During a debate in the Rajya Sabha, Shiv Sena MP Sanjay Raut admonished his party’s erstwhile ally, the BJP, by saying: “We don't need any certificate on our nationalism or Hindutva. Jis school mein aap padhte ho, hum us school ke head master hain. ” (We are the headmaster of the school where you are studying.)

The Sena has proved the truth of his statement time and again, albeit within the confines of Maharashtra, the State where it is in power. Whether it was the vaccination drive, the ludicrous Sushant Singh Rajput case, corruption charges against its Home minister or now the Aryan Khan brouhaha, the Sena has shown that it is adept at adopting the very tools used by the BJP to turn the tables on its arch rival. Whether it is in the use of institutions (like the police) or unleashing online troll armies or using ‘friendly’ media to hound one’s opponents, the Sena has time and again paid back the BJP in its own coin.

This should be a useful lesson to remember, not just for the BJP, but for anyone in power. The shoe can always move to the other foot. What one sees as a weapon pointed at one’s enemies today can always turn around and menace you later. Unfortunately, the drafters of the Data Protection Bill appear to have forgotten this. Nothing else would explain the kind of sweeping powers arrogated to the executive, and the doing away of institutional checks and balances one finds in the draft Bill. True, a Joint Parliamentary Committee has approved the draft. But already, as many as seven Opposition members of the panel have submitted dissent notes and more, if media reports are correct, are on the way.

True, the Bill will now be debated in Parliament. But given the current dispensation’s past track record in pushing through legislation using its brute majority in Parliament, and its tendency to ignore amendments moved by the Opposition in the legislations that have been passed till now, one cannot realistically hope for even the sensible amendments proposed to make its way into law.

Opposition’s failings

The Opposition, on its part, has often played along, falling into the trap of creating chaos in the house over side issues while the ruling party “passes” Bills at lightning speed through voice votes which no one can hear. The soon to be repealed farm laws are a good example of this. The Opposition was as guilty for the debate-less passing of the laws, waking up to the ramifications only later when farmers marched on the capital.

This is not to say that India does not need a Data Protection Bill. In fact, in a country where an American-owned social media company has almost as many users as the population (Meta, comprising WhatsApp with over 53 crore users, Facebook with around 41 crore and Instagram with 21 crore users) and where the government is holding sensitive personal data of the entire population in its hands, the need for a data privacy law is paramount.

But what has been presented is a weakened draft, which gives extraordinary powers to the government for non-consensual use of personal data, and to exempt almost any agency it chooses from the provisions of the privacy law.

Speaking to Inc42, Justice BN Srikrishna, who headed the committee of experts whose recommendations purportedly form the basis of the law, was characteristically blunt. “First and foremost, what bothers me is the security part of it. What we had suggested was that the government access to an individual’s data in only extraordinary circumstances which must be specified by the Parliament. They have now changed it to the extent where the Government can any time access the data. That is very worrisome.”

Worrisome is right. The stated objectives of the Bill are unexceptionable. The Bill seeks to create a legal framework for the protection of personal data of individuals, a framework for processing such data, and provides for establishing a Data Protection Authority to ensure transparency, equity and accountability on part of all entities collecting, storing and using data.

Which is good, but as the dissent notes have pointed out, the institutional independence of the proposed data regulator has been compromised ab initio by the giving the government the sole right to select the chairman and members of the proposed Data Protection Authority, whereas the original draft had suggested judicial oversight of this process. This clearly weakens the independence of this key regulator.

Even more concerning is Section 35 of the draft, allowing the Centre to exempt any agency of the government from the provisions of the law, when it is deemed to be in national security and or for the sake of an undefined “public order.” Allowing the government a free hand from acquiring “informed consent” from data principals for using sensitive personal data (Section 12) is even more worrying, as is the fact that neither judicial or Parliamentary approval is required for such actions. The government only has to submit the reasons “in writing”, which can then be suppressed from public scrutiny or RTI requests on the grounds of “national security”!

Non-personal data worries

The clubbing of non-personal data under the ambit of the proposed law is also hugely problematic, since non- personal data has huge ramifications for business. The handling, access to and rights over such data require a different kind of skillset and mindset, which a privacy regulator tasked with primarily looking at personal data might lack.

On the other hand, the draft Bill also overlooks many of the benefits of having open access to non-personal data. The government in all its forms — from local to national — is the largest gatherer and owner of such non-personal data, which can be of immense use to businesses as well as government. To cite just one use case, access to granular crop, yield and price data can transform agricultural credit and insurance, as well as allow agritech innovations to be used at scale at the bottom of the pyramid. But this calls for the creation of a data exchange framework, as well as an authority to oversee this, all of which should rightly be the subject of an entirely different law.

The Data Protection Bill is only the start of a long and complex journey. It would be a pity if a flawed belief that arming oneself with powers to do as one wishes when in power will be the same as arming the government with the same powers when one is not. Lawmakers would do well to remember that and look at the long-term implications, rather than short-term political or PR wins, while finalising the legislation.

The writer is a senior journalist