Personal Data Protection Bill on Hold - AgainLatest Version of Measure to Be Reviewed Following Strong Objections
The long-awaited personal data protection bill, which was expected to be cleared by the Indian Parliament this year, has been put on hold yet again following serious concerns raised about recent changes in the proposal. It's been referred to a joint parliamentary committee for further review.
Opponents of the heavily revised bill argue that it would compromise citizens' right to privacy. They claim that the latest version of the bill would give the government "snooping powers."
The committee could submit a report on the bill before the budget session of the Parliament in early 2020.
The revised bill, which was presented to the Parliament on Wednesday, was opposed by the majority of the leaders, who said it had been substantially changed from what was recommended by the 10-member Srikrishna Committee, which had prepared the original draft. That committee was headed by B.N. Srikrishna, former chief justice of the Supreme Court of India.
The bill in its current form states that in certain situations when the government believes it's necessary to protect the integrity of India or security of the state, the government could exempt its agencies from the legislation's rules that govern the processing of personal data.
The latest version of the bill also largely would eliminate data localization, which many in Parliament had supported. Many have accused the government of bowing to the pressure of U.S. corporations that have opposed data localization, which would require them to store Indians' data on servers located in India.
"It is good that the bill has been referred to a joint Parliamentary committee," says Vicky Shah, a Mumbai-based cyber lawyer. "The bill presented in the Parliament is only 40 percent of what was proposed by the Srikrishna Committee. It needs to be reviewed again so that we don't compromise the privacy of citizens as well as do not give unnecessary power to the government."
In July 2018, the committee led by Srikrishna submitted its draft bill to the Ministry of Electronics and Information Technology with a goal of creating a powerful data protection law. That draft was finalized after a year of consultations with various stakeholders.
It's not yet clear who will serve on the joint committee that will review the revised bill.
"The question is what changes will be suggested and whether the government will agree to those suggestions," says Dinesh Bareja, COO at Open Security Alliance.
"At a time when privacy is gaining momentum everywhere, it is surprising that as a nation we are still nowhere close to understanding the concept of privacy. When the government is taking steps to justify snooping, we can't really expect much on privacy."
Criticism of Revised Bill
Srikrishna opposed some of the new proposals in the heavily revised bill and asked for feedback from various stakeholders.
"The bill in its present form is dangerous and can turn India into an Orwellian State," he says. "They have removed the safeguards. That is most dangerous. The government can at any time access private data or government agency data on grounds of sovereignty or public order. This has dangerous implications. I have always believed that there should be an independent judicial oversight on government access." (See: Data Protection Bill: The Data Fiduciary's Role)
Summary of Provisions
Here's a summary of three of the revised bill's key provisions:
Exemptions for Government: The revised bill's most controversial provision would exempt the government from the legislation's rules governing the processing of personal data if the government believes that's necessary to protect the integrity of India or the security of the state. The bill extensively broadens the exemptions granted to the government from these and other data protection obligations, giving rise to significant concerns for citizens' privacy.
For instance, Section 35 gives the government wide powers to exempt itself from the protections guaranteed to citizens under the bill. This section empowers the central government to exempt "any" government agency from "all or any" provisions of the act with regard to processing of specified personal data. The government can also take such a step if it is satisfied that it is "necessary or expedient" to do so in the interest of sovereignty and integrity of India, the security of the state, friendly relations with foreign states and public order.
Section 36 of the bill gives sweeping powers to the government. It allows the processing of personal data in the interests of "prevention, detection, investigation and prosecution of any offense or any other contravention of any law for the time being in force by removing the requirements of legality, necessity and proportionality."
Data Localization: The current bill would dilute data localization requirements. Those requirements would vary for different categories of data. "Personal data" of Indians could be stored anywhere, with no localization requirement. But for "sensitive personal data," a mirror copy would need to be stored domestically, and "critical personal data" would need to be processed and stored only in India.
The original draft of the bill called for more broadly mandated data localization. For "non-critical data," it would require storage of a mirror copy in India.
WhatsApp, Mastercard, Visa and other companies had opposed the mandate saying it would make India an "unfeasible market."
But Srikrishna told ISMG that data localization is needed to help law enforcement investigate cyber incidents as well as protecting the privacy rights of Indian citizens. "We have seen multiple cases where for years a simple case could not be closed because required data is stored on servers which are located beyond our borders," he said.
Consent Manager: The revised bill introduces the concept of a "consent manager," some sort of agency that would manage the process of obtaining individuals' consent for data usage. The bill defines a consent manager as "a data fiduciary which enables a data principal to gain, withdraw, review and manage his consent through an accessible, transparent and interoperable platform."