- The Personal Data Protection (PDP) Bill is finalized as the parliamentary joint committee concluded its recommendations recently. As you are aware, the most contentious parts of PDP relate to the extent to which government agencies have been exempted from the proposed Act. As the news reports reveal, two aspects need to be kept in mind here. It is known that details such as definitions matter hugely in drafting a law and the state does get exemptions to uphold sovereignty. Nonetheless, PDP suffers from loose language and expansive exemptions that practically keep the Government of India agencies outside the purview of the legislation.
PC: Bobby Anthony
- Further scrutiny on the matter would reveal an interesting bit of information as we know, the devil lies in the details. Remember, the state agencies are among the biggest collectors of personal data, and granting them loosely worded exemptions opens the door to abuse which the entire country is so familiar with. No wonder, this particular area has attracted dissent notes and merits extensive debate. Another aspect that deserves further introspection is that the joint committee has clubbed personal data and non-personal data thereby expanding the legislation’s scope. It goes without saying that clubbing data should be avoided as non-personal data has mainly a business dimension.
- As such, the Government authorities should keep in mind that non-personal data raises questions on protecting commercially critical data for firms. The pandemic has provided a huge fillip to the digital economy and India is making every palpable effort to reap the benefits of the technology-driven measure. Moreover, an omnibus regulator, dealing with both kinds of data, as the committee suggests, may have too much on its plate. Thus, the suggestion that data captured by electronic hardware should also come under the regulator’s purview needs a whole lot of explanation, does this include data generated by a company’s internal functions, for instance.
PC: Archana Prasad
- Another problematic area is the recommendation that the regulator can decide if individuals have to be alerted to a data breach of any entity collecting their data. It goes without saying that alerts of a breach have to be automatic and unconditional to help victims take precautions such as changing passwords as digital scams are on the rise. It appears the committee has made a half-hearted attempt to tighten the screws on social media firms. Undoubtedly, social firms which suck in a huge quantum of personal data need to be held to the standard of publishers. And this loophole must be closed in the final version when it eventually comes out.
- Most welcomingly, the committee suggests two years before operationalizing the law. Since it is a complex issue demanding more debate, let that start with a good and informed debate in Parliament in the ensuing winter session. The PDP will emerge as the foundation of upholding a critical fundamental right in an age where everyone will leave an extensive digital trail. Hopefully, the committee will consider all the above aspects before allowing the Parliament to enact the Act.
