It has been more than three years since a draft Bill on personal data protection was crafted by the Justice Srikrishna Committee of experts and submitted to the Ministry of Electronics and Information Technology in 2018. Two years since a Joint Parliamentary Committee was set up to scrutinise another version — the Personal Data Protection Bill (PDPB), 2019 — it was finally adopted by it on Monday. But as dissent notes submitted by some panel members from the Opposition point out, the draft falls short of the standards set by the Justice Srikrishna Committee to build a legal framework based on the landmark judgment, Justice K.S. Puttaswamy vs Union of India , on privacy. The key divergences from the Justice Srikrishna Committee’s draft Bill are in the selection of the chairperson and members of the Data Protection Authority (DPA) which shall protect the interests of data principals and the leeway provided to the Union government to exempt its agencies from the application of the Act. While the 2018 draft Bill allowed for judicial oversight, the 2019 Bill relies entirely on members of the executive government in the selection process for the DPA. In contrast to the 2018 Bill that allowed for exemptions to be granted to state institutions from acquiring informed consent from data principals or to process data in the case of matters relating only to the “security of the state” and also called for a law to provide for “parliamentary oversight and judicial approval of non-consensual access to personal data”, the 2019 Bill adds “public order” as a reason to exempt an agency of the Government from the Act, besides only providing for those reasons to be recorded in writing.
As JPC member from the Rajya Sabha, the Congress’s Jairam Ramesh, rightly mentions in his dissent note, the “government must always comply with the Bill’s requirement of fair and reasonable processing and implementing the necessary safeguards”, which requires that the exemptions granted in writing should at least be tabled in both Houses of Parliament; but that was not accepted by the JPC. His note also points out to the dangers of exemption on the grounds of “public order” as it is susceptible to misuse and not limited to “security of the state” which is recognised by other data regulations such as Europe’s General Data Protection Regulation as a viable reason for exemption. In October 2021, the Global Privacy Assembly, featuring Privacy Commissioners from over 19 countries including those from the European Union, Japan and the U.K., came up with a clear resolution on principles for government access to personal data. In its resolution, the Assembly asked for a set of principles on legal basis, the need for clear and precise rules, proportionality and transparency, data subject rights, independent oversight, and effective remedies and redress to the individuals affected. As the JPC’s adoption of the draft Bill and the dissent notes appended to it suggest, it has fallen short of standards protecting privacy rights of individuals against blanket misuse by the state. It is now the task of Parliament to tighten the provisions further and bring them in conformance with the 2018 Bill.