Data protection law: How JPC proposes to hand over citizens’ personal info to govt
Every mouse click, every touch tap through the day on phones, laptops and tablets is accumulated in the data minefield that each one of us has turned into. This minefield can reveal more about us than probably our families, close friends or even partners. It is, therefore, personal in the true sense. Any unauthorised breach of this personal space is, thus, illegal. But can the government authorise such a breach using law? If a joint parliamentary committee (JPC) report on personal data has its way, our ‘truly personal’ will soon become violable—by law.
The JPC has proposed significant amendments to the 2019 draft of the Personal Data Protection Bill (PDPB) by expanding the ambit of the legislation to include non-personal data, in addition to personal data, and suggested renaming the legislation as the Data Protection Bill, 2021, making the very concept of ‘personal’ redundant.
The PDPB has come a long way since the original 2018 version of the Bill prepared by Justice BN Srikrishna Committee was altered by the Ministry of Electronics and Information Technology (MeitY). MeitY prepared an altered version—PDP Bill 2019—and tabled it in the Lok Sabha on December 11, 2019.
The 2019 Bill was referred the same day to the JPC, which submitted its report on December 16, 2021.
The Bill put out by the JPC provides for a comprehensive framework for protection of personal data and constitution of a seven-member (including the chairperson) Data Protection Authority (DPA).
While the data fiduciary – which exercises control over the processing of personal data – includes the state, a wide range of exemptions have been granted to the state:
1) Exemption to any of its agencies in the interest of sovereignty and integrity, security, public order, incitement to commission of cognisable offences;
2) Exemption from substantial obligations, where information is processed in the interest of prevention, detection, investigation and prosecution of offences or contraventions or where processed by courts or tribunals in dispensation of judicial functions; and
3) Exemption from procuring consent where personal data is processed in the course of provision of services or benefits from the state, issuance of certificates, compliance with law, judgment or order or where responding to emergencies, outbreaks or other issues of public safety.
No Right to Privacy
Data protection is as much about the security of personal data of citizens in the hands of fiduciaries as it is about the security of personal data in the hands of those to whom it belongs. The main concern with versions of the Bill revolves around the Right to Privacy of citizens and the blanket exemptions given to the Union government to invade the security of personal data in the name of national interest.
The Right to Privacy of citizens is a fundamental right as affirmed by the Supreme Court in the Puttaswamy judgment. It would be naive to conclude that every bit of personal data has a bearing on national security and this is precisely what the committee seems to have missed.
The JPC has not concretely demarcated areas of national security and put in place necessary safeguards if exemptions become unavoidable in some cases. It has instead recommended a blanket exemption. Surprisingly, the JPC has enabled the government to exempt itself from compliance.
Hyderabad-based data security researcher Srinivas Kodali, who works with the Free Software Movement of India, told The Federal: “The Data Protection Bill proposed by the JPC gives a wide range of exemptions to the government to collect, store and use extensive personal data of citizens without any oversight and control. This is a bad law for a democracy.”
“This Bill also enables the employers to compile and analyse extensive personal data of workers. This is an intrusion into their privacy. From the point of view of labour rights as well as the Right to Privacy, this is deplorable.”
Inclusion of non-personal data
The JPC report has vastly expanded the mandate of the proposed law by including non-personal data (that is, general data security) under its ambit, without even defining non-personal data, and seeks to change the name of the legislation from ‘Personal Data Protection Bill’ to ‘Data Protection Bill’.
The rationale cited by the JPC is that there cannot be a strict separation between personal and non-personal data and the proposed Data Protection Authority (DPA) will have to deal with both.
Besides state agencies, the JPC has recommended the Bill should include within its ambit companies and NGOs as ‘processors of personal data’.
Clause 57 of the Bill, proposed by the JPC, says that the data fiduciary should conduct an audit and appoint a data protection officer. It also stipulates penalties for contravention of certain provisions of the law saying the data fiduciary “shall be liable to pay a penalty which may extend to Rs 5 crore or 2 per cent of its total worldwide turnover of the preceding financial year, whichever is higher.”
Business chambers and corporate houses have already opposed this expansion of coverage to non-personal data, which includes GSTN data handled by an auditing firm or tax data by a taxation consultancy, and the hefty penalties prescribed as they are not willing to commit themselves to invest in technologies to prevent piracy of the general data they handle.
The only exemption allowed for Micro, Small and Medium Enterprises (MSMEs) is for manual compilation of the data. Commenting on the JPC recommendations, M Raveendran, president of the Compressor Industries Association in Coimbatore, told The Federal, “While big companies can cough up money to institute the data safeguards as required by this law, it is obvious the MSMEs cannot. Those who draft such legislations live in some other world. If the government wants to enforce such onerous conditions on the MSMEs through a law, then let the government help them with the necessary funds and technologies for due compliance.”
While a strict law on cyber security and general data protection—especially for protection from misuse by corporates—is needed, clubbing it with the law on personal data security of citizens might dilute the exclusive thrusts needed in both areas.
It would be ideal if the government brought in a separate law for non-personal general data without coming into conflict with the right to information. There is no reason why the DPA cannot be governed by two laws.
Question of consent
The question of individual consent with regard to the use of personal data is also a controversial issue. The JPC’s proposals reaffirm the principle that personal data of citizens cannot be used or transferred by companies without their informed consent and if someone decides not to give consent, that person cannot be deprived of any service, legal right or claim by the state.
Unfortunately, the JPC widely expands the scope for processing personal data without consent, with a generic rider – “where such processing is necessary”. This opens the floodgates for authorities to lay claim to people’s personal data without consent and with impunity.
Control over social media
Although the JPC report claims that the Bill is intended for protection of personal data only and social media regulation is a different subject, the report reiterates the provisions of the IT Act & IT Rules, 2021, on the liability of social media companies as intermediaries. This allows for increased government control over social media exchanges and threatens the Freedom of Expression.
Data security activists have questioned whether social media companies and other internet service providers can demand consent from the users in the first place to use their personal data, including for transferring it to a third party for commercial use. Can consent by consumers alone justify personal data transfer by companies to third parties? Neither the JPC report nor the PDP Bill 2019 addresses these issues.
Toothless against surveillance
That the proposed law does not explicitly ban surveillance by the government, allowing bureaucrats and police officials to breach people’s privacy at whim, is a grave omission. Despite increasing use of facial recognition technologies by police departments in several states, the JPC report ignores the issue of surveillance both by government agencies and employers.
The PDP Bill 2019, in Clause 13, had proposed that collection of non-sensitive personal data of employees by employers, including data on attendance and “any other activity relating to the performance”, can be exempted from the provisions of the Bill. Going a step ahead, the JPC has recommended that even sensitive data can be processed.
S Kumaraswamy, a leading lawyer and labour rights activist in Chennai, told The Federal, “Whether it is work-from-home or e-commerce delivery work, the companies have instituted advanced surveillance systems to track employees hour-by-hour to deprive them of any leisure and rest. Any legal sanction to this is inhuman.”
DPA: an appendage of bureaucracy
There are some other contentious issues as well. While individual citizens can file complaints with the proposed DPA and even claim damages in case of violation of their personal data, the key issue over the DPA’s autonomy has been left unaddressed.
There is a risk that the DPA would be reduced to just another extension of the Indian bureaucracy. Worse, as per the PDP Bill 2021 proposed by the JPC, the DPA is fully “free” to give “certain regulatory relaxations for a specified period of time” even to private entities under Sandbox conditions (that is, under trial conditions).
Data localisation to strengthen government’s monopoly
Experts say former US President Donald Trump’s objection to data localisation—which restricts the flow of data from one country to another—by naming India at the Asia-Pacific Economic Cooperation (APEC) meeting in November 2017 and the continued US opposition was the main reason why the Modi government was delaying passing the original 2018 version of the Bill.
While it is good that the data localisation provision has been retained in the 2021 version of the JPC report too without succumbing to pressure from the developed countries, as per Clause 34(1)(b) of the Bill, “the Central government, in consultation with the Data Protection Authority, is empowered to allow transfer of sensitive personal data…to any country”.
National security as the ruse
The JPC report identifies personal data as data on finances, health, official identifier, sex life, sexual orientation, biometric, genetic data, religious or political belief or affiliation, personal profile of individuals, business transactions, travel data, communication and exchanges, records of police cases and detention due to participation in democratic protests, political party or trade union membership lists, anti-government writings and speeches, or religious or caste backgrounds where there can be potential discrimination and backlash.
But the JPC reduces the scope of such elaborate personal data to ‘digital personal data’ only. It doesn’t apply to transfer of non-digital hard copies of personal records.
True, personal data can be used for both positive as well as negative objectives. For instance, health data of individuals can be used to improve the quality of healthcare or can be used by the top hospitals to target potential patients. Banking data can be used for financial planning, or personal financial records can be used by criminals for financial fraud or blackmail. The list goes on.
Just because there are some positive sides to the use of personal data, serious violations of the Right to Privacy cannot be overlooked.
It is obvious that all personal data cannot be equally sensitive and pose danger to the country’s security. A proposed law on personal data protection should clearly identify and demarcate data that has a bearing on national security.
The JPC report, however, grants a provision for sweeping exemptions based on the presumption that all personal data has a bearing on national security. In doing so, the JPC empowers the government with unhindered powers for surveillance, exempting it from all regulations and accountability. It offers a carte blanche to the government by exempting it from all data security restrictions. Clause 35 of the proposed Bill comes as the last nail on privacy when it exempts “any agency of the government from application of the Act”.
The JPC report and the Bill it proposes have, thus, failed to ensure adequate protection for personal data security and privacy. The dissent notes by some members – such as Manish Tiwari, Derek O’Brien, Mahua Moitra, Gaurav Gogoi, Ritesh Pandey, Jairam Ramesh, Vivek Tankha and Amar Patnaik – have amply highlighted this failure.
The last word, however, has come from Justice BN Srikrishna himself who, on December 22, 2021, denounced the JPC’s version of the Personal Data Protection Bill, 2021, as “endangering privacy”.
With all that, the wheel seems to have come full circle.