For a long time the bad news was the lack of a data protection Bill. Now the bad news is the likely data protection Bill itself, near at hand after a 30-strong Joint Parliamentary Committee (JPC), appointed to review a 2019 version, finalised its report.
The Bill expected to emerge has been dubbed Orwellian by dissident panel member Mahua Moitra of the Trinamool Congress (TMC), primarily because the majority in the JPC asserted the State’s right to access the data of any citizen, nearly at will, and with little or no protection or oversight. Two years ago, Justice Srikrishna — the man appointed to explore the subject in the first place — used the same term to describe a 2019 draft, purportedly based on his report.
The JPC’s final report is to be presented first to Parliament, after which a data protection Bill — dropping the word ‘personal’ — will be finalised. What we know now about the likely legislation primarily comes from dissent notes from JPC members, and unverified media reports. But it is enough to warrant serious concern. So much so, data liberalisation, rather than data protection, be a more apt name for the legislation.
The JPC reportedly made 170 amendments to the 2019 draft, and waded into uncharted territory, such as determining if social media platforms should be considered publishers and held to account, but made no substantive change.
A key objection from the panel’s dissidents is over Section 35, which can be used by the centre to exempt any government agency from provisions of the Bill. It is unprecedented for a stable, liberal democracy to give carte blanche to its government to harvest citizens’ data. Rishab Bailey, a tech policy researcher at the National Institute of Public Finance and Policy, suggests the clause can allow state electricity boards and likely the Life Insurance Corporation (LIC) of India unfettered access to personal data.
The second contentious provision is a reported cap of $2 million (Rs 15 crore) on fines on private entities for data or privacy breaches. In reality, the fines will be far lower. In contrast, Europe’s landmark General Data Protection Regulation (GDPR) has a cap of $20 million for individual incidents. In reality, the aggregate fines are a lot bigger. The record so far is a fine of $835 million on Amazon, imposed by Luxembourg.
Together, the key provisions of the Data Protection Bill mean that we have a Bill proposing free — and lawful — access to individuals’ data for government, and an easy ride for private entities, such as Facebook and Google, to freely access our data without fear of significant penalties. As experience suggests, Big Tech is so big that even small million-dollar fines have not stopped it from creating move privacy-busting algorithms, or ended its casual handling of personal data.
At least five members of the JPC — Congress MPs Jairam Ramesh and Manish Tewari, Moitra and Derek O’Brien of the TMC, and the ruling Biju Janata Dal MP Amar Patnaik — are believed to have written dissent notes. All primarily take issue with Section 35 and some with Section 12, both of which govern State’s access to personal data.
Ramesh’s key suggestion was parliamentary oversight of Section 35 exemptions that would allow government agencies to freely access citizens’ data. He agreed with the exemptions on grounds of “security of the state,” and “friendly ties with foreign states,” but objected to exemptions invoking “public order”. Overall, Ramesh recommended that the clause be “narrowly tailored to protect it from a constitutional challenge.”
Tewari, who is a lawyer, protested the creation of “two parallel universes — one for the private sector where it would apply with full rigour and one for government where it is riddled with exemptions”, and asserts that the “bill in its present form” would not “stand the test of 'vires' in a constitutional court of law.”
Typically, the JPCs transcend party affiliations. Even Ramesh acknowledged the “democratic manner” of its functioning and the patient hearing he received. But what we likely have after nearly two years of debate within the JPC is nearly the same flawed 2019 Bill. The stalemate suggests dogma has triumphed.
The ruling BJP’s concept of nationalism does not permit anything other than the primacy, and supremacy, of the State, and the subjugation of the individual. It also sharply differs from visions of individual privacy seen in liberal democracies. Regardless of how this debate plays out in Parliament, it is hard to see any more protection to personal data than exists today.
Bala Murali Krishna works for a New York-based startup. Views are personal and do not represent the stand of this publication.