Author: Siddharth Vishwakarma, III year of B.A.,LL.B. from National Law Institute University, Bhopal
It's been a year since the Indian government introduced the Personal Data Protection Bill, 2019, in Parliament, but there's still a lot of uncertainty about the final version of the legislation's enactment and implementation. The Indian data protection laws remain a legal quagmire, and the legislation seems to be mired in legislative process and formalities, with the law now in the final stages of parliamentary scrutiny - being reviewed by a Joint Parliamentary Committee. To make matters even more complicated, multiple government efforts to regulate data are running concurrently. Rather than fostering creativity and encouraging new companies, departments are gradually putting themselves in the position of becoming a disjointed jungle of overlapping regulatory initiatives. The Ministry of Electronics and Information Technology ("MEITY") established a Committee of Experts on Non-Personal Data ("NPD") recently issued a revised report recommending the implementation of legislation regulating NPD on December 16, 2020. In December 2020, a government member of the Joint Parliamentary Committee said that the Personal Data Protection Bill will not be passed in its current form, and that "the bill in itself is not something that is working....And that the committee is...going to redraw the bill."[1]
Background
Although the stated purpose of the Bill was to provide for the protection of individuals' personal data and to establish a Data Protection Authority to carry it out, numerous terms and concepts remain undefined, and recent regulatory initiatives introducing new sectoral policies/ draught regulations around different types of data and how it is handled have added to the confusion.
Individuals' constitutional right to privacy - the Bill's very intent - is, however, in danger of being jeopardized because the Bill gives the government unrestricted and expansive powers to exempt its agencies from the Bill's requirements in some circumstances. Furthermore, discretionary powers granted to the executive branch of government must be supplemented by clear and concise instructions for the executive to follow while exercising the power. The Bill ignores this fundamental concept, claiming that the protocol, protections, and monitoring mechanisms to be followed for surveillance are all outlined in rules created by the government.
The Bill lacks many necessary safeguards to protect the right to privacy and, more importantly, dilutes the right to privacy and increases State surveillance power without creating adequate checks and balances, which is a major concern because the proposed framework is unlikely to adequately protect privacy. This will almost certainly have catastrophic implications for the stated goal of preserving individual privacy and personal information. Perhaps it is precisely this lack of clarity of vision that policymakers require to resolve the competing interests of individuals' ability to exercise their right to privacy and the need for community data to facilitate bottom-up innovation, the private sector's ever-increasing appetite for personal data, and the State's function and surveillance agendas.
Also, anonymised data is characterized as information that has undergone a "irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified," according to Section 3(2). In this regard, it should be remembered that irreversible anonymisation is impractical, and the State's right to access anonymised personal data is an infringement of the right to privacy over personal data in the absence of clauses in the Bill prescribing requirements for anonymisation and penalties for violation.
While the current legislative effort may seem to be a ray of hope in India's dark tunnel of regulatory flux surrounding data security and privacy, it may be too little, too late. The government has already lost the lead in formulating and implementing the new legislation, and technical advancements have already altered the techno-legal environment.
In some ways, we can already see early signs of recognition of this fact, with the Committee of Experts on Non-Personal Data (Community Data) recommending the introduction of legislation governing NPD to be enforced by an NPD authority (NPDA) and laying down key principles to be incorporated in the NPD Legislation in its revised Report dated December 16, 2020, much to the consternation of civil society. By the time businesses find out how to reconfigure systems to comply with the new Indian Personal Data Protection legislation, another Data Legislation dealing with data and requiring compliance with an entirely different set of obligations would have already been enacted.
[1] https://theprint.in/india/data-protection-bill-wont-get-cleared-in-its-current-version-bjp-mp-rajeev-chandrasekhar/568003/