It's been a year since the Indian Government introduced the Personal Data Protection Bill, 2019 in the Parliament, however there is still much confusion as to the actual enactment and implementation of the final version of the legislation. The Indian rules surrounding data protection are still a legal quagmire and the law seems to be still stuck in Parliamentary procedure and formalities currently said to be in final stages of parliamentary review -being examined by a Joint Parliamentary Committee. To complicate matters further, various parallel initiatives towards data regulation by different Govt. Departments increasingly create a possibility of growing into a disparate jungle of conflicting regulatory initiatives rather than promoting innovation and facilitating new businesses. Most recently on 16 December 2020, the Ministry of Electronics and Information Technology ("MEITY") constituted Committee of Experts on Non-Personal Data ("NPD") released its revised report recommending the introduction of legislation governing NPD. Earlier in December 2020, a member of the Joint Parliamentary Committee representing the government went on record to claim that the Personal Data Protection Bill would not be passed in the current form and that "the bill in itself is not something that is working. ....And that the committee is ...going to redraw the bill".1
While the stated object of the Bill was to provide for protection of personal data of individuals, and establish a Data Protection Authority to implement the same, however with numerous terms and concepts still left undefined and to complicate matters further recent regulatory initiatives introducing new sectoral policies/ draft regulations around different types of data and how it is handled, processed and protected put in the public domain by different Government departments create more confusion and unnecessary complications than facilitating the ease of doing business in India.
However, individual's fundamental right to privacy - the very purpose of the Bill stands a high chance of being jeopardized with the Bill providing the government with unregulated and broad powers to exempt its agencies from the provisions of the Bill for certain circumstances. Besides, discretionary powers to the executive branch of the government must be accompanied by clear and specific guidelines for the executive to exercise the power. This cardinal rule is ignored by the Bill where in the procedure, safeguards and oversight mechanism to be followed for surveillance the same is said to be prescribed in the rules made by the Government itself.
Furthermore, as per Section 3(2), anonymised data is defined as data that has undergone an "irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified". In this regard, it may be noted that irreversible anonymisation is impossible, and in the absence of provisions in the Bill prescribing standards for anonymisation and penalties for breach; the State's right to access anonymised personal data is an invasion of right to privacy over personal data.
The Bill lacks many necessary safeguards that are needed to protect the right to privacy and also significantly, dilutes right to privacy and increases State power to surveillance without creating adequate checks and balances and this is a big concern since the proposed framework is unlikely to protect privacy adequately. This is likely to have disastrous consequences for the stated objective of protecting individual's personal information and privacy. It is perhaps this lack of clarity of vision that is much need to enable policymakers in resolving the competing interests of the ability of individuals to exercise their right to privacy and the need for community data to facilitate bottom-up innovation, the private sector's ever increasing appetite for personal data, and the State's function and surveillance agendas.
While the present legislative endeavor may be perceived as light at the end of a dark tunnel of regulatory flux concerning data protection and privacy in India, however it may be too little coming too late. Already the Government has taken so much time to formulate and implement the proposed legislation that it has lost the initiative and technological developments have already changed the techno-legal landscape.
In a sense we can already see the early signs acknowledging this fact with Committee of Experts on Non-Personal Data (Community Data) recommending the introduction of legislation governing NPD to be enforced by an NPD authority (NPDA) and lays down key principles to be incorporated in the NPD Legislation in its revised Report dated 16th of December 2020, to much bewilderment of the civil society and the industry at large. By the time companies will figure out ways to reconfigure systems to be compliant with the proposed Indian Personal Data Protection legislation and there would already be in place another Data Legislation that dealing with Data and requiring compliance with a completely different set of obligations.
The exact text and copy of the report can be downloaded from here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.