Control rather than privacy

The report of the Joint Committee on Personal Data Protection Bill raises more questions than it has resolved

In India, where the personal data of citizens is at the mercy of companies and the government and where there is no privacy law, the Puttaswamy judgment and the report of the Justice BN Srikrishna Committee, which led to the Personal Data Protection Bill of 2019, came as a ray of hope. But the joint committee's report on the Bill has failed to provide for a strong draft law ensuring the privacy of citizens. Instead, it has designed an architecture for a monitoring state.

Infallibility of the state

Under the Constitution, fundamental rights are enforced against the state and its instruments and not against private bodies. The Puttaswamy judgment holds that the right to privacy is a fundamental right. However, the report divides the digital world into two domains, government and private, and is based on the assumption that the question of the right to privacy arises only where the operations and activities of private entities are concerned. Clause 12 of the Bill provides exemptions for the government and government agencies, and section 35 exempts government agencies from the entire Act itself. Clause 12, which says personal data may be processed without consent for the performance of any function of the state, is an umbrella clause that does not specify which ministries or departments will be covered. In addition, the Bill states, “loss includes any observation or monitoring that is not reasonably expected by the data principal”. This means that if you install any software on your computer and the software violates the principle of privacy and data is leaked, the complaint of the data principal will not be legally valid, as the defense would be that ‘once you have installed the software, you should reasonably expect this level of monitoring’. The government can use these provisions as a means of control and monitoring.

If transitional time can be given to private entities to comply with the Act, why should it not be extended to government entities? Why should they be given full exemption instead? The committee has failed to provide formidable firewalls to protect the privacy of individuals and has also devised a mechanism for government control over personal data. The provisions are outside the jurisdiction of decisions on privacy.

For compliance with the provisions of the Act, a Data Protection Authority (DPA) should be appointed. The Bill explains in detail the functions and duties of the DPA. It is doubtful whether a single authority would be able to perform so many tasks efficiently. The terms and conditions of appointment to the DPA are also a matter of concern. Contrary to the Justice Srikrishna Committee report, which provided for judicial oversight in appointments to the DPA, the Bill delegates the responsibility for appointments to the executive. Although the report expanded the committee, the power to appoint panelists rests with the central government. To ensure the protection of the fundamental rights of citizens, it is necessary that the authority entrusted with this responsibility act independently. Clause 86 says, “The Authority shall be bound by the directions of the Central Government in all matters and not merely on questions of policy”. This obliges the DPA to follow the orders of the government. It undermines the DPA's independence and gives excessive control to the government. Furthermore, the appointment of the authority violates the principle of federalism. There is internal data flow, and states are the major stakeholders in this process. Even though the proposed central authority issues directions allowing processing of data on a ‘public order’ basis, it is important to note that ‘public order’ is an entry in the state list. If the essence of the law pertains to the state, it should be supervised by a state data protection authority.

Economic cost of non-personal data

One of the objectives of the bill is to promote the digital economy. But by including non-personal data under the ambit of the Bill, the joint committee has placed a heavy compliance burden on the economy. This will hit the MSME sector and small businesses hard as the technical processes associated with data-sharing are very costly. The government-constituted panel headed by S Gopalakrishnan also opposed the idea of including non-personal data in the bill. It is estimated that mandatory data localization will squeeze the economy by 0.7-1.7%. This could invite similar measures by other sovereign countries that would impede the smooth cross-border flow of data.

The report has raised more questions than it has solved. In its current incarnation, the Bill is more about surveillance and control than privacy. At the time of passage of the bill, the loopholes should be plugged so that India can have a strong data protection law.

Jaiveer Shergill is a Supreme Court lawyer and National Spokesperson of the Indian National Congress.
