The much-awaited personal data protection bill, finalised on November 22, 2021, and scheduled to be tabled in the winter session of the parliament, has received a mixed response.
While the bill finally getting tabled is a welcome move, it received wide-ranging criticism from privacy activists for being in favour of the government rather than protecting privacy, which is a fundamental right. It also conflated issues by bringing social media and non-personal data into its ambit and at the same time exempting the government from the purview of the Act, a move that received dissent notes from seven ministers.
Moneycontrol caught up with the man who spearheaded the committee that came up with the first draft of the personal data protection bill in July 2018 – Justice BN Srikrishna. Since then, the draft has undergone several iterations and five extensions, before it was finalized on November 22.
Justice Srikrishna is candid in his criticism of the dilution of the PDP bill, going as far as calling it “Orwellian”. In this interview, he spoke to us about the concerns around the bill, challenges of conflating personal and non-personal data, and international implications.
Could you share the few concerns from the data protection bill that was tabled in the parliament?
The bill is loaded in favour of the government. The Supreme Court had already declared that privacy is a fundamental right, which cannot be taken away. That is why we had suggested in 2018 that you should have a separate law that deals with personal and non-personal data. Now this is a hotchpotch law in which it started off with personal data protection and has now turned into data protection, including the non-personal data. The problem is that the government has been given total power to declare the state exempt from any provisions of the Act on grounds like sovereignty, public good and data security. They say that it should be done in accordance with the procedure, which should be reasonable, rational, and proportional. How rational is to be seen.
Could you elaborate what you meant when you spoke about rational?
If you look at fundamental rights it is subject to restrictions that are stringent in nature. For example, you cannot punish a person unless he is found guilty and convicted in accordance with the Criminal Procedure Code and IPC. We cannot restrict the liberty of the person unless he's found guilty.
In this case, when you say reasonable and rational, who will decide it? It will be a secretary who could declare based on some sections and say it is necessary to access the data. They could say, because, this affects the security of the State. That is why we are suggesting that there should be either judicial oversight or not. You cannot trust the Babus to do this, because nobody will say the government is wrong. That is why you need an independent person to apply his mind and say this is wrong. This is what you cannot do. So that is why I said earlier when I saw the 2019 draft that is sliding into the Orwellian state, and this proves my point.
The other aspect is the Data Protection Authority. The Data Protection Authority should be an independent regulator because it's very important, according to me, much more serious than even regulators like the Reserve Bank of India. When you say that the Data Protection Authority will be appointed by the government's selections, by persons headed by a cabinet secretary, obviously you are going to make them a captive entity. We have suggested that the chairman should be a judge of the Supreme Court. Now the draft says he can be a judge of the Supreme Court or anyone who is qualified to be one.
There are several concerns around the conflation of personal and non-personal data. How is it going to impact data protection?
When you conflate personal and non-personal data, there will be a situation where you don't know where the non-personal data and personal data are. How are you going to determine it? The law does not have a clear-cut picture and, with everything shown on the DPA, the position, according to me, sorry, I'm using a harsh word, will be a captive or a stand of the government.
That is how it is going to work out. For the penalty, we said (in the 2018 draft) that, if it was a multinational corporation and there was a violation of the act, there should be a heavy penalty not less than 4-5 percent global turnover. But, the new bill does not do it, because they can't attain the total global turnover. What is this? Are you saying you can't ascertain the global turnover of a corporation carrying on business in India? (But) that is the reason given.
How do you see this play internationally given the current form we have for data protection? For instance, Europe has strong data protection laws and this is increasingly becoming important for cross-border data transfer.
This is the danger these people don’t realise. A lot of American companies do business across the Atlantic. They have business interests in Europe, where they have GDPR. But in the US there is no GDPR. Data will be transferred from Europe to America or American entities because of the data shield agreement.
This came to be challenged before the European Commission, and then finally it landed up before the European Court. What the court said was, ‘In America, the law is, at the instance of the President of the United States, he can get access to any data held by an American corporation without the consent of the principal. They said this is not acceptable because what is not permissible under the GDPR you bring it through the backdoor. So we cannot agree to this.
This will not be valid data transfer.’ Look at what's going to happen in India. If a European company has to transfer the data here, they would say ‘My data is here and your Babu (civil servants) has stratified it saying that it is in the interest of security and take away my data.’ So what the American companies faced by this judgment will happen here. European companies will have a definite upper hand on this and will go to the Supreme Court.
So do you see this playing out in the courts?
Look at the number of dissenters. Seven members have dissented and they are all valid points, particularly when it comes to the blanket exemption to the government. Anybody with the right mind can go and challenge.
Another key variation from the bill you had presented in 2018 and the final report was dilution of data localization. While your report had mandated localization/mirroring of all personal data in India, the current report has asked only for localization of personal and sensitive data. Do you see these presenting challenges?
Let us assume that all my data is abroad, forget about being sensitive and critical. If we consider that we have a good law and the government can get the data pertaining to me because they have a good reason to believe that I am a terrorist. How will they do it? They will go to the MNC and go to the CEO and say, ‘Mr CEO I want Mr Srikrishna’s data.’ The company will say, ‘Sir, the data is kept in Timbuktu or California or Florida. I can’t give it to you without the federal government agreement.’
Then, the only option left is the mutual legal assistance treaty. First of all, it (the process of getting the data) has to go through the executive, and then from government to government it has to go and then it has to be certified. It would take about two years to get this. So you want to catch on the terrorist, which is me here, now. By this time, I would have gone to Antigua and obtained citizenship.
Are you saying that it would have taken less time if all the data were localized within the country?
What we had suggested was that, maintain the data wherever you like. But keep a live copy here. Alternatively, when the government asks with the proper authority, and legislative backing, give an undertaking that it will be produced within two days, three days or even 24 hours. It is not difficult since it is all electronic.
Whoever is operating in India is in my jurisdiction and I want the data in 24 hours because I am chasing a terrorist. Now, that is not possible because only my sensitive and critical data, and my financial data are stored here because of the Reserve Bank directive. My telecommunication data is maintained here, because of the Telecom and Regulatory Authority of India. But what is critical data? They have not defined what critical data is.
The final JPC report had also touched upon social media and others…
The non-personal data was introduced as Section 95 in this act and that has been expanded to all kinds of irrationality in the JPC. Another thing is the attempt to control all social media, they are calling them social platforms. They have mentioned that if the social media platform users go beyond the threshold in numbers, or carries on activity that is objectionable from the point of view of the government, then they can be subjected to all kinds of restrictions in the act. They have also got all NGOs subjected to the data protection act.
I have a problem with it because, according to me, this should apply to everyone and that every government department shall be responsible for it. But it's difficult to see this government integrating the data. We had also said (in the 2018 report) that if there is a breach in the government department, heads would be responsible. (It is being said that) ‘You can't make him (department heads) personally responsible and we will have an internal inquiry and find out who's responsible for it so that he can stop and identify what was the one?’
What will be done with non-personal data is not clear. That is why we said in the 2018 report that the bill will not deal with non-personal data and we will have a separate legislation. But the government set up only a committee and it did not have a single lawyer. That is the problem of getting lost by a committee of technical experts. Now, it (final draft) says what to do with their non-personal data will be decided by the government from time to time and according to its policy. This is another blank check.
There are different types of non-personal data. One is collected by the government such as meteorological data, agriculture, forestation and deforestation, which will be held by the government. Then there is private non-personal data of companies. This could be the policy they have where they want to expand, source raw materials, or raise financials by different methodology. All these are private to the company, why should a government have access to all this?
Do you see challenges in implementation? All the existing regulations and different sectors will need to be in sync for effective implementation and many of these might be riding on the Data Protection Authority…
We said that, before you implement the legislation, set up the Data Protection Authority. I will remind you the Data Protection Authority (DPA) was conceived of as an independent regulator with not less than 50 percent consisting of independent persons with judicial oversight by the Supreme Court judge. DPA will be somebody who will interact with the sectoral industries like the chemical, shoe manufacturing and automobile and understand their best practices with regard to the protection of data. Now all that is gone. What is this, I don't understand. Where is the fundamental right protection for non-personal data?