By effectively allowing every Central agency to snoop on private data, the data protection Bill needs a relook
The latest draft of the Personal Data Protection Bill, 2019, which is doing the rounds of Parliament, seems to have ruffled many feathers while pleasing some quarters at the same time. At first glance, it appears that the Bill has plugged many loopholes. It categorises data into three categories — critical, sensitive and general — and calls upon social media firms to create a mechanism to keep a check on trolling. But it has also made some glaring exemptions. It has granted Government agencies the complete authority to access personal data of Indian users without the need for a court warrant. This, the Government feels, is in the interest of the country and will protect its sovereignty and integrity besides maintaining public order and developing friendly relations with other nations. The provisions of the Bill are in sharp contrast to the recommendations made by the BN Srikrishna committee last year. It had recommended that “processing (collection, recording, analysis, disclosure, etc) of personal data should be done only for clear, specific and lawful” purposes. The current Bill does away with the need for definition of any sort. Moreover, the authority for protecting personal data is vested with authorities in the Government and bureaucrats. This, in essence, will give rise to a conflict of interest as it is the Government against whom the public wants to protect data. Then the larger issue of data brokers, companies who routinely buy and sell data even outside the country, remains unaddressed. Worse, their modus operandi is one that comes within the legal boundaries. While demands for localisation have been made, they do not figure in the current scheme of things. Besides, localisation alone cannot ensure that the data will be protected within domestic confines, for even if the broker is located, is there any provision that can hold him/her accountable? While there is little doubt that certain aspects of information cannot be made fully private, fiduciary information, for example, much of that data is already known to many agencies. And on this count, several Indian firms have proven themselves to be particularly inept at handling it. Leaks, both inadvertent and malafide, are extremely common across the country. Whistle-blowers, who expose the dark and dirty deeds of wrongdoing in the corporate sector and the Government, leave a potential grey area for the misuse of personal data in the country.
With search engines very conveniently being left out of the latest draft Bill, it appears that the public affairs folks at Google must be pleased as punch. But is that one exemption too far as well? Nobody is debating that in a country like India, personal data, even at a very granular level, is important to provide better public services. Most importantly, better information can lead to massive cost savings and other efficiencies. Unlike many Western countries, where the public at large is very touchy about their personal data, in a country as large and diverse as India, things unfortunately have to be slightly different. At the same time, it is also evident that India has a high incidence of tax avoidance and all sorts of small scams that rob the public exchequer and taxpayer. Better analytics should make those crimes less prevalent, although they won’t remove them altogether. Then there is the provision called the “Right to be Forgotten,” which should allow individuals to have some of their personal data removed from the internet. While this copies the European legislation around the same topic, the practicality of such a provision in India, which is likely to be misused by conmen and fraudsters to remove unflattering remarks, is questionable. There are concerns still about the unpreparedness of offline businesses to duly comply with the provisions of the Bill. Of course, this is just a draft provision and unlike many other Acts, which the Government is pushing through, this Bill is going through a Select Committee. Hopefully, all political parties will appoint their smarter and digitally aware parliamentarians to this committee to represent them. The data protection Bill should not be rushed through. It is a Bill that will be very important for the digital future of this country and indeed the world.