- Equal treatment should be prescribed for violations by government and private fiduciaries
- Recommendation for statutory body for media organisations harms media freedom
- Anonymisation of data needs more checks and balances before it can be shared
“The one way to look at it is this is a carte blanche for censorship because if the government starts deciding why or when should the media be legitimate and accepting, or agreeing to publish something and not access personal data, in a way the government is completely controlling the narrative and which is very dangerous,” Saikat Datta, founding partner at DeepStrat, a think tank, said during the session on ‘Government Access to Data’ at MediaNama’s event ‘Decoding India’s Data Protection Bill’ held on January 20, 2022.
Datta was talking about the Joint Parliamentary Committee’s recommendation to the government that a regulatory body supervise the media’s use and access of data, in its report on the Data Protection Bill (DPB).
Along with him, Anushka Jain, Associate Counsel at the Internet Freedom Foundation, a digital rights organisation; Jhalak Kakkar, the Executive Director of the Centre for Communication Governance National Law University Delhi, a think tank; and Vaneesha Jain, Associate Partner at law firm Saikrishna & Associates also shared their views in the session.
The latest version of the Data Protection Bill in the Committee’s report enables the government to process or access data without consent while imposing certain obligations on private data fiduciaries. The report also recommends sharing of non-personal data with the government, etc. This session revolved around the implications of these recommendations on user rights.
This discussion was organised with support from Google, Flipkart, Meta, and Star India, and in partnership with ADIF. To support future MediaNama discussions, please let us know here.
Double standards in place on data breaches
Government has walled itself out: Not many aspects of the bill will apply to government collection, use, and processing of data, Kakkar said in response to Vaneesha Jain’s question on where the individual figures under Section 35 of the bill. According to Kakkar, the lines are a bit blurry as etched out in the bill, as the Data Protection Authority (DPA) is not involved in investigating violations by government fiduciaries.
Section 86 lays out that if there is a breach of data in a government fiduciary, the head of department will investigate the matter. Thus, she said that the government has walled itself out of the bill. Vaneesha Jain further posed the following questions:
- What if certain exempted government agency were to requisition, personal data from say, a body corporate or a company to which I as an individual have given data, does the individual’s consent figure at all in that transaction? Do they even get informed?
- And what happens if once that exempted agency has collected the data? Can they share it with other agencies? Can they share it with other exempted agencies or just about anybody?
- What happens in case of a leak or a disclosure of data by the government? I mean, we know that’s happened quite often in the case of Aadhaar data, etc, by the government. So are there any protections at all for the individual when government accesses data in these ways?
Lots of expectation from the courts: Accountability and independence issues with the DPA and the appellate authority leave the possibility to get justice only at the Supreme Court, according to Anushka Jain.
“So there’s a lot of, you know, steps to take before you actually will get justice, if you get justice eventually. And, you know, the process itself will be the punishment in this situation I feel,” Anushka Jain said about the grievance redressal mechanisms available under the bill.
Recommendation: Anushka Jain recommended that a strong, powerful, and independent DPA is needed. She also said that Clause 86 is against equality before the law and that there cannot be a different treatment for a government fiduciary and a private fiduciary in case of data breach.
JPC recommendation curtails media freedom
Creation of a statutory body, like the Press Council of India, for all media organisations across different medium, to safeguard the misuse of data for ‘journalistic purposes’ has been recommended by the JPC. According to Datta, the provision can be a carte blanche for censorship, allowing the government to decide when or why the media publishes something, accesses certain data, etc.
Recommendation: Datta pushed for the independence of the media referring to the philosophy of the founding fathers of America and its constitution.
“The founding fathers of the American democracy and the Constitution were very clear that we need an independent agency, which can inform the public and government can never be trusted to inform the public because anything the government says even if it is as innocent as it can be, and whatever its intentions are as noble as it can be, it will always necessarily fall within the ambit of what we call propaganda,” he said.
Privacy concerns from non-personal data sharing
“I think we have to really ask ourselves can personal data truly be anonymized?” Kakkar asked, saying that the government was trying to save face by asking for sharing of anonymised personal data. According to her, lots of checks and balances need to be in place to facilitate true anonymization and protecting de-identified non personal data.
Recommendation: The government should clarify provisions related to NPD governance such as government access of non personal data, how it becomes functional, the authority’s limited role of consolidation, etc. Kakkar said.
Bill should recognise state governments
Regarding the bill’s provision to have a central DPA, Datta cast doubts on how operational it would be. He also said that it does not fit with constitutional principles, nor does it recognise state governments’ role in areas of health, education, etc.
“Even from an operational point of view, I don’t know how this will be enforced because you have a district collector who’s sitting on tons and tons of data and certainly a central government authority to a district collector say in Odissa will say that I want you should give out this data so on and so forth,” Datta said.
Recommendation: A rectification of the bill’s provision for a central DPA was recommended.
Key concerns around powers of the government
Through previous iterations of the Personal Data Protection Bill, various stakeholders have expressed concerns regarding government access to data:
- Law enforcement agencies can be exempt: “In terms of application of the Bill, it means that an agency like the Delhi Police can be exempted from all provisions of the Bill, citing security of the State or public order,” a speaker said addressing the previous version of the bill at a MediaNama event.
- Adequacy with the EU: Insufficient safeguards against government access to data might make it harder for India to achieve adequacy with the EU, European Commission Deputy Head of International Data Flows & Protection Ralf Sauer indicated at PrivacyNama 2021:
“We had some question marks on some of the grounds for processing for public authorities, and whether they were always sufficiently framed. The corollary to this is that there was a clause at some point that allowed for broad exceptions from the data protection rules which put a shadow over the law,” Sauer said.
*Note: The two speakers in this event, Anushka Jain and Vaneesha Jain are not related.
- How should India’s Data Protection Authority work
- Data Protection Bill 2021: Summary of all powers held by Indian government
- Restrictions on cross-border data transfer will hurt Indian start-ups
What changes do you want in the Data Protection Bill from a company’s perspective? Do leave a comment.