Protecting Private Data

The Cabinet has cleared the Personal Data Protection Bill, which is due to be presented in Parliament in the current session. This is the first legislation that lays down concrete principles for protecting personal data. It is also the first codification of the fundamental right to privacy, affirmed by the Supreme Court in a 2017 judgment. It lays down the principles by which data would be judged “personal”, “sensitive’ and “critical”, and mandates processes by which such data may be obtained with consent, stored, and processed. However, the Bill is not a comprehensive privacy law because it leaves many grey areas unaddressed, and may need extensive amendment or follow-up legislation before it offers adequate protection to citizens. It will thus need to be subjected to proper scrutiny by lawmakers before being cleared. The initial draft was prepared and presented in July last year by a committee headed by Justice B N Srikrishna. The delay has reportedly been caused by multiple amendments, and inter-ministerial consultations and the draft, which is to be presented to Parliament, is not in the public domain.

Moreover, the consultation process has been unusually opaque. The Ministry of Electronics and Information Technology has refused to make any of the comments received public, despite multiple right to information requests and questions in Parliament. This has led to controversy with Justice Srikrishna himself, among others, stating that comments should be released, now that the consultation process is over. The committee’s draft mandated that sensitive personal data be stored and processed only in servers located in India. It also laid down procedures for obtaining consent with clear explanations as to the purpose when data is collected.

However, the Bill offers the state wide latitude to conduct surveillance, and to collect data without consent, for many purposes. It also permits processing personal data for prevention, detection, investigation, and prosecution, or any other contravention of law. This latitude effectively drives a truck through the Right to Privacy, given a lack of legal safeguards against surveillance, and the existence of mass surveillance infrastructure such as the Netra.

The draft that is supposed to be presented also reportedly allows the government the right to access all “non-personal” data, even if that data is collected by private organisations. The definition of non-personal data is broad: This could be data where names have been removed for “anonymisation”. There are many ways to “non-anonymise” such non-personal data, especially given the access to Aadhaar, bank records, and other sensitive information. It is possible that such “non-personal” data could be used unethically to target voters during elections, for instance. The draft also reportedly asks social media networks to set up systems for verifying users. This could lead to a sharp erosion of freedom of expression in India’s social media space if it is used to target critics of government policy.

Despite all these gaps and flaws, the establishment of a first basic framework for personal data protection is important. In the absence of such legislation, it is easy for government arms and the private sector to indulge in overreach and collect data without consent, as indeed has occurred in the two years since the Supreme Court ruling. But lawmakers must examine the Bill with care, and raise appropriate concerns so that gaps in the legislation can be plugged.―Business Standard