The Personal Data Protection Bill

Q Why is it in News ?

A The Joint Committee report on the Bill has failed to provide robust draft legislation ensuring the privacy of citizens.

Q What is the background of the Personal Data Protection Bill ?

A

• The Puttaswamy judgment held that the right to privacy is a fundamental right.
• The Puttaswamy judgment and the Justice B.N. Srikrishna committee report led to the Personal Data Protection Bill of 2019.
• The Joint Committee report on the Bill has failed to provide a robust draft legislation ensuring the privacy of citizens.

Q What are issues with the Joint Committee report on Personal Data Protection Bill ?

A

• Division into Government and private domains: The report has divided the digital world into two domains — government and private.
• This division is based on the presumption that the question of right to privacy emerges only where operations and activities of private entities are concerned.
• Exemption to government and government agencies: Clause 12 of the Bill provides exemptions for the government and government agencies and Clause 35 exempts government agencies from the entire Act itself. 
• Clause 12, which says personal data can be processed without consent for the performance of any function of the state, is an umbrella clause that does not specify which ministries or departments will be covered.
• The issue with the defining harm: The Bill says, “harm includes any observation or surveillance that is not reasonably expected by the data principal”.
• This means if you install any software in your computer and the software violates the principle of privacy and data get leaked, the complaint of the data principal will not be legally tenable as the defence will be that ‘once you have installed the software, you should have reasonably expected this level of surveillance’.
• The government can use these provisions as a means of control and surveillance.
• The Committee has failed to provide formidable firewalls to protect the privacy of individuals and has also carved out a mechanism for government control over personal data.
• Against the Supreme Court judgement: The provisions are ultra vires of the judgment on privacy.
• Inclusion of non-personal data harms the economy:  By including non-personal data within the ambit of the Bill, the Joint Committee has put a huge compliance burden on the economy.
• This will hit the MSME sector and small businesses harder as technical processes involving data-sharing are very expensive.
• The government-constituted panel headed by S. Gopalkrishnan also opposed the idea of including non-personal data in the Bill.
• Mandatory data localisation, it is estimated, will squeeze the economy by 0.7-1.7%.
• Hamper the smooth cross-border flow of data: This may also invite similar measures by other sovereign countries which will hamper smooth cross-border flow of data.

Q What are the concerns with the Data Protection Authority ?

A

• For compliance with the provisions of the Act, a data protection authority (DPA) has to be appointed.
• It is doubtful whether a single authority will be able to discharge so many functions in an efficient manner.
• Concern with appointment: Unlike the Justice Srikrishna committee report which provided for a judicial overlook in the appointments of the DPA, the Bill entrusts the executive with the appointments.
• Although the Joint Committee report expanded the committee, the power to appoint the panelists vests with the Central government.
• Lack of independence: Clause 86 says, “Authority should be bound by the directions of the Central Government under all cases and not just on questions of policy”.
• This weakens its independence and gives the government excessive control.
• Violation of federalism: There is internal data flow and the States are key stakeholders in the process.
• Even if the proposed central authority issues directions to allow processing of data on the grounds of ‘public order’, it is important to note that ‘public order’ is an entry in the State List. 

Q What can be the Way Forward ?

A The report has raised more questions than it has solved. At the time of passage of the Bill, loopholes must be plugged so that India can have a robust data protection law.