JOIN USExemptions to government weakens Data Protection Bill: Rajeev Gowda
The Personal Data Protection Bill seeks to regulate the use of individual data by the government and private entities. Senior Congress leader and Rajya Sabha member M V Rajeev Gowda tells Sagar Kulkarni of DH his concerns over the draft legislation. Below are the excerpts from the interview:
Q. How will an individual's privacy be impacted by the Personal Data Protection Bill?
A. The objective of this bill was to protect an individual’s personal data. However, the focus seems to have shifted to “promoting economic growth using data”. There are some serious flaws in the bill which can impact an individual’s privacy: 1. Exemption to government agencies; 2. The clause for verification of social media users; 3. The government’s power to access any sort of anonymised data/non-personal data by directing data fiduciaries; 4. Lack of safeguards for “anonymisation” which poses a threat to personal data and privacy of the individuals; and 5. A weakening of the Data Protection Authority which was expected to be an independent regulator.
Q. How do you view the concerns over verification of social media accounts? One argument is that this part should be exempted from the ambit of the bill?
A. The bill obliges Social Media Intermediaries (e.g., Facebook and Twitter) to offer users an option to voluntarily verify their accounts. This, in effect, creates a class of “non-verified” users who may be targeted for surveillance. Also, some platforms allow users to remain anonymous and this aspect is contrary to that feature. Further, it is better that this aspect is left out as there is a case going on in court about this very issue.
Q. Does the power to exempt government agencies from the ambit of the PDP Bill to maintain public order and national security bother you?
A. Yes, the provision for Government access to personal data under the PDP Bill, 2019 (Section 35) is wider than what was allowed in the Srikrishna Committee’s version of the Bill (2018 version). Now the Central Government has the power to exempt any government agency from the purview of the Bill (all or select provisions). Also, the Bill does not codify the principles of necessity and proportionality as determinants to access personal data. This certainly weakens data protection substantially.
Q. How do you view the provisions of government getting access to non-personal data of business entities?
A. In September 2019, the Ministry of Electronics and Information Technology, constituted an expert committee to separately discuss over a data governance framework for the regulation of “non-personal data”. The purview of PDP 2019 should be limited to personal data and Non-Personal Data must be left out its ambit to avoid any conflicts and overlaps. Companies and citizens will be concerned about whether, through this provision, the government is creating a back-door for a non-personal data-sharing regime which can be easily converted into identifiable data through corroboration of various data sets.
Q. A key provision of data localisation has been diluted?
A. The Dilution is only partial: a) Localisation requirements are now only for sensitive and critical personal data (stored in India with conditions for transfer overseas); b) Critical personal data may only be processed in India [Section 33(2)]; c) Sensitive personal data (“SPD”) may be transferred outside India based on explicit consent; and d) Individuals have not been given the right over data storage: Data principals, i.e., individuals, should be given rights over where they wish to store their personal data and there is a debate over whether the State should impose restrictions on transfer of such data, especially once explicit consent has been given.
Q. Why is it important to have data storage within the country instead of servers abroad?
A. The argument is that larger corporations can afford to invest in such infrastructure, given the size of their Indian markets. But this requirement should not act as a deterrent for startups. Further, some companies may have only a US-based clientele. Subjecting them to the same requirement does not make sense.
Q. The Bill also has provisions on Right to Erasure? Will this provision help individuals to erase their digital footprint altogether?
A. The Right to erasure is not absolute, it is conditional. A user can request his/her data to be erased- when such data is no longer necessary for the purpose of processing. Data fiduciaries (e.g., companies) may refuse such requests for erasure, but data principals (individual users) may require fiduciaries to provide reasonable justifications.
The process of completely erasing digital footprint is more complex and very difficult to achieve for the common man or woman. However, this is a personal choice that people should be allowed to make. Nowadays, with even Aadhaar identities are being digitally stored, it will be tough to completely get off the grid. Moreover, with the advent of artificial intelligence, the right to erasure becomes even more difficult.
Q. The Bill seeks to create a Data Protection Authority, but it also appears that it will be dominated by government nominees and less representation to independent experts. How do you view this?
A. The composition of the Data Protection Authority is not in line with the Justice Srikrishna Committee’s suggestions. It deliberately leaves out part-time/expert members from the DPA’s board. This is a departure from the traditional practice of composition of many other statutory agencies and regulatory bodies. This prevents the DPA from benefiting from the expertise of academics, researchers, practitioners and technical experts who could be independent voices and bring ideas and criticism to the functioning of the DPA.
While section 48, allows the DPA to hire consultants and experts, they will still not be a part of the internal board, limiting the impact on the decision-making agency. So, it is important for the DPA to be independent.
Q. How credible are concerns that the Bill may lead to a creation of a surveillance state?
A. Section 35 of the Bill magnifies the already existing surveillance powers of the government. It will enable surveillance projects like NATGRID, nationwide facial recognition programme, interception of devices, effectively making way for the government to collect and process any category of personal data as per their requirement by two means-
a. Exempting any government agency from the bill (Sec 35)
b. Directing any private data fiduciary to share “anonymised personal data” and non-personal data (Sec 91).
With such access, it blurs the line with the state and the ruling party as such data can be potentially misused or tampered with during the elections.
Such access is not in line with the privacy judgement of the Supreme Court (Puttaswamy judgement), as granting personal data access to the government without safeguards and judicial oversight is against constitutional principles. Without incorporating the principles of necessity and proportionality, this provision should not be a part of the PDP Bill, 2019.
Q. The Bill was referred to a Joint Committee headed by a BJP member, instead of the Standing Committee on Information Technology headed by Shashi Tharoor. How do you view this?
A. There was absolutely no need to do this. The new Joint Select Committee has ruling party MPs in a majority and is also headed by BJP MP. The existing IT Committee, under the chairmanship of an opposition party MP, would have certainly scrutinised the bill with a fairer and more critical approach. This is typical of this government’s attempts to bulldoze critical legislation rather than subject bills to appropriate and detailed critical scrutiny.