The Indian government has always found some reason or the other to need full control and unbridled access to citizen data. And if the draft data protection bill did little to reign in the government’s sweeping grab for this data, a Parliamentary committee that was tasked with deliberating upon the bill has barely scratched the surface.
The Joint Parliamentary Committee (JPC) that had been studying the Personal Data Protection Bill, 2019 for two years, recently adopted its final report with a set of recommendations to the bill after consulting with various stakeholders from the government and industry. The report will be presented in the upcoming Winter session of Parliament.
The crux of the matter is simple. Going into the hands of the JPC, the data protection bill had some contentious clauses that exempted the government from key provisions in the bill. ‘National security’ was the catch all reason given for most cases.
The JPC was expected to be the nadir. But far from providing the appraisal and checks that were demanded, it has adopted a report that kowtows to the government viewpoint unflinchingly, a member of the committee that Entrackr spoke to said, on condition of anonymity.
However, at least seven MPs of the total 30 members of the committee have filed formal dissent notes against some of the final recommendations in the committee’s report.
Earlier this month, Entrackr had exclusively reported on some of the recommendations made in the committee’s report.
Minor, vague recommendations
At heart are three contentious proposals of the data protection bill. First is clause 35, which allows the government and its agencies to gain blanket exemptions from complying with any and all provisions of the bill for purposes of “security of the state”, “friendly relations with foreign states” and “public order”.
To that end, the JPC’s report, led by BJP-MP PP Chaudhary, says that there is precedent for allowing the government such exceptions, but limits the government’s actions to a “just, fair, reasonable and proportionate procedure”.
“While there is some sort of limitation, the way the [JPC’s] recommendation is worded gives the entire process a sense of vagueness. Exemptions should be an aberration, not the norm,” said another member of the committee, requesting anonymity.
Congress MP Jairam Ramesh in his formal dissent note revealed that he had pitched for increased legislative control over the government’s exemptions. He had suggested that the government would have to “get Parliamentary approval for exempting any of its agencies from the purview of the law”. His suggestion was not taken up in the final version of the report.
Clause 35, in fact, was severely criticised by Justice BN Srikrishna, who had chaired the drafting of the first version of the data protection bill in 2018.
Surveillance over consent
Second is the absence of any meaningful surveillance reform in the bill. In particular, clause 12, which essentially allows the government to skip consent-based data collection, again for national security purposes.
“Many non-BJP members of the committee had called for deleting this clause altogether. Why should a democratically elected government be allowed to bypass consent?” the second committee member quoted above said. The committee in its final report, however, has retained the clause.
Civil society has also vociferously criticised the lack of any surveillance reform in the bill. “Any meaningful, legislative attempt at safeguarding an individual’s digital privacy has to pair both data protection and surveillance reform. This is particularly true in India which suffers from a complete absence of either,” executive director of the Delhi-based rights group Internet Freedom Foundation tweeted.
In his dissent note, Ramesh wrote that the JCP’s report allows a period of two years for private companies to migrate to the new data protection regime but governments and government agencies have no such stipulation.
The all-empowered regulator
The third issue, sources pointed out, is the regulator. The Data Protection Authority (DPA) will act as the central regulator to handle all data-related incidents in the country. The core issue is the government’s say in the formation of the regulator.
The DPA is pegged to be a central regulator overseeing the enforcement of the data protection bill and has wide-ranging powers, including defining new types of sensitive personal data in consultation with the central government.
“The government has too much control over the formation of the committee and that should not be the case. It would have been ideal if the judicial route was taken to form the regulator,” the first person quoted above said.
However, this has to be seen in the context of the virtual standoff between the government and the judiciary when it comes to appointments to tribunals and all bodies requiring a person of law or otherwise. Often, the government has gone slow over the past few years, virtually bringing work at these to a standstill, and inviting threats of contempt from the highest court.
Entrackr had earlier exclusively reported that several state governments had asked the committee for a more decentralised regulator. Those requests haven’t been addressed in the JPC’s report. Several committee members had also made the same request, Entrackr has learnt. Again, central government reluctance is obvious here when one considers how confrontationist centre-state relations have been in recent times, thoroughly politicised and leading to logjams wherever both are required to cooperate.
In its final report, the committee does nothing to address the government’s control over the DPA, and only recommends that the regulator’s composition should have at least one technical expert. On top of that, the JPC’s report has recommended that the DPA listen to the government’s directions in all cases, and not just policy matters.
Thus, at its heart, the JPC’s final report simply parrots the core operating belief of the government, that it can do no wrong, and its motives should certainly not be questioned. And wrongs, once identified, should be covered up under the undefined enamour of ‘national security’ — not exactly the definition of a democratic regime, but perhaps even that definition has changed in the government’s view.
More from our coverage of the JPC’s draft report:
