Personal Data Protection Bill, 2019 | Data privacy or is it easy access to privacy?

Aurelia Menezes and Mohana Roy

India’s own Personal Data Protection Bill, 2019, may soon see the light of day. The current version of the Bill, introduced in the Lok Sabha on Wednesday and referred to a joint select committee, is different from the first draft in terms of applicability of law.

The legislation has given the central government powers to exempt its own agencies from the purview. In fact, technology companies are already weighing its overall impact on the sector.

 Key Features

The proposed Bill provides for extra-territorial applicability similar to General Data Protection Regulation (GDPR) and governs processing of personal data by both government and private entities incorporated in India and foreign entities doing business in India or collecting such data.

It introduces concepts such as data principal, fiduciary and processors more on the lines of data controller and subjects in GDPR. It also proposes to establish a regulatory body -- the Data Protection Authority (DPA) -- to protect personal data.

The Bill also categorises data as sensitive, critical and non-sensitive/ non-personal or general. The core principle is fair and reasonable processing of data and minimising any meddling in individual’s privacy. However, this principle seems to be present only in letter and not spirit. There is a provision of civil as well as criminal liability in the case of a breach.

Consent of data principal for storing and processing of personal data is mandatory. However, the Bill exempts government agencies from securing consent in the case of security, debt recovery and credit score. Apart from these, the consent will not be mandatory for reasonable purposes such as prevention and detection of any unlawful activity such as fraud, mergers and acquisitions, whistleblowing and operation of search engines.

That’s not all. The Bill empowers government departments to call upon the data fiduciary to provide anonymised personal or other non-personal data for better delivery of services. The clause appears to fly in the face of a comprehensive data protection law as it can easily lead to unlawful activities.

The consequences

The liberty for government agencies in seeking data as provided in the Bill will definitely pose a significant threat to Indians’ privacy. It also suppresses the apex court judgment in the Aadhaar case and the first draft submitted by Justice B N Srikrishna Committee.

It is clear that the Bill gives easy access to one’s privacy. Prima facie, the government is trying to control data flow so as to track down illegal activities by users. But the question here is: What about the threat as government agencies are exempted from the ambit of the law?

There are other fault lines, too. The Bill proposes that data should be processed in a fair and reasonable manner, but does not lay down guidelines for the same in a fair and reasonable manner. The government seems to have completely ignored this part and instead focussed on empowering itself.

It’s incumbent on the legislature to take a close hard look at the Bill and address these shortcomings in order to have an effective data protection.

Aurelia Menezes is partner (corporate) and Mohana Roy is associate (corporate) at King Stubb & Kasiva, Advocates and Attorneys. Views are personal.