SUMMARY
Justice BN Srikrishna Committee had submitted the draft version of the bill in 2018
The government introduced a revised bill in the parliament in late 2019
Justice Srikrishna said the revised bill can be challenged in the Supreme court
Inc42 Daily Brief
Stay Ahead With Daily News & Analysis on India’s Tech & Startup Economy
Last month, the Indian government circulated the revised version of the much-anticipated Personal Data Protection Bill in the parliament. However, Justice BN Srikrishna, who led the committee that made the draft, has raised objection regarding the constitutional validity of some updates the government made.
Justice Srikrishna said that certain sections are not in alignment with Supreme Court’s right to privacy judgment passed in 2017. He also said that the Indian government has diluted the sanctity by not allowing independent stakeholders to be a part of the Data Protection Act’s office.
Moreover, Srikrishna noted that the inclusion of non-personal data in the bill is dangerous. He also said that the revised draft can be challenged in the Supreme Court.
The Difference Between Personal and Non-Personal Data
The draft of the Personal Data Protection Bill 2018, which was prepared by Justice BN Srikrishna Committee, had defined “personal data” and “sensitive data” to ensure that there are no loopholes in the bill.
As per the draft, any data of a natural person which allows “direct or indirect identifiability” is personal data. Sensitive personal data includes financial data, biometric data, religious and political leaning, etc.
On the other hand, non-personal data is any data, which cannot be traced back to an individual. It is an anonymised community data that is collected by companies. This includes weather data, ecommerce shopping data, traffic and food delivery data.
The Problems With The Revised Data Protection Bill
Non-Personal Data Inclusion
The Indian government has also set up a separate committee, in late 2019, to formulate regulations on the non-personal data as it cannot be included in the Personal Data Protection Bill.
The committee is headed by Infosys’ Kris Gopalakrishnan, who is currently holding discussions with stakeholders such as ecommerce companies to understand the usage and importance of non-personal data and submit the tentative regulations to the government.
However, in the revised draft, the government has added a provision that allows it to seek both personal and non-personal data from any company to aid the policy formulation process. As per Justice Srikrishna, this provision will allow the government access to all business data — data on intellectual property, business strategy and mergers and acquisitions.
“Non-personal data needs a separate law. The government has sneaked it in this Bill. In the universe of data, there is personal data, and then everything else is non-personal data,” Srikrishna maintained.
‘Asking For Personal Data Unconstitutional’
In addition, he also noted that the Supreme Court ruling on the right to privacy does not allow the government to ask for data unless it declares a specific objective for collecting personal data, the authorities ordering it and the procedures that will be followed. The right to privacy judgment was in response to a petition filed by former Karnataka High Court judge KS Puttaswamy.
“The argument is that fundamental rights cannot be infringed upon, the law has to be constitutionally valid, which it won’t be because it does not adhere to the Puttaswamy judgment,” Justice Srikrishna added.
The draft bill had stated that the government cannot ask for any data unless it was authorised through a law passed in the parliament. However, the government changed the provision and empowered the government to exempt any of its agencies from the purview of the Act.
Personal Data Body Should Be Independent
The original draft of the Data Protection Bill 2018 stated that the body managing the regulations, Data Protection Authority (DPA), should be independent. Justice Srikrishna believed that this would ensure that the data is not used by the government to target specific individuals or groups and use the data for personal gains.
However, the revised draft allows only government nominees to hold the DPA office. “The new Bill has weakened the independence of the DPA, which has to equally monitor the government and the citizens. You can’t put a thief in charge of security… The ideal thing would be that the DPA become a constitutional authority like the Election Commission or the courts,” Srikrishna said.
Note: We at Inc42 take our ethics very seriously. More information about it can be found here.