Comments on the Personal Data Protection Bill 2019
We submittted our comments on the PDP to the Joint Parliamentary Committee - February 2020
The Personal Data Protection Bill, 2019 is the result of India's tumultuous journey to safeguarding the right to privacy and data protection of the citizens of India. As the Bill, which was introduced in the Lok Sabha in December 2019, moves further toward becoming legislation, the Joint Parliamentary Committee, headed by Chairperson Meenakshi Lekhi, has invited comments and suggestions on the Bill from public and private stakeholders.
You can read our detailed chapter-wise comments and broader, overarching concerns here.
1. Need for alternative frameworks for data stewardship
2. Inadequacy of a consent based framework
3. Underestimation of algorithmic systems
4. Excessive powers to state agencies
5. Undue exceptions to search engines
6. Anonymity and security undermined through social media verification
We do not believe the Bill provides adequate privacy protections to citizens, particularly with regard to the processing of personal data by government authorities. Further, while we believe there is tremendous benefit to establishing the fiduciary relationship proposed by the Bill, the Bill falls short in adequately defining fiduciary responsibilities and identifying a basis of trust, placing instead an unreasonable and unrealisable responsibility on citizens to safeguard their own privacy. Rather than providing adequate protections, the Bill better identifies the conditions under which considerations of privacy can be side-stepped by both private enterprises and government agencies. The current approach risks subsuming privacy concerns to priorities of economic growth and national security, while increasing the surveillance capacities of the state. With revisions, the bill could provide an important baseline or starting point for data protection and privacy. However, other types of intervention that promote and enable responsible data stewardship - strengthening the trustworthiness of those who use and hold data - will need to be seriously examined if users are to gain better control over their data. Equally, we will need to develop frameworks and conditions for the legitimate collection and use of data, with clearly specified and transparent accountability provisions. Current provisions, such as those around the composition of the Data Protection authority and exemptions for government agencies, undermine rather than contribute to such trust-building. Further, the Bill includes a number of vague and under-specified terms, such as public benefit and innovation, which are used to grant critical exceptions to the Bill; nor does the Bill specify a timeline for implementation.