(Mains GS 3 : Challenges to internal security through communication networks, role of media and social networking sites in internal security challenges, basics of cyber security)
Context:
- The joint parliamentary committee (JPC) reviewing the proposed Personal Data Protection Bill (PDPB), 2019 finalised its report recently.
The background:
- It has been more than three years since a draft Bill on personal data protection was crafted by the Justice Srikrishna Committee of experts and submitted to the Ministry of Electronics and Information Technology in 2018.
- The Joint Parliamentary Committee (JPC) was set up in 2019 to take up the personal data protection bill after parliamentarians were divided over several provisions of the law meant to give a legal shape to the Right to Privacy after it was made a fundamental right by the Supreme Court in 2017.
Key suggestions:
- The draft suggests stricter compliance requirements for companies while adding or tweaking clauses that provide for lighter obligations on government agencies.
- Draft also recommends that State have greater say in the legal mechanism that will be set up to safeguard personal and non-personal data.
- Companies will need to report a data breach within 72 hours, mandatorily disclose if information relating to a data principal (person or entity that owns the data) is passed on to someone else, and appoint senior management personnel as data protection officers who will ultimately be held responsible for lapses or violations.
- The rule about mandatory disclosure of third party sharing to the data principal need not be made in case it is for State functions (such as for offering benefits, or maintaining law and order) or to comply with a court order.
- Government departments will also be allowed to carry out an in-house inquiry to fix responsibility in the event of a leak.
The dissent notes:
- The draft falls short of the standards set by the Justice Srikrishna Committee to build a legal framework based on the landmark judgment, Justice K.S. Puttaswamy vs Union of India, on privacy.
- The key divergences from the Justice Srikrishna Committee’s draft Bill are in the selection of the chairperson and members of the Data Protection Authority (DPA) which shall protect the interests of data principals and the leeway provided to the Union government to exempt its agencies from the application of the Act.
- While the 2018 draft Bill allowed for judicial oversight, the 2019 Bill relies entirely on members of the executive government in the selection process for the DPA.
- As JPC member from the Rajya Sabha, Jairam Ramesh points out to the dangers of exemption on the grounds of “public order” as it is susceptible to misuse and not limited to “security of the state” which is recognised by other data regulations such as Europe’s General Data Protection Regulation as a viable reason for exemption.
Acquiring informed consent:
- The 2018 Bill allowed for exemptions to be granted to state institutions from acquiring informed consent from data principals or to process data in the case of matters relating only to the “security of the state”.
- It also called for a law to provide for “parliamentary oversight and judicial approval of non-consensual access to personal data”.
- The 2019 Bill adds “public order” as a reason to exempt an agency of the Government from the Act, besides only providing for those reasons to be recorded in writing.
Set principles:
- In October 2021, the Global Privacy Assembly, featuring Privacy Commissioners from over 19 countries including those from the European Union, Japan and the U.K., came up with a clear resolution on principles for government access to personal data.
- In its resolution, the Assembly asked for a set of principles on legal basis, the need for clear and precise rules, proportionality and transparency, data subject rights, independent oversight, and effective remedies and redress to the individuals affected.
Conclusion:
- The JPC’s adoption of the draft Bill has fallen short of standards protecting privacy rights of individuals against blanket misuse by the state.
- Thus, the Parliament needs to tighten the provisions further and bring them in conformance with the 2018 Bill.