Disappointing report

House panel report on data protection Bill has many holes

The Joint Committee of Parliament (JCP) has tabled a 542-page report on the Personal Data Protection Bill after two years of deliberations. It suggests 81 changes and 151 corrections. But the controversial aspects remain, and some recommendations make it even more controversial. Several JCP members belonging to Opposition parties have written dissent notes.

The Bill offers sweeping powers to the government and its agencies to conduct surveillance and collect data for a wide range of purposes, including the catch-all term “security”. Instead of reining in blanket powers, the JCP “feels though the State has rightly been empowered to exempt itself”, that power may be used “only under exceptional circumstances”. It is unclear who decides that the circumstances are exceptional.

The JCP recommended “personal” be dropped, with the Bill expanded to cover non-personal and non-digital data. It also steps well beyond the remit of the proposed Bill by arguing social media platforms be treated as publishers and not just intermediaries. It recommends social media platforms be allowed to operate in India only if the parent sets up an office in the country. The report also recommends a statutory body be established for media regulation with respect to data protection.
 

The JCP has amended clauses relating to transferring personal data outside India to say “sensitive personal data shall not be shared with any foreign government or agency, unless such sharing is approved by the central government”. In theory, this is to prevent the data shared overseas with permission from being shared with a third party without specific permission a second time. In practice, this would add a layer of red tape and could lead to rent-seeking, since it imposes a penalty of Rs 15 crore or 4 per cent of the violating entity’s worldwide turnover.

The Bill was a follow-up to the historic 2017 Supreme Court judgment that “the right to privacy is protected as an intrinsic part of the right to life and personal liberty” and there the court had asked for specific legislation to protect this fundamental right. The Justice Srikrishna Committee submitted a report and a Draft Bill in 2018. However, the legislation eventually presented before the JCP in 2019 had many changes and was termed “Orwellian” by Justice Srikrishna himself.

The Bill proposes a data protection authority (DPA) be appointed with statutory powers to oversee data collection and make a call on possible violations. The DPA’s members will be drawn from retired civil servants, judges, and academics with domain knowledge. The DPA must be informed within 72 hours of any data leak, or breach, being known. The absence of media experts, or members drawn from civil society, renders such a DPA opaque.

The report also allows fiduciaries to charge fees for requests made by data principals on the basis of their fundamental rights. The JCP recommends imprisonment for offences. This could be used selectively to punish entities in disfavour with the government, given the long wait before criminal cases get a hearing.

This Bill suffers in contrast to the European Union’s (EU’s) General Data Protection Regulation (GDPR), which covers all individuals regardless of nationality if their personal data is held in the EU. The GDPR also offers granular protection against government surveillance, along with a “Right to Forget” clause. An Indian citizen would be better protected if their data was held in the EU rather than within India under this Bill! Hence, the report disappoints. It doesn’t address concerns about over-reaching government access to private data. The inclusion of social media platforms also appears unnecessary.