SUMMARY
Some of the JPC members took to Twitter criticising the JPC’s failure to safeguard the right to privacy from government agencies
The PDP Bill assumes that the right to privacy arises only where operations and activities of private companies are concerned, says Jairam Ramesh, member, JPC
The degree of autonomy has been reduced and made in favour of the government, Justice BN Srikrishna who headed the drafting committee, had earlier told Inc42
Constituted on 12 November 2019, the Joint Parliamentary Committee on Personal Data Protection Bill, 2019 has finalised its report and will now submit its recommendations to the Lok Sabha Speaker Om Birla.
The Personal Data Protection Bill, 2019, was tabled in Lok Sabha during the Winter Session of Parliament in 2019 and was later referred to a Joint Parliamentary Committee instead of the Standing Committee on Information Technology headed by Congress leader Shashi Tharoor.
The 30 member Joint parliamentary committee is being headed by governing party BJP’s MP PP Chaudhary. While the official Lok Sabha Twitter handle tweeted that the Committee considered and unanimously adopted the draft Report of the Joint Committee, at least five of the members including Congress leaders Jairam Ramesh, Manish Tewari and Gaurav Gogo and; Trinamool Congress MP Derek O’ Brien, have reportedly moved dissent note against the report.
According to reports, the committee has proposed over 200 amendments, 170 of which have been proposed by Chaudhary.
PDP Bill: The Dissent Notes
Taking the battle to Twitter, Rajya Sabha MP Jairam Ramesh has published his dissent note on Twitter. “…The PDP Bill assumes that the right to privacy arises only where operations and activities of private companies are concerned. Governments and government agencies are treated as separate privileged classes whose operations and activities are always in the public interest and individual privacy considerations are secondary,” the note read.
Ramesh further pointed out that Section 35 gives unbridled powers to the Centre to exempt any government agency from the entire Act itself.
Ramesh had proposed an amendment to seek parliamentary sanction before exempting govt agencies. “Under the amendment, I had suggested that the central government will have to get Parliamentary approval for exempting any of its agencies from the purview of the law. Even then, the government must always comply with Bill’s requirement of fair and reasonable processing and implementing the necessary security safeguards,” he said.
JPC and Congress MP Manish Tiwari also tweeted his dissent note against the report. “While complimenting @OfficeofPPC for his leadership of the Joint Committee of Parliament on Data Protection, I was constrained to submit a Dissent note as I do not agree with the Fundamental design and Construction of the bill,” he tweeted.
The PDP Bill: Why Dissent Must Be Heard?
Amid growing public discontent over the massive Aadhaar data leak, and also taking a cue from then the ongoing Aadhaar case hearing at the Supreme Court, the Indian government, on July 31, 2017, had set up a committee of experts to work on the data protection framework. The committee was asked to examine issues related to data protection, recommend methods to address them, and draft a data protection bill.
The Committee’s submission — draft Personal Data Protection Bill 2018 — released in July 2018 had evoked mixed reactions, with most veering towards dissent, including from some expert committee members.
A member of the expert committee and the CEO of NASSCOM’s Data Security Council of India, Rama Vedashree, had then noted that the data localisation requirement in the Bill is regressive and against the “fundamental tenets of the liberal economy”.
She added that portraying localisation as a tool for developing the domestic market is “fuelled by unfounded apprehensions and assumptions.” She said that localisation could be a trade barrier in key markets.
Further, Vedashree disagreed with the classification of passwords and financial data as sensitive personal data. “The concept of Sensitive Personal Data is primarily used for providing higher-level protection to the data subject from instances of profiling, discrimination and infliction of harm that are identity-driven,” she said, adding that most countries don’t classify passwords and financial data as sensitive personal data. Vedashree’s comment was about the draft Bill submitted by the very Srikrishna Committee.
The PDP Bill that was tabled in the Parliament was further modified to the extent that even Justice BN Srikrishna refused to support the Bill.
Speaking to Inc42, Justice Srikrishna had said that there are at least five points that make the latest draft bill radically different from what was submitted initially.
“First and foremost what bothers me is the security part of it. What we had suggested was that the government access to an individual’s data in only extraordinary circumstances which must be specified by the Parliament. They have now changed it to the extent where the Government can any time access the data. That is very worrisome,” he said.
Further, Justice Srikrishna added that the composition of the proposed Data Protection Authority has been diluted, the degree of autonomy has been reduced and made in favour of the government.
“Although this is supposed to be a personal data protection act, they have also introduced one Section which says, non-personal data can also be accessed by the government. I don’t understand this. The draft itself is about Personal Data Protection, why would they bring in non-personal data without any context,” he then told us.
The Draft Personal Data Protection Bill Clause 91(2) says that the central government may, in consultation with the DPA, direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the government, in such manner as may be prescribed.
