New Delhi: India’s personal data protection (PDP) Bill, which was approved by the cabinet recently, is set to be placed in parliament this week.
The Bill draws its origins from the Justice B.N. Srikrishna Committee on data privacy, which produced a draft piece of legislation that was made public in 2018.
Since then, the contents of the final Bill have been mostly a secret, with it being circulated to MPs on Tuesday afternoon.
Most experts, including retired Justice Srikrishna, believe that the Bill should not be passed without being first sent to a parliamentary committee for further review.
The new PDP Bill also contains three key clauses that were not previously included in the Srikrishna draft version and have raised some concern amongst technology companies and privacy experts.
These include sections that will allow the Centre to ask any “data fiduciary or data processor” to hand over anonymised personal data or “other non-personal data” that will allow better governance or targeting of citizen welfare services.
The relevant section of the Bill reads:
91. (1) Nothing in this Act shall prevent the Central Government from framing of any policy for the digital economy, including measures for its growth, security, integrity, prevention of misuse, insofar as such policy do not govern personal data.
(2) The Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.
Explanation.—For the purposes of this sub-section, the expression “non-personal data” means the data other than personal data.
Companies like Amazon and Flipkart have raised concerns over this issue, while others like Uber are more agreeable as it anyway provides bulk travel data through its service ‘Uber Movement’.
The final Bill also asks social media intermediaries, like Facebook and Twitter, to allow Indian users to “voluntarily verify” their accounts in a manner that can be prescribed in the future.
This method of voluntary verification has not been laid out by the Bill. It merely states that any user who voluntarily verifies his account “shall be provided with such demonstrable and visible mark of verification”.
Section 28 of the Bill notes:
(3) Every social media intermediary which is notified as a significant data fiduciary under sub-section (4) of section 26 shall enable the users who register their service from India, or use their services in India, to voluntarily verify their accounts in such manner as may be prescribed.
(4) Any user who voluntarily verifies his account shall be provided with such demonstrable and visible mark of verification, which shall be visible to all users of the service, in such manner as may be prescribed.
In background briefings, IT ministry officials say that this provision will help stop online trolling, but it is not clear how this will be possible if the process remains “voluntary”. Legal experts have raised concerns that mandating a means of verification prepares the ground for possible legislative interventions in the future that may make this authentication process mandatory for all Indian social media users.
Finally, the Narendra Modi government appears to have backed down from its strict stance on data localisation, which required all technology companies to store a copy of their user’s “personal data” on Indian soil.
The draft Srikrishna Bill noted that every data fiduciary had to ensure the storage of one copy of personal data on a “server or data centre located in India”.
This provision has not only attracted criticism from Silicon Valley-based companies, but it also figured as a significant bone of contention in the trade talks between New Delhi and Washington DC.
The final Bill slightly reverses India’s stand, noting that “sensitive personal data may be transferred outside India”, but should continue to be stored within the country.
“The sensitive personal data may only be transferred outside India for the purpose of processing…” the Bill notes, while adding that this doesn’t apply to ‘critical personal data’.