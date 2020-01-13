The Data Protection Bill is out, and it is going to be a defining year-end for the Indian tech policy space and the digital economy. Reading into the content of the bill, a few issues stand out in particular, specifically, the Data Protection Authority (DPA) and the rights afforded to the state to access user data.

Let us begin with the DPA. Because the Bill has such a broad scope and mandate, and because the Parliament is a legislative authority and not a traditional enforcer, the directives and spirit of the Bill will largely be carried out by one body, the DPA. In the Bill, the DPA is seen as a representative of the data principal (the person to whom the relevant data is related) with part of its duty being the protection of the interests of data principles. So once the bill is finalised and passed, the DPA’s work will begin. The body will be expected to operate at or even better than global standards while and after it is constituted.

The thing to notice here would be how the DPA is staffed, particularly who the chairperson and six members are going to be, and how they are going to be appointed. The need of the hour is to not have senior or retired bureaucrats as part of the DPA but experts who are acquainted with technology, law and privacy.

The bill had broadly three trade-offs to manage: define the powers of the state when it comes to data, set privacy standards around the personal data and sensitive personal information of citizens and outline the roles and responsibilities of data fiduciaries.

The big-ticket item here is that the bill heavily favours the government when it comes to access to data and processing of it. There are two reasons why I say that. Firstly, Chapter 3 of the bill lays out grounds that allow the government to process personal data for a certain number of functions. The text of the clauses is fairly broad. For instance, the first clause allows for the processing of personal data for the provision of any service or benefit to the data principal from the state. As a proponent of privacy, I am thankful it does not apply to sensitive or critical data and wish it stays that way. Secondly, Chapter 14 gives the state, in consultation with the DPA, the power to demand non-personal or anonymised data from fiduciaries to enable better targeting of services or form evidence-based policymaking. Given the prevailing environment, one could fit a lot of cases under the umbrella of evidence-based policymaking and abuse that provision if it’s not defined well.

In all fairness to the bill, it has tried to formulate checks and balances while granting the executive these powers. Two instances come to mind here. Firstly, in granting powers to demand non-personal or anonymised data, it somewhat requires the government to consult with the DPA first. But given that the DPA will be structured by people recommended and appointed by the Central government, that process may end up being redundant. Secondly, the bill also puts a check on the DPA when, in Chapter 9, it asks the Authority to “specify manner in which the data fiduciary or data processor shall provide the information sought, including the designations of the officer or employee of the Authority who may seek such information, the period within which such information is to be furnished and the form in which such information may be provided”.

In spite of all this, I still think that the bill more or less tries to hand the government a blank cheque when it comes to access to data. As we head into deliberations around this issue, I would argue that there is a chance that this cheque gets blanker. For people set a high value on privacy, the good news is that we still have the landmark Puttaswamy judgment that establishes the fundamental right to privacy under the right to life and personal liberty. Moreover, the regulatory climate is shaping into one where this verdict will be needed more than ever. Especially with the government giving itself the powers to access data through the bill, by recommending and appointing members in the DPA, allowing agencies to intercept and access data, and pushing for traceability in the intermediary guidelines.

The personal data protection bill is an essential step towards regulating a new space. However, given the draft version available, it also seems to be the beginning of a new tug of war for access to data.