The Personal Data Protection (PDP) Bill 2019 – critical in shaping the country’s privacy framework – is currently being considered by a special Joint Parliamentary Committee (JPC).
The JPC’s its initial depositions have primarily focused on engagement with government bodies and industry experts. On Thursday, August 27, the Internet Freedom Foundation (IFF), a non-profit organisation with the mission of advancing digital rights in India, wrote to the JPC, urging it to consider widening participation and bringing in a diverse range of independent voices to depose before it.
The PDP Bill was introduced in the Lok Sabha by Union Minister of Electronics and Technology, Ravi Shankar Prasad, on December 11, 2019. The JPC, which was formed on December 12, 2019, in order to review the bill, was expected to give its report by the last week of the Budget Session of 2020. This was delayed due to the ongoing pandemic.
The PDP Bill governs the processing of personal data by the government, companies incorporated in India, and foreign companies dealing with personal data of individuals in India. Personal data is data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual. The bill categorises certain personal data as sensitive personal data, including financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator.
On August 24, 2017, the Supreme Court, in the matter of Justice K.S. Puttaswamy vs Union of India, famously referred to as the Puttaswamy Judgement, reaffirmed “privacy” as a fundamental right under Part III of the Constitution of India. It directed the Government to bring about a robust data protection regime. The Expert Committee on Data Protection chaired by Justice B.N. Srikrishna was constituted by the Ministry for Electronics and IT on July 31, 2017.
The report was criticised for its flawed composition and issues of conflict of interest. The committee released its report and proposed the Personal Data Protection Bill, 2018 on July 27, 2018.
The PDP Bill, 2018 was open for comments in a consultation organised by the Ministry for Electronics and IT (MeitY) till October 10, 2018. However, the comments, changes made to it, the reasons behind it, and who made them, were not made public by the ministry. These changes were forwarded to the Union Cabinet and the proposed legislation was introduced in the Lok Sabha as the PDP Bill, 2019.
The IFF released a public brief and analysis of the PDP bill in January, 2020. The analysis pointed out the issues and loopholes in the bill, including a lack of clarity on the objectives and the preference given to private and fiscal interests over data protection. It pointed out that there exist broad conditions which can make the government and other entities collect data without consent, also denying essential services. “The provisions with regard to social media entities using government IDs for verification is completely misplaced. It would have several harms, increase surveillance and profiling,” it said.
If implemented, the legislation will have significant impact on several issues, including the National Population Register (NPR), given that NPR deals with the personal data of the citizens of the country. Three broad categories of data have been collected for NPR – demographic data, biometric data, and ‘know your resident’ data, which includes things like passport number, Aadhaar number, voter ID number, driving license number, and mobile number.
Therefore, NPR will contain a large amount of sensitive personal data in the form of biometric data and official identifiers. However, according to IFF, the NPR does not follow data protection principles and implementation of the PDP Bill might lead to improper handling of this data.
The implementation of the PDP Bill will also have a significant impact on workplace surveillance. IFF pointed out that in its current form, Clause 13 of the PDP Bill 2019 allows processing of personal data. which is not classified as sensitive personal data, by employers without the consent of the employee. It is intended for the purposes of recruitment or termination of employment, provision of any service or benefit to the employee, verification of attendance, and any other activity relating to the assessment of the performance of the employee.
“If personal data is processed by the employer for any of these purposes, the consent of the employee is not necessary if seeking consent would be inappropriate due to the nature of the employer-employee relationship or if it would involve a disproportionate amount of effort on part of the employer,” the organisation said.
In a letter addressed to Meenakshi Lekhi, the chairperson of the JPC, IFF pointed out that a greater diversity of participants in the process is required to deal with the issues and loopholes that persist in the bill, and that the committee should ensure that personal data of citizens is not exploited for financial gains.