More stakeholder consultation sought
India has finally brought out the personal data protection bill 2019 in public domain. It has been more than year in making, a legislation, which went through a retired judge committee with public consultation , followed by ministry led public consultation but something changed mid-way, of more than 600 plus public comments received by government on first draft of the personal data protection bill, none is available in public domain. The entire exercise started on a participative note, suddenly changed course.
This raises a flurry of questions from stakeholders who are not sure about the intent and implications of the proposed legislation. Let’s take a look at some intriguing questions on the personal data protection bill 2019.
The initial bill had chosen to define personal data on the basis of characteristic, trait or any other feature of identity of data subject, the new bill text also encompasses inferences drawn for the purpose of profiling, as personal data. This leads to a question regarding the nature and degree of inferences which can be categorized as personal data.
Along similar lines, the definition of sensitive personal data, has, in the new bill been left with additional jurisdiction overview of central government whereas the first draft had left it at the door of proposed data protection authority. In same breath it may be added the very selection process of chairperson and members of proposed data protection authority in initial draft had been suggested to be in consultation with a person with judicial qualifications whereas the new bill puts the onus on a bureaucrat from the legal affairs department to advise on the selection process. These co joined clauses from the text of the new bill, has led many to question the intent behind removing judicial intervention in formation of Data Protection Authority.
The most contentious questions however arise on a new clause 91, inserted in miscellaneous section of the Bill. The clause reads ‘the Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide any personal data anonymized or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed. Explanation. —For the purposes of this sub-section, the expression “non-personal data” means the data other than personal data.”
The most common questions on classification of data into personal and non-personal, fumes up issues around possible IPR, copyright violations and boundaries of ‘personal vs derived vs processed vs non personal data’. Many have asked the relevance of forming a non-personal data committee, which has been tasked to arrive at a legislation through a consultative process. This committee consisting of senior officials from two government ministries as well as some private sector senior sectoral representatives
has already had informal discussions with couple of big tech companies. The non-personal data committee while is yet to come out with background paper or even a formal consultation process, perhaps loses its stature on any proposed legislation on non-personal data. Industry operators would be greatly benefited if they knew the definitions and nuances of non-personal data and the enforcement guidelines strategy.
This sets the tone for a lively clause by clause debate on personal data protection bill 2019. The government has referred the bill to joint select parliamentary committee bypassing on what many would have assumed to be the standing committee for information technology in parliament. It could potentially allow relevant stakeholders to make brief presentations regarding their issues and key concerns with personal data protection legislation. The question is, will they?
Let’s shift focus for a while and focus on basic premises. While Data is precious, no benefit comes out of it till aggregated, processed, analyzed and effectively used for human good. While everyone wants to have access to ever growing terabytes every individual’s data, only a handful perhaps, have a will to do so for charitable purposes not to forget, have the necessary skill sets to collect and analyze data. There in begins the questions related to intent, purpose, business, and many such puzzles. If we add to it a machine influenced set of “data principals” i.e. those who are not fully controlled by a human jurisdiction, a new crystal starts to deflect the sunrays. We may agree to the fact that we perceive much of the world through the color of light we look at it through. Which means there is ample scope illusionary demons lurking in transparent faraway landscapes. Do we therefore stop believing or we readjust /refocus constantly? If that’s the case, coming back to our original set of questions it would be helpful if lawmakers choose to listen and readjust if required some principals when examining the Data Protection bill 2019.