GD: Personal Data Protection Bill, 2019

-documented by Shivam Singh

The discussion took place on 5th July was on Data Privacy started with the discussion on Personal Data Protection Bill which was introduced by Hon’ble Minister Ravi Shankar Prasad, last year. Our discussion stressed on the caveats, loopholes and the capability of the Indian Government to implement that.

The PDP Bill which was introduced on 11 December 2019 protect the personal data of individuals and provide the Data Protection Authority for the same. The bill governs the processing of personal data by:

1. Government
2. Companies incorporated in India
3. Foreign companies dealing with personal data of individuals.

It amends the Information Technology Act of 2000, which deletes the provision related to the compensation payable by companies to the individuals after failing to protect the personal data. It also had significant parallels to the European Union Laws of data protection which is GDPR (General Data Protection Regulation). But, in PDP Bill there are many caveats like in the case of the Data Transfers abroad the government has the power to transfer abroad but it does not have any say in the adequacy of the other country to receive the Data that is transferred, also in contrary to GDPR, the PDP bill allows the Government to direct any entity handling data to provide with any non-personal and anonymous data.

One of the challenges or the anathema to the privacy of the bill is the Re-Identification of the anonymous bill. It is matched with publicly available data to know where the data belongs or where it comes from. It is something that the entity handling data can do to connive with the authority to inflict malicious harms and can compromise the privacy of the data. Another caveat that adds to it is the revelation of Hon’ble Minister of Road Transport and Highways and MSME, Shri Nitin Gadkari has vindicated that it has provided the data entries of 87 private and 32 government entities access to Vahan and Sarathi database which yielded a revenue of 65 crores. So, this thing really questions the credibility of Indian government regarding Personal data protection. On October 2019, Israeli spyware Pegasus, a software which snooped on Whatsapp of Indian Journalists was one of the instances where it impinged upon the privacy of individuals.

With the Implementation of the bill, the likely and ostensible effects on the Indian economy is also perused. The bill will regulate the data used in all sectors of Indian Economy and would establish new compliance measures for the vast majority of Indian business. This bill would also allow the government to take the non-personal data from the companies so this could have an insidious effect on innovation and technology. And the government agencies are exempted from the legislation of this bill and also allow them to decide what safeguards they will apply to their use of data. This bill to some extent can give rise to a sort of surveillance state which instead of strengthening the privacy, would exacerbate it.

In contrary to IT regulation Act 2000, it exempts from the compensation paid by sharing data, whether done inadvertently or it is a wanton act. Other concerns are regarding data localization and Data Mirroring. PDP bills enable the cross border data transfer, having the sub-category of keeping a copy of data within the country which is known as Data mirroring. Data processing of critical personal data, which the government will notify later would, however, be barred from the cross-border transfer. However, the liberalized bill as compared to the draft bill of Justice Srikrishna committee of 2018 is welcomed by the Business as it would limit costs to business and ensure users to have a choice where they want to store data. But, the scruples of India’s infrastructure to safeguard the data would still be there. Let’s take an example of Telegram, it’s a Russian Messaging app having servers only in Russia. So, any breach of privacy would not hold the Indian government accountable. And, with the PDP Bill now the social media intermediaries would have the onus for the non-user content data uploaded by the third party. Also, there should be an independent regulatory board to operate the Data protection measures, just like the RBI. In an Anti-CAA protest where UP Government used the data to punish the protesters was justified to retaliate the wanton vandalisation of the Public Property but the people would be cynical about the Government which can likely become the “Orwellian” State by the use of Private data. So, there should be an Independent Regulatory Board which would commit itself to ensure that the Private data of people is being used, within the precincts of National Security, Integrity and Sovereignty.