Indian citizens were affected by several serious data breaches in the past year, in which their personally identifiable data, including names, addresses and bank account numbers, was publicly accessible.
Over 3.94 lakh cyber-security incidents were reported in 2019, according to information tracked by the Computer Emergency Response Team-India (CERT-In).
What is most alarming is the fact that the security breaches involved 48 websites of central and state governments.
And these were not isolated incidents.
Startups like OYO, Vedantu and Nykaa, among many others, also fell victim to hacking, exposing their users' data.
While the government has claimed to issue alerts and advisories regarding the data breach incidents, there is still no law in place to safeguard consumers' data and protect their privacy.
After the Supreme Court expressed concerns over the breach of citizens' right to privacy, a government-formed committee drafted a Personal Data Protection Bill in 2018.
In December, the revised version of the bill - The Personal Data Protection Bill, 2019 - which will have an impact on how businesses collect data and the rights that users have over the data, was introduced in parliament by IT Minister Ravi Shankar Prasad.
Currently, the legislation is at the draft stage and is being examined by a 30-member Joint Parliamentary Committee (JPC), which has invited comments from stakeholders by February 25. The JPC is expected to present the bill to the Lok Sabha by the last week of the Budget Session.
When we compared the recommendations in the revised bill with those in the previous one, we found multiple concerns, including ones related to privacy and surveillance.
Surveillance fears
The Bill presented in the parliament overlooks the original draft submitted by the Justice Srikrishna-led panel in 2018 which had said that no data should be collected by the government until it was authorised by law.
Personal data can be processed without consent for medical, security and natural emergencies, employment-related purposes and other reasonable purposes.
"There is a very wide exemption given to government agencies for surveillance activities that require access to and processing of personal data. The exemption is two-fold: any agency can be exempted for this purpose, and these agencies can be exempted from any or all provisions of the Bill," said Smitha K Prasad, associate director at the Centre for Communication Governance at National Law University Delhi.
The government can also collect data of users without much restraint and use this data in opaque ways.
"There is no requirement for data to be processed securely, processed for limited purposes, or deleted after the intended use is completed," Prasad added.
Besides, the Bill does not adhere to the Supreme Court's ruling on the right to privacy in the Puttaswamy judgement, which mandates that the government and authorities declare specific objectives for gathering or collecting personal data.
"The Bill dilutes individuals' control over their data by allowing the government to exempt any of its agencies from any or all the provisions of the Bill," said Sreenidhi Srinivasan, senior associate at Ikigai Law, a technology-focused law firm.
The recent Pegasus-WhatsApp interception scandal can be taken as an example of this. Under the proposed Bill, the government could empower a security agency, such as the NSA, to undertake such an operation without contravening any laws.
No judicial member in the DPA committee
The Data Protection Authority (DPA) team mainly comprises secretaries from the Cabinet, the Department of Legal Affairs and MeitY.
This raises a major concern about the DPA being independent of the government.
“The current Bill is bereft of diversity in the composition of the Selection Committee. It will make the entire committee and appointment process very government centred. It carries the risk that the persons who are appointed as DPAs will again be people who will be predisposed towards the government’s interest. Given that the government is a large data protector, which will also be regulated by the provisions of the bill, it may raise issues of conflict of interest and institutional bias,” said Apar Gupta, advocate and executive director of Internet Freedom Foundation.
Impact on Companies
The Bill, if implemented in its current form, will have a three-fold impact on companies.
"It will bring up a level of legal compliance which did not exist earlier for the companies, thereby requiring companies, whenever they gather data of users, to place clear notices to users on what data is being collected and what purpose it will be put towards," said Gupta.
Businesses will have to revamp their data handling practices.
"To be data bill compliant, companies will need to allocate budgets and prepare for compliance starting now," added Srinivasan.
With regard to how companies use the data they collect, some companies can be exempted by the government.
"Some companies may be permitted by the DPA to go beyond the intended use and purpose for which consent was sought when personal data was gathered and devise more innovative uses of personal data," added Gupta.
The Bill also does not provide an indicative timeline for compliance.
Inclusion of non-personal data
The Bill further does not offer any explanation for the inclusion of non-personal data. As per the new Bill, the government can ask any company to give it anonymised personal or non-personal data for policy formation and better delivery of services.
“This is a dangerous provision which can allow the government to come in and ask companies to turn over all data they hold, reasoning that they require it for public interest or surveillance,” said Gupta.
Last month, Justice Srikrishna also argued against the inclusion of the clause, saying that including non-personal data in the Bill is dangerous, as it needs to be covered under a separate law.
Non-personal data includes any data other than personal data, such as weather data, e-commerce shopping data, and traffic and food delivery data, among many others.
Restrictions on cross-border data
The Bill puts restrictions on the transfer of sensitive and critical personal data, not all personal data.
"The Bill also makes things more difficult for a company as it will have to obtain approval of the DPA for cross border transfer of data. This could prove to be detrimental to India's vision of improving the ease of doing business," said Prasad.
According to industry observers who have seen the Bill, the compliance requirements around storage and collection restrictions will also make things difficult for startups that want to build their business around data.
Besides, there is no provision that allows sufficient time to implement the important changes required under the Bill.
Kazim Rizvi, the founder of The Dialogue, a New Delhi-based independent think-tank, has been organising discussions around the issues arising out of the Bill and has also appealed for the drafting of a comprehensive bill.
“We need proper rules, regulations and more large-scale reforms to ensure that citizens are not targeted and that privacy is not infringed on in an unconstitutional manner. The government must come up with a comprehensive set of laws which take into account the interest of Indian startups as well as the Indian tech industry,” he said.
As the Data Protection Bill, 2019 nears a finalised version, we now wait to see whether the JPC takes a close look at the draft and addresses some of the concerns raised.