When we discuss implementation of data protection particularly in a country like India, we often speak about the need to change the “Culture” and “Attitude”. Hence a lot of emphasis is placed on training, building awareness etc.
While there is no doubt that Indians by nature give a low priority to Privacy and often hold “Security” or even “Freedom of Expression” and “Right to Information” on a higher pedestal and are willing to sacrifice Privacy for Security or Free Speech or Information, there is also a need to flag that “Privacy Protection” is also not in the culture of the business organizations who are expected to be responsible for Privacy Protection.
Privacy is a human right concept and hence its protection is far away from the core business objectives. But today “Privacy Protection” is discussed only in the context of “Data Protection”, since we follow the belief that the “Right to Privacy” can be guaranteed by “Protecting the Right to determine the use of personal information at the choice of the data principal”. Hence Privacy Protection is seen as “Data Protection” (more precisely, Personal Data Protection).
Data Protection has to be implemented by a Data Processing Company which is essentially a commercial organization that is answerable to its shareholders to make profit. For them, Data is a commodity, a raw material from which a profitable business proposition has to be constructed. Hence any data protection obligation is always a burden on the company and given an option every business entity would like to avoid data protection legislation, though it is not a good political statement to make.
Just as statements about the inequalities in our Constitution arising out of appeasement politics, or Corruption in Judiciary, are considered politically incorrect, businesses consider that opposing data protection legislation is not politically correct and hence all of them say they welcome the Data Protection Bill... but they say they have some suggestions here and there.
Recently these “Friendly Suggestions” have gone to the extent of suggesting that “Personal Data Protection Bill” should be revised to make it a “Personal and Non Personal Data protection and Governance Bill”. While the statement is laudable, we know that the Kris Gopalakrishnan Committee report on Non Personal data governance is still to be fully analyzed and converted into a proposition of a Bill. On the other hand, the Personal Data Protection Bill has gone through the Srikrishna Committee, PDPA 2018, PDPA 2019, several rounds of public consultations and the JPC discussions. Hence the Personal Data Protection Bill is almost ready to be finalized. On the other hand, the Non Personal Data Governance Bill requires at least a year to develop. Non Personal Data Protection is anyway already available through Information Technology Act 2000/8.
The suggestion to include Non Personal Data Governance in the Personal Data Protection Bill is therefore a sinister design by the opponents of the Bill to delay the passage.
The conspiracy behind this suggestion which should be the handiwork of some business entities with the help of political opponents is evident because of the identical press reports appearing in different media.
We have already highlighted the report that appeared in livemint.com. Now we can look at the report in moneycontrol.com which is a replica of the livemint report indicating that there was a press release by some interested parties which has been faithfully reproduced by these publications. The report is categorical that the JPC is unanimous in its decision to revise the scope of the Bill.
The fact that this is fake news planted by vested interests is evident from the fact that JPC has now set up a series of meetings on a daily basis to discuss the bill clause by clause and finalize it for presentation in the Parliament at the beginning of the Budget session.
The Economic Times today has reported that “JPC split over draft data privacy law, Govt Access” and also an interview with Mrs Meenakshi Lekhi who is the chairperson of the Joint Parliamentary Committee working on the finalization of the Bill.
The fact that any bill proposed by BJP will be opposed by Congress and TMC is well known and hence it is not surprising that the “JPC is split”. This article appears to be a balancing piece since Mrs Lekhi’s interview did not support the fake narrative that further consultations are required.
We may note that ET had just a couple of days back said that more consultations were required with the “Civil Society” since 90% of the discussions were with others. The argument reminded me of the proverbial Panchatantra story of the Monkey and the Cats quarrelling for a piece of Roti that once this side had more and the other time the other side was more. It is a clever suggestion but unfortunately there is no credibility for such stories.
What is more relevant are the observations of Mrs Lekhi, which clearly indicate that JPC is unlikely to delay the finalization of the Bill. The opposing views of the members, if any, will be documented and they may move amendments to the Bill in the Parliament when the Bill is tabled. Then the Parliament may accept or reject the amendments and pass the Bill.
The most contentious parts of the Bill could be:
a) Whether Section 35, on exemptions from the provisions given to the Government agencies, should be tinkered with or not
b) Whether Sections 33 and 34, on restrictions on transfer of data outside India, should be changed or not
c) Associated with the Data Localization aspect, whether the definition of Sensitive Personal information should leave out financial information, etc.
It is obvious that the MNCs want to take out the data from India to their country so that they can squeeze the monetary value out of it to the extent possible. The way CIBIL was taken over by TransUnion and how NPCI is sought to be privatized indicate the surreptitious way in which the “Data Sovereignty” principle is being given a go-by as the vested interests lobby for favorable policies from the Government.
At present, the views of Mrs Lekhi as expressed in the ET article indicate that she is fully aware of the “Games People Play” and will see through the “Yes..But..” objections from the industry as well as the “Straight Criticisms” of the opposition political parties.
We can therefore expect that the PDPB is likely to be an Act soon and probably the Section 35 will be retained without a change and Section 33/34 may be made stronger to incorporate the Data Sovereignty principle. The suggestion of leaving out the financial information from the “Sensitive” character may also be dumped.
We may note that in the last few months, GDPR has adopted a strong Data Localization stance and there is no reason India should not maintain its own Data Localization stand. The Exemptions provided to Government under Section 35 are limited to the extent permitted by Article 19(2) and there will be a due process. PDPB is better equipped to handle Schrems II objections of the EUCJ than the US Privacy Shield, since the grievance redressal in PDPB is supported by an Adjudication and Appellate Tribunal and also an exemption can be availed under Section 37 for data processed under GDPR contracts.
Indian law is therefore ready to meet the international expectations with confidence and despite the opposition from the local quarters, it is robust enough to be passed through.
Any law will have scope for improvements firstly through the regulations and later through amendments if necessary. Hence the time for waiting for further changes in the Bill as is being discussed now is past.
Let’s wait for the Bill to be passed into law soon.