Moneycontrol PRO
Open App
you are here: HomeNewsBusiness

Draft Personal Data Protection Bill is taking focus away from individual privacy, say experts

The bill was finalised and adopted by the Parliamentary panel on November 22, and would be tabled in the Winter Session of Parliament. The bill was first proposed in 2018 by the expert committee headed by Justice BN Srikrishna following the Supreme Court judgement that ruled that privacy is a fundamental right.

November 25, 2021 / 04:21 PM IST
(Representative Image)

(Representative Image)


The Personal Data Protection Bill has conflated issues by bringing in social media and non-personal data and exempting the government from purview, experts have said. This only muddied the waters by taking the focus away from individual privacy, they noted.


While the bill seeing the light of the day is a welcome move, experts have raised several concerns that need to be addressed.


The bill was finalised and adopted by the Parliamentary panel on November 22, and will be placed in the Winter Session of Parliament. The bill was first proposed in 2018 by the expert committee headed by Justice BN Srikrishna following the Supreme Court judgement that ruled that privacy is a fundamental right.


Conflating issues


The key concerns raised are around the introduction of social media into the PDP bill, which was not specified in the initial version. The bill states that the social media intermediaries could be treated as publishers and should be subjected to stringent regulation.

Close

“When I saw the PDP bill, 2019 for the first time, it was a shock to see the social media platform on the bill. This was not the place,” said a source, who worked on the bill right from 2017. According to the source, the bill was expected to look at the large picture and this inclusion should have been avoided. Instead, this muddies the waters, the source added.


Supratim Chakraborty, Partner, Khaitan & Co, concurs. “The Personal Data Protection Bill was supposed to be an umbrella legislation covering data protection. It was never made to go into granular details or issues such as the social media platform,” he explained.


According to him, there are clearly many issues around these platforms and people are trying to do a lot of things. “You already have an avenue in the Information Technology Act that has been revamped, and maybe you can work around that. So the issue is that I think somewhere there is a lack of understanding about where (the bill) started from,” he added.


However, these are not the only issues. Ameet Datta, Partner, Saikrishna & Associates, pointed out that the bill is also conflating personal data with non-personal, which could be an issue. According to experts, this could lead to implementation challenges and might not yield intended results.


Other concerns include the need for a formal certification process for digital and IoT devices, and other hardware devices for data security. The draft also mandates a 72-hour timeline for companies to notify breaches. According to experts, this again was too granular for an umbrella regulation.


The experts quoted above agreed that the bill, while looking to address many issues, has strayed from the core, which is the data privacy of an individual.


Khaitan's Chakraborty observed, "In a way, yes. I also believe we are further muddying the waters, and that is what should be avoided."


Datta pointed out that "it is missing the forest for the trees." According to him, in trying to conflate issues, the draft has kept national interest at the focus rather than individual privacy, which was the point of having the data protection bill.


Excess powers to the government


Seven ministers including Jairam Ramesh, Manish Tewari, Derek O’Brien and Mahua Moitra submitted notes of dissent over provisions that give excess power to the government. The two sections that were of key concern were Section 35 and Section 12. In his dissent note, Ramesh said, “Section 35 gives almost unbridled powers to the central government to exempt any government agency from the entire Act itself.”


Section 12 allows the government to process data without consent. The ministers stated that the government can only do so with Parliamentary sanction, and without it, the law is prone to misuse.


By leaving the government out of the purview, there is a broader concern that this could lead to surveillance, violating the core idea, which is individual privacy.


Ramesh further said in his note: “The idea that August 2017 Puttuswamy judgement of the Supreme Court is relevant only for a very tiny section of the Indian population, in my view, is very deeply flawed and troubling, and is the one I reject.”

Vivek Sood, a Supreme Court lawyer, said that while these concerns are fair and should be addressed by narrowing down the exceptions, the need of the hour is to get the bill passed.

Swathi Moorthy
Sections
ISO 27001 - BSI Assurance Mark