Parliamentary panel's version of Personal Data Protection Bill endangers privacy: Justice Srikrishna

Justice BN Srikrishna
Image: Hemant Padalkar/Hindustan Times via Getty Images

For Justice BN Srikrishna, who led the committee that came out with the first draft of India’s Personal Data Protection Bill in 2018, the latest amendments proposed to it by the Joint Parliamentary Committee (JPC) “enhance” the danger to fundamental right of privacy. This version does not pass the three-step proportionality test defined by the Supreme Court in the 2018 Puttaswamy judgement, he says.
 
The JPC version, which was tabled in both houses of the Parliament on December 16, gives “carte blanche” to the central government to exempt any of its agencies from any and all provisions of the Bill. Furthermore, by making “security of the state” as one of its stated objectives, the proposed law is no longer limited to protecting the privacy of citizens and non-citizens, he says. The latest version also makes the intended regulator of personal data —the Data Protection Authority (DPA)—“subservient to the executive”, he says.
 

Eight members of the JPC have filed dissent notes against this report primarily because of the two provisions that allow the government to exempt itself and any of its agencies from the Bill, and allow the state to process personal data of individuals without consent for any function of the state.
 
For Justice Srikrishna, the JPC’s recommendations to re-classify social media intermediaries as “social media platforms”, and to treat them as “publishers” responsible for content from unverified accounts are attempts to “abridge free speech”. The other recommendation to have the central government create a statutory body to regulate press in the country is a means to “muzzle” free press.
 
Here are edited excerpts from Forbes India’s interview with Justice Srikrishna:

Q. Does the JPC version of the Personal Data Protection Bill improve or worsen the 2019 version from a privacy perspective?
There are further restrictive terms in this latest version of the Bill. The danger to fundamental right of privacy of personal data is enhanced.
 
Q. Which are the most restrictive recommendations/amendments to the Bill, according to you?
Changing the Title of the Act by introducing national security as one of the objectives—the law which was intended to protect the privacy rights of the citizens and non-citizens now has security as the objective. The provisions [Clause 35] that give untrammelled power to the government to exempt government agencies from any or all of the sections is greatly restrictive of the right that is put on the high pedestal of fundamental right by the Supreme Court in the Puttaswamy judgment. The provision [Clause 86, now 87] that gives power to give mandatory directions to the DPA [Data Protection Authority]—these are all restrictive and constrictive of the fundamental right of privacy.

Q. Does the JPC version of the Bill adhere to principles of necessity and proportionality laid down in the two Puttaswamy judgements?
In my opinion, no. Under this version of the Bill, the government has a carte blanche to grant exemption to any or all government departments. The Act should apply equally to the State and private entities collecting personal data. The balance is totally tilted in favour of the government.

Q. Does the JPC version provide effective protections against privacy violations by the State?
In my opinion, no. Allowing an executive to make inroads into the fundamental rights by mere executive declaration is certainly dangerous. There should be a separate enactment consistent with the triple test prescribed in the Puttaswamy judgment.

Q. Does the inclusion of four more members to the DPA’s selection committee make it less executive-led?
No. The DPA is entirely captive to the government and cannot be said to be an independent regulator. That is unacceptable since the regulator has to act against the government as a data fiduciary also.
 
Q. The JPC wants the DPA to follow all government directions, not just public policy related.
This is one more nail in the coffin making the DPA subservient to the executive.

Q. The JPC also wants to classify social media platforms as 'publishers' and hold them responsible for content from unverified accounts. What are the repercussions of that?
That is devious method to control the social media intermediaries.

Q. Is the 'voluntary' verification of social media users by social media platforms desirable? Does that abrogate safe harbour?
That is the first step in the direction of exercise of control over them [social media intermediaries]. Control over them would lead to greater debility of the rights of people and gradually abridge free speech. No one who wields power likes to be criticised, even rightly.  

Q. How will creating a statutory body to regulate press and issue a code of ethics, as recommended by the JPC, affect the freedom of press in the country if it is regulated by a government body?
That, too, is another method of muzzling the free press by degrees. The press should be self-regulated and that is why the earlier versions highlighted the code of ethics adopted by the Press Council or other self-regulatory body.
 
Q. The Shashi Tharoor-led standing committee on IT also made a similar recommendation in its report on press ethics. What does that portend for free press?
That the legislators are keen to ensure that the spotlight turned on them by free writing in the press and other media is dimmed, if not totally switched off.  

Q. Should the PDP Bill also regulate non-personal data, as the JPC has said? Your version of the Bill said that the government was free to regulate non-personal data (NPD) through a separate policy.
This will create confusion since it attempts to conflate two immiscibles. One is personal, the protection of which is fundamental right, and the other is not so. By providing for government interference here also, there is an attempt to water down the fundamental right of privacy as well as take away non-personal data too. There may be occasions when the two are intertwined and there would be great confusion on such occasions.

Q. Guardian data fiduciaries are no longer a separate category. Is prohibiting all DFs from profiling children or targeting them with ads a step in the right direction?
At first blush, it is not possible to envision how this will play out. If it produces the same result as envisaged by the earlier versions of the Bill, it may be unobjectionable.
 
Q. Will classifying fiduciaries processing children’s data as significant DFs, as proposed by the JPC, preserve children's privacy?
​I am not sure what will be the end result. It needs to be watched as to how this provision plays out in effect.

Q. The JPC has recommended rights for the deceased so that they can exert their right to be forgotten through an heir or legal representative. How do you see that playing out in effect?
That may be a right step.

Q. The government has passed a bill to allow ‘voluntary’ linkage of Aadhaar with voter ID.  Do you agree with such a move?
What starts as voluntary has the tendency to become compulsory by insidious steps. It portends the danger of surveillance and monitoring by state agencies under different grabs, with without Pegasus and its likes.