The Government Is Exploring Ways To Exempt Security Agencies From The Data Protection Bill

The government is in a last-minute meeting with security and intelligence agencies to find ways to exempt them from the Personal Data Protection Bill or establish a special waiver to regulate their public scrutiny.

The agencies have put a red flag in the application of the provisions of the Bill, which the Cabinet is expected to consider early, in its surveillance and investigation functions. “These agencies, including some of the state police forces, access the data for security reasons and some of them may be of a private nature. They want protection, “said a connoisseur familiar with the subject.

Some of these agencies, according to sources, have suggested a general exemption as in Section 24 of the Right to Information Act. Some others have pointed to the model followed in the IT Law according to which 10 agencies were recently designated as authorities empowered to intercept digital traffic through an established approval process. Another point of view that was being explored was to have a monitoring mechanism to prevent misuse by intelligence agencies.

The proposed Personal Data Protection Bill requires entities to obtain the consent of individuals before accessing their personal data, which, according to intelligence agencies, is counterproductive for their mandate to monitor the activity for security reasons. In addition, they add that the surveillance under these provisions will leave them legally vulnerable. In addition, the bill does not distinguish between governmental and private entities.

Those who knew the details told that this is the only key issue that remains for the bill to be finalized and placed before Parliament in the next session. The government has relied heavily on the bill proposed by the Srikrishna Committee.

In addition to this, the government has “focused” on the definition of what constitutes personal and private in the bill. The ambiguity in the definition, the sources said, was a problem often raised by industry, which the government has tried to address by being specific in its definition.

In its draft, the sources said, the government defined consent as a “finite concept,” which means that consent once given cannot be assumed for a period of time and for all purposes. In addition, the government has leaned towards more monetary sanctions than criminal provisions. “It is better to penalize a company and target a portion of its profits than to send the CEO to jail,” explained one informant.

However, it is known that any deliberate attempt to reverse engineer a data string to track and identify a person from a larger anonymous data sample will attract serious criminal action. This applies to a large extent to data samples in health studies where the identity of the patient is not revealed.

The government prepared the bill after examining about 12,000 representations that were received in the bill proposed by the Srikrishna Panel, which was placed in the public domain for comments.

Both provide for a body similar to CIC (Central Information Commission) to deal with complaints of privacy violation. The government bill, the sources said, has also been subjected to another round of discussions among interested parties, which includes security agencies.― Tech2.org