The PDP bill in its current format changes how the Data Protection Authority (DPA) is to be formed and the chairperson is to be chosen. (Left to right: Saikat Datta, Ashutosh Chadha, Justice BS Srikrishna, Rama Vedashree, Shashank Mohan and Parminder Jeet Singh) (Image Source: SFLC)
Underlining the need for the Data Protection Authority to be a regulator who adjudicates all issues between the government department and citizens, Justice B S Srikrishna has questioned whether it would be a good idea for such a body to be nominated by the government.
Speaking at a panel discussion organised by the Software Free Law Centre (SFLC) in New Delhi this week, Justice Srikrishna, who chaired the original committee on Data Protection and released the first draft of the Personal Data Protection (PDP) bill in 2018, asked: ‘Can the Data Protection Authority act independently if they are just a nominee of the government?’
The PDP bill in its current format changes how the Data Protection Authority (DPA) is to be formed and the chairperson is to be chosen. The 2019 bill says the committee for selection includes the Cabinet Secretary, Secretary to the Government of India in the Ministry or Department dealing with the Legal Affairs and Secretary to the Government of India in the Ministry or Department dealing with the Electronics and Information Technology. The bill is now with a Joint Parliamentary Committee.
This is in complete contrast to the 2018 bill, which included Chief Justice of India (CJI) or a judge of the Supreme Court of India nominated by the CJI as the chairperson of the selection committee for the DPA. It also called for an expert of repute on the subject of data protection to be a part of the committee, one who would have to be nominated by the CJI or a judge of the Supreme Court of India nominated by the CJI, in consultation with the Cabinet Secretary.
The new bill does away with judicial oversight completely, thus raising eyebrows.
Justice Srikrishna, who has been highlighting changes made to the original scope of the Bill, said the Bill in its current form was not protecting the rights of citizens and could lead to an Orwellian state. “If the state says, in the interest of sovereignty of the state, I want to access all your personal data, is that sufficient? Is this law intended for the purpose? This is nothing but giving a blank cheque to the state to say, you write whatever you want on that, the signature is already there,” he said.
In his view, the bill does not have sufficient safeguards in its existing forms and gave the state free access to personal data. This is a concern that has been raised by others as well, including industry bodies such as NASSCOM and Data Security Council of India.
The bill in its existing form gives wide leeway to the Central government to exempt any of its agencies from the application of the Act, if it deems necessary in the interest of sovereignty, security of the state, etc.
Non-personal data should have been left out
The former Supreme Court judge also expressed concern over the inclusion of non-personal data in the bill, stating it should have been left out. “Two of the issues — non-personal data and social media intermediaries — should have been left alone to be dealt with some other law,” he said, suggesting this aspect has not been thought through.
Read more | Privacy breach
Non-personal data is defined as data that cannot be linked to a person via a name, age or address. So it has to be anonymised by removing all variables which could be used to link it to the personal data of a customer. Such data can also originate from businesses and could include data regarding which location of customers, traffic insights, average spends and the like. Many digital businesses thrive on this data, with algorithms and business models built on top to improve their offerings to customers.
Justice Srikrishna, who has been highlighting changes made to the original scope of the Bill, said the Bill in its current form was not protecting the rights of citizens and could lead to an Orwellian state. (Image Source: SFLC)
The 2019 bill’s miscellaneous section mentions that the Central government could direct any data processor or data fiduciary to “provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.” So the government clearly believes this data will help it improve in delivery of public sector services.
Express Tech is now on Telegram. Click here to join our channel (@expresstechie) and stay updated with the latest tech news
“Creeping in a clause like this around non-personal data is a huge red flag. We are raising this, and for any global corporation that wants to do business for India, and even for Indian firms, this is a big concern,” said Rama Vedashree, CEO Data Security Council of India, who was also on the panel.
Ashutosh Chadha, vice-president for Public Policy at MasterCard, called for a complete recourse to a proper process to specify this non-personal data and to spell out who gets it, under what purpose, with what controls and guarantees around what happens if that data is de-anonymised? “If the data is collected and given to someone and it gets de-anonymised, then who is responsible under which law.”