Data Bill gives dangerous power… Orwellian, says author of first draft

After a public consultation process, a committee led by the former judge released the first draft of what is commonly called the “privacy Bill” in July 2018. The Bill is the country’s first attempt to protect individual rights by regulating the collection, movement and processing of data that is personal, or which can identify the individual.

Justice Srikrishna’s draft required entities to store a copy of all personal data, even non-sensitive and non-critical data, in India. The new version of the Bill, reworked by the Information Technology Ministry, removed the mirroring requirement of personal data and allowed sensitive data to be stored abroad with government approval. Big technology companies have been critical of several requirements laid out in both versions of the Bill so far.

Explained: Data, their types, and other terms described in India’s PDP Bill

The personal data mirroring requirement, Srikrishna wrote in the note, “was with the objective that, if there be necessity for accessing such data at short notice, it would be impossible to follow the MLAT process to get it as that would take at least 18/24 months”.

Justice Srikrishna’s draft required entities to store a copy of all personal data, even non-sensitive and non-critical data, in India. (Express file photo)

The Mutual Legal Assistance Treaty (MLAT) is the extensive process that Indian authorities have to follow in order to receive information from an American company for law enforcement purposes. Even American industry associations have recognised the need to adapt the mechanism for the speed of digital technologies. However, critics of the Bill argue that storing the data within the country’s borders does not necessarily enable increased access to data.

In addition to leniency given to foreign companies, Justice Srikrishna also said that the “Government can always dominate the Data Protection Authority’’, and exemptions made for government surveillance have “sinister implications”.

Opinion | Personal Data Protection Bill strikes a discordant note on ‘non-personal data’

The new Bill shifts many powers from the Data Protection Authority to the central government, such as determining the definition of sensitive personal data. It also removes the original draft’s independent committee that appoints DPA members, giving government officers appointment powers instead.

In addressing the clause giving the government the power to direct any entity to provide all their non-personal data, Justice Srikrishna calls it “a dangerous trend”.

Justice Srikrishna also said that the “Government can always dominate the Data Protection Authority’’, and exemptions made for government surveillance have “sinister implications”. (Express file photo)

“This vague and generalized declaration will provide a carte blanche to access non-personal data from citizens and business entities,” he said.

Also read | Experts say Personal Data protection Bill 2019 strong, but call social media verification ‘disastrous’

He also took issue with the government’s power in notifying social media intermediaries as “signified data fiduciaries” who have more stringent obligations under the law. As he has previously said publicly, he said the “vague” exceptions given for government surveillance are a violation of the right to privacy and the potential introduction of an “Orwellian State”.

Opinion | Don’t rush into bad law: Giving India the data protection law it deserves

The Bill, cleared by the Cabinet on December 4, 2019, was referred to a 30-member committee set up for the specific purpose of deliberating on it on December 12, 2019. The committee has met twice so far and is currently collecting public comments.