Loose ends – The Hindu BusinessLine

Clipped from: https://www.thehindubusinessline.com/opinion/editorial/loose-ends/article38014462.ece


JPC version of data protection Bill is lax on govt accountability and casts its net too wide

After dragging its feet for two years, the Joint Parliamentary Committee (JPC) has come out with a considerably modified version of the Data Protection Bill, with the change of title itself saying quite a lot — the Personal Data Protection Bill , 2019, is now the Data Protection Bill (DPB), 2021. This incorporates 150 corrections and surprisingly clubs personal and non-personal data. But first, the positives. The JPC is clear that the individual is the subject of protection against breaches of their fundamental right to privacy by companies for profit and by the State on grounds of security. With regard to harnessing private data by companies, the regulations in Clause 26 of DPB, 2021 seek to hold at least major social media platforms accountable, by terming them “significant data fiduciary”, to be defined by a threshold limit of user numbers as notified by the Data Protection Authority (DPA). This marks a vast improvement over the free-for-all that prevails now, often ravaging individual dignity. These entities would be subject to regulatory compliance such as data impact assessment, registration, appointment of data protection officer and enhanced power of oversight by the DPA. However, it is hard to justify why 24 months are needed to implement the law. Nor is there clarity on the status of data collected so far, or till the two year period till this Bill becomes law. Misuse of such data in the fast-growing fintech space is already becoming a matter of grave concern, to take an example. The prospective application of the law is not in consonance with the approach taken by the EU’s General Data Protection Regulation.

The enthusiastic characterisation of citizen’s data as the “new oil” seems discordant in a law whose concerns should revolve around the repercussions of mining such data. There is no apparent basis to clubbing personal and non-personal data either, in contrast with global practices. The concerns are disparate. Non-personal data, for example, could pertain to preserving business confidentiality for artificial intelligence or machine learning models. The JPC proposes a regulatory regime for non-personal data which is not innovation-friendly to tech businesses. Non-personal data should be treated under a separate law. The JPC should have heeded the industry as well as the Srikrishna report which had wisely left the question of non-personal data to the “wisdom of a future committee…”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s