Listen to this article:
After nearly two years of deliberations and a few changes in its composition, the Joint Parliamentary Committee on December 17, 2021, submitted its report on the Personal Data Protection Bill, 2019.
The report also contains a new version of the law titled as, “The Data Protection Bill, 2021.”
Concerns regarding the wide power and almost blanket exemption given to the Union government under Clause 35 to exempt any government agency from the ambit of the bill continue and have further been cemented by the insertion of a non-obstante provision in Clause 35 which reads: “Notwithstanding anything contained in any law for the time being in force.”
The only amendment is the insertion of a caveat that the procedure should be just, fair and reasonable.
These concerns have also been highlighted in the dissent notes attached to the report. In this article though, we have highlighted certain other areas of concern of the Bill.
Inclusion of non-personal data within the Bill
One of the first recommendations of the JPC is to change the name of the bill from ‘Personal Data Protection’ to ‘Data Protection’, as according to the JPC, it is impossible to demarcate between personal and non-personal data, and therefore it is important to have a one single legislation dealing with both datasets. The JPC report has recognised that real possibilities exist of identification and subsequent profiling of individuals from non-personal data and anonymised data.
However, unfortunately, it does not seem to recognise the power of the state when it comes to processing of non-personal data and re-identification of anonymised data sets.
On the contrary, exemption/unrestricted power has been provided to the Union government to frame policies for the digital economy. Clause 92 (1) of the Bill states:
“Nothing in this Act shall prevent the Central Government from framing (***) any policy for the digital economy, including measures for its growth, security, integrity, prevention of misuse,(***) and handling of non personal data including anonymised personal data.”
On a plain reading of this provision, it appears as if a carte blanche has been given to the Union government to empower the different departments to frame policies which could be contrary to the provisions of the data protection law. Considering that the Union government is the custodian of a large data set of non-personal data sets; across different sectors such as health, financial data, it is concerning that such a wide unrestricted power has been vested with them. Such clauses also go against the assertion made by the JPC in its report and in the preamble of the Bill that data protection must be privileged over data economy interests.
Non-consensual processing of personal data
The grounds for non-consensual processing of personal remain as problematic as in the 2019 Bill.
As per Clause 12, the state does not need to conform to the consent principle, if such processing of personal data is necessary for the state to provide: (a) any service or benefit; (b) issuance of any certificate, license or permit.
It is problematic that the Bill continues to grant the state the power to bypass the consent principle to process personal data to provide any or all services and benefits. It is also pertinent that any discussion on the ambit of this clause does not find any mention in the report (it has been highlighted in a few of the dissenting notes).
It is further concerning to note that instead of diluting the provision and including the conditions of proportionality and legitimate state aim for non-consensual processing of personal data (as articulated by the Supreme Court in K.S. Puttaswamy v Union of India), the Bill has expanded the entities which can process personal data without consent. It now includes quasi-judicial authorities within such a framework.
The JPC has in the report highlighted the power asymmetry between an employer and an employee and had observed “as the employer collects all the data of all the employees, and there is a trust relation between them, which the Committee think should be respected. Therefore, there should be an equilibrium in processing of data of employee and its use/misuse of data by the employer…”
It is disappointing that this statement did not translate into any specific amendment/dilution of Clause 13 (2) and the employer continues to have right to process personal data( not sensitive personal data) without the consent of the employee, when consent is not appropriate, or when obtaining consent would involve disproportionate effort on the part of the employer.
The only amendment made to the provision is the addition of the line “and can reasonably be expected by the data principle” when it comes to non-consensual processing of personal data for the purpose of employment. The Bill continues to use the terms ‘employer’ and ‘employee’, and as the pandemic has shown us, there has been a great increase in the use of ‘gig workers’ by the different organisations and there have been several instances of the workers privacy being comprised.
Currently such workers do not fall within the ambit of definition of employment, so the protection afforded to the data and privacy of such workers under the Bill still remains unclear.
Dilution of the powers of the Data Protection Authority
An independent and robust data protection authority is the hallmark of a strong data protection regime; unfortunately, the Bill has through its various iterations continued to dilute the independence and powers of the Data Protection Authority (DPA).
As per the 2019 Bill, the selection committee for the appointment of the members of the DPA would comprise entirely of the members of the executive, raising concerns about the independence of such a selection body, and though the Bill appears to have addressed this concern in a limited manner, by including the Attorney General and an independent expert in the selection committee, the underlying concern regarding the independence of the DPA still remain.
The 2018 Bill had expressly stated that the salaries, allowances and other terms and conditions of service of the chairperson and other members of the DPA would not be varied to their disadvantage during their term. This provision had been deleted under the 2019 Bill and this Bill; thereby giving the Union government the power to reduce the salary or amend the terms of appointment to the detriment of the members of the DPA.
Further, under the 2019 Bill, the DPA was bound by the orders of the Central Government on “questions of policy.”- with the Central Government also having the power to decide whether a question is one of policy or not. Unfortunately, under 2021 Bill the powers of the DPA have got even more diluted as under Clause 87(2) of the Bill, the DPA will now bound be by the directions of the Union government on all matters, and not just on questions of policy.
Considering the wide exemption given to the Union government to bypass the privacy and data protection mechanisms, such further dilution of the authority of the DPA is very concerning.
The JPC and the Bill recognise the importance of privacy and the need to protect all facets of data; however, unfortunately, this is only for the private actors. The expansion of the scope of the encroachment of privacy by government actors continues and the accountability of the state in protecting our privacy continues to elude us.
Pallavi Bedi is a Senior Policy Officer at CIS, where she works on privacy and data protection.