First Objections, Next Suggestions and now change of goalpost… a conspiracy to delay PDPA?

“Person Who Knows”  (PWK)

“Nothing Personal about Data Protection Bill as JPC proposes to expand scope”… so says an article today in livemint.com

It is well known that there is a lobby of opponents to the PDPB and this media vehicle is part of such lobby which does not want the the Personal Data Protection Bill 2019 to be passed.

The main force behind this opposition are the multinational companies who are opposed to the “Data Sovereignty” principle and any hurdles to their continued exploitation of the Indian Personal Data market. They have the power to influence not only the media but also a section of the professionals and political parties to delay the passage of the Bill as long as possible. These articles are a reflection of such public relations exercise of creating a fake narration to mould amenable public opinion the way they want.

It is interesting to observe the sophisticated strategy used by these agencies to scuttle the Bill.

We can observe that initially there was opposition on the Bill particularly the Data Localization aspect. This was in the PDPA 2018 version.  When the Government buckled under the pressure of these MNC s and allowed free exploitation of personal data in the PDPB 2019 version, this objection became redundant. They these attackers switched to complaining about  “Excessive powers to the Government” and “Constitution of DPA by a committee of Secretaries”, and even roped in the support of Justice Srikrishna himself who was unhappy that CJI was not part of the DPA selection committee.

When JPC started hearing suggestions, some organizations tried to dilute the law by tinkering with the definition of “sensitive information”. They suggested that “Financial Information” should not be considered as “Sensitive” information so that no restrictions should apply for processing of financial information including transfer out of India. The Bill did not prevent transfer but only expected “Explicit consent” for such transfer and these opponents did not want even an “Explicit consent”.

The vested interests want financial information to be freed from restrictions so that they can continue to transfer financial information of Indian citizens abroad. If restrictions are placed, then “Data Laundering” like in the case of Trans Union silently taking over CIBIL with the connivance of the Banks would not have been possible. Even now, the privatization of the NPCI is recommended so that the entire UPI gateway can be spied upon.

The hypocricy of these agencies who oppose PDPB being passed is clear when we consider that at this point of time GDPR is pursuing a “Data Localization” policy by arm twisting the Data Exporters to obtain impossible assurances from the Data Importers of other countries to the extent that the only credible solution of EU data transfer is to set up a data center in EU itself. But these opponents donot have any objections to GDPR.

These opponents are typical “Pseudo Data Protection Proponents” who want India to give up all controls but are silent on GDPR trying to impose its colonial hagemony on India.

In this third wave of attack delaying the passing of the Bill, JPC was persuaded to listen to all business entities for their views.  Much of the precious time of the JPC was wasted on listening to business lobbying rather than how best to frame the law in comparison with GDPR or Singapore PDPA etc.

After these three waves of attack, it appears that a next wave of attacks is being planned represented by the above article in livemint.com.

If the story of livemint.com is true, it would mean that the JPC has been fully taken over by the “Delay Lobby” since the report suggests that

“The Personal Data Protection Bill is likely to undergo a complete transformation as the intent of the Bill is likely to get changed. Most of the members of JPC are of the view that the ambit of the Bill needs to be expanded and it cannot just be about personal data. JPC members are unanimous that PDP Bill should be about data and protection of data,”

This statement is attributed to a “Person in the know of development”…the mysterious and anonymous PWK.

The same person seems to also say

JPC is unanimous in its decision that purpose of the Bill should be redefined and more clearly defined. Some members feel that earlier the Bill was a little vague and needed improvement. Now the focus is on data, not just personal but also non-personal, sensitive and critical data as well,”

It appears that these quotes are “Planted” to create confusion and continue the work of the lobby to delay the Bill and finally get it into a shape where it can be questioned in the Supreme Court as not in conformity with the Puttaswamy judgment. I donot think the JPC is “Unanimous” though it may be the view of some opposition MPs who are supporting the vested business interests. The demand to invite more and more business entities to be interrogated in the JPC is also a conspiracy to delay the JPC activity since the very objective of JPC is not to interrogate FaceBook or Twitter etc but to correct the clauses of the Bill.

The current suggestion to change the intent of the Bill is nothing but a conspiracy to get the Bill scuttled.

I suppose members of the Committee like the Chairperson Mrs Meenakshi Lekhi, Mr Tejasvi Surya, Mr Rajeev Chandrashekar and others recognize that this Bill is important for multiple reasons.

I would like to highlight that the passage of the Bill is already delayed beyond reasonable limits and the recent data breaches in Big Basket, Lupin, Dr Reddy Laboratories, Dr Lal Pathlabs or Breachcandy hospital indicate that the industry needs to be reined as early as possible.

We should also appreciate that  it is a commitment of the Government of India to the Supreme Court that a robust privacy protection law would be passed in India at the earliest. But it is now 3 years since the Puttaswamy judgement and according to the mysterious  “PWK”, we are still not clear on what should be the focus of the Bill. He feels that this Bill should not be limited to the “Personal Data Protection” but include “Data Protection”.

Does PWK know that Information Technology Act 2000 already is a legislation that provides for “Data Protection” of both Personal and Non Personal Data and we donot need another so called “Non Personal Data Protection Act”?

Unfortunately some people are unable to understand the concept of “Anonymization” which is the wall that separates “Personal” data and “Non Personal” data and liberates the personal data from the need for protection and takes it to the realm of “Governance” where a regulation as suggested by the Kris Gopalakrishna Committee takes over to unlock the financial benefits. Many seem to confuse “Anonymization” with “De-identification” and hence feel that “Anonymous personal data” can be “De anonymized”. This concept is inherently wrong since “De-anonymisation” means a “Criminal re-discovery of identity parameters”. Just as any “Encryption” can be “Decrypted” by hackers using brute force or other methods, anonymisation may be de-anonymised but this is a crime that is required to be tackled separately and is being done in ITA 2000.

If we accept that the universe of “Data” contains “Personal Data” and “Non Personal Data” and “Non Personal Data” includes “Anonymized Personal Data”, then we have a clear role for three legislations namely PDPA for security of Personal Data, ITA 2000 for security of  Non personal data and Non Personal Data Governance Act (suggested by Kris Gopalakrishna committee) for the unlocking of financial benefits in the non personal data.

If “Non Personal Data Protection” requires to be strengthened we need to tinker with ITA 2000 and there is no need for any new Act. Even the often referred to “Cyber Security Act” is redundant and the planned objectives of such an act can be achieved through amendments to ITA 2000.

It would be interesting to know if this mysterious PWK can clarify why do we need a separate law for “Non Personal Data” related Governance or Security instead of focussing on the Personal data Protection.

The Puttaswamy judgement wanted a law on protection of “Information Privacy” and PDPB 2019 which is a follow up of PDPB 2018 (Not withstanding some differences) tries to achieve this.

If  the Government now tries to convert this into a “Data Protection Bill” which is not meant to protect “Privacy” of individuals but only protect “Data”, then there is every possibility  that  the Supreme Court may strike down the law as not in conformity with the Puttaswamy judgement.  The JPC is being led to a trap to change the focus of the law from “Personal Data Protection” to some thing else so that the same PWK  can later argue in the Supreme Court that the Government abandoned the “Information Privacy” as suggested by the Supreme Court.

The JPC has to be careful because there is every indication that there are sympathizers to the “Delay PDPB Lobby” within the Government advisors as is evidenced by some earlier incidents.

We recall that some time back a piece of a shoddy note on “Encryption”  was issued by some official in MeitY and was subsequently withdrawn causing an embarrassment to the Government.  (An enquiry was ordered on the incident, details of which never came out).

Similarly notifications under section 69 of ITA 2000 as well as Intermediary Guidelines , the notification on Crypto currency ban, have all been issued and withdrawn as if it is a game of  one step forward and two steps backward.

There appears to be a clear conspiratorial strategy  by vested interests in creating more embarrassments to the present Government since it lacks conviction and is easily swayed by the views of these lobbies.

The livemint report is indicative of a similar attempt. From all angles the suggestion to change the focus of the Bill appears to be a “Conspiracy” to scuttle the PDPB 2019. While other countries in the world are working on how to tackle the uncertainties in business arising out of the Schrems II judgement, these suggestions are driving India back instead of moving forward.

We may now expect in the next wave of friendly suggestions that

“it is not enough to change the focus of PDPB 2019 from Personal Data to Non Personal Data but make some amendments to the constitution itself so that under Article 21 we can add Privacy as a separate fundamental right rather than relying on the 9 member Supreme Court decision.”

This can effectively postpone the bill until the next Parliamentary election and BJP gaining the necessary majority for Constitutional amendment.

The motivation behind the planting of this story with insinuations reflected in the article  is indicated in the  same report which suggests that JPC is likely to hold three sittings in the near future to finalize the bill. This ppears to have created panic amongst the camp that wants to scuttle the bill which has prompted it to come up with this  ridiculous fake plant.

I hope, Mr Gyan Varma to whom the article is credited should reveal his anonymous source namely the PWK who appears to be creating this “Fake Narration”.

Alternatively I wish  the JPC Chair person should come forward and deny the report.

We are expecting that the Bill will be presented in the Parliament in February as confirmed by Mr Ravi Shankar Prasad during the Bengaluru Tech Summit 2020 and it will be passed into law in the coming session.

Naavi

(P.S: Some corrections were made to the earlier version of this article to provide better clarity)

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.