Control rather than Privacy

News: The Puttaswamy judgment and the Justice B.N. Srikrishna committee report led to the introduction of the Personal Data Protection Bill of 2019. 

The bill was sent to a joint parliamentary committee for further scrutiny, which has now submitted its report.  

Although there are some concerns regarding the same. 

What are the concerns regarding the joint committee report on personal data protection bill? 

Greater compliance burden on private sector: Report has divided the digital world into two domains — government and private, and puts a greater burden on private sector to comply with the privacy norms while almost exempting the state from the same. 

– Clause 35 exempts government agencies from the entire Act itself. Clause 12 states that personal data can be processed without consent for the performance of any function of the state. The issue is that this is an umbrella clause that does not specify which ministries or departments will be covered. 

In one of the clause of the bill, it states that, “harm includes any observation or surveillance that is not reasonably expected by the data principal”. This means if that someone faced a data breach situation as a consequence of their own action of say suppose installing an app or a software then the privacy clause will not apply there. This clause can be used against the data principals. 

Data protection authority: The act also talks about a Data protection authority (DPA). The conditions of appointment of the DPA also raise concerns. 

Although the Justice Srikrishna committee report provided for a judicial overlook in the appointments of the DPA, the  bill approved by the committee rests the  power to appoint the panelists vests with the Central government. 

Clause 86 bounds the authority to follow the directions of the Central Government under all cases, and not just on questions of policy. 

Also, appointment of the authority violates the principle of federalism. Because the issue involves internal data flow and the States are key stakeholders in the process. Apart from this ‘public order’ is an entry in the State List (which can be one of the reasons on which directions to allow processing of data can be issued), this makes involving states also important. 

Non-personal data: The committee has included the non-personal data within the ambit of the Bill. 

This will put a lot of burden on the MSME sector and small businesses, as technical processes involving data-sharing are very expensive.  

Government-constituted panel headed by S. Gopalkrishnan also opposed the idea of including non-personal data in the Bill as Mandatory data localisation will according to some estimates squeeze the economy by 0.7-1.7%.  

Source: This post is based on the article “Control rather than Privacy” published in The Hindu on 10th Jan 2022 

Print Friendly and PDF