After nearly two years of deliberation, the Joint Parliamentary Committee on Personal Data Protection Bill 2019 tabled its report in Parliament on December 16 .The Bill has been in works since the Supreme Court’s Puttaswamy judgment in 2017. Since then it has undergone several iterations and extensions. The revised draft has received wide ranging criticism primarily for bringing in social media and non-personal data under its ambit and also for the blanket exemptions accorded to the government.
During a panel discussion on Plunge Daily Twitter Spaces on Wednesday, Dr Aruna Sharma, former secretary-Steel, government of India, Kazim Rizvi, founding director-The Dialogue and Swati Punia, senior programme officer at Centre for Communication Governance and Ashutosh Bhattacharya, editor-Plunge Daily went into the nitty-gritties of the Data Protection bill and discussed its possible implications.
Underling the criticality of surveillance for law enforcement agencies, Mr Kazim stressed the need for it become more target-centric and accountable.
“In India, we do not have surveillance reforms and our police are not accountable to the parliament or judiciary which is not a global norm. In countries like the US and UK, there are laws to regulate surveillance. We need to move in the direction where there should be more accountability and judicial oversight and there should be a feedback loop in terms of how these agencies are performing. More importantly, the government should invest in building the capacity of police rather than giving wide exemptions.”
Dr Sharma also strongly objected to the wide exemptions for the government in the redrafted bill.
“Previously, there was a high level committee that used to decide whether a particular data or communication has to be put under surveillance but now that authority has been delegated to eight to nine departments and that is disturbing. Particularly, the exemptions that the government has accorded itself under Clause 35 will not stand the Court of Law. So, this clause should be removed from the bill,” she said.
Swati Punia noted forward movement in terms of data privacy and portability in the revised bill
“We have seen movement in terms of privacy rights like right to be forgotten, which was earlier limited to disclosure of personal data now it has been enlarged to processing of personal data as well. Another key reform is about data portability that can only be denied if it’s not technically feasible,” she said.
Kazim called the recommendation to make it mandatory for fiduciaries to report data breach as a major step forward but added that the provision for personal liability in case of data breach seemingly has no global precedent.
“The penalty they have levied seems alright but the only challenge is the criminal liability part because it disincentivises the ecosystem at large, he said.
Underscoring the need for more clarity in terms of non personal data, Swati said, “There seems to be a simplistic understanding that clubbing it can bring two goals together but the objectives being varying and different in nature”
“If non-personal data is leaked , the central government will design rules on how this data breach should be handled and that is concerning. The state being a data fiduciary itself, how could it decide to handle this breach?” she asked.
Dr Sharma pointed out that the Bill gives more emphasis to compliance over security of personal data.
“Non personal data is for analytics so combining it under DPB’s ambit will create a lot of confusion. If you look at the EU’s GDPR law it is still evolving and they have not included non-personal data,” she said.
Speaking about the possible impact of the new data protection on the startup ecosystem, Kazim said localisation restrictions could pose major challenges for startups and MSMEs.
“There is a need for privacy-embedded practices into the business ecosystem but startups could face challenges in terms of storage of data or processing, which is currently available on international cloud servers, ” he said.
“Due to localisation restrictions, those services may not be available. If startups are forced to store data in India or physical servers, the storage cost could also increase. So, there should be an option to either localise or opt for international cloud servers, he added.
The panel unanimously agreed that the PDP 2019 is for securing privacy of individuals and not for regulation of social media platforms. There is already a separate law to address the issue and bringing multiple issues under one umbrella would create more confusion, the panel observed.
