Exemptions in national interest must not extend to all provisions of the Personal Data Protection Bill, 2019, and must be granted by law rather than through executive orders, Observer Research Foundation (ORF) said in its submission to the Joint Parliamentary Committee. As per the submission, Section 42 of the 2018 Bill is a good point of reference as it made necessity and proportionality necessary conditions for exempted processing, thereby conforming to the 4-step test laid down in the Puttaswamy judgement. ORF also recommended that exempted government agencies must still be obliged to carry out “fair and reasonable processing”.
Inclusion of non-personal data in the Bill (under Section 91) has also been called “premature” in the submission as MEITY has constituted a committee of experts to come up with a “data governance framework” to focus on non-personal data. Without more provisions within this Bill and legislations in other fields, Section 91 “is unlikely to serve the stated objective of supporting public service functions”.
Check sweeping exemptions for government agencies
- Prevent information overload by employing employ judicial, executive and technological safeguards to prevent information overload. For instance, ORF cites research on US’ National Security Agency’s surveillance of phone metadata programme that reveals the programme’s “little discernible impact on preventing terrorism” and “disproportionate” drain on the agency’s resources. ORF also said that storing too much sensitive personal data makes agencies vulnerable to cyber attacks.
- Include independent oversight mechanisms within Section 35 itself instead of relying on executive orders for “better accountability and national security outcomes”. Investigations and oversight committee could be set up within the DPA itself. Public audits and mandatory submission of annual reports to Parliament are also necessary for oversight.
- Incorporate procedural safeguards within the Bill, or allow DPA to notify the procedure for granting exemptions.
- Narrowly define terms such as “sovereignty”, “integrity”, “state security”, “international relations” and “public order”, or the Bill would fail the standards laid down in the Puttaswamy judgement. ORF cited Baijayant Panda’s Private Member’s Bill introduced in 2017 that listed 5 grounds under which right to privacy could be curtailed, and Manish Tiwari’s Intelligence Services (Powers and Regulations) Bill, 2011, that listed 8 conditions to ascertain threats to national security as examples.
- Empower DPA: Powers to prevent misuse of personal data, and to specify codes of good data protection practices should rest with the DPA, not the central government.
Non-Personal Data needs more clarity
- Define grounds for access to non-personal data along with legislative standards because most businesses store mixed data sets, that is, they contain both perosnal and non-personal data, that are accorded differential protection depending on how they were collected. The industry, civil society and government must harmonise definitions of non-personal data to ease up data sharing mechanisms without undermining privacy rights.
- DPA must prescribe standards for anonymisation and penalties for breach, on the basis of type of data and level of risk, before state is given access to non-personal data.
- Include safeguards against secondary use of non-personal data or the law would not meet global adequacy standards which could result in limited cross-border data transfers to India, as per ORF.
- Conduct social impact assessment or ethics audit of data and check for biases before using it for public policy reasons.
- Establish regimes for data sharing between multiple stakeholders that consider impact on competition, intellectual property rights and cyber security. Under the Intellectual Property Rights regime, formalising ownership structures to assert control over data will be crucial. ORF cited EU’s 4 alternative models for sharing data between private sector and the government: “standardising data sharing contracts; data donorship models, similar to Corporate Social Responsibility (CSR) obligations; new intermediary institutions, such as data trusts; and regulatory models for public interest reasons in the fields of healthcare, finance, among others”.
Read all the other submissions made to the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019, here.
Disclosure: Nikhil Pahwa, Founder and Editor of MediaNama, was a part of the round table discussion hosted by ORF on the basis of which it made its submission.