Data Protection Bill: Hits And Misses
The Joint Parliamentary Committee, set up to examine the Personal Data Protection Bill, 2019, tabled its report in parliament on Thursday. The report includes a draft version of the bill which, according to the committee, should be called The Data Protection Bill, 2021.
BloombergQuint had earlier reported on the key recommendations likely to be made by the committee. All of those are included in the version tabled on Thursday:
Personal and non-personal data to be governed by a single legislation.
Regulating social media companies.
Procedure to exempt government agencies from the purview of the bill.
Provisions related to data localisation.
Composition of the data protection authority.
Experts share their initial views on the hits and misses in the JPC report and implications for citizens, whose privacy the law aims to protect.
A "Flawed" Framework
The JPC report has endorsed the section which grants the government power to exempt its agencies from the rigors of the data protection law.
The proposal was introduced by the government itself in 2019 in the Personal Data Protection Bill. The JPC has now made a slight improvement to it.
It has said that the procedure for granting such an exemption must be just, fair, reasonable and proportionate, and this exemption should be granted in exceptional circumstances.
The bill proposed by the JPC provides a limited, flawed framework for data protection, Raman Cheema, Asia-Pacific Policy Director at Access Now, said.
"The rights it provides to individuals are undermined by wide exceptions given to the government to exempt itself from data protection requirements." - Raman Cheema, Asia-Pacific Policy Director, Access Now
The data protection bill was meant to put in place a clear legal framework to regulate how personal data of individuals is collected, used, and shared by both the private sector and the government, Cheema says. Unfortunately, the bill, as brought back to the Parliament, achieves this objective in only a limited way, he told BloombergQuint.
Cheema also cited the provisions related to the Data Protection Authority to support his view.
In the DPA, the law was supposed to create an independent regulator that would enforce the rights granted to individuals. But the appointment process of the members of the data protection authority does not have enough safeguards to ensure its independence from the executive, Cheema opined.
The nomination committee is tasked to appoint the DPA's chairperson and members.
Out of the seven members of this nomination committee, six are officers directly appointed by the central government or serving at the pleasure of the union council of ministers. The one independent expert would also be chosen by the government. For the nomination committee, the JPC has suggested including the Attorney General for India, an independent expert nominated by the central government, director of any of the Indian Institutes of Technology and any of the Indian Institutes of Management.
The JPC has further worsened the independence of the DPA, Cheema said. It has proposed that the DPA should be bound by the directions which the central government is empowered to issue under the law.
The government's own version—the 2019 bill—had restricted the binding nature of its directions to only questions of policy.
"The JPC, however, has broadened the government's hold over the DPA by removing the limit that directions by the government can be only on policy issues." - Raman Cheema, Asia-Pacific Policy Director, Access Now
In effect, he added, individuals will be limited under the current version of the law on when they can assert their rights to prevent over-broad collection and use of their personal data by government agencies. "Nor will they be able to access an independent data protection authority that could force the public and private sector to respect data protection rights."
The JPC has defined “profiling” as any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a data principal. This is similar to the government's version, in addition to the DPA being allowed to frame regulations for additional safeguards or restrictions for the purposes of repeated, continuous or systematic collection of sensitive personal data for profiling.
Supreme Court advocate NS Nappinai opined that the JPC was expected to do a closer review of profiling provisions in the Personal Data Protection Bill, 2019. "It hasn't done so."
The JPC has treated the term "profiling" as similar to data processing, she explained.
"There is a big difference in allowing businesses to do data processing, marketing versus profiling. The JPC report has treated all these in the same manner. My expectation was for a closer review by the JPC of profiling provisions which I believe have not been addressed at all." - NS Nappinai, Advocate, Supreme Court
There is a direct negative connotation with profiling. It will be tantamount to a higher level of corporate surveillance which the data protection law is supposed to protect against, Nappinai said. "That the law and the JPC report may result in effectively legitimising profiling of adults as an extension of corporate surveillance is my cause for concern."
Nappinai welcomed the JPC's suggestion on a complete bar on processing of children’s data.
The 2019 version of the data protection law didn't address what happens to an individual's data in the event of death. The JPC has suggested adding this aspect to the law, i.e., users should be able to decide what happens to their data once they are deceased. To that end, the JPC has recommended that users should have the option to nominate a legal heir as the nominee, exercise the right to be forgotten and append the terms of agreement with data fiduciaries.
The move to allow people power over what happens to their data after their death is a welcome change, said Apar Gupta, executive director at Internet Freedom Foundation.
Another useful recommendation, he added, is that the law should allow an aggrieved data principal to file a complaint with the Data Protection Authority for violation of any of the terms of the Act.
"This is a welcome change as it provides for the ability of ordinary citizens who are data subjects to avail remedies by filing a complaint." - Apar Gupta, Executive Director, Internet Freedom Foundation
But, Gupta added, there are still several other provisions that undermine user rights from the prior versions.
For instance, he pointed out, the JPC has retained the provision which allowed data fiduciaries to reject requests for correction, completion, updation or erasure of personal data if they disagreed with such requests. Data fiduciaries will be able to reject such requests on the basis that certain data is still necessary for the purpose for which it was processed, Gupta pointed out.
Another concern relates to the exemption provided to data fiduciaries vis-à-vis the right to be forgotten.
A user's right to restrict or prevent continuing disclosure/processing of data can be denied if the data fiduciary can show that retention, use and processing of such data is in accordance with the provisions of the data protection law.
This makes little sense as data principals (people) have legal rights and the data fiduciaries (an artificial entity) that process their data have duties and responsibilities under the law, Gupta opined. "There seems to be a logical error in the JPC's approach on the position of data principals and fiduciaries on this issue. This will give increased discretion to government departments and companies to hold on to personal data."