The COVID-19 lockdown has delayed the meetings of the JPC on PDPB 2019, giving room to speculation about whether the Government of India is developing cold feet on the passage of the bill, which would make it more accountable for some of its activities such as the use of the Aarogya Setu app.
We are aware that the MeitY has been in discussion with many business organizations, most of which are MNCs now exploiting the weak Indian data system and which do not want a law that could bring them into a greater legislative bind. From what has been seen in the submissions of NASSCOM and ASIFMA/SIFMA, there is a lobby that is working on dilution of the Bill. The Government has already given up on the Data Sovereignty concept by agreeing to allow free transfer of non-sensitive personal data across the borders and conditional transfer of even the sensitive personal information, despite the adverse impact of this move on law enforcement. Now, if we take the recommendations of NASSCOM and ASIFMA seriously, the Government may have to re-draft the Bill again, which means another round of public consultation and further delay.
It would be a tragedy if the JPC is used as an excuse to delay or permanently avoid the passage of the bill in its present form.
It may be noted that the ASIFMA submission directly challenges the sovereignty principle by suggesting that if the MNCs are already in compliance with GDPR, there should be no need for compliance with PDPA, as if to suggest that foreign laws still reign supreme in the Indian jurisdiction.
In the recent Kerala Government controversy against the US company Sprinklr, the so-called GDPR-compliant Sprinklr did not bat an eyelid before accepting the sensitive personal data of Indian citizens and processing it in the USA, knowing full well that this was not ethical if GDPR was a best practice standard. They did not bother to advise the Kerala Government, whose babus may not be aware of “Privacy Protection” and were under the pressure of the Corona crisis, that the information could easily be de-identified and pseudonymized before it was transferred to Sprinklr. They did not even bother to bring to the specific notice of the Kerala Government the fact that the Jurisdiction clause of the standard terms of service provided by Sprinklr required the Kerala Government to seek remedy in a New York Court.
Sprinklr was therefore irresponsible as a “Data Fiduciary” and only tried to take commercial advantage of the situation, either deliberately or because they were ignorant of the principles of Data Protection under GDPR or even of their liabilities under Sections 79 and 43A of the Information Technology Act 2000/8.
It is such organizations in the financial sector that ASIFMA is trying to represent in arguing for dilution of PDPA.
The JPC should therefore ignore such submissions and start finalizing the Act. If they still want to have meetings with experts, they should go for a Virtual Conference, for which Zoom as modified may itself be sufficient, or any other video conferencing tool which they consider more secure.
I therefore request the JPC to proceed with their discussions so that, before the lifting of the lockdown in the next 14 days, the final draft of the Bill is ready.