Column/ Personal Data Protection Bill, 2019 Na Vijayashankar

30 December 30, 2019

RIVACY has its boundaries.The Right to Privacy is fun-damental but not absolute.But often, even wise men getcarried away as is indicatedby the copious criticism be -

ing heaped on the Personal Data Pro -tection Bill, 2019 (PDPB-2019). “Pri -vacy” as a concept is a “state of mind”and a “feeling of being left alone”. Nei -ther the Supreme Court nor expertshave been able to define it precisely and it remains an enigma of its own.Trying to protect an enigmatic conceptthrough regulation of the “information”that in fluences the “mental state” is noteasy. Further, ensuring that the regula-tions satisfy every person who has a dif-ferent “state of mind” does pose animpossible challenge.

The conflict between the “privacy” ofone person and the “security” of anotheris eternal. A government needs to haveits hands free for “intelligence gather-ing”. This includes surveillance, withoutwhich the country and its people areunsafe. “Security” is, therefore, as mucha fundamental right as “privacy” andlegislation such as PDPB-2019 cannotbe seen myopically as if “privacy” is anabsolute right.

But rejecting the right of the govern-ment to maintain national securitythrough regulated invasion of privacywill disturb the mental peace of millionsof citizens who wouldn’t know if the

person standing next tothem is a terrorist. It isonly faith in security scree -ning that emboldens us totravel by air without a carethat the plane could gethijacked or bombed. Thisfeeling of “safety” is as im -portant for most citizensas “privacy”.

However, there hasbeen quite a bit of criticismof the Bill even from Jus -tice BN Srikrishna whoheaded the committee thatdrafted it. Parts of the Billwhich exempt governmentagencies from some or allprovisions are “dangerous”and can turn India into an“Orwellian State”, he said.“They have re moved thesafeguards. That is mostdangerous. The govern-ment can at any timeaccess private data or gov-ernment agency data ongrounds of sovereignty orpublic order. This has dan-gerous implications,”Justice Srikrishna report-edly said.

But it is necessary to ex -amine the draft Bill, recog-nising the presence of mul-tiple stakeholders such as

the individual, corporates, the govern-ment and law enforcement, all of whom have different perceptions of howthe data protection legislation shouldbe conceived.

In the past, there have been severalfailed attempts to pass a similar law andeach time, the conflict between privacyrights and national security has causedthe proposals to be aborted. Addition -ally, in recent days, the industry has de -veloped huge stakes in processing dataand harnessing value from it. Privacylegislation presents a huge hurdle tosuch business interests.

If the legislation ignores the needs of

An OrwellianState? There are concerns that the Bill is dangerous as it will givethe government access to citizens’ data. But is privacy asimportant as protecting a nation’s security?

P

| INDIA LEGAL | December 30, 2019 31

all stakeholders and takes into consider-ation only the views of “privacy acti -vists”, the country may not become an“Orwellian State” but is sure to becomea “chaotic state” where terrorism willrace ahead and business developmentmay significantly suffer.

But is the government becoming aBig Brother? According to Sec -tion 35 of the draft PDPB-2019,

the central government has retainedsome powers to exempt itself from all orany of the provisions of this Act. Section35 deals with the “Power of Central Gov -ernment to exempt any agency of Gov -

ern ment from application of Act”. Itsays: “Where the Central Governmentis satisfied that it is necessary orexpedient,—(i) in the interest of sovereignty and in -tegrity of India, the security of the State,friendly relations with foreign States,pub lic order; or(ii) for preventing incitement to thecommission of any cognizable offencerelating to sovereignty and integrity of India, the security of the State,friendly relations with foreign States,public order,

“It may, by order, for reasons to berecorded in writing, direct that all orany of the provisions of this Act shallnot apply to any agency of the Govern -ment in respect of processing of suchpersonal data, as may be specified in the order subject to such procedure,safeguards and oversight mechanism to be followed by the agency, as may be prescribed.”

It is this provision which is beingcriticised. It may, however, be observedthat the Section is drafted clearly toindicate that it is only when the govern-ment is satisfied that “it is necessary orexpedient” in the “interest of sovereigntyand integrity of India, security of thestate and friendly relations with foreignstates, public order or preventing incite-ment to the commission of any cogniz-able offence” that this provision can beinvoked. Even in such a case, there has

There has been amplecriticism of the Bill, even

from Justice BNSrikrishna, who headed

the committee thatdrafted it. He, reportedly,said that safeguards hadbeen removed which was

most dangerous.

Anthony Lawrence

32 December 30, 2019

Twitter: @indialegalmedia Website: www.indialegallive.com

Contact: editor@indialegallive.com

to be a direction in writing to a specificagency and this would always be avail-able for judicial review.

The reasons under which the provi-sion can be invoked omits “decency ormorality or in relation to contempt ofcourt, defamation” which are other rea-sons provided under Article 19(2) of theConstitution as reasons for which Fun -da mental Rights can be overridden. Thegovernment has, therefore, been res -trained in adding this contingent provi-sion and it must be treated as an “enab -ling provision” which has to be presentin the law if the government has to per-form its duty to protect citizens.

All privacy and data protectionprofessionals who hail anythingforeign may note that even EU

General Data Protection Regulation un -der Article 23 provides similar exemp-tions. What PDPB-2019 contains is,therefore, reasonable and in tune withthe government’s own obligations tosociety. We should stop nitpicking aboutwhether the safeguards on paper areadequate or not. Details about how thispower may be exercised would be in therules to be notified later and we need towait for it.

Another area of criticism is the DataProtection Authority (DPA) and whe -ther it would consist of people who areindependent and represent the stake-holders. According to Section 42 of the

proposed Act: “The Chairperson and theMembers of the Authority shall be per-sons of ability, integrity and standing,and shall have qualification and specia -lised knowledge and experience of, andnot less than ten years in the field ofdata protection, information technology,data management, data science, datasecurity, cyber and internet laws, publicadministration, national security orrelated subjects.”

The earlier draft had suggested thechief justice of India in the selectionpanel. This was omitted, giving rise toconcerns that the choice of chairmanand members could be motivated by thegovernment’s concerns or by the indus-try lobby. The earlier draft had also sug-gested maintenance of a “list of fiveexperts”. It is not clear if this was sup-posed to be an advisory group to guidethe DPA and has been omitted.

Industry people know that there isno government secretary who has 10years’ experience in the field of data pro-tection and is of less than 65 years ofage to qualify to be appointed to theDPA. Even in the private sector, thereare not many people with such experi-

ence who would take up the assignment.So there is a difficulty in the constitu-tion of the DPA.

It is hoped that the government willnot look to bring foreigners and NRIswho may have the necessary experiencebut no commitment to the data sover-eignty of India. We can keep our fingerscro ssed that the right people will befound at the right time for this onerousbut responsible position.

The draft also has some positive fea-tures which need to be recognised andhailed. One is Section 40 which suggeststhe creation of a “sandbox” so that start-ups can benefit by a limited time ex -emp tion from the obligations under theAct while they test innovative technolo-gies. Another provision is Section 37which recognises the need to exemptBPOs in India who only process person-al data of foreign citizens on the basis ofa contract with a foreign data controllerand provide for a suitable notification asmay be required. This was necessary forcompanies maintaining off-shore dataprocessing facilities who needed to com-ply with data protection laws of the res -pective countries and would have con-sidered the overlapping of PDPA juris-diction difficult to manage.

Further, retaining the innovative def-inition of the role of the “person who de -termines the means and purpose of per-sonal data” as the “data fiduciary” andthe subject as “data principal”, the creditgoes to Justice Srikrishna. Additionally,thinking of a role for “consent manager”could be another innovation which theindustry will welcome.

To take a balanced view, the Bill hastried to improve upon the earlier ver sionand while fears and concerns are inevi -table, they are not completely valid.

Column/ Personal Data Protection Bill, 2019/ Na Vijayashankar

Data Protection Authority and whether itwould have people who are independent

and represent the stakeholders is an areaof concern. One hopes the government

will not bring foreigners and NRIs.

CONTENTIOUS LEGISLATIONUnion minister Ravi Shankar Prasaddefending the Bill in Parliament this month

| INDIA LEGAL | December 30, 2019 33