The Indian Personal Data Protection Bill is expected to be taken up for a much-awaited discussion in the winter session of the Parliament, after almost two years of deliberations. But a few of the provisions have come under great scrutiny by dissenters and opposition parties across the country, leaving the future of the PDP bill a question mark.
To understand the criticism, let us look at the state of surveillance in the country in the past two years with the increased use of drone technology to monitor the citizens. The Delhi police did this during the assembly elections and the riots following it in February 2020, the protests during the foundation of Ayodhya’s Ram Mandir and the pandemic lockdown. Not just the Delhi police, police across states like Mumbai, Punjab, Hyderabad, Kerala and Chennai had relied on drones to survey citizens during the lockdowns. Some have continued this use even after the suspension of the lockdown. While drone usage is regulated under UAS rules, the states asked for exemption from the law, making drone surveillance more contractual than a legal safeguard for data protection. The proposed personal data protection bill might have similar effects.
The History
Countries across the globe have introduced their data protection laws after the EU GDPR that came into effect in 2018. As of now, these safeguards are governed by the Information Technology Act, 2000, which was amended to include Section 43A and 72A that give a right to compensation for improper disclosure of personal information. India’s long journey to an independent bill began in 2019, with a joint parliamentary committee drafting the bill’s report that sought to provide protection of personal data and establish a data protection authority.
The bill has been tenured six times since. One of the most awaited bills, the 250-page final report, is likely to be tabled on 21 December 2021, during the winter session of the Parliament. But some provisions have already come under criticism, with seven of the 30 members showing concerns.
The Bill’s Recommendations
The PDP Bill requires prior consent to the use of individual data, limits the list of purposes for which companies can process data, and restricts data collection to only the data necessary for providing a service. Companies will further need to localise their data and appoint data protection officers.
The NPCs recommendations also widen the bill’s scope to cover not only personal data but also non-personal data for unauthorised breaches. Essentially, it restricts non-consented acquisition, usage, sharing, alteration or destruction of either type of data since it will compromise the confidentiality and availability of data. In addition, the bill covers accidental breaches as well, meaning that it will also cover the company’s lack of compliance or ignorance.
The bill recommends social media firms should be treated as publishers, making them liable for the content spoken or distributed on their platforms. They will also need to set up offices in India to function in the country.
The bill further proposes data fiduciary and data processor, referring to a controller and processor. This means that the bill will apply to Indians in the country but also foreign individuals conducting business in/with India.
The point of the bill that has come under most scrutiny is its power to the government to exempt its probe agencies from the provisions of the Act. It excludes the government and its agencies like the CBI and UIDAI from national and public welfare security provisions.
Criticism from Opposition
Responding to the inclusion of non-personal data, lack of data localisation and social media while exempting the government from the purview, opposition MLAs have filed dissent notes.
The TMC tweeted saying Section 35 of the Act will give the “government exclusive rights to invade our privacy whenever they want”.
Congress MP Manish Tewari has objected to the entire Bill through a 10-page dissent note that states that the bill’s construction has an ‘inherent design flaw’.
“The bill as it stands creates two parallel universes – one for the private sector where it would apply with full rigour and one for government where it is riddled with exemptions, carve-outs and escape clauses. In my limited experience of three decades as a litigator, I have always been taught and made to appreciate that a Fundamental Right is principally enforceable against the State. A bill that seeks, therefore, to provide blanket exemptions either in perpetuity or even for a limited period to the ‘State’ and its instrumentalities, in my estimation, is ultra vires of the Fundamental Right to Privacy as laid down by a 9-judge bench of the Supreme Court of India in Re Puttuswamy (2017) 10 SCC 1,” Tewari argued.
In fact, even Justice BN Srikrishna, who had worked on the bill’s first draft in 2018, called the bill “Orwellian”.
Social Media and Silencing
Mishi Choudhary, a technology lawyer and online civil liberties activist, deemed India the only democracy overlooking the State’s surveillance power. With the power of the Aadhar and the government, the personal data will be chained together to follow us through “every fiscal and administrative transaction”. A lack of check on this government power is surely a concern.
The second stretch of criticism comes towards the social media related recommendations. India’s history looks at punishing social media companies or their executives for controlling the freedom of speech on the platforms. Just in July, the Indian government and Twitter were at a ‘war’ with the Intermediary Guidelines and Digital Media Ethics Code rule that demanded social media platforms to censor speech as per the terms of the rules. The JPC report recommends criminal punishment for such offences under the law, essentially giving the government control to threaten Twitter executives with jail time for non-compliance.
Additionally, putting the burden of user-generated content on the social media platforms by deeming them as publishers will make platforms liable for any inappropriate content. This will involuntarily make platforms the arbiters of online speech and lead to over censorship.
Second, this might, along with the compulsion to set up offices in India, increase the uncertainty for social media platforms and hurt the growth of the digital economy.
Opposition is not it
Contrary to the dissent, Salil Parekh, the CEO of Infosys, has a more positive approach to the bill’s demands. According to him, the laws are not a cost to the enterprise but critical building blocks of the technological future of India.
“If you see data regulation guidelines across different jurisdictions, the main objective is to protect individual privacy and protect some level of intellectual property,” he said at the Carnegie India Global Technology Summit 2021. “I think in India also, regulations will be along those lines. It’s not to be viewed as a critical element.”
The Indian government is not known for its track record of maintaining the citizens’ personal privacy with instances such as the Pegasus spyware project or WhatsApp suing them over internet laws that could lead to mass surveillance of its 400 million Indian users. But the genuineness of the citizen’s data protection will only unfold with the winter session of the Parliament.
