Personal Data Protection Bill: Sweeping Powers To Government A Step Backwards, Say Experts
The Personal Data Protection Bill giving investigating agencies unbridled powers to carry out surveillance on private data has spooked companies and experts who argue that such overarching access is against established principles and is a dramatic step backwards.
The Personal Data Protection Bill, 2019, was introduced in the Lok Sabha on Wednesday, and the government proposed sending the Bill to a joint select committee of both Houses of Parliament amid protests by the opposition.
"Critically, this latest Bill is a dramatic step backward in terms of the exceptions it grants for government processing and surveillance," said Mozilla, the not for profit entity behind the web browser Firefox.
The biggest concern, it rued, is the Bill's expansion of the broad exceptions that were present in the 2018 draft of the data protection bill for the government processing of data.
Crucially, the requirement that government processing of data be "necessary and proportionate" has been cut. Furthermore, a provision was added granting the government complete discretion to exempt any entity or department from any part of the law, it said in a blogpost.
Mozilla argued that this "leaves the current legal vacuum around India's surveillance and intelligence services intact, which is fundamentally incompatible with effective privacy protection".
Software Freedom Law Centre, India said it believes that granting access of personal data to the State, without appropriate safeguards and judicial oversight is against established constitutional principles and should not form part of the Bill.
It also expressed concern that Data Protection Authority- a regulatory body proposed under the Bill - will be completely dependent on the Centre for its formation and membership.
"We believe that to ensure the independence of the DPA, there should be sufficient involvement of judicial members in the selection committee as well as in the DPA. This will guarantee judicial review and will quell concerns of conflict of interest," it said.
On the same issue, Mozilla said under the structure proposed it will be harder for the DPA "to be empowered and effective as the entire governing structure will be appointed exclusively by the government".
The Bill proposes that personal data will not be processed without consent of the owner of the information, and that no personal data will be processed except for clear and lawful purpose.
However, one of the provisions of the Bill will "empower the central government to exempt any agency of government from application of the proposed legislation" - which experts say will give sweeping powers to government agencies to collect data of citizens.
The Bill states that the Centre can - in the interest of sovereignty, security of the state, and public order - "direct that all or any of the provisions of this Act shall not apply to any agency of the Government in respect of processing of such personal data..."
The Bill also states that the central government can frame policy for the digital economy with respect to non-personal data. In particular, it can direct any data processor to "provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the central government".
Further, the Bill says that social media entities with user base above a certain threshold and whose "actions have, or are likely to have a significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India," will be notified as 'significant data fiduciary'.
Every social media intermediary classified as a 'significant data fiduciary' will be required to enable users in India to voluntarily verify their accounts. Any user undergoing such voluntarily verification will have to be provided with a verification mark that is visible to all users of the service. Such entities will also have to get their policies and conduct (of data processing) audited annually by independent data auditors.
When contacted, a Facebook spokesperson said the Bill will encourage people to be privacy conscious and exercise greater privacy controls available to them.
"We welcome India's efforts to frame data protection legislation. We believe that a data protection law will empower Indian users and boost India's fast growing digital economy," the Facebook spokesperson said.
Protecting people's information is a priority for Facebook, the spokesperson said adding that the company will continue to work alongside governments and regulators to find the right solutions to safeguard users' safety and security.
On the provision around social media user verification on voluntary basis, Mozilla, said the move will be "disastrous for the privacy and anonymity of internet users" as "this would likely entail users sending photos of government issued IDs to the companies".
"This provision will also increase the risk from data breaches and entrench power in the hands of large players in the social media space who can afford to build and maintain such verification systems," it said.
The Bill also provides for stringent ground rules for processing of personal and sensitive information of children, while mandating processing of 'critical' personal data only in India.
Violations in case of processing of personal data of individuals as well as children, and failure to adhere to security safeguards will attract a fine of up to Rs 15 crore or 4 percent of the global turnover. The Bill also proposes up to three-year imprisonment and/or fine of up to Rs 2 lakh for re-identification and processing of de-identified personal data.