India had introduced a personal data protection bill in December 2019 to protect the personal data of individuals and said it would set up a data protection authority to do the job.
At the time, some of the initial concerns around it–including an increase in the cost of doing business as well as a push back to a clause that empowered the government to ask a company to hand over its data, anonymised, to plan policies–were well publicised.
Soon after, the bill was referred to a joint parliamentary committee, with members from across the political spectrum, to analyse its proposals, and suggest any modifications based on the concerns raised by the different stakeholders, including government agencies, businesses, activists and data security experts, among others.
The committee, after many delays, tabled its report in parliament in mid-December with suggestions on how to tweak the bill, and already the battle lines have been drawn.
What is the biggest change the committee has proposed?
Among the 56 amendments suggested, probably the most significant change in the bill is a proposal to include non-personal data in addition to personal data, increasing the scope of the bill substantially, and as a result, changing its name to Data Protection Bill, 2021.
The bill lists out about half-a-dozen categories to define personal data including an individual’s name, mobile number, biometrics–anything that can identify a person. Any information beyond this which cannot identify an individual is treated as non-personal data.
In the technology-dependent world we live in, there is no shortage of non-personal data being generated every minute of every day, from the Google searches an individual makes to the directions on Google maps that a commuter pulls up to the number of users of an app in an area, or the number of people commuting between two destinations.
In other words, the government wants to treat non-personal data as a community resource that it can monetise in the form of licensing for the use of that data, similar to telecom spectrum, Waris adds.
What are some of the other areas of concern?
The committee has given the government broader powers to exempt its agencies from the rules on grounds as wide-ranging as national security, public order, sovereignty and integrity of India, and friendly relations with foreign states, among others.
The blanket exemption has taken “the punch away from the legislation,” says Waris, turning it into “a legislation directed at the private sector, making two parallel regimes”.
This also goes in the face of Indian citizens’ right to privacy, a fundamental right that came on the back of a 2016 ruling by the country’s top court, warns Waris.
The bill further adds that while companies have to inform the regulator of any data breaches, they are not compelled to share that information with the person whose data has been breached. Companies are loath to admit weaknesses in their system and can hardly be counted upon to volunteer that information. So “how is the user, whose data may have been leaked, supposed to fix that if [she] has no idea that happened,” says Waris calling the whole exercise “self-contradictory.”
The bill also targets social media platforms and suggests designating them as “publishers” instead of intermediaries. As a publisher, a platform will be accountable for all the content published on it and will be exempt from the safe harbour protections that intermediaries have under which they are not liable for the content put out by their users. The move can have a serious effect on free speech as it may encourage social media platforms like Facebook and Twitter to actively censor content to avoid legal trouble, experts warn.
Did they get anything right?
The amended bill has introduced a sunset clause under which the new rules will kick in two years after the bill is signed into law, giving companies sufficient time to prepare for the upcoming changes, a useful tweak from earlier when the rules were to apply immediately after getting assent.
The bill also says that data of minors–those under the age of 18–can be processed only in certain circumstances and with parental permission. Not all stakeholders are pleased with the committee keeping this rule, which is vastly different from the United States where parental consent is needed just for those under the age of 13.
Moreover, the fact that India, a data hub thanks to its information technology services sector and call centres, is finally planning a data protection bill is a big and important step. It will help the country get the stamp of being a ‘data secure’ nation from the European Union, reducing the compliance measures for Indian companies doing business in EU nations, Waris says.
What are the next steps?
The Data Protection Bill could be accepted as is or amended further by the Ministry of Electronics and Information Technology, which will eventually table it in parliament. It will need to be passed by both houses before it can become law. But given that the ruling Bharatiya Janata Party is in the majority in both houses, that’s not expected to be a problem. This even though some members of the opposition who were on the committee have issued so-called dissenting notes objecting to some parts or, in some cases, all of the bill.
That said, it’s only a matter of time before we see some legal challenges to the bill, and that will determine the final set of rules when they come into effect.