The Economist published an article back in 2017 titled, “The world’s most valuable resource is no longer oil, but data.” These days, the topic has provoked a great deal of discussion, and “Data is the new oil”, a remark made by British mathematician Clive Humby back in 2006, has now become a part of the common refrain. The dynamics of modern civil liberty has changed now. The world is moving into the Orwellian era, where every movement is being monitored, not bodily movements but the likes and dislikes of an individual. We are in an era of data-profiling, where unregulated spying on the contents of one’s social media will easily help anyone figure out one’s religious affiliation, ideological stances and even sexual orientation, something that is inherent to one’s identity and is cherished across the world as sensitive information.
In a historic ruling, India’s Supreme Court brought us into a club of progressive countries such as the US, Canada and the UK that expressly guarantee privacy as a fundamental right. The verdict included informational privacy as a vital facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well. The court pointed out to the Centre the need to examine and put in place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state.
However, in the wake of the recent hoopla surrounding the Citizenship (Amendment) Act-related protests, the developments concerning the Personal Data Protection Bill 2019 have flown under the radar. However, considering the effect that this Bill will have upon being enacted, it demands acute scrutiny. It was introduced in the Lok Sabha, and thereafter referred to a Joint Parliamentary Committee. The public can offer suggestions and comments on the Bill till February 12; this provides us with perhaps the last chance to voice our opinions before it is presented for voting.
The EU’s General Data Protection Regulation (GDPR) has served as the blueprint for the PDP Bill, with several provisions bearing striking similarity, particularly those granting rights to individuals and those levying penalties. The Bill is a part of the government’s larger agenda to leverage the personal data of individuals, as evident from the draft e-commerce policy, the Aadhaar Act, the data localisation mandate issued by the Reserve Bank of India (RBI), and the upcoming National Level Blockchain Framework.
The PDP Bill is undoubtedly a major step forward in ensuring that Indians gain more control over their data. However, there are certain provisions that can be modified to better suit this purpose. A provision in point is Section 25, which allows the Data Protection Authority, the designated regulatory body, the discretion of informing an individual of breach of his/her data. Such a provision should be done away with, and leaks, whether minor or major, should be directly intimated to the concerned individual.
Additionally, vast powers have been conferred on the Centre, by which it may exempt any governmental agency from processing data as per the requirement of this legislation. Some of the grounds under which the government can do so is for public order, and in the interest of integrity and sovereignty of India. These grounds are extremely subjective and afford unobstructed flexibility to the government in exempting agencies. It would do well to recall the US government agency NSA’s clandestine snooping activities, which were exposed in 2013. To prevent a repetition of the same in India, we need to check this power of exemption of the government. The government has also been bestowed with the power to issue binding directions to the Authority as it deems fit. This directly hampers the autonomy of the body and makes it subject to political whims. The grounds for issuance of directions are also couched in similarly vague terms, which is another eyebrow-raising feature.
An observation of various sectors such as banking and insurance illustrate that the concerned authorities namely, RBI and IRDA, have formulated rules and regulations concerning data protection in that particular sector. For a seamless and comprehensive data protection law, it is imperative that such powers must reside solely with the Data Protection Authority. Moreover, with the latter consisting of technological experts, it is only natural that the guidelines regarding data protection be formulated by them. Currently, the Bill makes no clear mention of such provisions, and the same can be added.
In spite of these lacunae, this Bill is a landmark legislation, and was long due, considering the inefficacy of the Information Technology Act, 2000. A few modifications can set it on the right track. Precise drafting of provisions and a people’s privacy-centric approach can help it become a stellar piece of law. If due care is taken, it will go down in Indian legislative history as one of its biggest successes, else as one of its biggest blunders. Meanwhile, we must sustain our efforts to ensure that real transformation takes place where right to privacy is endorsed, respected and promoted for all. (Ashirbad Nayak, final-year student at NLU Odisha, contributed to this article)
The government has been bestowed with the power to issue binding directions to the Data Protection Authority, the designated regulatory body, as it deems fit. This directly hampers the autonomy of the body and makes it subject to political whims. The grounds for issuance of directions are also couched
in similarly vague terms
( Yogesh Pratap Singh is a professor of Law & Registrar (I/C), National Law University Odisha and can be contacted at yogesh@nluo.ac.in )