Parliament must tighten the framework, and move quickly to usher in a data protection architecture in India.

On Monday, after almost two years of deliberation and scrutiny, the Joint Committee of Parliament on the Personal Data Protection Bill, 2019 has finalised its recommendations, likely to be tabled in the upcoming winter session of Parliament. The Bill seeks to usher in a data governance architecture in India that fills an existing void in the institutional framework. It seeks to put in place safeguards to protect personal data, ensure privacy, and bring about transparency and accountability in data management. However, several members of Parliament from political parties such as the Congress, Trinamool Congress and the BJD have submitted dissent notes, objecting to specific provisions. These concerns, as well as the recommendations by the committee, need to be thoroughly examined.

Of particular concern are Sections 35 and 12 of the draft legislation. Under Section 35, the Centre can exempt from the application of all provisions of the Act any agency of the government when it is deemed to be in national and public interest. Equally concerning is Section 12(a)(i) which creates the space to exempt the government from provisions of consent, allowing it to collect personal data without individual approval. The Opposition members have argued, rightly so, against the provision of blanket exemptions, more so without the creation of an oversight mechanism. As some have suggested, seeking parliamentary approval may be a more prudent approach. At the very least, considering the far-reaching ramifications of such sweeping exemptions, these provisions need to be scrutinised in greater detail. Adequate safeguards must be put in place to protect the right to privacy, and prevent the misuse of personal information.

In its recommendations, the committee has favoured widening the ambit of the personal data protection bill, bringing in non-personal data under its scope. While privacy concerns revolve around personal data, if data is non-personal, and anonymised, then should a similar regulatory architecture be adopted for non-personal data as well? Further, while the committee also favours bringing in data collection by electronic hardware under this law, why should a specific distinction be drawn between hardware and software? Then there are suggestions for bringing all social media intermediaries under the ambit by redesignating them as social media platforms. While the committee has suggested all social media platforms (which do not act as intermediaries) be treated as publishers, what about provisions under the IT Rules? According to reports, there also seems to be a concerted push towards data localisation, though whether or not it will be implemented in a graded manner, depending on the sensitivity of data, is unclear. Parliament must scrutinise these matters in greater detail, tighten the framework, and move quickly to usher in a data protection architecture in India.

This editorial first appeared in the print edition on November 24, 2021 under the title ‘Terms of privacy’.

Source: Read Full Article