It would be helpful if lawmakers choose to listen and readjust some principles when examining the Data Protection Bill, 2019

India has finally brought the Personal Data Protection Bill, 2019 in the public domain. The legislation, which has been more than a year in the making, went through a committee headed by a retired judge, with public consultation. This was followed by a Ministry of Electronics and Information Technology-led public consultation but something changed midway. Of the over 600 public comments received by the Government on the first draft of the Personal Data Protection Bill, none are available in public domain. The entire exercise, that began on a participative note, suddenly changed course.

This raises a flurry of questions from stakeholders who are not sure about the intent and implications of the proposed legislation. Let us take a look at some intriguing questions regarding the Personal Data Protection Bill, 2019.

The initial Bill had chosen to define personal data based on the characteristic trait or any other feature of identity of the data subject. The new Bill’s text also encompasses inferences drawn for profiling as personal data. This leads to a question regarding the nature and degree of inferences which can be categorised as personal data.

Along similar lines, the definition of sensitive personal data, has, in the new Bill been left with additional jurisdiction overview of the Central Government, whereas the first draft had left it at the door of the proposed Data Protection Authority. In the same breath, it may be added that the very selection process of the chairperson and members of the proposed Data Protection Authority in the initial draft had been suggested to be in consultation with a person with judicial qualifications whereas the new Bill puts the onus on a bureaucrat from the legal affairs department to advise on the selection process. These co-joined clauses from the text of the new Bill have led many to question the intent behind removing the judicial intervention oversight of the Data Protection Authority.

The most contentious questions, however, arise on a new clause 91, inserted in the miscellaneous section of the Bill. The clause reads, “The Central Government may, in consultation with the (Data Protection) Authority, direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed. Explanation — for this sub-section, the expression ‘non-personal data’ means the data other than personal data.”

The most common questions on the classification of data into personal and non-personal throw up issues around possible Intellectual Property Rights, copyright violations and boundaries of personal vs derived vs processed vs non-personal data. Many have asked the relevance of forming a non-personal data committee, which has been tasked to arrive at legislation through a consultative process.

This committee, comprising senior officials from two Ministries as well as some private sector representatives has already had informal discussions with a couple of big-tech companies. The non-personal data committee, which is yet to come out with a background paper or even a formal consultation process, perhaps loses its stature on any proposed legislation on non-personal data. Industry operators would be greatly benefitted if they knew the definitions and nuances of non-personal data and the enforcement guidelines strategy.

This sets the tone for a lively clause-by-clause debate on the Bill. The Government has referred it to a Joint Select Parliamentary Committee bypassing what many would have assumed to be the Standing Committee for Information Technology, in Parliament. It could potentially allow relevant stakeholders to make brief presentations regarding their issues and key concerns with the personal data protection legislation. The question is, will they?

Let’s shift our attention for a while and focus on basic premises. While data is precious, no benefit comes out of it till aggregated, processed, analysed and effectively used for human good. While everyone wants to have access to ever-growing terabytes of every individual’s data, only a handful, perhaps, have a will to do so for charitable purposes. Do they have the necessary skill sets to collect and analyse data? Then come the questions related to intent, purpose, business and many such puzzles.

If we add to it a machine-influenced set of “data principles” i.e. those that are not fully controlled by human jurisdiction, a new crystal starts to deflect the sunrays. We may agree to the fact that we perceive much of the world through the colour of the light we look at it through. That means there is ample scope for illusionary demons lurking in transparent, faraway landscapes. Do we, therefore, stop believing or do we readjust /refocus constantly? If that’s the case, coming back to our original set of questions, it would be helpful if lawmakers choose to listen and readjust if required some principles when examining the Data Protection Bill, 2019.

(Writer: Kumardeep Banerjee; Courtesy: The Pioneer)

It would be helpful if lawmakers choose to listen and readjust some principles when examining the Data Protection Bill, 2019

India has finally brought the Personal Data Protection Bill, 2019 in the public domain. The legislation, which has been more than a year in the making, went through a committee headed by a retired judge, with public consultation. This was followed by a Ministry of Electronics and Information Technology-led public consultation but something changed midway. Of the over 600 public comments received by the Government on the first draft of the Personal Data Protection Bill, none are available in public domain. The entire exercise, that began on a participative note, suddenly changed course.

This raises a flurry of questions from stakeholders who are not sure about the intent and implications of the proposed legislation. Let us take a look at some intriguing questions regarding the Personal Data Protection Bill, 2019.

The initial Bill had chosen to define personal data based on the characteristic trait or any other feature of identity of the data subject. The new Bill’s text also encompasses inferences drawn for profiling as personal data. This leads to a question regarding the nature and degree of inferences which can be categorised as personal data.

Along similar lines, the definition of sensitive personal data, has, in the new Bill been left with additional jurisdiction overview of the Central Government, whereas the first draft had left it at the door of the proposed Data Protection Authority. In the same breath, it may be added that the very selection process of the chairperson and members of the proposed Data Protection Authority in the initial draft had been suggested to be in consultation with a person with judicial qualifications whereas the new Bill puts the onus on a bureaucrat from the legal affairs department to advise on the selection process. These co-joined clauses from the text of the new Bill have led many to question the intent behind removing the judicial intervention oversight of the Data Protection Authority.

The most contentious questions, however, arise on a new clause 91, inserted in the miscellaneous section of the Bill. The clause reads, “The Central Government may, in consultation with the (Data Protection) Authority, direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed. Explanation — for this sub-section, the expression ‘non-personal data’ means the data other than personal data.”

The most common questions on the classification of data into personal and non-personal throw up issues around possible Intellectual Property Rights, copyright violations and boundaries of personal vs derived vs processed vs non-personal data. Many have asked the relevance of forming a non-personal data committee, which has been tasked to arrive at legislation through a consultative process.

This committee, comprising senior officials from two Ministries as well as some private sector representatives has already had informal discussions with a couple of big-tech companies. The non-personal data committee, which is yet to come out with a background paper or even a formal consultation process, perhaps loses its stature on any proposed legislation on non-personal data. Industry operators would be greatly benefitted if they knew the definitions and nuances of non-personal data and the enforcement guidelines strategy.

This sets the tone for a lively clause-by-clause debate on the Bill. The Government has referred it to a Joint Select Parliamentary Committee bypassing what many would have assumed to be the Standing Committee for Information Technology, in Parliament. It could potentially allow relevant stakeholders to make brief presentations regarding their issues and key concerns with the personal data protection legislation. The question is, will they?

Let’s shift our attention for a while and focus on basic premises. While data is precious, no benefit comes out of it till aggregated, processed, analysed and effectively used for human good. While everyone wants to have access to ever-growing terabytes of every individual’s data, only a handful, perhaps, have a will to do so for charitable purposes. Do they have the necessary skill sets to collect and analyse data? Then come the questions related to intent, purpose, business and many such puzzles.

If we add to it a machine-influenced set of “data principles” i.e. those that are not fully controlled by human jurisdiction, a new crystal starts to deflect the sunrays. We may agree to the fact that we perceive much of the world through the colour of the light we look at it through. That means there is ample scope for illusionary demons lurking in transparent, faraway landscapes. Do we, therefore, stop believing or do we readjust /refocus constantly? If that’s the case, coming back to our original set of questions, it would be helpful if lawmakers choose to listen and readjust if required some principles when examining the Data Protection Bill, 2019.

(Writer: Kumardeep Banerjee; Courtesy: The Pioneer)