The Joint Parliamentary Committee (JPC) on Personal Data Protection (PDP) Bill 2019, has argued in its report defending the controversial exemption clause that allows the Government to keep any of its agencies outside the purview of the law. The JPC said that a secure nation alone provides the atmosphere which ensures personal liberty and privacy of an individual.
GS-III: Internal Security Challenges (Cyber Security, Government Policies & Interventions, Internal security challenges through communication networks), GS-II: Governance
Dimensions of the Article:
- Significance of Data
- Personal Data Protection Bill 2019
- Advantages of the changes
- Issues with the bill
- About Joint Parliamentary Committee (JPC) report on PDP Bill
- Concerns raised by the JPC
- Recommendations of the JPC on PDP Bill
- Data Protection Authority (DPA): The solution?
Significance of Data
- Data is the large collection of information that is stored in a computer or on a network.
- Data is collected and handled by entities called data fiduciaries.
- While the fiduciary controls how and why data is processed, the processing itself may be by a third party, the data processor.
- This distinction is important to delineate responsibility as data moves from entity to entity. For example, in the US, Facebook (the data controller) fell into controversy for the actions of the data processor — Cambridge Analytica.
- The processing of this data (based on one’s online habits and preferences, but without prior knowledge of the data subject) has become an important source of profits for big corporations.
- Apart from it, this has become a potential avenue for invasion of privacy, as it can reveal extremely personal aspects.
- Also, it is now clear that much of the future’s economy and issues of national sovereignty will be predicated on the regulation of data.
- The physical attributes of data — where data is stored, where it is sent, where it is turned into something useful — are called data flows. Data localisation arguments are premised on the idea that data flows determine who has access to the data, who profits off it, who taxes and who “owns” it.
Personal Data Protection Bill 2019
- The Personal Data Protection Bill 2019 (PDP Bill 2019) is being analyzed by a Joint Parliamentary Committee (JPC) in consultation with experts and stakeholders.
- The Bill covers mechanisms for protection of personal data and proposes the setting up of a Data Protection Authority (DPA) of India for the same.
- Some key provisions the 2019 Bill provides for which the 2018 draft Bill did not, such as that the central government can exempt any government agency from the Bill and the Right to Be Forgotten, have been included.
- The Bill proposes “Purpose limitation” and “Collection limitation” clause, which limit the collection of data to what is needed for “clear, specific, and lawful” purposes.
- It also grants individuals the right to data portability and the ability to access and transfer one’s own data. It also grants individuals the right to data portability, and the ability to access and transfer one’s own data.
- Finally, it legislates on the right to be forgotten. With historical roots in European Union law, General Data Protection Regulation (GDPR), this right allows an individual to remove consent for data collection and disclosure.
The Bill trifurcates data as follows:
- Personal data: Data from which an individual can be identified like name, address etc.
- Sensitive personal data (SPD): Some types of personal data like as financial, health, sexual orientation, biometric, genetic, transgender status, caste, religious belief, and more.
- Critical personal data: Anything that the government at any time can deem critical, such as military or national security data.
Advantages of the changes
- Data localisation can help law-enforcement agencies access data for investigations and enforcement.
- As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties”.
- Accessing data through this route is a cumbersome process and also instances of cyber-attacks and surveillance can be checked easily.
- Social media is being used to spread fake news, which has resulted in lynchings, national security threats, which can now be monitored, checked and prevented in time.
- Data localisation will also increase the ability of the Indian government to tax Internet giants.
- A strong data protection legislation will also help to enforce data sovereignty.
Issues with the bill
- The current draft requires the DPA to maintain a cadre of adjudicating officers and specifies their desired areas of expertise.
- All other important details, like the terms of appointment, jurisdictional scope, and procedure for hearings, are, however, left to be decided by the central government.
- The Bill doesn’t even specify whether the adjudication process can, or should, be preceded by mediation, which could help in the amicable settlement of many complaints.
- Many contend that the physical location of the data is not relevant in the cyber world. Even if the data is stored in the country, the encryption keys may still be out of reach of national agencies.
- National security or reasonable purposes are an open-ended term, this may lead to intrusion of state into the private lives of citizens.
- Technology giants like Facebook and Google have criticised protectionist policy on data protection (data localisation).
- Protectionist regime supress the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows rather than nationalistic borders.
- Also, it may backfire on India’s own young startups that are attempting global growth, or on larger firms that process foreign data in India.
About Joint Parliamentary Committee (JPC) report on PDP Bill
- The committee has retained the Clause 35/Exemption Clause -which allows the Government to keep any of its agencies outside the purview of the law – with minor changes.
- The Clause in the name of “public order”, ‘sovereignty’, “friendly relations with foreign states” and “security of the state” allows any agency under the Union Government exemption from all or any provisions of the law.
- The clause is for “certain legitimate purposes” and also there is precedent in the form of the reasonable restrictions imposed upon the liberty of an individual, as guaranteed under Article 19 of the Constitution and the Puttaswamy judgment.
Concerns raised by the JPC
- The committee expressed concerns with possible misuse. Though the State has rightly been empowered to exempt itself from the application of this Act, this power may be used only under exceptional circumstances and subject to conditions as laid out in the Act.
- The Bill creates two parallel universes — one for the private sector where it would apply with full rigour and one for the Government where it is riddled with exemption, carve outs and escape clauses.
- A Bill that seeks to provide blanket exemptions either in perpetuity or even for a limited period to the ‘state’ and its instrumentalities, is beyond the legal power of the Fundamental Right to privacy as laid down in Puttaswamy judgement.
- Bill does not provide adequate safeguards to protect the right to privacy and gives an overboard exemption to the Government. Clause 35 is open to misuse since it gives unqualified powers to the Government.
- The Bill pays little attention to “harms arising from surveillance and effort to establish a modern surveillance framework”.
- The Bill has no provision to keep a check on collection of data by hardware manufacturers.
Recommendations of the JPC on PDP Bill
- The JPC has called for the development of an alternative indigenous financial system for cross-border payments on the lines of Ripple (U.S.) and INSTEX (EU) and that the Central Government must prepare and pronounce an extensive policy on data localisation.
- The JPC also said that the Government should make efforts to establish a mechanism for the formal certification process for all digital and IoT (Internet of Things) devices that will ensure the integrity of all such devices with respect to data security.
- The JPC has recommended that all social media platforms, which do not act as intermediaries, should be treated as publishers and be held accountable for the content they host, and should be held responsible for the content from unverified accounts on their platforms.
- It also said that under clause which deals with granting powers to the government to make rules, the government should decide the manner in which a data fiduciary can share, transfer or transmit the personal data to any person as part of any business transaction. The government should take the final call on whether sensitive personal data can be shared with a foreign government or agency.
- The recommendations also give the government the scope to set up a future statutory body to look into the use of personal data by journalistic organisations.
Data Protection Authority (DPA): The solution?
- One of the many important duties cast on the Data Protection Authority (DPA) that is to be created under the Bill is to adjudicate complaints received from data principals — individuals whose personal data is processed by others.
- The DPA is set to function as what the Financial Sector Legislative Reforms Commission (FSLRC) termed as a “mini-state”. This refers to an agency that is entrusted with a mix of quasi-legislative (regulation-making), executive (supervision and enforcement), and quasi-judicial (adjudication) functions.
- It comes with the risk that, absent structural safeguards, the agency might end up abusing or, conversely, neglecting some of its functions. A carefully-crafted regulatory design and robust accountability mechanisms are, therefore, essential.
Broad Mandate of the DPA, a problem
- Unlike other sectoral regulators that oversee specific businesses, the DPA’s authority will extend to anyone who deals with personal data.
- This may include individuals, private entities or any department or agency of the state.
- Further, since each data principal is party to multiple online and offline relationships, the universe of regulated transactions becomes even larger.
- Even a miniscule 0.5% rate of complaints out of the total shares of personal data will result in more than 10 million cases in a year. A caseload of this sort would be daunting for any agency.
- As a consequence, the DPA may either be overwhelmed by the volume of complaints or may grossly under-prioritise this aspect, resulting in delays, erosion of trust and poorer outcomes.
-Source: The Hindu