it seeks to achieve. We are looking at the state’s actions being assessed through these three criteria for months and years to come.

(Rohan Seth is a technology policy analyst at The Takshashila Institution)

This article was first published in Deccan Herald.