Why in News?

• The Personal Data Protection Bill 2019 which is currently under parliamentary process for approval is criticised to be of heavily tilted towards security and revenue generation of the state rather than Right to Privacy which is the basic reason for a Data Protection Regime.

Categorisation of Data as Per the Bill:

• The bill constitutes 3 personal information types:

1. a). Critical
2. b). Sensitive
3. c). General

• Sensitive Data constitutes or is related to passwords, financial data, health data, official identifier, sexual orientation, religious or caste data, biometric data and genetic data. It may be processed outside India with the explicit consent of the user.
• Critical Datawill be characterised by the government every once in a while, and must be stored and handled only in India.
• General Data:Any data that is non-critical and non-sensitive is categorised as general data with no limitation on where it is stored or managed.

Provisions of the bill which is Under Criticism:

1. Access to Non-Personal Data:

• Government is empowered to gain access to any non-personal data — anonymised data like traffic patterns or demographic information — mainly for framing policy for better delivery of services and evidence-based policy.

2. Process Data Without Consent:

• The Bill includes exemptions for processing data without an individual’s consent for “reasonable    purposes”, including security of the state,detection of any unlawful activity or fraud, whistle blowing, medical emergencies, credit scoring, operation of search engines and processing of publicly available data. Accordingly personal data processed in the interest of prevention, detection, investigation and prosecution of any offence is exempt.

Issues Regarding the above Provisions:

1. Security Interest vis-a-vis Data Privacy:

• Not in line with the recommendation of Justice Sri Krishna Committee
• Justice B.N. Srikrishna committee in its report had cautioned against use of data without consent and had recommended exemptions to be “watertight”, “narrow”, and available for use in “limited circumstances”.
• But the government empowering themselves to collect data in the name of “national security” which is defined and highly vague goes against the basic intent of the bill.
• It had also recommended that the Government bring in a law for the oversight of intelligence-      gathering activities, the means by which non-consensual processing of data takes place.

2. Conflict of Interest (Data Protection Authority):

• The bill provides for Data Protection Authority of India to monitor and enforce the provisions of the Act. Given that the appointment of chairperson and members is done by a panel constituting Government nominees and government agencies but themselves being the major collectors and processors of data, it tantamounts to conflict of interest.

3. Revenue generation vis-à-vis Right to Privacy

• According to Edward Snowden there is a symbiotic relation between financial models of digital platforms and security interest of the state which leaves a lot of scope for misuse of data.The Data Protection Bill empowers the government to gain access to any non-personal data mainly for framing policy for better delivery of services and evidence-based policy. This is particularly goes against the ‘principle of limited purpose limitation’ according to which personal data that is gathered for a specific purpose cannot be put to use for any other purpose.
• For instance recently under the Bulk Data Sharing Policy & Procedure of The Ministry of Road Transport and Highways the government shared Vehicle Registration Certificates and Driver License with automobile industries, banks, finance companies etc. at specified rates for each data set.
• If such policies aimed at monetizing the database by bulk data sharing is adopted to the data that is collected, then the major aims of bill such as privacy and data protection is compromised.