Economic Times Editorial “lets the cat out of the bag”-Suggests “Hasten Slowly!”

We have just discussed the editorial in Times of India today and now we also have an editorial in Economic Times with similar sentiments expressed about the PDPB. In fact this editorial is direct in expressing its intention because it suggests “Don’t Rush Personal Data Protection Bill”…. “Hasten..slowly…”

A few days back we saw similar reports appearing in two different publications namely livemint.com and moneycontrol.com both carrying the same view but under two different bylines, indicating clearly that it was a planted story by a PR firm.

Now two editorials of two different publications of the same group writing on the same day about the need to delay PDPB indicates another PR exercise where the two editors have written what the PR firm wanted them to write. It is disappointing to see Economic Times editorial being so compromised.

While the “Hasten…Slowly” phrase indicates that the editorial perhaps has not been written by a person of editor caliber, there are many statements in the editorial which are factually incorrect.

One of the comments made is

“The Personal Data Protection Bill (PDPB), right now under consideration by a Joint Parliamentary Committee (JPC), is big, in its sweep, intent and implications, particularly for future competitiveness of the economy, in terms of data being available to train algorithms that would drive artificial intelligence, even as individual citizens are protected from harm arising from misuse of their data.”

We do not know what the editor wants to say here. Is he saying that PDPB should not cover use of AI or Big Data for processing personal data? Or is he confusing it with the non-personal data governance act, which is only a recommendation now by the Kris Gopalakrishnan Committee? Does he not know that all data protection laws consider “Profiling” as regulated personal data?

Another comment made is…

“The JPC would do well to hasten slowly, and take on board the suggestions of as large a swathe of stakeholders as is possible. Right now, civil society groups, several large companies and even some members of the committee complain that they have not been given a chance to present their views.”

The suggestion is that JPC should give opportunity to more companies to depose before the committee. It must be remembered that the PDPB 2018 version was first placed for public comments in December 2018, then PDPB 2019 was placed for public comments in December 2019, and now we are in December 2020. All this time there were opportunities for companies to express their views and send them to the committee. It was not necessary for these companies to wait for a personal presentation before the committee. If so far they did not have any comment to make, then there is no reason why they should now be expected to have comments to be directly presented to the committee, so that the 30 parliamentarians of the committee, already constrained by the Covid situation, should spend more time listening to the lobbying of these companies. Industry associations like Nasscom, FICCI etc. have made their presentations reflecting the business views and hence the editorial comment does not make sense.

Then comes the expression of ignorance by the Editor in the comment…

“Unlike Europe’s General Data Protection Regulation, India’s PDPB subsumes collection of data under processing of data. While the goal of limiting collection and processing of personal data in proportion to the purpose at hand might, at a glance, not be compromised by a bar on disproportionality in processing, there could well be certain cases, in which it makes sense to separate collection from further processing, so as to limit the scope of unintended permission for processing of data beyond collection.”

This comment indicates that the author is unaware of how GDPR and all other data protection laws define “Processing”. Every law defines “Collection” as “Processing” and it is unbelievable that the editor has not checked the definition of processing in GDPR.

Another comment made is …

“The wording of the regulation should not give scope for babus to penalize companies for no fault of theirs. Giving a detailed notice on data collection and obtaining consent might sound noble, but is likely to be observed more in the breach vis-à-vis illiterate or semi-literate or time-starved rural folk.”

It is necessary for the editor of the premier financial newspaper of the country to understand that in PDPB, no “Babu” is authorized to impose any penalty. All penalties are decided by the “Adjudicator”, who is a quasi-judicial authority, and his decision may be reviewed by an Appellate Tribunal and subsequently by the Supreme Court. The publication has made comments without knowing the provisions of the Act.

One more adverse comment made in the editorial is about the minors. It says…

“Financially autonomous youngsters who are not yet 18 need their parents’ permission for their data to be collected, whereas social media accounts merely require reaching the age of 13.”

This is a ridiculous statement which indicates that the editorial appears to be a “Proxy Editorial” written by somebody with no proper understanding of the Bill. While the age of minority is a matter of general law, just because social media wants to open out to 13-year-old teens, there is no reason that Indian law needs to be changed.

Lastly the editorial ends with another foolish statement that “Holding those who collect data responsible for the accuracy and completeness of the data is unreasonable”. Does the editor mean that data accuracy need not be insisted upon? Why should such an exemption be given only in Indian law, whereas more than 130 countries which have adopted such laws insist that data should be accurate? In fact this is already a requirement under Section 43A of ITA 2000 and not a new provision.

The comment also states as a footnote “Distinctions between sensitive data and critical data, as well as between being forgotten and data erasure, seem overkill that will wrongside companies”… once again broadcasting the ignorance of the author about data protection legislation.

Finally the editorial links this editorial with the TOI editorial, stating “All this is over and above the untrammelled access of the State to personal data that the law provides for.”

Overall it appears that this editorial as well as the TOI editorial has been written not by the respective editors but by some PR executive because the editors cannot be so naïve and uninformed.

It is shameful that these large publications have started selling out even the editorials to the PR causes of companies.

I am sure that the readers will see through this PR game and the credibility of these publications will be seriously eroded.

Naavi


Times of India joins the Anti PDPB bandwagon with a mis-information campaign

 

Privacy Protection has always been a matter of interest to the Privacy Activists. Business has always been against Privacy being protected too rigorously since it would hurt their profitability.

Newspapers are no longer the “Fourth Pillar” of democracy, and publications like Times of India were among the first of the print publications to become fully commercialized news vendors. TOI regularized soft porn and front page advertising, pushing news to be a secondary objective of the publication.

Further as could be seen in the recent instance of onslaught on Freedom of Press by the Maharashtra Government in the Arnab Goswami Case, Times Group did not take an unequivocal stand to protect the freedom of Press.

I remember that in 1975, when Mrs Indira Gandhi imposed press censorship as part of the emergency, most publications left their editorial blank to register their protest. Indian Express at that time was in the forefront of the resistance against press censorship. Subsequently, HINDU was also strongly in support of freedom of press to the extent that it was a gold standard of journalism.

But today, neither Indian Express nor Hindu is an independent publication and we cannot consider them better than the motivated publications supported by those who oppose any positive developments that happen in our country.

TOI on the other hand has always held its commercial interests as a priority, and Naavi.org itself has pointed out on earlier occasions how TOI took an unreasonable stand in spreading a false narrative about the Information Technology Act.

Now, as the Personal Data Protection Bill 2019 appears to be close to being finalized by the JPC, and all the PR campaigns in Print.com or Moneycontrol.com have been found insufficient to shake the resolve of the JPC, which is having 5 meetings between today and the day after tomorrow to finalize the Bill, TOI has come up with an editorial with caustic remarks about the Bill.

Let’s analyze the editorial, a copy of which is available here, to understand why the editorial lacks credibility.

The head line to the editorial proclaims “Granting Government Sweeping Exemptions from protecting Personal Data is Wrong”. The statement per-se is fine. But in this context, it is implying that the PDPB is wrong.

The editorial says

“the section on exemptions grants extraordinarily wide latitude to the Centre to be exempt from any or all provisions of the legislation. The Centre has to be merely satisfied that it is “necessary or expedient” in the interests of sovereignty and integrity of India, public order, among other things, for exemptions to kick in for any agency of the government.”

The editorial continues with its opinion that

As it stands the legislation effectively nullifies the fundamental right to privacy, and may not withstand judicial challenge.

In this context, EU’s tests for necessity and proportionality in exemptions are relevant.

The data protection laws in the EU specify that cross-border transfer of data is permissible if the recipient has adequate standards of protection. Poor drafting of the legislation will cause Indian firms to miss out on big opportunities and have a negative impact on jobs.

Besides protecting India’s economic interests, which too are integral to national security, the legislation also needs to adhere to the letter and spirit of the Supreme Court ruling on privacy.

The editorial is referring to the Section 35 of the PDPB which states as follows:

35. Power of Central Government to exempt any agency of Government from application of Act

Where the Central Government is satisfied that it is necessary or expedient,—

(i) in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order; or
(ii) for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order,

it may, by order, for reasons to be recorded in writing, direct that all or any of the provisions of this Act shall not apply to any agency of the Government in respect of processing of such personal data, as may be specified in the order subject to such procedure, safeguards and oversight mechanism to be followed by the agency, as may be prescribed.
Explanation.—For the purposes of this section,—
(i) the term “cognizable offence” means the offence as defined in clause (c) of section 2 of the Code of Criminal Procedure, 1973;
(ii) the expression “processing of such personal data” includes sharing by or sharing with such agency of the Government by any data fiduciary, data processor or data principal.

It is necessary for the critics to remember that the Supreme Court judgement (Puttaswamy Judgement) upheld the Right to Privacy as part of the Right to Life and Liberty under Article 21 of the Constitution, which says “No person shall be deprived of his life and personal liberty except according to procedure established by law”.

The “Procedure established by law” is always treated as including the “Reasonable Restrictions” under Article 19(2). It also includes the “Legitimate interest” of the public other than the person whose Privacy we are discussing since that person is also a citizen of the country and he has a right to “Security” (which could be in conflict with the Right to Privacy of the subject).

Hence “Right to Privacy” should always be balanced with the Duty of the Government to protect the Rights of other Citizens who could be harmed if “Right to Privacy” is considered as an absolute Right.

It may be noted that Section 35 of PDPB 2019 actually does not use the entire canvas of exemption that could be availed under the “Reasonable Restrictions” permitted under Article 19(2), since it omits

“decency or morality or in relation to contempt of court, defamation” or

“incitement to an offence” except “any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order”

Hence Section 35 has imposed restrictions on the Government more than what they could have gotten away with, and this should be appreciated.

The only thread of argument that requires debate is whether the words

“is satisfied that it is necessary or expedient”

is different from the words

“necessary for, and proportionate to, such interests being achieved” (Version of PDPA 2018)

This distinction is one of semantics.

“Necessity” is there in both the versions and hence it is not the word being objected to.

What is omitted in the Bill is “Proportionate to such interests being achieved” and it uses the word “Expedient” instead.

What is “Proportionate” in a given circumstance is what is “Required to be done to achieve an objective”. As long as something is considered “necessary”, what is considered expedient is proportionate to the objective.

Hence branding the Bill as “Nullifying the fundamental right to privacy” or as a “Loophole” is incorrect and an exaggerated, motivated interpretation.

The Editorial therefore needs to be treated as an attempt at mis-information.

The editorial seems to respect the EU GDPR and let us now see what Article 2(d) of EU GDPR says.

It states

“This Regulation does not apply to the processing of personal data:

(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”

In this article, who the “Competent Authority” is, and what is meant by “Prosecution of criminal offences”, “Execution of criminal penalties” or “Prevention of threats to public security”, is relevant in seeing whether there is any binding that guarantees that this provision cannot be used by a Government agency to appropriate powers which are not available in GDPR.

We may observe that Indian provision restricts use of exemption only to such of the offences which are cognizable and related to the “sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order” as against the GDPR provision which is open to be used for any criminal offence or even for execution of a criminal penalty.

Further, the Indian law has Article 19(2) guidance on the procedure to be followed in using the exemption (e.g. the Supreme Court decision in PUCL Vs Union of India, 1997, regarding the use of the Indian Telegraph Act). But in GDPR, there is no guidance on who is the “Competent Authority” and what the procedure should be.

Besides, Indian law has an immediate quasi-judicial oversight in the form of Adjudication and a legal oversight of the Appellate Tribunal followed by the Supreme Court, whereas GDPR does not provide such judicial oversight to challenge any wrong order.

If therefore any Government department orders disclosure of information in violation of the principle of necessity and expediency, the data fiduciary or the data principal has an opportunity to invoke judicial remedies of the Supreme Court after adjudication and appellate tribunal.

Hence the concerns of the editorial that there will be a grave danger to the Privacy and violation of the Supreme Court order are misplaced.

Overall, the editorial is an attempt to mis-inform the public and allow the opposition members in the JPC to raise a ruckus to disturb the proceedings of the JPC with a view to prevent the finalization of the Bill.

As we know through the politics of protests, if somebody is motivated and is not willing to be convinced, we had better ignore them and proceed.

We urge the JPC to ignore such motivated attacks and proceed with the finalization of the Bill which has already been delayed beyond reasonable period just to satisfy opposing views.

Naavi


Biggest Challenges in PDPA adoption in India

Notwithstanding the wishes of many to delay the passage of PDPB 2019, it appears that the JPC is determined to complete its work this week and present its recommendations to the Cabinet. This is indicated by the fact that the JPC has scheduled 5 meetings in the next 3 days for clause by clause consideration of the Bill. It had already been indicated that about 50 of the sections had already been discussed and finalized, and hence the remaining 49 sections are due for discussion in these 5 sessions at 10 sections per session.

Hopefully the JPC will be able to complete its task as scheduled.

It is therefore time for all the doubting Thomases to gear up to be compliant in time. The biggest challenges that the industry will face in this direction are

a) Resistance to Change

b) Unlearning the GDPR Concepts

c) Adapting to the multi compliance management scenario

Resistance to change is a universal problem and when disruptive new legislation is implemented, there will certainly be difficulties. However, I feel this will be a greater problem for the Government, Manufacturing entities and the Small entities, while the IT companies who have already adapted to GDPR may accept and adapt to the new legislation without much resistance.

However, while those entities for whom Privacy Protection through Data Protection is new will be able to learn the tricks of the trade from PDPA implementation, the IT Companies who are already aware of GDPR and other data protection laws will have another kind of difficulty namely “Unlearning the GDPR Concepts”.

Many of the concepts in PDPA could be different from GDPR, and those who are expecting it to be a clone of GDPR will find themselves erring on the wrong side when they think “Being compliant with GDPR is also being compliant with PDPA-India”.

The concept of Privacy By Design Policy, Registration with DPA, Mandatory Consent, the Sandbox system, the Section 37 exemption, the Adjudication system etc. may pose challenges of their own to those professionals and companies who cannot think beyond GDPR.

Lastly, the Indian Companies will try to act like a personal data hub and be required to be compliant with multiple laws simultaneously. In such a scenario, if they stick to ISO 27701 as a solution for compliance, they could find themselves wanting. They need to quickly get on board the PDPSI system (Personal Data Protection Standard of India) which is being drafted by FDPPI (Foundation of Data Protection Professionals in India).

These and other details are being discussed today at the PrivSec webinar at 3.15 pm (1st December 2020)


Attendance is by registration here.


The “Yes…But” game of the business houses on Data Protection Bill

When we discuss implementation of data protection particularly in a country like India, we often speak about the need to change the “Culture” and “Attitude”. Hence a lot of emphasis is placed on training, building awareness etc.

While there is no doubt that Indians by nature have a low priority for Privacy and often hold “Security” or even “Freedom of Expression” and “Right to Information” on a higher pedestal and are willing to sacrifice Privacy for Security or Free Speech or Information, there is also a need to flag that “Privacy Protection” is also not in the culture of the business organizations who are expected to be responsible for Privacy Protection.

Privacy is a human right concept and hence its protection is far away from the core business objectives. But today “Privacy Protection” is discussed only in the context of “Data Protection” since “Privacy” is sought to be protected through Data Protection since we follow the belief that the “Right to Privacy” can be guaranteed by “Protecting the Right to determine the use of personal information at the choice of the data principal”. Hence Privacy Protection is seen as “Data Protection” (More precisely the Personal Data Protection)

Data Protection has to be implemented by a Data Processing Company which is essentially a commercial organization that is answerable to its shareholders to make profit. For them, Data is a commodity, a raw material from which a profitable business proposition has to be constructed. Hence any data protection obligation is always a burden on the company and given an option every business entity would like to avoid data protection legislation, though it is not a good political statement to make.

Just as making a statement about the inequalities in our Constitution arising out of appeasement politics, or about corruption in the Judiciary, is considered politically incorrect, businesses consider that opposing data protection legislation is not politically correct, and hence all of them say they welcome the Data Protection Bill… but they say they have some suggestions here and there.

Recently these “Friendly Suggestions” have gone to the extent of suggesting that the “Personal Data Protection Bill” should be revised to make it a “Personal and Non Personal Data protection and Governance Bill”. While the statement is laudable, we know that the Kris Gopalakrishnan Committee report on Non Personal data governance is still to be fully analyzed and converted into a proposition of a Bill. On the other hand, the Personal Data Protection Bill has gone through the Srikrishna Committee, PDPA 2018, PDPA 2019, several rounds of public consultations and the JPC discussions. Hence the Personal Data Protection Bill is almost ready to be finalized. On the other hand, a Non Personal Data Governance Bill requires at least a year to develop. Non Personal Data Protection is anyway already available through Information Technology Act 2000/8.

The suggestion to include Non Personal Data Governance in the Personal Data Protection Bill is therefore a sinister design by the opponents of the Bill to delay the passage.

The conspiracy behind this suggestion which should be the handiwork of some business entities with the help of political opponents is evident because of the identical press reports appearing in different media.

We have already highlighted the report that appeared in livemint.com. Now we can look at the report in moneycontrol.com, which is a replica of the livemint report, indicating that there was a press release by some interested parties which has been faithfully reproduced by these publications. The report is categorical that the JPC is unanimous in its decision to revise the scope of the Bill.

The fact that this is fake news planted by vested interests is evident from the fact that JPC has now set up a  series of meetings on a daily basis to discuss the bill clause by clause and finalize it for presentation in the Parliament at the beginning of the Budget session.

The Economic Times today has reported that “JPC split over draft data privacy law, Govt Access” and also an interview with Mrs Meenakshi Lekhi who is the chairperson of the Joint Parliamentary Committee working on the finalization of the Bill.

The fact that any bill proposed by BJP will be opposed by Congress and TMC is well known and hence it is not surprising that the “JPC is split”. This article appears to be a balancing piece since Mrs Lekhi’s interview did not support the fake narrative that further consultations are required.

We may note that ET had just a couple of days back said that more consultations were required with the “Civil Society” since 90% of the discussions were with others. The argument reminded me of the proverbial Panchatantra story of the Monkey and the Cats quarrelling for a piece of Roti that once this side had more and the other time the other side was more. It is a clever suggestion but unfortunately there is no credibility for such stories.

What is more relevant are the observations of Mrs Lekhi, which clearly indicate that JPC is unlikely to delay the finalization of the Bill. The opposing views of the members, if any, will be documented and they may move amendments to the Bill in the Parliament when the Bill is tabled. Then the Parliament may accept or reject the amendments and pass the Bill.

The most contentious parts of the Bill could be

a) Whether Section 35 on exemptions from the provisions given to the Government agencies should be tinkered with or not

b) Whether Sections 33 and 34 on restrictions on transfer of data outside India should be changed or not

c) Associated with the Data Localization aspect, whether the definition of Sensitive Personal information should leave out financial information, etc.

It is obvious that the MNCs want to take out the data from India to their country so that they can squeeze the monetary value out of it to the extent possible. The way CIBIL was taken over by Trans Union and how NPCI is sought to be privatized indicate the surreptitious way in which the “Data Sovereignty” principle is being given a go-by as the vested interests lobby for favorable policies from the Government.

At present, the views of Mrs Lekhi as expressed in the ET article indicate that she is fully aware of the “Games People Play” and will see through the “Yes..But..” objections from the industry as well as the “Straight Criticisms” of the opposition political parties.

We can therefore expect that the PDPB is likely to be an Act soon and probably the Section 35 will be retained without a change and Section 33/34 may be made stronger to incorporate the Data Sovereignty principle. The suggestion of leaving out the financial information from the “Sensitive” character may also be dumped.

We may note that in the last few months, GDPR has adopted a strong Data Localization stance and there is no reason India should not maintain its own Data Localization stand. The Exemptions provided to Government under Section 35 are limited to the extent permitted by Article 19(2) and there will be a due process. PDPB is better equipped to handle Schrems II objections of the EUCJ than the US privacy shield, since the grievance redressal in PDPB is supported by an Adjudication and Appellate Tribunal, and also an exemption can be availed under Section 37 for data processed under GDPR contracts.

Indian law is therefore ready to meet the international expectations with confidence and despite the opposition from the local quarters, it is robust enough to be passed through.

Any law will have scope for improvements firstly through the regulations and later through amendments if necessary. Hence the time for waiting for further changes in the Bill as is being discussed now is past.

Let’s wait for the Bill to be passed into law soon.

Naavi


Beware of this Bal Aadhaar Phishing

There is an email in circulation about Bal Aadhaar which looks as follows:

The hyper link leads to a website www.yojanakhabar.com looking as follows:

The website is registered by an Arizona resident as indicated below:

This appears to be a “Phishing Website” and action is required to initiate a Cyber Crime complaint against the Registrant, who is assisted by the intermediary, the Registrar.

I have notified UIDAI and I expect they initiate action failing which there will be lack of due diligence from their side also.

It is in such cases that I am seriously against the “Privacy Protection” of domain name registrations supported as a system by ICANN.

It is time some Court declares that Privacy Protection of domain name registration information is against public policy. This should be a compulsory disclosure requirement for all domain name registrants.

The Indian Government can pass a notification under Section 79 of ITA 2000 to direct browser owners like Google or Microsoft to flag websites whose domain name registration information is not made public as a website of an “Unverified Owner”. Websites with a digital signature of the server obviously would be exempted from this, since the verification would be the responsibility of the server digital certificate issuing authority.

Naavi


First Objections, Next Suggestions and now change of goalpost… a conspiracy to delay PDPA?

“Person Who Knows”  (PWK)

“Nothing Personal about Data Protection Bill as JPC proposes to expand scope”… so says an article today in livemint.com

It is well known that there is a lobby of opponents to the PDPB and this media vehicle is part of such a lobby, which does not want the Personal Data Protection Bill 2019 to be passed.

The main force behind this opposition is the multinational companies who are opposed to the “Data Sovereignty” principle and any hurdles to their continued exploitation of the Indian Personal Data market. They have the power to influence not only the media but also a section of the professionals and political parties to delay the passage of the Bill as long as possible. These articles are a reflection of such a public relations exercise of creating a fake narration to mould amenable public opinion the way they want.

It is interesting to observe the sophisticated strategy used by these agencies to scuttle the Bill.

We can observe that initially there was opposition to the Bill, particularly the Data Localization aspect. This was in the PDPA 2018 version. When the Government buckled under the pressure of these MNCs and allowed free exploitation of personal data in the PDPB 2019 version, this objection became redundant. Then these attackers switched to complaining about “Excessive powers to the Government” and “Constitution of DPA by a committee of Secretaries”, and even roped in the support of Justice Srikrishna himself, who was unhappy that the CJI was not part of the DPA selection committee.

When JPC started hearing suggestions, some organizations tried to dilute the law by tinkering with the definition of “sensitive information”. They suggested that “Financial Information” should not be considered as “Sensitive” information so that no restrictions should apply for processing of financial information including transfer out of India. The Bill did not prevent transfer but only expected “Explicit consent” for such transfer and these opponents did not want even an “Explicit consent”.

The vested interests want financial information to be freed from restrictions so that they can continue to transfer financial information of Indian citizens abroad. If restrictions are placed, then “Data Laundering” like in the case of Trans Union silently taking over CIBIL with the connivance of the Banks would not have been possible. Even now, the privatization of the NPCI is recommended so that the entire UPI gateway can be spied upon.

The hypocrisy of these agencies who oppose PDPB being passed is clear when we consider that at this point of time GDPR is pursuing a “Data Localization” policy by arm-twisting the Data Exporters to obtain impossible assurances from the Data Importers of other countries, to the extent that the only credible solution for EU data transfer is to set up a data center in the EU itself. But these opponents do not have any objections to GDPR.

These opponents are typical “Pseudo Data Protection Proponents” who want India to give up all controls but are silent on GDPR trying to impose its colonial hegemony on India.

In this third wave of attack delaying the passing of the Bill, JPC was persuaded to listen to all business entities for their views. Much of the precious time of the JPC was wasted on listening to business lobbying rather than on how best to frame the law in comparison with GDPR or Singapore PDPA etc.

After these three waves of attack, it appears that a next wave of attacks is being planned represented by the above article in livemint.com.

If the story of livemint.com is true, it would mean that the JPC has been fully taken over by the “Delay Lobby” since the report suggests that

“The Personal Data Protection Bill is likely to undergo a complete transformation as the intent of the Bill is likely to get changed. Most of the members of JPC are of the view that the ambit of the Bill needs to be expanded and it cannot just be about personal data. JPC members are unanimous that PDP Bill should be about data and protection of data,”

This statement is attributed to a “Person in the know of development”…the mysterious and anonymous PWK.

The same person seems to also say

“JPC is unanimous in its decision that purpose of the Bill should be redefined and more clearly defined. Some members feel that earlier the Bill was a little vague and needed improvement. Now the focus is on data, not just personal but also non-personal, sensitive and critical data as well,”

It appears that these quotes are “Planted” to create confusion and continue the work of the lobby to delay the Bill and finally get it into a shape where it can be questioned in the Supreme Court as not in conformity with the Puttaswamy judgment. I do not think the JPC is “Unanimous”, though it may be the view of some opposition MPs who are supporting the vested business interests. The demand to invite more and more business entities to be interrogated in the JPC is also a conspiracy to delay the JPC activity, since the very objective of JPC is not to interrogate Facebook or Twitter etc. but to correct the clauses of the Bill.

The current suggestion to change the intent of the Bill is nothing but a conspiracy to get the Bill scuttled.

I suppose members of the Committee like the Chairperson Mrs Meenakshi Lekhi, Mr Tejasvi Surya, Mr Rajeev Chandrashekar and others recognize that this Bill is important for multiple reasons.

I would like to highlight that the passage of the Bill is already delayed beyond reasonable limits and the recent data breaches in Big Basket, Lupin, Dr Reddy Laboratories, Dr Lal Pathlabs or Breachcandy hospital indicate that the industry needs to be reined in as early as possible.

We should also appreciate that  it is a commitment of the Government of India to the Supreme Court that a robust privacy protection law would be passed in India at the earliest. But it is now 3 years since the Puttaswamy judgement and according to the mysterious  “PWK”, we are still not clear on what should be the focus of the Bill. He feels that this Bill should not be limited to the “Personal Data Protection” but include “Data Protection”.

Does PWK know that the Information Technology Act 2000 is already a legislation that provides for “Data Protection” of both Personal and Non Personal Data, and that we do not need another so-called “Non Personal Data Protection Act”?

Unfortunately some people are unable to understand the concept of “Anonymization” which is the wall that separates “Personal” data and “Non Personal” data and liberates the personal data from the need for protection and takes it to the realm of “Governance” where a regulation as suggested by the Kris Gopalakrishna Committee takes over to unlock the financial benefits. Many seem to confuse “Anonymization” with “De-identification” and hence feel that “Anonymous personal data” can be “De anonymized”. This concept is inherently wrong since “De-anonymisation” means a “Criminal re-discovery of identity parameters”. Just as any “Encryption” can be “Decrypted” by hackers using brute force or other methods, anonymisation may be de-anonymised but this is a crime that is required to be tackled separately and is being done in ITA 2000.

If we accept that the universe of “Data” contains “Personal Data” and “Non Personal Data” and “Non Personal Data” includes “Anonymized Personal Data”, then we have a clear role for three legislations namely PDPA for security of Personal Data, ITA 2000 for security of  Non personal data and Non Personal Data Governance Act (suggested by Kris Gopalakrishna committee) for the unlocking of financial benefits in the non personal data.

If “Non Personal Data Protection” requires to be strengthened we need to tinker with ITA 2000 and there is no need for any new Act. Even the often referred to “Cyber Security Act” is redundant and the planned objectives of such an act can be achieved through amendments to ITA 2000.

It would be interesting to know if this mysterious PWK can clarify why we need a separate law for “Non Personal Data” related Governance or Security instead of focussing on Personal Data Protection.

The Puttaswamy judgement wanted a law on protection of “Information Privacy”, and PDPB 2019, which is a follow-up of PDPB 2018 (notwithstanding some differences), tries to achieve this.

If the Government now tries to convert this into a “Data Protection Bill” which is not meant to protect “Privacy” of individuals but only protect “Data”, then there is every possibility that the Supreme Court may strike down the law as not in conformity with the Puttaswamy judgement. The JPC is being led into a trap to change the focus of the law from “Personal Data Protection” to something else, so that the same PWK can later argue in the Supreme Court that the Government abandoned the “Information Privacy” as suggested by the Supreme Court.

The JPC has to be careful because there is every indication that there are sympathizers to the “Delay PDPB Lobby” within the Government advisors as is evidenced by some earlier incidents.

We recall that some time back a shoddy note on “Encryption” was issued by some official in MeitY and was subsequently withdrawn, causing an embarrassment to the Government. (An enquiry was ordered on the incident, details of which never came out.)

Similarly, notifications under section 69 of ITA 2000 as well as the Intermediary Guidelines and the notification on the Crypto currency ban have all been issued and withdrawn, as if it is a game of one step forward and two steps backward.

There appears to be a clear conspiratorial strategy by vested interests in creating more embarrassments to the present Government since it lacks conviction and is easily swayed by the views of these lobbies.

The livemint report is indicative of a similar attempt. From all angles the suggestion to change the focus of the Bill appears to be a “Conspiracy” to scuttle the PDPB 2019. While other countries in the world are working on how to tackle the uncertainties in business arising out of the Schrems II judgement, these suggestions are driving India back instead of moving forward.

We may now expect in the next wave of friendly suggestions that

“it is not enough to change the focus of PDPB 2019 from Personal Data to Non Personal Data but make some amendments to the constitution itself so that under Article 21 we can add Privacy as a separate fundamental right rather than relying on the 9 member Supreme Court decision.”

This can effectively postpone the bill until the next Parliamentary election and BJP gaining the necessary majority for Constitutional amendment.

The motivation behind the planting of this story, with the insinuations reflected in the article, is indicated in the same report, which suggests that JPC is likely to hold three sittings in the near future to finalize the bill. This appears to have created panic amongst the camp that wants to scuttle the bill, which has prompted it to come up with this ridiculous fake plant.

I hope Mr Gyan Varma, to whom the article is credited, will reveal his anonymous source, namely the PWK who appears to be creating this “Fake Narration”.

Alternatively, I wish the JPC Chairperson would come forward and deny the report.

We are expecting that the Bill will be presented in the Parliament in February as confirmed by Mr Ravi Shankar Prasad during the Bengaluru Tech Summit 2020 and it will be passed into law in the coming session.

Naavi

(P.S: Some corrections were made to the earlier version of this article to provide better clarity)
