12 Dec 2019
Know Your Bill: What is the Personal Data Protection Bill?
The Bill, that is a subject of debate, seeks to allow the processing of personal data without the consent of the owner for "reasonable purposes."
Here's what the Bill is about.
First, we must understand how the Bill defines data
The Bill classifies data into three broad categories: personal, sensitive personal, and critical personal.
'Personal data' is defined as data- any characteristic, trait, attribute or feature- that can help identify a person.
'Sensitive personal data' includes information pertaining to finances, biometric, health, caste/tribe, sex life, sexual orientation, transgender/intersex status, etc.
Personal data is defined as 'critical' as and when the Centre pleases.
What is the Personal Data Protection Bill supposed to be?
The Bill restricts the storing/processing of personal data by entities without the explicit consent of an individual. However, there are no restrictions on where it is stored/processed.
It states that 'sensitive data' can be transferred outside India (with explicit consent), but it must be locally stored in India.
Critical data, on the other hand, may only be processed and stored in India.
So, what are the issues with the Bill?
The problems with the Bill start with the exceptions listed within, which allow the Centre to bypass the aforementioned restrictions.
The Bill empowers the Centre to allow the processing of personal data without an individual's consent for "reasonable purposes," including prevention of unlawful activities, whistle-blowing, debt recovery, etc.
The Centre is also allowed to exempt any government agency from the application of the Bill.
Critical data may be transferred abroad on certain conditions
Further, according to the proposed legislation, the Centre may allow the transfer of critical personal data outside India in case of health services or emergency services where "such transfer is necessary for prompt action."
Centre may ask companies to produce anonymized data
Under the proposed legislation, the government shall establish an authority called the Data Protection Authority of India.
In consultation with the authority, the Centre may ask a company for any personal data anonymized or other non-personal data (data that is not classified under 'personal data').
This can be done "to enable better targeting of delivery of services or formulation of evidence-based policies."
Privacy Bill also mentions voluntary social media verification
The Bill also enlists a method for large social media platforms to voluntarily verify their accounts by submitting government IDs. This is largely viewed as a means to keep social media trolling in check by decreasing the anonymity of users.
However, some claim this can enable profiling and targeting of users, as reports suggest users who do not get verified will be reported.
For companies, even non-personal data is wealth, argues expert
Now, Khaitan & Co. partner Supratim Chakraborty, who specializes in data privacy, said, "For companies, even non-personal data is wealth and such a legal provision is likely to cause panic at big technology companies."
However, a government official argued that such data is "also wealth for the society"—e.g. Uber helping improve public transport constraints—adding that subsequent rules will clarify on payment for such data.
Privacy Bill violates Right to Privacy, claims Opposition
The Opposition has also raised the concern that the Bill violates the Right to Privacy.
In a milestone verdict in 2017, a nine-judge Supreme Court bench held that an individual's privacy is a fundamental right.
Mozilla Corporation's Policy Advisor also deemed the Bill a "significant threat to Indians' privacy."
Cyber Security Leader at EY India, Jaspreet Singh, cautioned the Bill is a "double-edged sword."