The Personal Data Protection bill that deems to classify and signify broadly how data could be handled within and with regards to India has passed with concurring motions of both houses of parliament to a select committee to review.
The bill, which can become a landmark in Indian legislation for the many years to come in an increasingly digitized society, has raised quite a few eyebrows with the aforementioned motion in the last two days. The latter has agreeably sent the bill for review and discussion to a Joint Parliamentary Committee, to ultimately be discussed and debated during the next Budget Session of Parliament.
Following the action, Congress MP and chairman of the Standing Committee on IT Shashi Tharoor wrote a letter to the Lok Sabha speaker saying this would set a dangerous precedent for legislation in the future. Exactly, the letter read, ‘The exercise in creating a Select Joint Committee on a matter that rests squarely within the purview of an existing Standing Committee sets a dangerous precedent since it will allow the government to bypass the designated Standing Committee whenever a contentious bill is under consideration’.
Under parliamentary procedures laid down for the body, a minister introducing a bill is free to move for its referral to a Joint Parliamentary Committee, according to researchers from PRS Legislative. Moreover, there is no question of the parliamentary activities being scrutinized by the law ever in hindsight.
However, civil society members and lawyers have voiced their concerns on the matter, citing concerns of approachability, acceptance of comments or suggestions, and expertise. Executive Director at the Internet Freedom Foundation (IFF) and lawyer, Apar Gupta says, “With the Standing Committee it could’ve been much more expert oriented review and could result in productive policy discourses and outcomes which would suit the kind of legislation also that we are dealing with- which is incredibly technical and deals with issues of technology and fundamental right.”
Further, Gupta added, that the motion to pass the bill to a Joint Committee after the introduction, also hints at ‘a certain degree of nervousness…with the Standing Committee already there looking into a matter of protection of citizen data.’
The Standing Committee on IT is currently conducting hearings on the NSO Pegasus spyware row. The Standing Committee consists of 31 members of both lower and upper houses of parliament- 15 from the Bharatiya Janata Party (BJP), 4 from the Indian National Congress (INC), 2 Independents, 2 from the All India Trinamool Congress (AITC), with the rest from single, regional parties.
Constituted after motions passed in both houses of Parliament, the Joint Parliamentary Committee of 30 members consists of 15 BJP, 4 INC, 2 AITC, 2 Biju Janata Dal MPs hailing from either house with the rest of the members from regional parties. BJP MP Meenakshi Lekhi is the appointed head for this committee. So far no member of the committee has made any statement about the appointment, in public.
Prasanth Sugathan, the legal director at Software Freedom and Law Centre, echoes Gupta’s concerns about expertise of the committee but also adds a word about approachability. He says, “We would’ve preferred for the bill to go to the Standing Committee as organizations and people could’ve written to them as they have before (on the WhatsApp snooping case)…This is an ad-hoc committee which is being formed so we don’t know what the procedure of inviting comments would be and I’m not sure if they would even do that or if it would only be restricted to MPs.”
While things could also change if the committee decides to throw open doors for comments and suggestions, widely and in a structured manner from the public, stakeholders and players in the sphere do have quite a bit to add from their ends to the legislation.
Positive of the atmosphere of data security this would beget, CEO of Stellar Data Recovery Sunil Chanda mentions only a reconsideration of compliance timings for adjustments. “Some data sharing requests are very demanding for companies responsible, and may involve significant time and costs, thus the committee should consider relaxing compliance timelines,” he says.
Swapnil Shekhar the Director of Sambodhi Research and Communications expects more specificity to be added to clauses of the bill. “While the Personal Data Protection Bill 2019 addresses the issue of informed consent, it only states that the data fiduciary must process data in a ‘fair and reasonable manner that respects the privacy of the individual’. The Bill does not specify what constitutes ‘fair and reasonable’ leaving room for the potential violation of privacy,” he says.
Krishnanand Bhat, the Chief Information Security Advisor at Nexdigm hopes that the committee would rethink current clauses around the composition of the Data Protection Authority in the bill. “The bill relieves the biggest data aggregators and processors form this fiduciary responsibility and accountability. While the intent of the Bill was sound, it is important to incorporate deliberate measures to define an Independent Data Protection Authority that maintains, free from political influence and power,” he says.
Meanwhile there are individuals satisfied with the legislation as well, like Ajay Trehan, CEO of AuthBridge and Murtaza Bhatia of NTT Ltd who say that the bill provides a framework for data protection where there was none. The latter also foresees India to become a data processing hub, in the future saying, “most organisations now will collect, store and process the data within the country to avoid any complications.”...