Withdrawal of the Personal Data Protection bill 2021: The way forward
The article has been authored by Akshat Shonak, associate, Saraf & Partners.
The right to privacy gained prominence through an article published in the Harvard Law review on December 15, 1890. The article which is considered to be one of the most influential essays in the history of American law was written by Samuel Warren and Louis Brandeis. The right to privacy which could be understood as the right to be left alone has always been at odds with the right to freedom of expression. The authors emphasised that for years, instantaneous photographs and newspaper enterprises have invaded the sacred precincts of private and domestic life. The advancement of technology and mechanical devices have further threatened to make good the prediction that “what is whispered in the closet shall be proclaimed from the housetops”.
Unfortunately, this prediction turned true with the introduction of mainframe computers in the offices of public administration and large enterprises. They conveniently used it to set up data banks of the personal information of multiple individuals, creating an adverse impact on their privacy. This propelled the concern that whether the existing law affords a principle that can properly be invoked to protect the privacy of the individual and if it does what is the extent and nature of such protection? Finally, as a result of a series of discussions and guidelines Convention 108 by the Council of Europe was adopted in 1981 as the first internationally binding legal instrument in the area of data protection. In 2018 the General Data Protection Regulation which is considered the new gold standard in the data privacy law domain was enforced to seek a harmonised approach across European Union.
Parallelly in India, the decision of the nine-judge bench of the Supreme Court (SC) in the KS Puttaswamy v UOI judgement helped the right to privacy gain equivalence of a fundamental right and further made the right to information privacy a crucial facet of the right to privacy. Fundamentally the right was not an absolute right and any violation had to stand the test of (1) Legality (2) Proportionality (3) Legitimate Goals (4) Procedural Guarantees. Taking the baton from the SC the government worked actively and formed the Sri Krishna panel to examine the need for a data protection law in 2017. The committee submitted its report in 2018 and the Personal Data Protection bill was tabled in the parliament which subsequently was sent to the Joint Committee of Parliament (JCP) for a detailed review. The committee performed a detailed analysis and suggested amendments in 81 sections out of 99 and gave12 recommendations toward a comprehensive legal framework for the digital ecosystem. Taking into consideration the extensive report of the JCP the government decided to withdraw the bill and come up with a bill that fits into the comprehensive legal framework. The comprehensive framework of global standard laws and rules will possibly include (1) Digital Privacy Law (2) National Data Governance Framework Policy (3) Amendment to IT rules 2022 (4) Cyber security directions and the underlying intention of the framework will be to meet the contemporary and future challenges in the digital space and make the internet open and entities accountable.
The government also looks forward to either dropping or fine-tuning in the fresh legislation the issues related to the regulation of hardware and devices, data localisation requirements, regulatory authorisation of every cross-border data transfer and penalties on global turnover for any violation.
These ongoing developments in the privacy law domain have left people wondering what is in there for them and has certain expectations from the upcoming bill. First, the objective to protect personal data must not be diluted. Personal data which is data about an individual including name, address, phone number etc should be under an individual’s control and individuals should have the right to determine its usage. It should not be clubbed with non-personal which is information about weather patterns, traffic patterns etc, as an amalgamation of these contrasting objectives in a single law dilutes both. Second, there must be checks and balances which should be maintained with regard to the power to use personal data by the government agencies which if left unfettered will again defeat the purpose of the fundamental right. Last, a robust data regulator should be set up to ensure that the law duly complies and it should work in close contact with other sectoral regulators to ensure regulatory coordination. Above all the expectation of the mass is that fresh legislation will be drafted keeping into consideration the sentiments and impact of the law upon the last man in the social order.
The article has been authored by Akshat Shonak, associate, Saraf & Partners.