JOIN USData Bill offers blanket exemptions to State, its agents, says Derek O'Brien
The Personal Data Protection Bill, 2019 has attracted a lot of attention and public interest. A Joint Committee of Parliament was set up to scrutinise it and it has submitted its report. Seven MPs submitted dissent notes to the report. One of them, Trinamool’s Parliamentary Party Leader in Rajya Sabha Derek O’Brien spoke to DH’s Shemin Joy on the proposed legislation.
Has the Bill been improved by the Joint Committee, which has MPs from Lok Sabha and Rajya Sabha as well as from different parties?
The Joint Parliamentary Committee on Personal Data Protection on November 22, 2021, adopted its report, on which it had been deliberating since 2019. The committee chose to retain some highly controversial clauses of the 2019 bill, which provide the government with unbridled and sweeping powers. As many as seven of the 30 members of the panel, including Trinamool Congress Lok Sabha MP Mahua Moitra and me, expressed formal dissent to the final report of the Committee. But more than the provisions themselves, it’s the functioning of the Committee that’s concerning. The Committee held multiple in-person consultations during a pandemic year, making it difficult for those outside Delhi to attend panel meetings.
Also read: Changes needed to ensure robust privacy law
One of the concerns was Clause 35. Does it undermine the bill?
Clause 35 exempts any agency within the Centre from all or any requirements of the law in the name of “sovereignty,” “friendly relations with other governments,” and “State security.” The Bill provides for these exemptions without proper safeguards. The Committee failed to act on the concerns raised and amendments moved by the members to rectify the shortcomings of this clause. The Bill aims to offer blanket exemptions to the State and its agents, either in perpetuity or for a limited length of time. Thus, it is in violation of the Fundamental Right to Privacy as established by the Supreme Court of India’s nine-judge panel in Puttaswamy (2017). It also establishes two parallel universes: one for the private sector, where it would be applied strictly, and one for the government, where it is replete with exemptions, carve outs, and escape clauses.
Is the bill giving an upper hand for the government in deciding which of its organisations should be under the ambit of the Bill?
A Data Protection Authority (DPA) that is constituted by the Central government makes it an extension of the government. For instance, the selection process for members and chairperson of the DPA has heavy involvement of the Central government under Clause 42. This makes the whole process of grievance redressal opaque. The bill gives the government overreaching powers over the Data Protection Committee. This severely affects the autonomous functioning of the DPA. An independent body of non-State actors is more likely to be an objective body. Some important questions that the Committee has left unaddressed are: who will the Central government appointed members of the Data Protection Authority be? On what parameters will they be selected? How will their autonomy be ensured?
Also read: Personal data bill and dissent
Concerns are raised over possible misuse. Do the provisions in the bill drafted by the committee lead to misuse?
Some recommendations by the committee are definitely problematic and the members have expressed their dissent to this. The effect of the bill and some of the recommendations of the Committee is such that in many cases the government can act as a judge in its own cause, given the amount of control they exercise over the Data Protection Authority. The bill gives unqualified powers to the government and fails to incorporate adequate safeguards. The Committee recognises that privacy is a fundamental right and must be treated as absolute in that regard. However, the bill fails to incorporate the same.
Should non-personal data be part of the bill?
One of the core concerns we raised in the committee was regarding the inclusion of non-personal data within the scope of the Personal Data Protection Bill 2019. While it is important that non-personal data also be regulated, it should not be a part of this Bill. Non-personal data is outside the scope of the current bill. Being a highly technical area to govern and regulate, non-personal data warrants a separate framework. In fact, a separate expert committee was set up for this purpose headed by Kris Gopalakrisnan.
That Committee has submitted its report. Now it is on the government to follow the proper legislative procedure for drafting a legislation for the regulation of non-personal data. The ambit of the Personal Data Protection Bill 2019 and the jurisdiction of the Data Protection Authority become unduly wide by the inclusion of Non-Personal Data. The Personal Data Protection Bill 2019 has hastily added in non-personal data without fully understanding the technological ramifications. I do not support this.