At least five of the 30 members of the Joint Parliamentary Committee on Personal Data Protection (PDP) Bill are moving dissent notes.
Concern of the Members:
Clause 35, in the name of “sovereignty”, “friendly relations with foreign states”' and “security of the state” allows any agency under the Union Government exemption from all or any provisions of the law. It becomes an issue under the Peagus controversy recently.
design of the PDP 2019 Bill assumes that the Constitutional right to privacy arises only where operations and activities of private companies are concerned and it doesn’t concern violation by the government.
Importance of data:
Data usually refers to information about your messages, social media posts, online transactions, and browser searches.
It has become an important source of profits.
Companies, governments and political parties find it valuable because they can use it to find the most convincing ways to advertise online.
Much of the future’s economy and law enforcement will be predicated on the regulation of data, introducing issues of national sovereignty.
Handling of data:
Data is stored in a physical space similar to a file cabinet of documents and transported across country borders in underwater cables.
Data is collected and handled by entities called data fiduciaries.
While the fiduciary controls how and why data is processed, the processing itself may be done by a third party, the data processor.
The physical attributes of data — where data is stored, where it is sent, where it is turned into something useful — are called data flows.
Provisions of the bill:
The bill trifurcates personal data. The umbrella group is all personal data — data from which an individual can be identified.
Some types of personal data are considered sensitive personal data (SPD), which the Bill defines as financial, health, sexual orientation, biometric, genetic, transgender status, caste, religious belief and more.
Another is critical data, which is determined by government for national security purposes. It requires individual consent for data transfer abroad.
The bill still requires sensitive personal data to be stored only in India.
It can be processed abroad only under certain conditions including approval of a Data Protection Agency (DPA).
The final category of critical personal data must be stored and processed in India.
The bill mandates fiduciaries to give the government any non-personal data when demanded.
The bill also requires social media companies, which are deemed significant data fiduciaries based on factors such as volume and sensitivity of data as well as their turnover, to develop their own user verification mechanism.
The bill includes exemptions for processing data without an individual’s consent for “reasonable purposes” including security of the state, detection of any unlawful activity or fraud, whistleblowing, medical emergencies, credit scoring, operation of search engines and processing of publicly available data.
The Bill calls for the creation of an independent regulator DPA, which will oversee assessments and audits and definition making.
Each company will have a Data Protection Officer (DPO) who will liaison with the DPA for auditing, grievance redressal, recording maintenance and more.
It also grants individuals the right to data portability and the ability to access and transfer one’s own data.
It legislates on the right to be forgotten.
Merits of the Bill:
Data localisation can help law-enforcement agencies access data for investigations and enforcement.
As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties”.
Accessing data through this route is a cumbersome process.
Instances of cyber attacks and surveillance will be checked.
Recently, many WhatsApp accounts were hacked by an Israeli software called Pegasus.
Social media is being used to spread fake news, which has resulted in lynchings, national security threats, which can now be monitored, checked and prevented in time.
Data localisation will also increase the ability of the Indian government to tax Internet giants.
A strong data protection legislation will also help to enforce data sovereignty.
Concern related to bill:
The appointment of members to the DPA will not be made through an independent body but by a handful of people, mostly bureaucrats, selected by the government.
Civil society groups have criticized the open-ended exceptions given to the government in the Bill, allowing for surveillance.
There is a blanket power of exemption from all provisions of the law (including access to personal data without consent, citing national security, investigation and prosecution of any offence, public order) in favour of a government agency.
A new watchdog without teeth, with no functional autonomy, would mean governments are legally immune from charges of data-mining.
Justice (Rtd) BN Srikrishna, who headed the committee that formulated the original draft of the Bill, has reportedly called it “a piece of legislation that could turn India into an Orwellian state”.
Technology giants like Facebook and Google and their industry bodies, especially those with significant ties to the US, have slung heavy backlash.
Many are concerned with a fractured Internet where the domino effect of the protectionist policy will lead to other countries following suit.
Much of this sentiment harkens to the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows rather than nationalistic borders.
Allowing the government to force companies to transfer non-personal data raises serious intellectual property concerns, and can still threaten users even if they’re not individually identified.
Need for data localization:
Will help law-enforcement access data for investigations and enforcement.
Proponents highlight security against foreign attacks and surveillance, harkening notions of data sovereignty.
Many domestic-born technology companies, which store most of their data exclusively in India, support localisation.
Reliance Jio has strongly argued that data regulation for privacy and security will have little teeth without localisation, calling upon models in China and Russia.
Increase the ability of the Indian government to tax Internet giants.
Arguments against data localization:
Security and government access are not achieved by localisation. Even if the data is stored in the country, the encryption keys may still be out of reach of national agencies.
Many are concerned with a fractured Internet (or a “splinternet”), where the domino effect of protectionist policy will lead to other countries following suit.
It hampers to the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows rather than nationalistic borders.
Protectionism may backfire on India’s own young start-ups that are attempting global growth.