The February 2022 Budget session of Parliament is all set to pass the Personal Data Protection Bill, 2019 originally introduced in December 2019 by then-Minister of Electronics and Information Technology, Ravi Shankar Prasad. The Bill seeks to guarantee the protection of personal data of individuals and provides for establishing a Data Protection Authority on the lines of a number of regulatory frameworks already present. Data protection is too complicated a subject to be decided by a mere voice vote by a political majority that may not be sufficiently informed of the consequences and seriousness of the issue.
Data mining essential, but murky too
The world of e-commerce survives and thrives on data mining to focus on retail trade, financial and investment decisions, communication and marketing strategies, understanding and influencing consumer preferences, pricing techniques and raking in corporate profits. A complex process of passing raw data through a combination of algorithms, statistical formulae, and database systems based on artificial intelligence provides a wealth of information far beyond the comprehension of governments and the finest security agencies. The murky side of data mining was exposed when the personal information, likes and dislikes and preferences of nearly 87 million Facebook users were used by Cambridge Analytica during the US elections in 2016.
The European Union (EU) woke up to the realities of the situation and found itself confronting the powerful arsenal of cyber power with a 1998 Data Protection Act formulated by the United Kingdom when computers were still struggling to replace typewriters and e-commerce was a distant dream. In May 2018, the EU brought in the General Data Protection Legislation (GDPR) to protect the fundamental rights and freedom of natural persons, control the unrestricted, free movement of personal data and especially safeguard the right of the individual to protect their personal data. This changed the way the digital world was conducting its business, as the law was applied to all the institutions within the EU and to its trading entities, suppliers of goods and services, and citizens.
Let’s debate the nuances first
The 2019 Bill — greatly influenced by the GDPR — was referred to the Joint Parliamentary Committee (JPC), which has given elaborate comments on the provisions and come up with a Draft Data Protection Bill, 2021. Although it is not binding upon Parliament to consider all the suggestions, the draft is worth pondering over instead of passing the Bill in its original form. It would be ideal if the Bill could be made available in the public domain and discussed and deliberated upon as was done by the EU on the GDPR over four years.
An extensive debate with the participation of subject experts, security agencies, institutions of higher education, and identified stakeholders is necessary to fine-tune the provisions, expand the scope of protection, and at the same time, not defeat the very purpose of data analysis for research and public welfare. The commercial exploitation of data should be seen as contributory to trade and commerce within the parameters of safety, security, and a level playing field.
From this point of view, the Bill seeks to provide sufficient safeguards and power to remain with the DPA, which can be notified within 72 hours of the discovery of any data breach. The exact powers of the regulatory authority are not yet clear. For instance, if the data breach is detected long after it is done — say, months after the damage — what punitive action can the DPA take? Considering the fresh and new types of technically powerful ‘undetectable’ cyberattacks, ransomware, and data breaches, both personal and non-personal data breaches should be covered. The difference between the two is very thin, and many times merged into one source compressed in bits and bytes.
The Budget 2022 emphasises using blockchain technology and the issuance of digital currency by the Reserve Bank of India (RBI). It is, therefore, necessary for the Bill to recognise the Web 3.0 utilisation of altering the Web into a database and ‘multi-path interaction and sharing’ platform. Millions of terabytes of data can be transferred irretrievably within seconds, and the DPA will not be in a position to detect the breach for months at times.
Besides, the Bill provides that ‘critical data’ should be processed locally in India but ‘sensitive personal data’ may be transferred out of India for analysis and processing after retaining a copy. Sensitive data comprises genetic and biometric information, financial transactions, political preferences, racial and ethnic origins and even personal identification details of bank accounts. Such information, if leaked, can lead to greater misuse and fraud and hence should not leave the country of origin in any case.
Blanket immunity to govt is wrong
Besides commercial establishments and the e-commerce industry, data is an important part of national security in the hands of the government and security agencies. The Bill does provide immunity to such agencies involved in surveillance and gathering security-related information. Similar immunity needs to be provided for information regarding children and people who are vulnerable to unwanted exposure in social media.
Yet, any blanket immunity to the government and security agencies is also a double-edged sword. The regulatory body should be empowered to question the extent of immunity, its misuse, and possible violation of the fundamental rights of the people. National security should be the top-most priority of any government, but protection of personal freedom covered under the fundamental rights guaranteed by the Constitution is equally sacrosanct. No exemption, not even that of the government, can be absolute and unconditional.
The author is the former editor of ‘Organiser’. He tweets @seshadrichari. Views are personal.
(Edited by Humra Laeeq)