The draft data privacy bill shows that global best practices were considered, but somewhere these were lost in translation, writes Srinjoy Banerjee
George Orwell’s famous novel 1984 immediately comes to mind when reading the report and the draft Personal Data Protection Bill, 2018, which were placed before the government on 27 July by the Committee of Experts under the chairmanship of retired justice Srikrishna. To be fair, it is a good first attempt. However, given the times we live in, my impression is that the bill in its present form is rather skewed in favour of the state and seemingly encourages protectionism. This is quite contrary to how far we have come as a country and pushes us back many a step from the position we hold in the world economy.
The bill is the consequence of a judgment passed by the Supreme Court declaring the right to privacy as a fundamental right as enshrined in the constitution. As the Supreme Court observed in the Justice KS Puttaswamy (Retd) & Anr v Union of India & Ors case, “Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well. We commend to the union government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state.”
State, business and the individual (non-state actors) are the three pieces of this informational privacy and data protection puzzle. Each of these parties has certain rights as well as duties. However, if one looks at the base element of this discourse, it is the “individual and the data of that individual”. While this is a goldmine for many companies, it is critical that the individual’s rights are maintained, so that the “data principal” (as the bill defines the individual) is protected.
At the same time, business needs data as it is the fuel that drives commerce. That is a fact that cannot be ignored. Commerce or the show, as they say, must go on! Practically speaking businesses need to become innovative and treat privacy and data protection as a unique selling proposition rather than an impediment. The companies that will be at the forefront of this will survive, a case in point being the effort made by Microsoft, Google, Facebook and Twitter on creating an open-source, service-to-service data portability platform for the ease of transfer of data between companies.
The state must play the role of a guardian rather than being Orwellian. Therefore, the law should not give the state unbridled rights over the individual’s data. The individual is the owner and is completely capable of making decisions to protect it. A totalitarian state is not needed to govern how individuals conduct their affairs in a civil society. This aspect is sorely missed in this draft. Following the principles of the EU’s General Data Protection Regulation (GDPR), the authority does not need to step into each situation. The authority should rather play the role of helping companies and individuals find a solution for their grievances.
The very fact that the bill carries a requirement for companies to maintain a localized set of data is an outdated concept. While not going into the politics of why that is required, what we rather need to do is up our game and create secure warehouses. It should be a situation where countries and businesses want to store their data in India rather than being forced to do so.
While reading the bill, it also seems that the best practices from various existing laws around the world such as the GDPR have been considered, however, somewhere it is lost in translation. The concepts that are discussed in the GDPR that the committee seems to have heavily relied upon are not taken to their logical conclusions in the draft.
While a lot is desired from the bill, there are some glimpses of positive concepts as well. Some examples are: (1) the introduction of the concept of privacy by design and impact assessments; (2) clearly defining children’s rights and how to deal with them; (3) the definition of “inter-sex status” and “transgender status” clearly described as sensitive personal data; and (4) the “processing of personal data necessary for purposes related to employment” being permitted.
It would be naïve of me or anyone else to imagine that this bill will go through easily, but it is a hope that it sees the light of day (though, clearly not in this form). Once we have the umbrella law in place, the various sectoral laws can talk to it. Each act must feed off each other and not be disjointed.
The fear now is that the law needs to have enough teeth to be enforced. Even before we can reach that stage, though, we need to guard against vested and conflicting interests diluting the essence of the draft law. If these two factors of practicable enforcement and political immunization are not achieved, I fear that we would have lost one of the greatest opportunities of our times to catapult India to become the business and technology leader of the world.
Srinjoy Banerjee is an intellectual property attorney and data privacy professional, and in this role an assistant vice president and legal counsel at Genpact