Personal Data Protection Bill, 2019 must be suitably amended in view of recent technological leaps

The Bill in its current form runs the risk of turning redundant even before becoming an enactment as a lot of technological advancement has taken place in the last two-three years

Representative Image (Photo Courtesy: Social Media)

Ashit Kumar Srivastava

It was in 2017 when the Supreme Court in KS Puttaswamy-I recognised the Right to Privacy as a part of fundamental rights. Further, it also realised that digital privacy is as important as spatial privacy.

Keeping this objective in mind, the Union government had appointed a Committee under the chairmanship of Justice B.N. Srikrishna for proposing skeletal legislation for filling a void in the discipline of data protection.

The Committee came up with its report and draft legislation in the form of the Personal Data Protection Bill, 2018.

It was a much-appreciated bill, mostly following the patterns of European Union’s General Data Protection Regulation (GDPR). However, there was criticism of the Bill for its blanket usage of the data-localisation provision. Apart from that, most of the Bill’s provisions were much inspired by the dignity jurisprudence of the GDPR.

In 2019, Parliament again revised the Bill and much deviation from the 2018 Bill was evident. The new Bill was denominated as PDP Bill, 2019.

The first deviation was the blanket provision of data localisation, which was substituted with partial data localisation. As per the 2019 Bill, only critical personal data needs to be localised within the country (however, there are exceptions to this; read Sections 33 and 34 of PDP Bill, 2019 for better understanding).

However, sensitive personal data can be transferred outside the country with some rider clauses (this is an obscure reflection of the Adequacy Mechanism of GDPR). Further, under Section 35, the government has the discretion to exempt an agency from the provisions of this Act, which it may do by written order.

There is no unequivocal stand that a Data Protection Law is of much necessity, especially for a country with around 290 million social media users, 340 million messaging-application users and around 400 million search engine users.

These data reflect a vulnerable state for Indian citizens whose personal data can easily be siphoned off to a foreign land and utilised for micro-targeting advertising.

After the 2016 U.S. elections, western countries seriously calculated the risk that social media and search engine websites pose for human dignity and have relentlessly worked in this discipline. The European Union created GDPR, while the US, though without a blanket Data Protection Law like GDPR, has sectoral laws to deal with matters of digital privacy. These include the U.S. Privacy Act, 1974, Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act and Children's Online Privacy Protection Act.


Therefore, India is undoubtedly on the right path. However, it is turning out to be a slow path, as it has been almost four years since the K.S. Puttaswamy-I judgment came and three years since the Srikrishna Committee came out.

This delay in the prospective Bill becoming an Act has impacted the digital privacy of millions of citizens, especially as foreign e-websites are not taking the existing data protection regime in India seriously.

This is especially so as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, are not adequate to handle the prowess of multinational corporations (something which even the Srikrishna Committee has accepted).

Therefore, a sound data protection regime is of much necessity. Interestingly, the Bill is still with the Standing Committee and is expected to be presented in the second part of Budget Session, 2021.

However, what is interesting to note is that the current PDP Bill runs the risk of turning redundant even before becoming an enactment as a lot of technological advancement has taken place.

With Blockchain gaining much space on the digital front, it has to be realised that the PDP Bill is a fiduciary-centric mechanism. This means it requires a third-party intermediary who will be held responsible for data manipulation.

However, blockchain technology is a peer-to-peer-centric mechanism, meaning there is no third-party intermediary. Thus, there would be no requirement of a PDP Bill for governing the Blockchain. With several forums turning into Blockchain, now there are Blockchain search engines and Blockchain social media websites.

The other issue which has recently cropped up in the absence of a sound data protection regime is WhatsApp’s change of terms of service and privacy policy. As per its updated privacy policy, the application has implicitly left two options to the user: either accept it or leave it.

Under this policy, it is stated that WhatsApp shares and receives information from other Facebook companies to help operate, provide, improve, understand, customise support and market their services and offerings.

However, this sudden change of privacy policy and its compulsive nature has raised legitimate fear in the minds of WhatsApp users across the globe that it can be utilised to micro-target them. Billionaire Elon Musk has even called out to people to shift to Signal (a messaging application). WhatsApp has maintained that the changes of privacy policy align with the Information Technology Act, 2000, and there is no privacy concern for private chats. Additionally, Facebook and WhatsApp are separate entities.

The Competition Commission of India (CCI) has taken suo-motu cognisance of this issue. It has claimed that Facebook would be a direct beneficiary of this updated policy and this would possibly lead to abuse of the dominant position by WhatsApp and Facebook. Invoking the Competition Act, the CCI has claimed that impediments in interoperability and the absence of any alternative will give WhatsApp a dominant position in the market.

It is time that requisite changes are made in the Data Protection Bill, 2019. Additionally, the technological leaps made in the last two to three years also need to be addressed knowing that they have the capacity of turning the law redundant.

(IPA Service)

Views are personal
