Personal Data Protection Bill doesn’t curb state surveillance

The proposed Personal Data Protection Bill 2019 fails to protect citizens from the misuse of surveillance powers of the State. While it does well to provide citizens strong protection from misuse of data by private companies, the proposed law gives sweeping powers to the Centre to exempt itself from the protection guaranteed to citizens under the Bill. The biggest concern in the latest draft is that it allows the Centre complete discretion to exempt any entity or department from the provisions of the law. This leaves the citizens vulnerable to surveillance and spyware attacks, such as the recent snooping into private conversations of some WhatsApp users through Pegasus software. By invoking the interest of the sovereignty and integrity of India and the security of the State, the policymakers have ensured that it will have absolute control over consumer data without any judicial oversight.

This could be dangerous in a highly digital world, where consumers of Internet services are increasingly being subjected to surveillance by the state. A recent report by Google’s Threat Analysis Group revealed that there were more than 12,000 warnings sent to users across 149 countries that they were targeted by government-backed attackers. Of this, over 500 users in India were targeted by government-backed attackers. The proposed law does not do anything to assuage concerns over this issue. The other major worry is that the regulatory and monitoring structure will also be appointed exclusively by the government. This is in contrast to the draft circulated in 2018 which said that key appointments will be done by a committee comprising government officials, judicial members, and industry experts. There is no clarity on what constitutes ‘critical’ personal data when it comes to data localisation. The new law merely proposes that ‘critical’ personal data cannot be taken out of the country by any entity but has left it to the Centre to define what is critical.

When it comes to processing data by private entities such as Internet companies and financial players, the proposed law has accorded a lot of importance to user consent. For example, sensitive personal data including financial data, health data, sexual orientation, biometric or genetic data, can be transferred outside India only with explicit consent. It also does well to protect children from online predators by making it mandatory for data fiduciaries to verify a child’s age, and obtain the consent of a parent or guardian before processing any data. The new law has also put in place heavy penalties on private entities that violate the provisions of the Bill, in addition to empowering users with the right to delete, correct or transfer personal data. However, it is critical to bring about a balance between the individual, the companies which hold and process our data, and the State. The Parliamentary committee constituted by the Centre to review the provisions of the proposed Bill should iron out the deficiencies.