Looking at some of the criticisms that have been made of PDPA2019, one cannot but feel that the experts in India appear to be easily swayed towards taking a negative viewpoint on whatever the Government does. While the politicians have made it a habit to mislead the public and create a ruckus, whether it is Article 370 or the Citizen Act Amendment, it is sad that this tendency is also seen in the criticism of a law like PDPA, which should be seen more as a professional challenge.
We must recognize that drafting a Data Protection Law is a big challenge since this law tries to protect “Privacy” through “Protecting Personal Information”. “Privacy” itself is an enigma defying precise definition since it is a “State of Mind” of an individual and a “Feeling to be left alone”. This state of mind is uncertain and dynamic and changes in time for a given individual and for different individuals. The law is expected to protect this enigmatic concept in aggregation across the population. Hence satisfying every individual is not feasible.
Some individuals are highly concerned and secretive about themselves and some others are paranoid about security and suspect every person they see as a potential terrorist. Hence “Privacy Protection” of one is in conflict with the “Security Expectation” of another. Hence the Government has to balance the two differing views in the legislation.
Similarly, business is a stakeholder in the legislation since “Data” is a valuable “Asset” from which several businesses can be generated.
Hence the legislation cannot pursue a myopic view of a “Privacy Activist” alone and has to reflect the views of a person who considers “Right to Security” as a fundamental right as much as the “Right to Privacy” and expects the Government to fulfill its duty in this regard.
Justice Srikrishna's criticism, including that on Section 35, has to be seen in this context. In my opinion the section confines itself to what Article 19(2) of the Constitution provides as possible exceptions to a fundamental right, and even here restricts the provision only to Security of State, Friendly relations with foreign states and Public order, leaving out other issues like defamation, contempt of court etc. The provision should therefore be seen as a necessary and enabling provision as well as an international obligation. Branding it as “Creating an Orwellian State” is an exaggeration that should be avoided.
Similarly, going by the report of the Hindu, there is also severe criticism that the DPA may be constituted with Government Secretaries. This also seems to be only speculation, since the change made from the previous draft is only in the constitution of the committee that selects the DPA members and not the DPA itself. Now a committee of Secretaries will select the appropriate persons, who need to have at least 10 years of experience in Data Protection. Such experienced persons are not in Government and hence Government secretaries cannot be appointed for this post. Also there is an age limit of 65, which rules out most retired bureaucrats. There are only a few persons in the industry who meet these criteria since the concept of Privacy itself is new in India.
We sincerely hope that the Government will not look at any imported professionals from abroad because experience relevant for the purpose could be available abroad more easily in EU and US than in India. But the “Data Sovereignty” concern should prevent this.
It is possible that the selection committee may not clearly distinguish between experience in “Privacy Protection through Information Privacy Protection” and “Information Security” and end up picking experienced CISOs as members of the DPA. This, if it happens, would reflect the ignorance of the selection panel rather than any lacuna in the law as drafted now.
Some might have been displeased that the CJI is not part of the selection panel, and hence the criticism that the DPA may be constituted with Government secretaries. We must realize that any committee of which the CJI is a part has a timeline for decision making which is not good enough to identify and appoint the members in the near future. The present constitution of the committee will ensure that the DPA will see the light of day within the next few months instead of being postponed indefinitely.
We have not forgotten that the Cyber Appellate Tribunal was kept defunct for 7 years at the expense of cyber crime victims because the CJI and the Ministry could not identify a proper candidate for the Chairmanship between 2011 and 2018 until the tribunal was merged with TDSAT. The present move of the Government is therefore justified to avoid delays.
Beyond such criticisms, nobody seems to appreciate the positive features in the Bill. If critics put across both the positive and negative features of the Bill, their words would carry better weight.
In this context we must recognize the following features that need special mention:
- Bill defines the role of the Data Principal and Data Fiduciary as an elevated trustee relationship instead of the mere “Master-Servant” relationship of a Data Subject and Data Controller. Though Section 4 of the Act has been modified by the new Bill, the retention of the words “Data Fiduciary” and “Data Principal” is significant. (Credit for this goes to Justice Srikrishna)
- Bill identifies a role for a “Consent manager” who will be a Fiduciary with a limited objective.
- Bill recognizes the needs of Start ups to be free from stringent regulations during their test phase and recommends a “Sandbox” for their operations.
- Bill recognizes the needs of Indian BPOs who process only personal data of foreign citizens and provides a specific exemption.
- Bill recognizes the role of Social Intermediaries and brings them under the category of Significant data fiduciaries.
- Bill recognizes the role of Guardian Fiduciaries in the form of websites serving content for children which can be misused.
- Bill recognizes the concept of “Measurable Compliance Standard” by a concept of a “Data Trust Score” and mandates its disclosure.
- Bill has reduced the criminal offences to just “Re-identification” and therefore removed the dangers inherent in the earlier draft.
- The concept of annual data audit by an external auditor is also a novel concept.
- Concept of a responsibility for grievance redressal is also welcome.
Though there are a few typographical errors and minor corrections which can be made, overall it is not fair to demonize the new version of the Bill.
In fact I was pleasantly surprised to hear a discussion about this Bill in the US which highlighted several of the above novel features. A link to this discussion is provided below.
It is unfortunate that we in India do not have a positive attitude to recognize the positive features of the Bill.
The Indian Bill has decided to place a lot of responsibilities with the DPA, and most of the concerns we are seeing now are premature speculations that the DPA will not do its job. I think we need to look optimistically at the constitution of the DPA before the next round of criticisms, if any.
One thing we can suggest is that the Government should put up the list of prospective candidates to be selected to the DPA in the public domain and enable a background verification with public participation so that only the most elite of the Data Protection experts get into this key board.