Hyderabad: Hot on the heels of the Delhi High Court declining to make it mandatory to link Aadhaar or any other government IDs to social media accounts, privacy enthusiasts have a new thing to worry about. Yes, it’s the Personal Data Protection Bill, 2019. After all, the Bill, once touted to be the magic bullet, seems to be a Trojan horse.
According to Rohan Seth, policy analyst (technology) at The Takshashila Institu-tion, “The bill comes very close to writing a blank cheque to the government to get access to data. It allows for processing without consent, fairly unche-cked access to information, and does not do enough to install procedural safeguards.”
Fearing a backlash from privacy enthusiasts, the government kept the Bill well guarded till Tuesday when this secret document finally made its way to the public domain. And as the proverb goes, the devil lies in the details. The bill, as expected under diplomatic pressure from United States, has gone soft on the data localisation.
“The new draft allows for sensitive personal data to be processed outside of India, based on adequate security standards being met,” said Seth.
However, the main revelation is that the Bill, which is meant to ensure Indian citizens have autonomy on their personal data, said that wherever the Central government is satisfied that it is necessary in the interest of sovereignty and integrity of India, the security of the state, public order, friendly relations with foreign states, it can direct that all or any of the provisions of this Act shall not apply to any agency of the government in respect of processing of such personal data.
Yes, say hello to Big Brother. And if that wasn’t enough to send a shiver down the spine, then here’s yet another revealtion.
The Bill, similar to the one released last year by Justice B.N. Srikrishna Committe, does not require data fiduciaries (companies) to report to data principals (users) about data breaches.
“There is potential for misuse of data almost every time it collected at a large scale. Also, anonym-ized data may not be able to help identify individuals on its own. However, it can help identify whole communities,” Mr Seth said.
“Also, combining that with pre-existing datasets (gathered for the purposes of state functioning) can also result in profiling. Secondly, there is a chance that the DPA may not be the balance the bill is deeming it out to be.”