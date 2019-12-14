Published: 12:11 am 11:14 pm

At a time when data theft and surveillance have emerged as major threats at the global level, there is a need for a robust law that protects citizens’ personal data and prevents its misuse while simultaneously providing a technology tool for governments to fine-tune their delivery services. The Personal Data Protection Bill, 2019, introduced in the Lok Sabha after a long delay, falls short of expectations on several grounds. While the legislation is meant to provide a comprehensive data protection architecture, what it ends up doing is giving sweeping powers to government authorities, particularly the enforcement agencies, to swoop on data without proper safeguards. The draft Bill has deviated from the report of the Justice BN Srikrishna Committee, which was constituted to prepare a data protection framework for securing personal data in the country’s increasingly digitised economy. One of the major grey areas is granting exemption to enforcement agencies from the purview of the law. This will lead to investigating and enforcement authorities wielding unbridled powers and snoop on personal data, ostensibly under the cover of protecting the interests of the country’s sovereignty, security and integrity and maintenance of public order. This goes against the spirit of the Supreme Court’s landmark ruling declaring privacy of citizens as a fundamental right as part of Article 21 of the Constitution. Another area of concern is that the government gives itself powers to obtain any user’s non-personal data from the companies. It would adversely affect the internet economy and e-commerce businesses.

Experts have also flagged concerns over issues relating to localisation of data, individual consent and penalising those companies breaching the privacy norms. The Bill envisages constitution of an all-powerful Data Protection Authority (DPA) to supervise and regulate data fiduciaries. Packed with bureaucrats without any room for outside experts or judicial oversight, it smacks of excessive regulation. The DPA is empowered to draft specific regulations for all data fiduciaries across different sectors, supervise and monitor their functioning and initiate enforcement actions. It will also have a separate adjudication wing to impose penalties and award compensation. The whole mechanism becomes problematic when the government agencies themselves get involved in surveillance and snooping of citizens’ data. The draft legislation allows for processing of individuals’ personal data without their consent if it is necessary for any function of Parliament or State legislature. It is unclear what functions of Parliament would necessitate such processing of data without consent. On the contentious issue of storing the data locally, it has several ambiguities including the provision on keeping a ‘serving copy’ of all personal data in a server or data centre located in India. The laws in the European Union, Australia and Canada have no such requirement.

