Policy advisory body CUTS International has demanded that the Personal Data Protection Bill be sent to the Standing Committee on IT and released for public comments and adequate checks and balances. It added that judicial oversight is also required to ensure that exceptions do not become a rule.
The Bill also empowers the government to direct any data fiduciary or processor to provide anonymized personal data or other non-personal data “to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government”.
There was no need to include non-personal data under the Bill. It is altogether a different issue and is currently being reviewed by an expert committee. The Bill should have refrained from commenting on non-personal data, Pradeep S. Mehta, Secretary General, CUTS International said.
The Bill became public even before its introduction in Parliament, after it was circulated to MPs to give them an insight into the Bill for discussion in the House once it is tabled.
“The Bill differs in several aspects from the draft prepared by Justice B.N. Srikrishna Committee in 2018. One of the differences has been a dilution of the mandate of data localization (DL) to the exception of sensitive personal data and critical personal data. In other words, mirror copies of personal data (which is neither sensitive nor critical) need not be stored in India. The move comes after many civil society organizations and other stakeholders voiced their views against strict DL,” he said.
“We highlighted that unreasonable restriction on cross border data flow could have adversely impacted consumer welfare and exports of digital services from India, and are happy that the provisions have been diluted,” he said.
Several new provisions have been incorporated in the Bill. For instance, the definition of personal data has been expanded to include online and offline data about a natural person, “or any combination of such features with any other information”, and to include any “inference drawn from such data for profiling”. However, “passwords” have been removed from the list of sensitive personal data, CUTS said.
On the issue of respondents' comfort in sharing data, the consumer advocacy firm said it had launched a survey, which found that different users perceive different information/data differently, and thus it was important to consider users’ perspectives while defining personal data and sensitive personal data.
“Unfortunately, passwords have been removed from the list of sensitive personal data, while the expansion of the definition of personal data is a welcome move,” noted Mehta.
According to the Bill, data fiduciaries may have to get their privacy-by-design policies certified by the Data Protection Authority. The Bill introduces the concept of a consent manager, which users can use to give or withdraw consent to the data fiduciary.
The Bill also provides for the creation of a sandbox for innovation in artificial intelligence and machine learning by the impending Data Protection Authority. It has also expanded the right to correction to include the right to erasure, once the data is no longer necessary for the purpose for which it was processed. These are forward-looking provisions, but it needs to be ensured that stakeholders, including data fiduciaries, do not need to incur unreasonable costs and are not unreasonably burdened.
A Regulatory Impact Assessment, comprising a cost-benefit analysis of different provisions of the Bill, is necessary. Social media intermediaries, classified as significant data fiduciaries, will now have to give account verification options to willing users, and such users will be given a visible mark of verification (such as blue ticks on Twitter and Facebook).
The Bill also provides that the selection committee that recommends members of the Data Protection Authority will be composed of government officials, instead of the members of the judiciary envisaged in the previous version.
“This is unfortunate, given the need to ensure the independence of the Data Protection Authority. The Bill, unfortunately, opens up the possibility of sinecures for retired bureaucrats, which is not a good sign,” Mehta said.
“Diluting data localization is welcome; however, many new provisions about social media intermediaries, non-personal data and government being given exceptions for data processing require scrutiny from the lens of privacy implications, and impact on relevant stakeholders. The government should not rush into passing the bill, or hush stakeholder voices,” he said. He even suggested that the Bill should be sent to the Parliamentary Standing Committee on Information Technology for further deliberation, and adequate time be given for inclusive public consultations on these issues, among others.
With these provisions, the Government now holds ultimate rights and powers to seek user data to help make policies, the Personal Data Protection Bill, which was circulated among the members on Tuesday, showed.
But the concerns are about the exemption given to government agencies.
The relevant section of the bill reads: “Nothing in this Act shall prevent the Central Government from framing of any policy for the digital economy, including measures for its growth, security, integrity, prevention of misuse, in so far as such policy does not govern personal data. The Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide any personal data anonymized or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.”
“Non-personal data” means the data other than personal data.
This may cause trouble for Facebook, Google, Amazon, Flipkart, Uber, and others who could be asked to share data for making policies by the government.
The bill will be introduced in Parliament in the current session, but won’t be passed as the session concludes on December 13. It will be referred for further review.
The Personal Data Protection Bill circulated to parliament members on Tuesday was eagerly awaited by top technology companies as it could affect the way they process, store and transfer Indian consumers’ data.
The bill’s latest version has a provision empowering the government to ask a company to provide anonymized personal data, as well as other non-personal data, to help target the delivery of government services or formulate policies.
The final Bill also seeks to have social media intermediaries, like Facebook and Twitter, allow Indian users to “voluntarily verify” their accounts in a manner that can be prescribed in the future.
This method of voluntary verification has not been laid out by the Bill. It only states that any user who voluntarily verifies his account “shall be provided with such demonstrable and visible mark of verification”.
The bill also said large social media platforms should be required to offer a mechanism for users to prove their identities and display a verification sign publicly, a move that would raise a host of technical issues for companies including Facebook, WhatsApp, and Chinese app TikTok.
“Sensitive personal data”, which includes financial and biometric data, could be transferred outside India for processing, but must be stored locally, the bill said.
The Bill draws its origins from the Justice B.N. Srikrishna Committee on data privacy, which produced a draft of legislation that was made public in 2018.