Here is a copy of an article published in India Legal.
An Equilibrium view of PDPB 2019
Let’s not forget that even Privacy has its boundaries. The Right to Privacy is fundamental but not absolute. But often even wise men get carried away with their obsession as is indicated by the copious criticism being heaped on the Personal Data Protection Bill-2019 (PDPB-2019).
It is to be remembered that “Privacy” as a concept is a “State of Mind” and a “feeling of being Left alone”. Neither the Supreme Court or any experts have been so far able to define it precisely and it remains an enigma of its own. Now trying to protect an enigmatic concept through regulation of the “information” surrounding the factors that influence the “mental state” is not easy. Further, ensuring that the regulations satisfy the entire population, each of whom have a different “State of Mind” does pose an impossible challenge.
The conflict between” Privacy” of one person and the “Security” of the other is eternal. Any Government of the day needs to have its hands free for “Intelligence gathering” which includes surveillance without which the country is unsafe and we the citizens of the country are unsafe. “Security” is therefore as much a fundamental right as “Privacy” is and a legislation like PDPB-2019 cannot be looked at only with a myopic view as if “Privacy” is an absolute right.
Rejecting the right of the Government to maintain national security through regulated invasion of Privacy will be disturbing the mental peace of millions of other honest citizens for whom the person standing next to him in a crowd could be a terrorist. It is only the faith that there is a security screening that today we travel in air with a safe feeling that the probability of the plane being hijacked or blasted out in the sky is remote. This feeling of “Safety” is as much important for most citizens as the “Feeling of Privacy” some body else would like to have.
Instead of being only critical, it is therefore necessary to examine the draft bill recognizing the presence of the multiple stake holders such as the Individual, the Corporate, the Government, the Law enforcement etc all of whom have different perceptions of how Data Protection legislation should be.
In the past, here have been several failed attempts to pass a similar law and each time the conflict between Privacy Rights and National Security requirements have caused the proposals to be aborted. Additionally in recent days the industry has developed huge stakes in processing of data and harnessing value therefrom and the Privacy legislation presents a huge hurdle to such business interests who also exercise their own pressure on the legislation.
If the legislation ignores the needs of all stakeholders and takes into consideration only the views of “Privacy Activists”, the country may not become an “Orwellian State” but it is sure to become a “Chaotic State” where terrorism will race ahead and business development may significantly suffer.
Is Government becoming a Big brother?
According to the draft PDPB 2019, section 35, Central Government has retained some powers to exempt itself from all or any of the provisions of this Act.
|35. Power of Central Government to exempt any agency of Government from application of Act
Where the Central Government is satisfied that it is necessary or expedient,—
(i) in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order; or
(ii) for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order,
It is this provision which is being criticized by all as dangerous and potentially turning India into an Orwellian State.
It may however be observed that the section is drafted clearly to indicate that it is only when the Government is satisfied that “It is necessary or expedient” in the “Interest of sovereignty and integrity of India, security of the state and friendly relations with foreign states, public order or preventing incitement to the commission of any cognizable offence” that this provision can be invoked. Even in such a case there has to be a direction in writing to a specific agency and this would always be available for judicial review.
It must be noticed that the reasons under which the provision can be invoked omits “decency or morality or in relation to contempt of court, defamation” which are other reasons provided under article 19(2) of our constitution as reasons for which the fundamental rights can be over ridden.
The Government has therefore been restrained in adding this contingent provision and it must be treated as an “Enabling Provision” which has to be present in the law if the Government has to perform its duty to protect the citizens of India.
All the Privacy and Data Protection Professionals who always hail everything “Foreign” as better, may to note that even the EU GDPR under Article 23 provides similar exemptions.
What the PDPB 2019 contains is therefore reasonable and in tune with the Government’s own obligations to the society. We should stop nitpicking on whether the safeguards on paper are adequate or not speculate. The details of how this power may be exercised would be in the rules to be notified later and we need to wait for it.
Constitution of the DPA
Another area of criticism has been that the Data Protection Authority (DPA) and whether it would consist of people who are independent and represent the stake holders.
According to section 42 of the proposed act,
“The Chairperson and the Members of the Authority shall be persons of ability, integrity and standing, and shall have qualification and specialised knowledge and experience of, and not less than ten years in the field of data protection, information technology, data management, data science, data security, cyber and internet laws, public administration, national security or related subjects”
The earlier draft had suggested the Chief Justice of India in the selection panel which has been omitted and this has given rise to the concern that possibility that the choice of the Chairman and the Members could be motivated by the Government’s concerns or by the industry lobby.
The earlier draft had also suggested maintenance of a “list of 5 experts”. It was not clear if this was supposed to be an “Advisory Group” to guide the DPA and has been omitted.
Industry people know that there is no Government Secretary who has 10 years experience in the field of data protection etc and is of less than 65 years of age to qualify to be appointed for the DPA. Even in the private sector there are not many with such experience and who would take up the assignment. So there is a difficulty in the constitution of the DPA with right persons and this needs to be recognized.
It is hoped that the Government will not look to bring foreigners and NRIs who may have the necessary experience but having no commitment to Data Sovereignty of India. We can keep our fingers crossed that the right people will be found at the right time for this onerous but responsible position.
Positive elements of the Bill to be hailed
Beyond the criticisms that have surfaced, there are a couple of positive features that the new version has brought in which needs to be recognized and hailed.
One such provision is section 40 suggesting the creation of a “Sandbox” so that start ups can benefit by a limited time exemption from the obligations under the Act while they test innovative technologies.
Another provision is section 37 which recognizes the need to exempt the BPOs in India who only process personal data of foreign citizens on the basis of a contract with a foreign Data Controller and provides for a suitable notification as may be required. This was necessary for all those companies who were maintaining “Off Shore Data Processing Facilities” which needed to comply with the data protection laws of the respective countries and would have considered the over lapping of the PDPA jurisdiction difficult to manage.
Further, retaining the innovative definition of the role of the “person who determines the means and purpose of personal data” as the “Data Fiduciary” and the subject as “Data Principal” the credit for which should go to Justice Sri Krishna calls for appreciation. Additionally thinking of a role for “Consent Manager” could be another innovation which the industry will welcome.
Taking an equilibrium view therefore we must conclude that the new Bill has tried to improve upon the earlier version and the fears and concerns are perhaps inevitable but not completely valid.