The third working session at the Bar Association of India's Seminar on the Personal Data Protection Bill, 2021 held on 3rd May 2022 at New Delhi and looked into the data governance and criminal law aspect of the data protection bill. The session was chaired by Shri Shyam Divan - Senior Advocate & Vice President, BAI. He started the discussion introducing all the speakers.
Mr. Rajeev Dutta is a senior advocate at the Supreme Court. He is also an arbitrator and mediator for multiple national and international dispute resolutions. He is the country representative for India at the International Bar Association Mediation committee. Mr. Dutta noted that a lot of tinkering has been done with the bill that was drafted by the BN Srikrishna committee, and this process of evolution will continue at the hands of the joint parliamentary committee. He invited the attention of the panel to the question of how this bill will affect the working of the courts. The impugned bill would potentially give rise to a stream of litigations and that would mean that advocates need to be well versed with all aspects of the bill. Mr. Dutta believes that as litigators, we have two articles of the constitution etched in our minds; Article 21, and Article 20(3). He marked the unanimous Puttaswamy judgment as the starting point of this conversation and laws on data privacy. The Supreme Court had stated that the right to privacy can only be limited by state action, and this bill can be seen as a step in that direction. He emphasised that this bill must ensure three things:
- State action has to come from a legislative mandate
- Such action must pursue a legitimate state interest, and cannot be arbitrary
- The action must be proportional to the cause both in its nature and extent, and ought to be the least intrusive of all alternative means.
The purpose of the PDP bill is to prevent the breach of privacy and to classify data into personal, sensitive and critical to provide adequate protection for each. Mr. Dutta noted a few merits of the bill; all personal data offline and online shall require the explicit and informed consent of the individual before it is analysed or shared. Further, section 6 of the bill restricts data collection to be done only to the extent necessary for the purposes of processing such personal data. Section 7 gives detailed contents of the notice that is to be given to the data principles to inform them about the processing specifics.
Uday Prakash Warunjikar
Mr. Uday Warunjikar is the President of the Consumer Courts Advocates Association, Maharashtra and is the Vice President of the BAI. He started the discussion taking the panel to few examples of personal data breaches that have been happening across the country. Cases of identity theft via Aadhar details for committing fraud was recounted to emphasis the need for a data protection legislation. The need for specific legislations grows with a developing society. In the absence of the IT Act, 2000 offences of that nature would have to be filed as trespass under the Indian Penal Code. Similarly, the current legal framework lacks proper legislation to deal with data breaches and privacy. Section 66E of the IT Act punishes privacy violations on the internet, and Section 43A punishes negligent handling of personal data, however, these provisions prove insufficient and having a specific legislation like the current bill is imperative. Mr. Warunjikar noted that "No law is perfect; it will be ever developing". This bill being passed will also have a huge impact on our neighboring states that do not have a legislation on data protection so far. It will become a benchmark that countries like Bangladesh, Cambodia, Sri Lanka, Fiji, Kuwait etc. can take inspiration from while drafting their own laws on the matter.
He concluded his speech noting a major flaw we have seen in recent cyber offenses, wherein the victim and the injury is proven, but the accused remains untraceable. The electronic evidence provisions must be read in line with the recent technological developments to enable maximum justice delivery in such matters.
Ms. Anita Gurumurthy is the founding member and executive director of 'IT for change'. She leads the research on economy, data, AI governance and the feminist aspect of digital justice. She is associated with many international organizations including the United Nations Secretary-General's 10-Member Group in support of the Technology Facilitation Mechanism.
Ms. Gurumurthy's discussion on the bill was on lines of public interest and social justice. India's data governance approach is focused on utilizing the economic value of data. The inherent tension that exists in data laws is that they implicate natural rights like that of right to personhood but must also make provisions for utilizing data as a resource. The question that arises is "How do you govern something that belongs to everybody?". Data about a single person is not valuable as it is; it attains value when the data about a group of individuals get tied with certain non- personal data to predict consumer habits and natural trends. She went onto analyze the developments and issues that were seen in five years of the GDPR implementation in the EU to emphasis on what the impugned bill could do better. India needs to come up with a specific law that gives clarity on economic governance like the EU Digital Markets Act. In comparing the Indian PDP Bill with the EU's GDPR, Ms. Gurumurthy made certain observations First, on informed consent: Clause 35 gives unrestrained powers to the Union to exempt the consent requirements. This is not in line with the practices followed under GDPR. Second, the Right of employers vs. Right of workers: The PDP bill allows for invasive use of non-personal data of employees like that of delivery food app workers; their locations and other intimate details. In the GDPR the rights of workers are protected against those of the employers. Article 88(1) of GDPR enforces the larger framework of labor rights enjoyed by workers. Thirdly, she emphasized the risks involved with anonymized and Pseudonymized data. Fourth, the need for protecting group rights. The GDPR is individual centric and has failed in this aspect and therefore, big group data is viable to exploitation by big corporations.
Finally, the conversation around data collection is being limited to the issue of data privacy. While privacy is a real concern, the long-term problems of data collection is that it kills autonomy of the society and its culture. The impact of large corporations creating products modelled to alter your needs based on your data, will be that soon the society will become an outcome of the products they use, rather than the individual qualities each person possesses.
Ms. Vrinda Bhandari is an Advocate at the Supreme Court. She is an NLSIU rank holder, who went onto do her Master's in Public Policy from Blavatnik School of Government and BCL from the University of Oxford. Ms. Bhandari started her discussion noting Justice DY Chandrachud's plurality opinion on the Puttaswamy judgment where the fundamental right to privacy was reinstated, "The creation of such a regime requires a careful and sensitive balance between individual interest and legitimate concerns of the state." The test of whether the current PDP bill is complete, must be done against this statement. Regardless of the specifics within the bill, it is important that India passes a data protection bill and set-in motion the creative process of law. The ever-expansive use of technology and surveillance calls for a law that can protect a citizen's fundamental right in those aspects. There are a few broad problems with the current PDP Bill. First, The avoidance of surveillance reform: The BN Srikishna committee report had noted that there is no general law in India today authorizes non- consensual access to personal data or intersection of personal communication. However, the 2018 PDP Bill nor the 2021 PDP Bill makes any provisions that protects citizens against mass non -consensual surveillance. The centralized monitoring system, NATGRID still remain unreformed even with the new bill. The lack of parliamentary/ institutional backing on intelligence agencies also remain unsolved. The preamble and long title of the new 2021 Bill has been changed and now reads "to ensure the interest and security of the state". Ms. Bhandari emphasizes that a data protection law that has come in the aftermath of the Puttaswamy judgment should aim to protect individual privacy and should not be seen as a national interest/ security legislation. Second, on exemption clauses: Considerable dilutions have been made in the exemption clauses from what the BN Srikrishna committee had suggested in their report, which were tethered to the ideas of legality, necessity and proportionality. Finally, the Data Protection Authority under the bill has been tasked with many powers, and this must not be restricted to a small six member team. The requirement for an independent panel is of utmost importance, and we must take inspiration from what is done in other countries, like the UK where there are free open competitions to decide who can be part of such a committee.
Also read https://www.livelaw.in/events-corner/personal-data-protection-bill-2021-bar-association-of-india-cambridge-analytica-data-ted-cruz-campaign-eu-general-data-protection-regulation-2016-198699
Also read https://www.livelaw.in/events-corner/data-protection-bill-2021-commercial-industries-bar-association-of-india-nasscom-general-data-protection-regulation-198889