Cabinet nod to India’s first data protection bill, House test soon
The personal data protection bill, once approved by Parliament, will be the foundation for the country’s legal safeguards for individual privacy, which was held by the Supreme Court as a fundamental right in a ruling in 2017.Updated: Dec 04, 2019 23:30 IST
The Union Cabinet approved on Wednesday the country’s first proposed law to regulate how individuals and organisations handle digital data of Indian citizens, introducing new provisions that, while diluting some of the contentious “localisation” requirements, could now require companies to carry out the real-name verification of users, according to officials familiar with the draft.
The personal data protection bill, once approved by Parliament, will be the foundation for the country’s legal safeguards for individual privacy, which was held by the Supreme Court as a fundamental right in a ruling in 2017.
“The protection of personal data is a very important subject globally. How that will be done [here] and how work will progress keeping India’s interest and people’s interest in mind, this is what this bill is about,” said Union information and broadcasting minister Prakash Javadekar at a briefing about the Cabinet’s decisions.
While the government did not release the contents of the bill, the draft will now be tabled in Lok Sabha and Rajya Sabha. Officials in the Union electronics and communications ministry said the new bill has changes in three key areas from a draft prepared in 2018: data storage rules, user verification process, and the sharing of non-personal or anonymised personal data.
“Information that is neither classified as critical nor as sensitive will not need to be storied in India if the fiduciary obtains the consent of the user to send such data abroad,” a senior official said, asking not to be named. A fiduciary is any individual or organisation, whether private or government, that handles data.
This is a climbdown from the 2018 data protection bill, which was based on the version prepared by a committee of experts headed by retired justice BN Srikrishna on July 27, 2018. The first bill suggested all personal data must have a copy on Indian soil, a requirement meant to give India legal jurisdiction of information connected to its citizens.
On the whole, the law gives ownership of personal data to the individual, defines obligations for any organisation handling such data, and lays down penalties and punishments in case it is misused in a way that jeopardises the user’s privacy.
Companies oppose localisation of data on servers in India, saying it would add to operational costs, while activists say it could expose such data to surveillance operations that function under little oversight.
“The idea behind not requiring non-sensitive, non-critical data to be mandatorily kept in India is that Indian IT entrepreneurs might be badly affected if there are retaliatory localisation attempts by other countries,” a second official added.
Sensitive data (see box), includes passwords, financial records, health data and identifiers of gender, caste and religion. Critical data has not been defined yet, and the officials indicated that these will need to be processed as well as stored on servers located within India.
Countries such as the European Union nations, Australia and Canada too have specific laws dealing with digital user data privacy. None of these require local storage of data, according to a comparison by PRS Legislative.
The second key change was a new rule that will mandate “significant data fiduciaries” – or big digital companies such as Facebook and Twitter – to display a verification tag based on the amount of information a user discloses while signing up.
“They will have to use identifiers to differentiate between a user who has a verified registration and displays real name, a user who has a verified registration but has kept name anonymous, and a user that has not verified registration,” the first official quoted above added.
A third provision of the law will be to require organisations to disclose “non-personal or anonymised personal data” to government officials in order to improve delivery of services, the official added.
Activists and data privacy experts said the changes are privacy invasive. “The real-name verification proposal will be a dramatically new mandate. No data privacy law in a democracy has such a provision. South Korea enacted such a law but that was struck down as violative of the constitution,” said Raman Jit Singh Cheema, policy director at Access Now and a member of the Internet Freedom Foundation (IFF).
“The rule is also likely to be violative of the Aadhaar ruling in which justice AK Sikri said the provision requiring linking of mobile numbers to Aadhaar was excessive and treated everyone as suspect. How will real-name verification of social media users be any different?” he asked.
The provisions to gain access to anonymised data too was a threat to privacy, Cheema added. “It has been repeatedly demonstrated that data can be de-anonymised.”
According to one of the two officials quoted above, the government is keen on introducing the bill in the ongoing session of the Winter session, particularly in wake of the controversy surrounding the surveillance of several Indians’ phones through a malware called Pegasus.
Opposition members indicated they will send the draft law for greater scrutiny. “This government fails to understand the importance of improving bills through Parliamentary scrutiny. The bill is yet to come and we are yet to read it, but all these kinds of bills must be sent to parliamentary committees or select committees,” said Trinamool MP Derek O’Brien.
The draft law exempts government agencies from accessing data in contravention to privacy safeguards, with some activists saying it also does not check surveillance powers of the government.
Legal experts said the law is a crucial first step in order to set up a legal framework that protects privacy. “The data protection law is an imperative foundation for right to privacy,” said Arghya Sengupta, research director, Vidhi Centre for Legal Policy. Sengupta was among the members of the Srikrishna committee.
“There has been a lot of talk about exemptions. The data protection law cannot be turned into an anti-surveillance law. That has to be a different law. Data protection law can be the first word on the debate surrounding surveillance but not the last,” he added.