Personal data bill not enough to protect citizens’ rights

A proposed legislation does not prioritise the rights of Indians over their data in the public and has instead expanded to areas beyond its ambit and without sufficient consultation, senior executives at digital rights organisation Access Now have said.

The Personal Data Protection (PDP) legislation–in the making since 2018—will be tabled in Parliament’s Winter Session beginning Monday. Reports and dissent notes filed by the members of the Joint Parliamentary Committee (JPC) deliberating the Bill suggest several changes from its initial draft in 2019. Social media seems to have been included in the legislation.

“Based on the reports so far and the details shared by MPs involved in the process, it is clear that this is not currently the Privacy and Data Protection law that India needs. The current draft does not adequately protect people’s right to privacy and autonomy or enable strict accountability, particularly from the government,” said Raman Jit Singh Chima, Asia Pacific Policy Director and Senior International Counsel, and Namrata Maheshwari, Asia Pacific Policy Counsel, at Access Now.

“…Parliament will have to amend the draft to incorporate safeguards in line with the Supreme Court’s rulings on privacy and international human rights standards,” they said.

As data breaches and financial frauds increase, India needs a sound legislation for data protection. The JPC adopted the Bill last week, amid criticism from some MPs that the government had given itself a wide berth on a host of issues.

“The recent public furore and parliamentary, judicial discussion around the NSO Pegasus revelations also demonstrate that India’s surveillance law framework is outmoded and needs urgent overhaul to better regulate and oversee how government agencies can access our personal data. Further, the government has a strong grip over the composition and functioning of the proposed Data Protection Authority which severely undermines its independence, authority and ability to safeguard privacy,” said Cheema and Maheshwari, referring to the Israeli spyware.

To ensure an independent Data Protection Authority, the government should not be involved in its composition, selection of its members and functioning, they said.

“The current draft Bill allows for the government to decide the selection criteria for these “adjudicating officers” – the same government that itself would be one of the main parties often complained about to the DPA. This gravely compromises the independence of the DPA.”

News reports and sources have suggested that the Bill has proposed to tackle social media. The JPC has reportedly proposed treating social media platforms, which are not intermediaries as publishers, as publishers, holding them liable for the content they host.

“The protection that social media intermediaries have against liability for third party content on their platforms under the IT (Information Technology) Act, also known as the “safe harbour”, is crucial to protecting free speech online. Treating social media platforms as publishers liable for such content would have a chilling effect on free expression and far reaching consequences for democracy,” said the Access Now executives.

“This framework under the IT Act should not be amended through the separate and parallel process surrounding the PDP bill and in the absence of in-depth and sustained multi-stakeholder consultation on this specific issue. International best practice is also clear – the legal liability of intermediaries for third party speech on their platforms is not made part of a data protection law,” they said.

The recent IT Rules for social media intermediaries, introduced earlier this year, have been contentious on several issues.

Congress party MP Gaurav Gogoi, a member of the JCP, filed a dissent note last week, questioning the rationale the removal of a clause in a previous Bill that penalised companies for data breaches.

“It is only when penalties are high that technology companies are forced to comply with the government or regulations. That is what we have seen in Europe and other parts of the world,” said Gogoi.

Agreeing with Gogoi’s point, Cheema and Maheshwari said, “Existing data protection laws in other countries mostly contain this in the language of the law itself. Indeed, that is the case in India’s Competition Act as well, where penalties are set in the text passed by Parliament and includes provisions allowing for fines set to percentage points of the total turnover of the business – a best practice in order to avoid companies from avoiding penalties by creative corporate structuring. The European GDPR also does exactly that; it is regarded as an effective law because its teeth comprises penalties that target the total global turnover of a business, sending a signal to multinational companies to take the law, and people’s rights, seriously.” Business Journal