“So again we just hope that it is sort of, I mean, it is going to be constitutionally tested and let’s hope that there the judiciary is able to its job and somewhere it takes in the concerns of the general public,” Ritesh Pandey, Member of Parliament, said while giving the keynote address at MediaNama’s Decoding India’s Data Protection Bill 2021 discussion last week.
In his address Pandey said that he expects the DPB to be legally challenged, he also touched upon aspects of the bill he believed were still problematic, his expectation for the future of the data protection regime, and more.
The Joint Parliamentary Committee’s (JPC) report on the DPB contained a dissent note from Pandey which he further elaborated on in his keynote address. The report, which contains clauses related to the use and processing of data by private and government bodies, safeguards in case of breaches, etc., could significantly shape the final iteration of India’s Data Protection Act which would have wide-ranging impacts on individuals rights, functioning of private companies, government projects and more.
MediaNama’s discussion on the Data Protection Bill 2021 was organised with support from Google, Flipkart, Meta and Star India, and in partnership with ADIF. To support a MediaNama discussion, please let us know here.
Independence of the DPA paramount for welfare
A selection committee comprising the cabinet secretary, attorney general, MeitY secretary, Secretary of the Department or Ministry of legal affairs will appoint the DPA and its members. A director of an IIM, IIT, and an independent expert will also be nominated to this committee, according to the Bill.
“Restricting interference of the executive in the operation of the DPA is of paramount importance of the welfare of data principle,” Pandey said, saying that the executive is one of the largest data fiduciaries in the country a DPA has to govern. According to him, checking the undue influence of any parties, including the central government, was key to ensure the Indian technology industry’s growth as well.
Recommendation: The Cabinet Secretary, a Supreme Court Judge, and an Industry and academic expert should be a part of the selection committee appointing the members and chairperson of the DPA, Pandey said referring to his dissent note in the JPC’s report. Further, the two experts should be confirmed by Parliament as well.
State-level DPA can let States get competitive
The Bill lays down that a DPA formed by the Union government, with a seal, perpetual succession and the ability to hold, seal or dispose off property.
State-level DPA’s could empower the states to create regulations as per their suitability to attract businesses and earn revenue, Pandey said. Talking about his interaction with State bureaucracy, he further said that:
“When I was in Bangalore…it was sort of mentioned by the state bureaucracy there, about how much of their revenues are dependent on these IT companies and how they would want, you know to give them a lot of space to do their business and not have a lot of regulations for them to compete and to survive and move forward,” Pandey said, adding that Bangalore was not just competing with a Maharashtra or UP but the Silicon Valley.
Recommendation: A State-level DPA could make the data protection regime work in a better way, according to Pandey. Further he said that it would also reduce the burden of complaints on DPAs and make it easier for principals to file complaints.
Age of consent in bill problematic
“Every data fiduciary shall process personal data of a child in such manner that protects the rights of the child” and “the data fiduciary shall, before processing of any personal data of a child, verify his age and obtain the consent of his parent or guardian, in such manner as may be specified by regulations,” the Bill states.
According to Pandey the current provision of the bill regarding the age of consent was problematic for the following reasons:
- Access for women: While children from an educated, upper-class household could likely have good access to internet, with the chance to get meaninful consent (from their parents, as laid out in the bill) in rural areas young women have to go online in secret because of stigma around it, Pandey said. Further, such households also often share smartphones with young women being given the least access.
- Developmental psychology: A child at the age of 6 or 7 is not the same at 14, Pandey argued.
Recommendation: 14 years should be the age of consent.
Need safeguards for protection of children’s data
The bill bars fiduciaries from profiling, tracking, or behavioural monitoring, or targeting advertisments at children. They also cannot undertake any other processing of personal data that can cause ‘significant harm to the child’
The considerations around parity of digitisation and consent should be balanced with more security for children’s data, according to Pandey. This is because, he says that even after the enactment of the bill there may be parents who would not be aware of consent and thus there need to be measures to secure children’s data.
Recommendation: While pushing for safeguards, Pandey said the restrictions for processing of data by guardian data fiduciaries should operate from a ‘standard of reasonableness’ than a ‘restrictive standard of prevention of harm’.
Section 35 hands government a cop-out
Under Sec. 35, the Central Government has the power to exempt any government agency from all or any of the provisions of the Data Protection Act for various reasons.
According to Pandey, this essentially hands the government a cop-out. Further, in the abscence of safeguards as laid down under
“The Srikrishna report (had) recognised that unfettered access to personal data by the state without adherence to establish safeguards such as necessity and proportionality is potentially unconstitutional,”he said.
Recommendation: Pandey hoped that a full judicial scrutiny could add checks and balances to this.
Other comments on the bill
Verification of users impinges on privacy: In response to a quesiton on whether the requirement for social media intermediaries to withwe verify users or lose their safety from third-party content liability is an infringement of their privacy as it collects IDs, Pandey agreed.
He said that the clause came up as committee members had had their own experiences of people posting information about them and they wanted to curb hate by keeping people accountable for what they say.
“There were examples like you can’t go and suddenly abuse and call somebody names and even harass women out on the street and get away with it. Whereas on the web you can sort of because nobody can trace you down for the say and especially on these social media platforms and everything and it takes….even though there are legislations in place it just takes way too much time,” Pandey said.
Bill must be compatible with international regimes: Pandey said the following 4 parts of the DPB, challenge its adequacy for allowing cross border data flow:
- “Clause 35, which gives blanket exception to the Central Government
- Clause 37, which allows the Central Government to give exemptions to certain data fiduciary that’s outside of India
- Clause 50, which curtails the independence of DPA
- Clause 19 which perplexing mandates for data fiduciaries to share anonymized data with the Central Government”
According to him this compatibility is important to also encourage foreign investment in the technology sector.
JPC chairman believes dissent notes politically motivated
In an interview with MediaNama, P.P. Chaudhary a Lok Sabha MP and the chairperson of the JPC on the DPB between July and December 2021 said that he believes the dissent notes on jpc’s report were politically motivated.
“And I would not like to say is whether the member is competent but to my mind these are not the D-I-S-S-E-N-T note, these are D-E-C-E-N-T notes. So I term these as they, if you remove the political outcome, then basically they are not dissent notes but decent notes,” he said during the interview.
Atleast seven dissent notes were submitted by members against the committee’s report on the bill. These were by Congress MP’s Gaurav Gogoi, Jairam Ramesh, Manish Tewari, and TMC MP’s Mahua Moitra, Derek Obrien and others. Objections in the notes ranged from those against the provisions of the bill to those against the functioning of the JPC’s deliberations.
- Data Protection Bill: Financial data, non-personal data and algorithmic transparency should be regulated separately #NAMA
- Data Protection Bill: Lower age of consent, limit data portability, strengthen data breach rules, and introduce more grounds for processing data #NAMA
- A Complete Guide To The Data Protection Bill, 2021
- Data Protection Bill 2021: How Data Fiduciaries Must Handle The Personal Data Of Children
- Data Protection Bill 2021: What Is The Protocol When Data Breaches Occur In India?
- Data Protection Bill 2021: What Are The Obligations Of Data Fiduciaries?