Does the Data Protection Bill threaten the right to privacy?

On December 11, Information Technology Minister Ravi Shankar Prasad introduced the much-awaited Personal Data Protection Bill (PDP), 2019 in Lok Sabha. However, due to the concerns raised by the Opposition, the Bill could not be passed and has been referred to a Joint Select Committee of both houses for further discussion.

The growing importance of data and the government’s push towards digital economy makes the bill one of the most important legislations of the decade. The Bill seeks to give individuals control over their data. It lays down a framework for the collection, dissemination, and protection of personal data which includes a wide range of data from health data to biometric data to genetic data.

The Bill bestows certain rights to individuals. These include the right to get notifications regarding the purpose, nature, and categories of data to be collected. The individuals have the right to receive confirmation whether their data is being processed or has been processed.

They have a right to know with whom personal data has been shared, with categories of data shared. Besides these, individuals also have the right to withdraw consent, the right to correction and the right to be forgotten. To ensure that these rights are not violated, the bill seeks to set up a Data Protection Authority.

Looking at the rights and the amount of control that are being given to individuals, this Bill seems revolutionary in the sense that people will control their data, rather than the government or any firm. However, the restrictions and exemptions laid down in the Bill dilute many of these rights. The Bill seeks to give sweeping exemptions to the government vis-à-vis processing of personal data.

The government can process personal data in the interest of the security of the state and public order without requiring consent. The personal data of any individual can also be processed in order to prevent, detect, and investigate any offence.

For example, if the government thinks that an individual is a threat to the security of the state (irrespective of whether he/she is a threat), the government can lawfully snoop on that individual.

It can get access to information like where the individual goes, who is he talking to, and whom he interacts with. The government can also process personal data without consent for some “reasonable purposes” which include whistleblowing. This could result in systematic harassment of whistleblowers who may expose scams or irregularities in the government.

These sweeping powers given to the government under the Bill opens up a possibility of mass surveillance which goes against the fundamental right of privacy (Puttaswamy Judgement).

Another contentious part of this Bill is that it enables social media intermediaries to provide a voluntary user verification mechanism by which any user can voluntarily verify his/her account.

Although, verification is voluntary, it opens a channel by which everyone can get his/her account verified to get a visible mark of verification which is often associated with influencers. This may lead to a large number of people opting for user verification. This might result in real-time tracking and profiling of those who dissent.

Besides these issues, the right to withdraw consent also seems to be have been diluted. To withdraw consent from the processing of any personal data, one needs to provide a valid reason and all legal consequences arising out of such withdrawal are to be borne by him. This might act as deterrence against withdrawing consent and can lead to the exploitation of personal data.

Hence, the Data Protection Bill is a welcome step in establishing a Data Protection Regime but it is fraught with various provisions that dilute the fundamental right to privacy. The Bill lacks the necessary safeguards needed to protect the right to privacy.