A Bill which, if passed and made law, can have serious cascading effects on how India deals with data privacy has drawn criticism from a former Supreme Court judge who had a direct role to play in its initial draft.
The Personal Data Protection Bill, currently under scrutiny of a Joint Parliamentary Committee, has provisions that allow the State to have access to citizens’ personal data.
Justice (Retd) B N Srikrishna, a renowned jurist who chaired the expert committee that submitted a report and draft of the Personal Data Protection Bill to the government, said his “fundamental problem” with the current version of the Bill is whether “it is sufficient” for the State to have unfettered access to personal data of individuals in the name of security and sovereignty.
“If the State says, ‘In the interest of sovereignty of State I want to access all your personal data,’ is that sufficient? Is the law intended for that purpose?” Justice Srikrishna asked at a panel discussion on the Personal Data Protection Bill organised by Software Freedom Law Centre, India.
“This is nothing but giving a blank cheque to the State to say ‘You write whatever you want on that, signature is already there’,” Justice Srikrishna added.
Justice Srikrishna Committee had submitted the report and a draft legislation to Minister of Electronics & IT Ravi Shankar Prasad on 27 July 2018.
The Personal Data Protection Bill was introduced in Lok Sabha by Prasad on 11 December 2019. It was subsequently referred to a 30-member Joint Parliamentary Committee comprising both the Houses under the chairpersonship of BJP’s Meenakshi Lekhi.
While the draft Bill submitted by Justice Srikrishna Committee did not include non-personal data, the final version tabled in Parliament did.
‘Non-Personal Data’s Inclusion Surprising’
The discussion panel included Rama Vedashree, a member of the expert committee on data protection chaired by Justice Srikrishna. Both expressed concerns over specific provisions in the Bill, including the autonomy of the proposed Data Protection Authority and the inclusion of non-personal data.
Vedashree elaborated that the inclusion of non-personal data in the Bill “came as a big surprise” and “ultimately the Bill should operationalise the fundamental Right to Privacy. The current format of the Bill doesn’t not give that comfort to businesses or individuals.”
Vedashree iterated that the mandate provided to the Srikrishna Committee was very clear that the Bill would deal exclusively with personal data. “So, tweaking in the new provision that the government can request any data fiduciary for non-personal data is a big surprise and a big ambiguity that the industry will have to deal with,” she said.
Crucial Alterations for Government’s Benefit: Srikrishna
A major criticism of the Bill has been the conspicuous absence of surveillance reforms, an issue that remains unaddressed in the revised version tabled in Parliament.
Speaking on the issue, Justice Srikrishna said, “I was asked in a public forum and I said it leads to an Orwellian state where ‘Big Brother’ can snoop into anything that you do, look at everything that you do and take whatever you have in your pocket.”
“Are we heading for that? If the Bill goes through as it stands without sufficient safeguards, that is precisely where we are going to land,” he added.
Responding to a question from journalist Saikat Dutta, who moderated the discussion, on whether the Bill is a just a fig leaf for the government to do what it wants, Justice Srikrishna stated,
“Ultimately, whatever was crucial has been altered for the benefit of the government. According to a Sanskrit verse, ‘They tried to make an elephant but made a monkey of it.’”Justice (Retd) B N Srikrishna, Chairperson, Expert Committee on Data Protection
Autonomy of Data Protection Authority a Concern
Chapter IX of the Personal Data Protection Bill, as introduced in Lok Sabha, deals with the Data Protection Authority.
Rama Vedashree asked if the Data Protection Authority is empowered enough to act as an independent regulator. “Another big concern we have is the Data Protection Authority, which needs to be an independent regulator,” said Vedashree.
Stating that the Bill will impact the Right to Privacy of every citizen, and needs to be implemented and complied with every business, Vedashree asked if “the regulator is empowered enough, is it really a neutral ombudsman?”
Echoing her concerns, Srikrishna added, “Do you think he will be able to do it if he is just a nominee of the government? Even the Reserve Bank of India has not been able to do it, forget the DPA which is nominated by the government.”