Privacy is one of the most vital parts of an individual’s freedom, but with the growing globalisation in the age of the internet — which has become the focal point in people’s lives — privacy has somewhat been thrown into a grey area. To regulate citizens’ privacy online, Union IT minister Ravi Shankar Prasad introduced the Personal Data Protection Bill 2019 in the Lok Sabha on December 11, 2019.
India’s technology policy and data rules are primarily governed by the age-old Telegraph Act 1885 and the IT Act 2000 — both considerably repressive laws that gave immense power to the state over citizens’ privacy and data. According to the government, the Personal Data Protection (PDP) Bill 2019 aims to protect citizens’ privacy and create a relationship of trust between the agencies that are processing the data and the individuals whose data is being processed.
Since the flow of data on the internet can be traced back to the originator using the IP address, in the recent past, the government’s across the globe have been found misusing their power by putting regular citizens under the scanner in the name of national security.
Also read: Has China turned into a dystopian nightmare?
Personal Data Protection Bill extends the powers of the government
Justice Srikrishna Committee submitted the report and a draft bill to the union IT minister Ravi Shankar Prasad on July 27 2018. And after the government scrutinised it for one and a half years, the revised draft bill was introduced in Lok Sabha (Lower House of Parliament) on December 11 2019, which in a way asked the state to be given more power — in a way that the government owns the citizen’s data.
According to the bill, any ‘non-personal data’ of the citizens should be accessible to the government to allow them to formulate better-targeted policies. The bill also sought to give exemptions to government agencies on the grounds of national sovereignty and integrity — a loophole that is being actively abused by governments worldwide, transforming into surveilled states.
Under the bill that soon can become an Act, the Central Government has the power to exempt any agency of government or any other company incorporated outside the territory of India with which they have a contract for the processing of personal data of data principals from the application of this Act.
Under clause 35 of the bill, the central government can exempt any agency from the application of this Act in the interest of public order, the security of the state, sovereignty and integrity of India, and friendly relation with the foreign country.
The exemptions also apply to prevent any incitement to the commission of any cognisable offence, which means that any person the authority thinks or has a doubt that they can commit a cognisable offence then they can be arrested without a warrant.
The bill allows the transfer of personal data across the border and sensitive personal data if the data principal gives the explicit consent for such transfer, but the critical personal data can only be processed in India. There are no restrictions on transferring data outside India.
Immense potential for abuse of power by the state
There is no concern for sharing of anonymous data, but in the PDP bill, 2019 clause 91(2) states that the central government can direct any data fiduciary or any data processor to provide the anonymised data or non-personal data for better targeting of delivery of services or formulation of evidence-based policies by the government.
As Justice Srikrishna said in an interview with the ITech law conference, the inclusion of non-personal data in the PDP Bill is dangerous. The non-personal data needs a separate law.
A speaker said if private companies like Facebook collect data, it does not concern the citizens as much, but it is more concerning if the government collects the data because the state is the only actor who is sanctioned to commit violence and use the force of law which private actors can’t.
As mentioned in this bill, the central government shall establish an authority called the Data Protection Authority of India, which will be set to make the citizens aware of data protection and prevent any misuse of personal data. Under clause 42 of the bill, it is mentioned that the central government will appoint the members of the authority; this is a huge concern for everyone. The data protection authority should be an independent regulator, as pointed out by Rama Vedashree, CEO of the Data Security Council of India.
With the current Personal Data Protection bill, the government seems ardent on gaining more power and also control over the lives of its citizens with the power to intrude their privacy at will. However, one important question that arises out of such a situation is, who watches those who watch us?
Who watches the watchdogs?
The data protection law should be made to protect the citizens’ right to privacy, and surveillance on citizens directly infringes their right to privacy. Section 69(1) of the Information and Technology Act, 2000 gave central government and security agencies power to intercept, decrypt, and monitor any information.
The Personal Data Protection bill was supposed to be an opportunity to correct the existing laws and the provisions that are infringing the right to privacy of the citizens. Still, the government seems to be wanting to exempt itself from all obligations and access more power over the citizens.
In an event, Justice B.N. Srikrishna said that the government regularly collected the data for quite a few years. In a public forum, Srikrishna noted that if the bill is passed in its current state, it will lead us to an Orwellian state.
The Personal Data Protection Bill is under review by a joint parliamentary committee headed by BJP MP Meenakshi Lekhi, who has asked for an extension till the second week of the monsoon session of parliament to submit the report.