Last week, the Union government withdrew the Personal Data Protection Bill 2019, which has been in the woods for five years. The Bill had undergone intense scrutiny by a Joint Parliamentary Committee (JPC) that proposed 81 amendments and 12 recommendations to the Bill. After the withdrawal of the Bill, Telecom Minister Ashwini Vaishnaw promised a new comprehensive Bill for public consultation.
Supreme Court judge Justice BN Srikrishna headed the committee that prepared the first draft of the Personal Data Protection Bill in 2018. In an interview to Preetha Nair, he says the way forward is to have a general law enacted by Parliament strictly laying down the objectives for abridging the fundamental right of privacy laid down in the Puttaswamy judgment.
Excerpts:
Do you welcome the withdrawal of the Personal Data Protection Bill 2019? If so, what were your concerns about the Bill?
Yes, it is welcomed. I have already publicly criticized the 2019 Bill and its JPVC modification as going against the law laid down in Puttaswamy judgment and that we would become an Orwellian State with Big Brother snooping on us freely. It would have been likely declared unconstitutional as infringing the Fundamental Right to Privacy under Article 21.
You have pointed out that the Bill diverged from your draft bill 2018. How much has the 2019 Bill changed from your committee recommendations?
It is like chalk and cheese. It is a basic tenet of the Constitutional law that there can be no abridgement of a fundamental right except by a valid Act of legislature. The 2019 Bill allowed that to happen by a mere self-serving declaration of the executive.
There has been strong criticism over exempting government agencies from the Act on the grounds of ‘public order.’ The criticism was fully justified. There must be some guidelines indicated by a parliamentary enactment as to its content or else our personal data will be acquired by the mere ipse dixit of a vague declaration by the interested executive.
The doctrine of proportionality also requires that there must be justification for acquiring personal data without the consent of the data principal and that there was no better way of meeting the objective to be declared by the legislature for doing so. The principle is that one does not swat a fly by using a sledgehammer.
Big tech companies have opposed the Bill for its provision of ‘mandatory data localization’. What is your view?
This fear was exaggerated. If there is a constitutionally valid legislation that authorizes the executive to acquire personal data for a valid reason and if that data is sitting on a server out of the country, the local manager would throw up his hands, as it would be beyond his reach. However, to urgently validate the reason for collecting the required data, the government would have to deal with the foreign government by reaching out under the tardy process of Mutual Legal Assistance Treaty, which usually takes about two years to produce results. As a compromise, the committee recommended that even if all such data was held abroad, a live copy should be maintained within India so that urgent access to such required data, when needed, can be had within India. The lobbying against it was powerful enough for the government to buckle down.
A lot of effort went into extensive public consultations for the 2018 draft. How imperative is it to have consultation?
The law is intended to be people-centric and for their benefit. Parliament in theory intends to debate the pros and cons of all laws before passing them, after taking into consideration all views against the Bill. Since Parliament has no time for such meticulous details, a special committee was formed to go into all consultations with stakeholders. That should be a must whenever such new legislation is intended to be passed by Parliament.
Are you satisfied with JPC recommendations?
Not at all. If the 2019 Bill were to be passed, even with the 84 amendments suggested by the JPC, the basic flaws would remain. Further, the Data Protection Authority would be a captive of the government instead of being an independent body comprising experts and professionals.
You have also objected to the JPC recommendation of having a single law for personal and non-personal datasets. How damaging will it be for privacy concerns?
It would be damaging both ways. First, it is only personal data privacy that is declared to be a fundamental right. No such sanctity is attached to Non-Personal Data (NPD). While the JPC recommendation did not improve upon the protection of personal data privacy rights, it made the situation complex by introducing the NPD.
IT Minister Aswini Vaishnaw has promised a new draft in tune with principles of privacy. How would you envisage the new Bill?
The best way forward is to have a general law enacted by Parliament strictly laying down the objectives for abridging the fundamental right of privacy by following the triple Constitutional parameters laid down in the Puttaswamy judgement. It is an exercise of balancing three interests. First, fundamental rights of the people; second, the requirements of national security and finally the needs of trade and business so as to improve the economy. In my view, primary importance should be given to the first, then the second and then the third objective. That is the least that can be done in a country wedded to the principle of social justice.