After it introduced a Personal Data Protection Bill in December 2019 to protect people’s personal data, India said it would set up a data protection authority to do the job.
At the time, some of the initial concerns around it – including an increase in the cost of doing business as well as pushback on a clause that empowered the government to ask a company to hand over its data, anonymised, for policy-planning purposes – were well publicised.
Soon after, the bill was referred to a joint parliamentary committee, with members from across the political spectrum, to analyse it and suggest modifications based on concerns raised by different stakeholders, including government agencies, businesses, activists and data security experts.
The committee, after many delays, tabled a report in Parliament in mid-December with suggestions on how to tweak the bill. And the battle lines have already been drawn.
What is the biggest change the committee has proposed?
Among the 56 amendments suggested, probably the most significant is a proposal to include non-personal as well as personal data, increasing the scope of the bill substantially and, as a result, changing its name to Data Protection Bill, 2021.
The bill lists about six categories to define personal data, including an individual’s name, mobile number, biometrics – anything that can identify a person. Any information beyond this, which cannot identify an individual, is considered non-personal.
In our technology-dependent world, there is no shortage of non-personal data being generated every minute of every day, from online searches an individual makes to map directions a commuter pulls up to the number of users of an app in an area, or the number of people commuting between two destinations.
This is the first time the legislature of any country has tried to regulate such information, Salman Waris, partner at TechLegis Advocates & Solicitors in New Delhi, tells Al Jazeera. In other words, the government wants to treat non-personal data as a community resource it can monetise in the form of licensing its use, similar to the telecom spectrum, he adds.
And this could have a “massive impact” on businesses that capitalise on this data now that its use can be regulated, says Waris, and they are likely to contest this provision.
What are some of the other areas of concern?
The committee has given the government broader powers to exempt its agencies from the rules on grounds as wide-ranging as national security, public order, sovereignty and integrity of India, and friendly relations with foreign states, among others.
The blanket exemption has taken “the punch away from the legislation”, says Waris, turning it into “a legislation directed at the private sector, making two parallel regimes”.
This also goes in the face of Indian citizens’ right to privacy, a fundamental right that came on the back of a 2016 ruling by the country’s top court, warns Waris.
The bill further adds that while companies have to inform the regulator of data breaches, they are not compelled to inform the person whose data has been breached. Companies, loath to admit weaknesses in their system, can hardly be counted upon to volunteer that information. “How is the user, whose data may have been leaked, supposed to fix that if [she] has no idea that happened?” says Waris, calling the whole exercise “self-contradictory”.
The bill also targets social media platforms and suggests designating them “publishers” instead of intermediaries. A publisher is held accountable for all content published on its platform and does not get the safe harbour protections intermediaries have, under which they are not liable for content posted by their users. The move can have a serious effect on free speech as it may encourage social media platforms like Facebook and Twitter to actively censor content to avoid legal trouble, experts warn.
Did they get anything right?
The amended bill has introduced a sunset clause under which the new rules will kick in two years after the bill is signed into law, giving companies time to prepare, a useful change from the past when the rules applied immediately.
The bill also says that data of minors – those under the age of 18 – can be processed only in certain circumstances and with parental permission. Not all stakeholders are pleased with the committee keeping this rule, which is vastly different from the United States where parental consent is only needed for those under 13.
Moreover, the fact that India, a data hub thanks to its information technology services sector and call centres, is finally planning a data protection bill is a big step. It will help the country get the stamp of being a “data secure” nation from the European Union, reducing compliance measures for Indian companies doing business there, Waris says.
What are the next steps?
The Data Protection Bill could be accepted as is or amended further by the Ministry of Electronics and Information Technology, which will eventually table it in parliament.
It needs to pass both houses before it becomes law but, given that the ruling Bharatiya Janata Party has the majority in both houses, that is not expected to be difficult – in spite of some opposition members of the committee issuing dissenting notes objecting to some, or all, of the bill.
That said, it is only a matter of time before we see legal challenges to the bill, which will determine its final form when it comes into effect.