Personal Data Protection Bill 2019: The Need For A Balancing Act Between Privacy For Indian Citizens And Allowing Enterprises To Grow
Justice (Retd) BN Shrikrishna at a Panel Discussion on Personal Data Protection Bill (Photo Credit: LatestLY)

Mumbai, January 17: The Personal Data Protection Bill (PDPB), as the name suggests, has been envisaged to manage the copious amounts of data being generated by Indians, who are the world’s highest consumers of mobile data. Indians consume an average of 9.8GB per month, according to a 2019 report by Swedish telecom equipment maker Ericsson.

The Bill’s original author is Justice (Retd) BN Shrikrishna, who also heads the Financial Sector Legislative Reforms Commission. At a discussion organised jointly by the Indo-American Chamber of Commerce and the National Association of Software and Services Companies (NASSCOM), a panel consisting of the eminent jurist himself and 13 members from various stakeholders of society discussed the original bill and the version that was introduced in December 2019 by Union Minister of Information Technology Ravi Shankar Prasad. Two dominant strains of thought emerged from the discussion: advocates and civil society members called for absolute protection of the privacy of an individual, while those representing corporate India called for a bill that allows for enterprise, for how else is India to achieve the valuation of a $1 trillion digital economy?

The Personal Data Protection Bill envisages a framework to articulate and legislate who would control the collection, processing, storage, usage, protection, disclosure and erasure of personal data of Indians.

An Interactive Meeting On Personal Data Protection Bill. From L-R: Lokesh Manikonda (Novartis), Yatish Rajawat (Centre for Civil Society), Rajyalakshmi Rao (IACC), Harish Mehta (NASSCOM), Justice BN Shrikrishna, and Krishnanand Bhat (SKP)

The first draft of the PDPB, authored by Justice Shrikrishna, was written before the Supreme Court’s judgement in 2019 which defined the right to privacy as a fundamental right of an Indian citizen. But the first draft of the bill was prescient enough to incorporate this right in 2018 itself. Justice Shrikrishna spoke to LatestLY at the event and explained that laws like the European Union’s (EU’s) General Data Protection Regulation (GDPR) put the individual’s privacy first, and hence India needs to learn from the European experience rather than implementing a lax law and filling up the loopholes later.

However, Justice Shrikrishna was critical of the current government’s redrafting of the bill, which was introduced in Parliament on December 11, 2019. The draft of the PDPB introduced by Union Minister Ravi Shankar Prasad did away with the provision requiring parliamentary legislation for law enforcement agencies to access private data. The 2019 Bill also gives the Central government the power to exempt its agencies from application of provisions of the Act. Justice Shrikrishna said this provision is bound to be challenged in the Supreme Court, and should be challenged, or else India risks becoming an “Orwellian State.”

NS Nappinai, a senior advocate who has extensive experience in cyber laws, raised three points of concern: i) the Bill creates a regulatory authority called the Data Protection Authority of India (DPA); ii) the Bill talks about profiling on the basis of data; and iii) data of minors. Nappinai questioned the provisions of the PDPB which vest the DPA with “god-like powers” when it comes to dealing with personal data and sensitive personal data. She also raised a concern with the terminology “profiling” used in the Bill, which according to her should be replaced with “marketing”, as “profiling” has security connotations and should absolutely not be allowed. Continuing in this vein, Nappinai referred to two past cases in which minors became unwitting contributors to data gathering, and said the Bill has a convoluted manner of dealing with who can gather data of minors, for what purpose, and with whose permission.

Meanwhile, Deepak M Sharma, Digital Officer with Kotak Mahindra Bank, broke down how data is being looked at by the fintech sector. He said, “India is becoming data rich before becoming economically rich and hence this data presents a lot of opportunity.” “India still does not have a credit rating system for every Indian present in the economy and hence personal data is the only way a financial agency can judge when it comes to lending and repayment capacity,” he explained. He also suggested putting in place measures to centralise the KYC data of bank customers, which would bring down transaction costs for businesses. He further raised the point that individuals are choosing convenience, which raises the issue of open data versus privacy, so how does the state regulate this choice? For example, those using taxi aggregator services like Ola and Uber are allowing these platforms to access and retain travel data as well as “personal data” as defined by the Bill for the convenience of service.

Another voice representing corporate India was Navin Surya, Chairman, Fintech Convergence Council. Surya pointed out that most conversations around privacy were about commercial exploitation of consumer data, but consumers are embracing the digital economy despite formal control mechanisms being missing. He warned that there wasn’t enough conversation around protecting data from criminal activity. He also highlighted that most corporates are bearing the cost of data duplication and hence streamlining of data needs to be thought about in the PDPB.

But what about data and healthcare? Lokesh Manikonda, India head, Novartis Social Business, provided a real-life example of how leprosy in India was making a comeback but was being diagnosed in later stages, as dermatologists were unable to make a correct diagnosis in many cases. This was happening because the doctors were not familiar with the skin deteriorating patterns, as the disease had been eradicated to a great extent over the past three decades across most Indian cities, and hence data being generated from patients needed to be shared for the public good. He then raised the question that in a country which is still uneducated, how does the healthcare sector bring about data emancipation?

However, there was some consensus that “the Bill is in the right spirit”, as articulated by Krishnanand Bhat, CISA, Nexdigm (SKP). Bhat argued that since the law has come after data liberalisation, the country needs regulation and not monitoring. He said the Bill presented in Parliament is draconian when it comes to allowing law agencies complete access and also has grey areas, such as the formation of the DPA, which are a cause for concern.

But, as is the case with new legislation, the Bill will continue to be a work in progress, especially with the near future heralding the age of 5G, and hence the law will need to change as the needs demand, concluded Rajyalakshmi Rao, National President of IACC, who was the brain behind this powerful session on the PDPB.