A parliamentary joint committee on the Personal Data Protection Bill (PDP) finalised its recommendations on Monday. The most contentious parts of PDP relate to the extent to which government agencies have been exempted from it. Two aspects need to be kept in mind here. Details such as definitions matter hugely in drafting a law and the state does get exemptions to uphold sovereignty. PDP, however, suffers from loose language and expansive exemptions that practically keep GoI agencies outside the purview of the legislation. State agencies are among the biggest collectors of personal data and granting them loosely worded exemptions opens the door to abuse. This area has attracted dissent notes and merits extensive debate.
The joint committee has clubbed personal data and non-personal data, which expands the legislation’s scope. Clubbing data should be avoided as non-personal data has mainly a business dimension. GoI should keep in mind that non-personal data raises questions on protecting commercially critical data for firms. With India’s internet economy taking off, this is not a trivial question. Plus, an omnibus regulator, dealing with both kinds of data, as the committee suggests, may have too much on its plate. The suggestion that data captured by electronic hardware should also come under the regulator’s purview needs a whole lot of explanation – does this include data generated by a company’s internal functions, for example.
Another problematic area is the recommendation that the regulator can decide if individuals have to be alerted to a data breach of any entity collecting their data. Every financial firm will have an incentive, for example, to lobby the regulator to hold off on announcing a data breach. Alerts of a breach, therefore, have to be automatic and unconditional to help victims take precautions such as changing passwords.
The committee has made a half-hearted attempt to tighten the screws on social media firms. Data’s definition in the bill includes opinions. Social media firms, which suck in a huge quantum of personal data, need to be held to the standard of publishers. This loophole must be closed in the final version.
It’s good that the committee suggests a two year period before operationalising the law. This is a complex issue and needs much more debate. Let that start with a good, informed debate in Parliament. PDP will be the foundation of upholding a critical fundamental right in an age where everyone will leave an extensive digital trail.
This piece appeared as an editorial opinion in the print edition of The Times of India.
END OF ARTICLE