The draft Personal Data Protection Bill, 2018, produced by the committee headed by former Supreme Court judge BN Srikrishna is a positive baby step towards data protection. This follows growing concerns across the world regarding how data of citizens is being misused by entities, both private and state.
This draft law bolsters the Supreme Court ruling on privacy and is warranted in an increasingly data-driven digital space. The draft Bill proposes the formation of a separate authority, the Data Protection Authority of India, DPA for short, to handle issues pertaining to violation of the relevant law. The draft Bill has also laid to rest speculation over amendments it reportedly recommended for the Right to Information Act, Aadhaar Act and Information Technology Act. In the case of the RTI Act, although it was suspected that amendments purportedly suggested in the Bill would weaken its application, the draft has only added a clause that ensures that disclosure under the RTI Act would not be constrained by the proposed data protection law. This separates the RTI Act and data protection laws, by which it is ensured that the law cannot be invoked to deny information under RTI Act.
Also Read
However, while the Bill is noteworthy as a maiden endeavour towards better data protection in the country, concerns remain. One grey area in the Bill pertains to the data localisation clause. Experts in the industry fear the law would affect globally connected businesses. They worry that it is an expensive proposition to get companies to establish data centres within the country and that investment in such facilities would affect businesses adversely. It is a valid concern from the point of view of businesses and perhaps the worries need to be addressed in terms of time given to ensure compliance. From the perspective of national security, the move to localise data is most welcome. It would definitely help expediting investigation of crimes involving virtual communication and exchange. But caution is advised wherever the term “national security” is used. A trigger happy government might also end up using this as a tool to detect and crush dissenters, forcing entities to reveal information under the garb of national security.
The Snowden revelations pointed towards a sinister plot by the US government to use surveillance as a weapon against the citizen. What is to say this doesn’t happen in India as well? Even while the draft Bill has focused on localisation of data, one aspect it appears to not have addressed adequately is controls on surveillance — be it by the state or other entities within the country. Sections 42 and 43 of the Bill provide exemptions that facilitate the collection of data by the state in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of law. The clause seems to imply that Aadhaar has been kept out of the purview of draft law. It is a strange addition considering the fact that one of the reasons why this committee was created is due to privacy concerns raised by civil society regarding the Aadhaar project.
These sections also reinforce the antiquated terms of the Telegraph Act and the Information Technology Act on surveillance. Prior judicial authorisation is not required to conduct surveillance; executive sanction by a competent authority is adequate to initiate such action. The numbers of telephone interception orders issued by the government are indicative of the kind of targeted surveillance that occurs and the absence of any reasonable application of mind in many cases. Given that the BJP Government has majority in Lok Sabha, amendments suggested to the law are unlikely to be accepted. It therefore cannot be hoped that lacunae in the draft Bill would be addressed proactively by the Government. This will be a sad scenario as data protection will be an ever changing and ever widening legal instrument that will require constant monitoring, not only by government but more importantly by social watchdogs.
