india

Updated: Dec 11, 2019 04:10 IST

The proposed law to protect personal privacy in India gives the government more powers to access people’s data over reasons such as safeguarding national security as compared to the law recommended by an expert committee, according to a version set to be introduced in Parliament this week.

The Personal Data Protection Bill, 2019, which will underpin India’s first legal framework to protect privacy after it was held as a fundamental right by the Supreme Court in 2017, has been circulated among parliamentarians, according to a person aware of the development, who added that MPs are likely to push for the bill to be sent to a joint committee for closer scrutiny.

“The bill includes a lot of nuances and it needs to scrutinised more closely,” said this person, asking not to be named. The draft is yet to be tabled in Parliament.

The law is based on a draft prepared by the expert committee led by retired justice BN Srikrishna, and on the whole, gives ownership of personal data to the individual, defines obligations for any organisation handling such data, and lays down penalties and punishments in case a user’s privacy is breached.

The bill prepared by the ministry of electronics and information technology has several new and changed provisions, including those that dilute some of the contentious data “localisation” requirements, and requirements for social media giants such as Facebook and Twitter to carry out new identity verification mechanisms.

Some of these provisions were reported by HT on December 5, a day after the Union Cabinet approved the bill.

According to experts who reviewed the text of the bill, the changes give the government a wider berth when it comes to authorising agencies to circumvent privacy safeguards under exemptions for national security.

“The new version of the bill dilutes provisions on surveillance reform introduced in the previous draft. It removes the internationally recognised principles of ‘necessity and proportionality’. The requirements of ‘necessary and expedient’ in Section 35 have very little meaning,” said Amber Sinha, research director at Centre for Internet and Society (CIS).

Similar changes were spotted by experts in other provisions. “The new draft appears to remove the ‘fair and reasonable processing’ obligation in the Srikrishna Committee draft that applied when personal data is accessed for purposes such as national security and to comply with court orders. In the new version, the government can process personal data on the grounds of national security (Section 35), or for purposes relating to crimes or court orders (Section 36), and the only obligation that would apply would be that it needs to have a specific, clear and lawful purpose,” said Rahul Matthan, a partner-lawyer in technology and media practice at the law firm Trilegal and author of Privacy 3.0.

One of the experts who was on the Srikrishna Committee said provisions relating to exemptions were changed. “The exemptions appear to be wider but are still in the spirit of the Puttuswamy order. As a result of Article 35, there will have to be a written record of surveillance authorisation which was not mandated by law as of now. The proof of the pudding, however, will be in the eating,” said Arghya Sengupta, research director, Vidhi Centre for Legal Policy.

Sengupta added that “the Bill is largely in keeping with the structure suggested in the report by the committee. There are no significant changes in its structure”.

The law will be enforced by a new Data Protection Authority (DPA), which will also monitor and licence companies handling data. The DPA will be headed by six members with expertise in fields such as cyber security and information technology. “The structure of the DPA as per the bill is deeply problematic. If you want the DPA to protect your rights, you will approach an adjudicating officer (AO) and not the chairman. The adjudicating officers do not appear to have complete independence or oversight by DPA members since their terms of service and appointment is determined by the government,” said Raman Jit Singh Cheema, policy director at Access Now and a member of the Internet Freedom Foundation (IFF).

One of the changes in the new bill is also how DPA members are selected. The Srikrishna Committee suggested they are appointed by a panel with representatives of the chief justice (or himself), the cabinet secretary and an expert chosen by the government. The new selection committee will consist of the cabinet secretary, the legal secretary, and the secretary of the electronics ministry.

In addition to individual privacy, the law will also have implications for domestic business and diplomacy since it will force Indian as well as multinational companies to adhere to new rules over how they store and process data of Indian citizens. Companies such as Facebook have opposed hard data localisation rules, which the new bill now appears to dilute by requiring companies to keep a copy if they can secure the consent of their users.