Excerpts as published:
What’s your take on the provisions in the bill?
Privacy legislation is always a complicated legislation. You have to balance the interest of privacy activists who want their rights protected, business people who want total freedom so they can exploit, and the government that wants as much control as possible. The preamble of the bill recognizes these three stakeholders. Whatever you do, someone will be happy and someone won’t be. That’s what is playing out here. But overall, I think they’ve done reasonably well.
How does this bill compare with its counterparts in the West, like the General Data Protection Regulation (GDPR) in the European Union?
GDPR has principles of processing. So do we. GDPR has rights [for citizens]. So do we. Except that, in the ‘right to forget’, we are a little more circumspect than the EU. In EU, it’s more or less automatic. In India, we say it is subject to adjudicator’s decision, which is a quasi judicial authority that can take decision on this. This reduces the burden on the judiciary. If the adjudicator’s decision is not acceptable, one can approach an appellate tribunal. If that’s not acceptable, one can approach the courts.
There are concerns that some of the provisions in the bill allow for significant state surveillance.
The Bill will empower government for certain things. Section 35 and 36 allows certain security agencies to process data for surveillance. They are, however, not allowed to misuse this data.
Article 19 of the Constitution also provides reasonable restrictions, where the government allows itself similar exemptions in cases of ‘decency’, ‘morality’, ‘defamation’. Based on the constitution, the government can use ‘incitement to offence’ and ‘public order’ for surveillance. These terms are generic and can be misused.
As per this Bill, the offence has to be related to matters of ‘national security, sovereignty, integrity of the state’, not things like ‘decency’. So in my view, this reduces the surveillance powers of the government.
One of the reasons for concern is the possible broad interpretation of ‘integrity of state’.
I understand. But some parts in the Indian Penal Code also give draconian power to the police. Even they misuse it many times. This is more reflective of persons in charge of the legislation. We can only have deterrence. Likewise, you can’t omit this law on speculative grounds, saying the government might misuse it. The law can provide a framework. If someone wants to misuse it, punish them separately.
How desirable do you think data localisation is, as mentioned in the Bill?
Right now, there is no data localization in the legislation. ‘Non-sensitive personal information’ can be transferred, so can the ‘sensitive information’, subject to explicit consent. Only ‘critical information’ cannot be transferred but we don’t know what constitutes that. There is no restriction on transfer of data.
When we’re talking of having one data centre in India, it will act as a back-up data centre. There is an economic cost for businesses. But I don’t believe the industry will suffer.
Will having a data copy in India affect the way a law enforcement agency can access a person’s data?
For a law-enforcement agency to access someone’s data, it needs to be for law-enforcement reasons. They have to send a notice, identify investigating officer, identify the reasons for which it is done, and tomorrow if police officer is going beyond their normal duty and collect the information, there’s always a possibility that the written request will be questioned in court of law. But if someone wants to ignore the procedures, that is what the private sector – the data centre owner – has to resist. Agencies can’t come and directly take away data.
Is there a possibility of misuse by state agencies, with data being more accessible than earlier?
I have been working in field of cyber crime for 20 years. When we want information for investigation, Google and others don’t give data. If you get an abusive or obnoxious email, you’d need the IP address to find out who sent it. But they will often not reveal the address. In a way, they’re protecting the abuser. I don’t buy this idea that if data is in India, there will be a problem. I don’t trust Facebook or Google.The possibility of misuse exists but both arguments have to be considered on a case-by-case basis.