UNLIMITED POWER OF THE STATE
Chapter VIII of the PDP Bill, 2019 which talks about exemptions gives a wide variety of power to the government. In this, Sections 35 and 36 give the government too much power in respect to the handling of citizen’s data. Via Sections 35 and 36, the government and its agencies are exempted for reasons of national security. Also for the integrity of the nation, preventing any offense, investigation purposes and relation with foreign state. These sections augment the surveillance power of the government; there is no mention of a safeguard in the bill.
The 2018 draft states such an exemption to follow certain conditions as laid down in Puttaswamy v. Union of India which were (a) authorized by law; (b) in accordance with the procedure laid down by the law; and (c) necessary and proportionate.[1] These powers have also stemmed from criticism that the PDP Bill doesn’t follow the proportionality test. The large powers bestowed on the central government without specifically defining the process are a counter to the three-fold criterion set out in Puttaswamy; it is difficult to determine whether a valid or proportionate purpose is achievable.[2]
Under Section 35, the Government excludes from DPA, surveillance authority, and law enforcement agencies. Additionally, the government also excludes these entities from all the provisions for transparency and accountability set in the PDP Bill. Consequently, the data principal involved may never be informed of the handling of his data by law enforcement authorities and/or supervisory bodies. Thus not be able to lodge a lawsuit with the DPA.
This kind of power is alarming to many; the state has the power of law which private parties cannot attain even if they collect the data.[3]This makes citizens vulnerable to the power of the state. Justice B.N. Krishna who headed the drafting committee of the bill also had addressed the same.[4]
DATA PROTECTION AUTHORITY (DPA)
The bill by section 41 sets up the Data Protection Authority. The DPA empowers to establish and manage different legal requirements; like defining regulatory requirements, notification, consent process, and enforcing fines for violations. But the body has some major faults starting with.
The DPA is to have a chairperson. At max 6 whole-time members were at least one of them should have qualifications and experience in law. Here unlike other statutory authority there is a lack of part-time members on its board. This will deny DPA having independent ideas and opinions from professionals, experts and others. They can help it greatly considering the concept and application will still be new in the Indian scenario. While the draft requires the DPA to employ advisors and specialists to assist it in discharging its duties (Section 48). It is somewhat different from providing critical voices in the DPA’s management. Furthermore, the history of other regulators suggests that regulations of this type are usually used to recruit analysts and experts at the entry-level. Rather than others who may be in a position to implement policies at the top level.[5]
Looking at section 42 of the bill, it can be seen that the election of all the members is by the executive committee only who are-
(a) the Cabinet Secretary, who shall be Chairperson of the selection committee;
(b) the Secretary to the Government of India in the Ministry or Department dealing with the Legal Affairs; and Establishment of Authority
(c) the Secretary to the Government of India in the Ministry or Department dealing with the Electronics and Information Technology.
VAGUE TERMS/ UNCERTAINTY
A legal framework can only be efficient when the legal terms provided are precise. The bill contains many terms that create uncertainty such as security of the state. Public order is also vague. These terms can be used by the authority to bend the situation to their need. Other terms include; the definition of critical data, lack of clarity in the interpretation of the terms ‘harm’ and ‘significant harm’. Also the ability of the government to define further categories of sensitive personal data, the inclusion of requirements for ‘social media intermediaries’, inclusion of ‘non-personal data’.[6]
References:
[1] Pallavi Bedi, Does the Personal Data Protection Bill, 2019, protect citizens’ privacy from government surveillance? https://www.medianama.com/2020/01/223-pdp-bill-2019-government-surveillance/
[2] Dvara Research “Initial Comments of Dvara Research dated 16 January 2020 on the Personal Data Protection Bill; 2019 introduced in Lok Sabha on 11 December 2019”. January 2020, https://www.dvara.com/blog/2020/01/17/our-initial-comments-on-the-personal-data-protection-bill-2019/ (“Dvara Research”).
[3] Business Today, Personal Data Protection Bill 2019: Unrestrained power to central government may undermine privacy, https://www.businesstoday.in/current/policy/personal-data-protection-bill-2019-central-government-power-may-undermine-privacy-of-citizens-people/story/392186.html
[4] “They have removed the safeguards. That is most dangerous. The government can at any time access private data or government agency data on grounds of sovereignty or public order. This has dangerous implications.” The Economic Times, Personal Data Protection Bill can turn India into ‘Orwellian State’: Justice BN Srikrishna, https://economictimes.indiatimes.com/news/economy/policy/personal-data-protection-bill-can-turn-india-into-orwellian-state-justice-bn-srikrishna/articleshow/72483355.cms
[5] Smriti Parsheera, Regulatory governance under the PDP Bill: A powerful ship with an unchecked captain?, https://www.medianama.com/2020/01/223-pdp-bill-2019-data-protection-authority/
[6] Amber Sinha, Elonnai Hickok, Pallavi Bedi, Shweta Mohandas, Tanaya Rajwade, Comments to the Personal Data Protection Bill 2019. The Centre for Internet and Society, https://cis-india.org/internet-governance/blog/comments-to-the-personal-data-protection-bill-2019
0 Comments