PDPB 2019 (Personal Data Protection Bill 2019) had been in its draft stage since December 2019. In the last two years, the JPC held an incredible 78 meetings, of which the first 66 were chaired by Mrs Meenakshi Lekhi, who was subsequently promoted as a Minister, and the rest by Shri PP Choudhary, who took over as the next chairman.
At the end of this exercise, a new version of PDPB now titled Data Protection Bill 2021 (DPB 2021) emerged and is now before the Parliament.
When the legislative history of PDPB 2021 is written, it is necessary to understand how the exercise unfolded: it started with the suggestion in the Supreme Court judgement in the Justice Puttaswamy case, which led the Government to form the Justice Srikrishna Committee, which came up with PDPB 2018; that became PDPB 2019 with the incorporation of public comments, and it has now taken the new avatar of DPB 2021.
It is the privilege of the Parliamentarians to draft the law in whatever manner they think fit, and we in the industry have to accept it and move forward. In professional circles, we can continue to debate what improvements could have been made and what mistakes could have been avoided, but for a Bill which has taken so long to see the light of day, it would be cruel to delay its adoption further by raising demands for more corrections.
The exercise for an exclusive Personal Data Protection Bill first started with the Personal Data Protection Bill 2006 (see a copy of the Bill here).
This means that after ITA 2000 was introduced on 17th October 2000, containing Section 43 which imposed penalties for the failure of an organization to protect data (both personal and non-personal), the first attempt at an exclusive personal data protection law was initiated with PDPB 2006. It has now taken 15 years for PDPB 2006 to evolve into DPB 2021. During this long gestation, it was evident that business did not want the shackles of the law, and any provision on “Surveillance” which the Government wanted included in the Bill came to be criticised as an undemocratic move and faced the opposition of the habitual naysayers and genuine privacy activists acting together.
As a result the Personal Data Legislation remained in the background.
Since the nudge from the Supreme Court in 2017, it has taken 4 more years to reach the current state, and during this time there has been a consistent stream of suggested changes, one after the other, to the extent that no consensus could be reached and the adoption of the Bill was delayed at each stage.
Even with the current version which will be before the Parliament, 7 of the 30 members of the JPC have submitted dissent notes, and the tech industry has already announced that it will challenge the law in the Supreme Court once it becomes law.
Even if the Act allows 2 years for implementation, it is likely that most of the industry will use that time to wait for the Supreme Court to decide the challenge and continue to drift in implementing the law. The Government would have its own trademark “Respect” for the “Pending Supreme Court Verdict” and perhaps focus more on other pressing matters rather than getting the law cleared in the Supreme Court.
It is therefore a time of uncertainty ahead of us on the implementation schedule of the law. It is unfortunate that even Pakistan and China can now boast of “Personal Data Protection Laws” similar to GDPR or CCPA or Singapore PDPA 2012 while India is still unable to get the legislation through.
The undersigned, however, has consistently advocated that personal data protection is already embedded in the Information Technology Act 2000, particularly after the amendments of 2008 which introduced Sections 43A and 72A.
Industries may ignore it, but the law is clear that penalties can be imposed by the Adjudicators under ITA 2000 for not protecting sensitive personal data under Section 43A or 72A. ITA 2000/8 compliance is therefore the current “GDPR of India”.
When PDPB 2018/2019 was drafted, the legislative intent was clear that the new Bill will replace Section 43A of the ITA 2000/8 and therefore the current Personal Data Protection under ITA 2000/8 would transform into 98 sections of PDPB.
ITA 2000/8 was a single law which addressed the misuse of both personal and non-personal data, and it was expected to continue its role as the “Non Personal Data Protection Law” even after PDPB was enacted. However, the intervention of the Kris Gopalakrishnan Committee in between, suggesting a “Non Personal Data Governance Act” (NPDGA), has confused the legislators to such an extent that the idea of merging the proposed PDPB 2019 with the future NPDGA into one law and renaming PDPB 2019 as the Data Protection Bill 2021 (DPB 2021) has gained acceptance.
Whether this was a wise move or not, only time will tell. But the Supreme Court may feel that “we wanted you to bring in a Personal Data Protection law to protect Privacy, but you are ending up designing a Cyber Security law by combining Personal Data Protection and Non Personal Data Protection into one law, and also perhaps introducing Non Personal Data Governance through administrative guidelines from the Data Protection Authority in the coming days.”
As a result, the focus expected of a law to protect Privacy may get diluted when the DPA tries to take over the work of the Director General of CERT IN and starts taking up Cyber Security issues instead of focusing entirely on Personal Data protection issues.
Consequent to this change in the legislative intent behind DPB 2021, Section 1 (Name Clause) has been modified. More importantly, Section 2 on “Applicability” has also been modified.
In Section 2 the following amendments have been made:
| Current PDPB 2019 | Proposed PDPB 2021 |
|---|---|
| The Provisions of this Act shall apply to the processing of personal data by the State, any Indian company, any citizen of India or any person or body of persons incorporated or created under Indian law; [Section 2(A)(b)] | The Provisions of this Act shall apply to the processing of personal data by any person under Indian law [Section 2(b)] |
| shall not apply to the processing of anonymised data, other than the anonymised data referred to in section 91. [Section 2(B)] | the processing of non personal data including anonymised personal data. [Section 2(d)] |
Anonymised data by definition means data in such a form that the Data Principal cannot be identified, as per the standards of anonymisation prescribed by the Authority. Unless, therefore, the Authority falters in fixing the anonymisation standard, “Anonymised personal data” has no relevance to the “Privacy Protection” required under the Constitution and the Supreme Court judgement.
The JPC has, however, accepted the idea that “Anonymisation” can be broken by the use of certain techniques and has therefore brought it within the legislation for personal data.
However, it is necessary for us to remember that even “Encryption” and “Digital Signature”, which have special status in law, can be broken by hackers. If the “Anonymisation Standard” is defective, the problem is like having a low level of encryption and then finding fault with the concessions given to encrypted data or digital signatures once they are breached.
Treating “Anonymised Data” as requiring regulation under Personal Data protection is like treating all “Encrypted Data” as “Unencrypted” data and all “Digitally signed documents” as unsigned.
Hence the inclusion of the words “including anonymised personal data” in Section 2(d) is unimaginative.
We can argue that even if Section 2(d) says DPB 2021 is applicable to Anonymised Personal Data, we should consider this important only if there are other provisions in the law about “Anonymised Personal Data”; otherwise we can forget it.
However, this has opened the possibility that an imaginative DPA can place regulations on “Anonymised Personal Data” which may create issues for the Big Data Industry or the Data Science field.
In case the regulation is only that “Consent” should be obtained for “Anonymisation”, it is not difficult to implement it.
But blocking “Anonymisation” as a right of the Data Fiduciary would seriously hurt the “Monetisation Prospect” of “Anonymised Personal Data”, which is actually “Non Personal Data”. This could be considered an infringement of the fundamental right to carry on a business, one which does not affect the Right to Privacy of any person whose personal data is anonymised.
In a way, the law has given in to the perceived power of the hackers and considered that “Anonymisation” is not possible, and hence that anonymised personal data should not be available for monetisation.
Instead of caving in to the power of hackers, the Government should have considered increasing the penalty for “Re-identification of De-identified Information” from imprisonment of 3 years to something around 10 years. This would have increased the deterrence and mitigated the risk of de-anonymisation of anonymised personal information.
In the long run, this will be a point to regret. Coupled with the section that requires the processing algorithm to be made transparent and the hardware and software used in personal data processing to be “Certified”, the Data Analytics and Big Data industries would find it suffocating to carry on their activities. On the other hand, these provisions do not add anything to the protection of Privacy.
The Government therefore appears to have opened a breach to let the Judiciary find fault with the drafting of the legislation.
At this point of time it appears that this cannot be remedied except by reverting Section 2 to the previous version and deleting the provisions on hardware and software certification as well as algorithmic transparency. All these responsibilities, to the extent they adversely affect the Privacy of an individual, can be implemented under the concept of “Data Fiduciary” and do not require the amendments as proposed.
As regards “Reporting of Data Breach of Non Personal Information”, this was a responsibility already assigned to CERT IN. There was perhaps no justification to take over the responsibility of CERT IN in this respect.
If there was a concern that some data fiduciaries could report a personal data breach as a non-personal data breach to CERT IN and thereby avoid scrutiny by the DPA, a provision could have been inserted for sharing all data breach reports made to CERT IN with the DPA, along with a comment/assurance from the CERT IN director that no personal data breach is suspected in the reported data breach.
If these issues had been addressed, there was no need to change the perspective of the law from “Personal Data Protection” to “Non Personal Data Protection”.
However, from the compliance perspective, we must accept the changes as they are finally passed by the Parliament and include “Non Personal Data Protection and Governance” as part of Personal Data Protection compliance.
(The above are the personal views of Naavi and do not represent the views of any organization.)