* Any views expressed in this opinion piece are those of the author and not of Thomson Reuters Foundation.India's data protection bill is half-baked and needs urgent public scrutiny
India’s widely billed yet oft-criticized data protection law has been listed for introduction in the lower house of Parliament during the ongoing winter session.
For a while now, data has been openly available in India with no protection over its use or for its users, which will no longer be the case with the implementation of the Personal Data Protection Bill.
The new law is meant to create a framework, which will dictate the type and manner in which data is collected, processed and stored - who will collect it and what purposes it can be used for.
But while it was drafted with the aim of setting up a well-established and comprehensive legislative framework for data protection, it does not appear to have met global standards, which has resulted in a backlash from concerned groups including human rights organizations.
Since the draft was made public and feedback sought, there has been no access to the text, which as per numerous press reports, has undergone significant changes. Apart from the extant issues with the Bill, this has resulted in absolutely no transparency for concerned individuals to form an informed opinion, and also affects one’s ability to adequately hold power to account.
For the Bill to be effective and on par with data protection standards around the world, there are certain issues that need to be ironed out prior to its introduction as legislation.
Firstly, consent: while any agency that collects, stores or processes data is required to obtain an individual’s consent, exceptions provided by the Bill pose substantial problems. For example, it allows the Government to access and process data without consent for provision of welfare services/benefits, and for the issuing of licences, certificates or permits.
This essentially provides the Government with substantial control over an individual’s personal data in the guise of providing welfare services. It is important that such control of data without consent be extremely limited and applicable only in exceptional circumstances. In addition, consent is not required if the data is deemed necessary to further any functions of the state; however, there is no clarity on what these functions are or the rationale behind why an individual’s consent would be a hurdle in performing those functions.
Secondly, data localisation: the Bill necessitates that all data fiduciaries maintain a copy of personal/sensitive data in a server in India. While the Government can deem certain data to be critical - although it does not clarify what this might be - which would require that it be only stored in India, it can also exempt certain categories from this requirement.
This essentially would require foreign internet intermediaries to ensure the data they collect, or process is hosted in India. The intent is to provide ease of access to data for various purposes such as investigations, research, etc. But the concern is that this requirement would discourage foreign data fiduciaries from entering the Indian market and deprive Indian citizens of an assortment of otherwise accessible services. Such a requirement is also not a well-established standard in other jurisdictions.
Thirdly, surveillance: there is a pressing need for surveillance reform in India. This Bill highlights national security as an exception, but to ensure this exception isn’t relied upon for anything and everything, it is necessary that the Bill maintains the principle of proportionality so that this exception be applicable with the conditions laid down in the case of Puttaswamy v Union of India (2017), which upheld the right to privacy as a fundamental right protected by the constitution.
Finally, the authority: regulatory powers have been awarded to the Data Protection Authority (DPA) to enforce safeguards for the Bill. Ideally, this authority should have complete independence, but the Bill overindulges the Central Government; the Government’s complete control over the DPA’s composition has resulted in a lack of adequate representation, and the fact that any directives it may issue are considered final, leaves little room for recourse.
These are merely broader concerns around the Bill. Granular aspects such as the distinction in obligations between a data fiduciary and a data processor, the unquestioning acceptance of inferred consent, and even the limited right to access, amongst a plethora of other concerns surround this half-baked Bill.
It is therefore essential that the Bill be referred to the Parliamentary Standing Committee first, to ensure that it is reviewed and opened up to public consultation so that these and other concerns can be urgently addressed.
Joanne D’Cunha is associate counsel at the Internet Freedom Foundation, a digital rights group, in New Delhi.