Justice B N Srikrishna, the retired Supreme Court judge who headed the committee that drafted the original Personal Data Protection Bill, has warned that extra powers and legal exceptions given to the central government are a “dangerous trend”, potentially leading to an “Orwellian State”.
In a note to the Joint Select Committee in Parliament deliberating on the Bill, Justice Srikrishna also said “data localisation requirement has been watered down because of lobbying by foreign companies”.
After a public consultation process, a committee led by the former judge released the first draft of what is commonly called the “privacy Bill” in July 2018. The Bill is the country’s first attempt to protect individual rights by regulating the collection, movement and processing of data that is personal, or which can identify the individual.
There are three stakeholders in the data protection debate: the individual, the state and technology corporates. Justice Srikrishna’s letter flagging a perceived increase in power to government and industry will be one of the many perspectives the committee will hear regarding the delicate balancing act between these three.
Justice Srikrishna’s draft required entities to store a copy of all personal data, even non-sensitive and non-critical data, in India. The new version of the Bill, reworked by the Information Technology Ministry, removed the mirroring requirement of personal data and allowed sensitive data to be stored abroad with government approval. Big technology companies have been critical of several requirements laid out in both versions of the Bill so far.
The personal data mirroring requirement, Srikrishna wrote in the note, “was with the objective that, if there be necessity for accessing such data at short notice, it would be impossible to follow the MLAT process to get it as that would take at least 18/24 months”.
The Mutual Legal Assistance Treaty (MLAT) is the extensive process that Indian authorities have to follow in order to receive information from an American company for law enforcement purposes. Even American industry associations have recognised the need to adapt the mechanism for the speed of digital technologies. However, critics of the Bill argue that storing the data within the country’s borders does not necessarily enable increased access to data.
In addition to leniency given to foreign companies, Justice Srikrishna also said that the “Government can always dominate the Data Protection Authority’’, and exemptions made for government surveillance have “sinister implications”.
The new Bill shifts many powers from the Data Protection Authority to the central government, such as determining the definition of sensitive personal data. It also removes the original draft’s independent committee that appoints DPA members, giving government officers appointment powers instead.
In addressing the clause giving the government the power to direct any entity to provide all their non-personal data, Justice Srikrishna calls it “a dangerous trend”.
“This vague and generalized declaration will provide a carte blanche to access non-personal data from citizens and business entities,” he said.
He also took issue with the government’s power in notifying social media intermediaries as “signified data fiduciaries” who have more stringent obligations under the law. As he has previously said publicly, he said the “vague” exceptions given for government surveillance are a violation of the right to privacy and the potential introduction of an “Orwellian State”.
The Bill, cleared by the Cabinet on December 4, 2019, was referred to a 30-member committee set up for the specific purpose of deliberating on it on December 12, 2019. The committee has met twice so far and is currently collecting public comments.