Personal Data Protection Bill: Sorely needed, but what of ground reality?
A lot of excitement has been generated in the media about the new Personal Data Protection Bill being presented in the Parliament on Thursday. Some have called it a landmark bill, some have called it proof of the government's commitment to protecting the rights of citizens, and so on. However, it has been many years since the Supreme Court's landmark Puttaswamy judgment declared privacy an inalienable fundamental right of all citizens. It took the government this long to actually bring a bill to the Parliament, after multiple attempts which, for various reasons, were withdrawn or never put up for voting. Also, in the current version of the bill, a great deal of underspecification leaves a lot of room for manoeuvring by the government -- and in some cases by the data protection board -- which, as per the bill, will be constituted by the government.
4 Points to Ponder
First of all, the composition of the data protection board is not specified, and it is unclear what the rules governing its composition will be. If the board is not strong, with representation from the legal, policy, technology, computer science and law enforcement arenas, and if the board is beholden to the government -- then it may not be very effective.
Second, the bill is not specific about the compliance requirements for organizations that collect the data of individuals. So it is not clear on what basis the board will find an organization liable -- except when a data breach is discovered on the dark web or somewhere else on the Internet. Even then, an organization may claim that the information did not necessarily leak from its systems, since many other systems may hold the same citizen's data.
The third problem may be that the fine is no longer 4% of the worldwide revenue of the organization found liable, but "up to" Rs 250 crore. What parameters will be used to determine the amount of the fine? The 4% figure was inspired by the GDPR, and it takes into account the size of the organization that is responsible for the data.
Finally, I think that this time the government is likely to push the bill through the Parliament without a proper discussion or any referral to the Parliamentary Standing Committee on IT. A bill should be passed only after a thorough discussion of its pros and cons, implementability, enforceability, etc. If that does not happen, then even after the bill becomes an Act, it will not be a consensus-based Act and will be subject to various problems.
Privacy Protection and Ground Reality
One might still feel rather pleased that India finally has a Personal Data Protection Bill, and it was sorely needed. But there is another aspect of data protection that cannot be addressed by passing a law: people's attitude towards privacy and the protection of personal information. We often find that even a courier delivery man asks for a copy of an Aadhaar card before delivering a package. Sometimes hotels ask for an Aadhaar card as identity proof and then make a copy of it. It is unclear whether the hotels or other organizations that take a copy of our Aadhaar card actually destroy the information after the purpose is fulfilled. Large hotel chains and similar organizations may actually be careful and compliant with the PDP (ITC hotels, for instance, now make you sign a waiver if you provide an Aadhaar card as proof of address -- they prefer alternative forms such as a driving licence), but I doubt that small hotels or small organizations, which often ask for our Aadhaar and other personal documents in digital form, will be compliant.
Problem of Process
How will enforcement work? Will there be compliance and audit requirements that the data protection board will demand from all organizations? Or will action by the data protection board be triggered only by complaints from individuals?
Power of Protection
I think having a Data Protection Act is better than having none, but I do not think expecting all our data privacy woes to be over upon enacting the law is prudent. We may have to wait for a decade or so before public awareness spreads, and organizations become voluntarily compliant. Let's hope it happens sooner than that.
Sandeep Shukla is a professor in the Dept of Computer Science and Engineering at the Indian Institute of Technology-Kanpur (IIT-Kanpur).
Note: The views expressed by the author are his own and not necessarily those of HT Tech.