Opinion

The ‘expectations vs. reality’ of the Personal Data Protection Bill, 2019

Introduction

The Personal Data Protection Bill (“PDP Bill”) was introduced in 2019 to provide for the protection of the privacy of individuals relating to their personal data…. The PDP Bill acknowledges the right to privacy as a fundamental right and personal data as an important facet of it. It places heavy regulatory compliances on Data Fiduciaries who use data of its users in its operations. The main purpose of The Personal Data Protection Bill is to protect data owners like us from the illegitimate use of our information. At least, this is the rhetoric that is painted to us by the PDP Bill. However, once the Bill is scrutinized closely, an ulterior motive of the government seems to elevate.

 
The PDP Bill as a tool of surveillance

Before going into the reality of The Bill, the socio-political conditions which motivated the introduction of such a bill should be looked at.[1] In 2017, the Supreme Court included the Right to Privacy under the purview of Art. 21 and raised questions on the validity of Aadhaar. In 2018, the EU General Data Protection Regulation (GDPR) was brought into force, which later acted as a benchmark for The Bill. In 2019, a few days before the introduction of The Bill, the Citizenship (Amendment) Bill was published. It is clear that the period of introduction of the Bill seems to have this continuing theme of surveillance over civilians, be it having the physical identity of an individual in the form of Aadhaar or having records of individuals’ origins in the form of CAA requirements.

The IT Act, 2000 governed data privacy in India before the introduction of The Bill, however, it restricted government surveillance which was required to happen only as per the rules in IT Act, 2000. With the help of the PDP Bill, the government can now exempt any of its agencies from the application of the PDP Bill. Therefore, this changed data privacy law is allowing increase government surveillance, among other things.

Along with the prevalence of Aadhaar, CAA, the government’s attempt to include Facial Recognition Systems in multiple institutions including schools and colleges, MHA’s cyber volunteer programme which establishes lateral surveillance, the PDP Bill is the newest tool which the government seeks to exploit to keep surveillance on its citizens. Therefore, this interpretation of the PDP Bill is not out of nowhere. The government has used such tools in the past as well. These instances of the past are shaping such interpretation to highlight the continuous practices of the government. There is an evident democratic deficiency [2] in this law. The oligarchy is the same as in every other case, causing direct harm to a very significant group of people. This group of people is the same as the ones targeted under the CAA. The very premise of the PDP Bill is based on the ability of the user to give consent, which can conveniently be taken away by the government “for the performance of any function of the State authorised by law”.

The ideology of the oligarchy against the targeted group of people under CAA is carried forward in the PDP Bill with a lot of ease. The parens patriae notion of morality seems to be the justification which the government carries for such extreme surveillance on its citizens- it is for our welfare and protection that the state is taking such measures. The members of the Parliament are considered to be representative of the people. In reality, they are representatives of the majority, epitomizing an even smaller sub-set of the people. The inevitable result requires the minority to compromise for the interests of the majority. In the case of abrogation of Art. 370, the larger egoistic idea of the hegemonic majority resulted in usurping of Jammu and Kashmir while the residents of J&K remained voiceless.

The PDP Bill is an unjust law

Although there is no legal illegality present, because the Fundamental Rights are also subject to reasonable restriction, the PDP Bill is clearly an unjust law. It is unjust especially towards that section of society whose presence in the country is criminalized by the CAA. Using the exemption in the PDP Bill, the government can effortlessly identify such group of people and hold them liable under the CAA. This causes the reality to move further away from the rhetoric and causes absurdity in the law. The duality of law which is seen as both sword and shield by Dworkin is evident here. The government is benefiting and the citizens’ right to privacy is being compromised. However, we still look at the law for help, following the paradox. The vulnerable are still asking for a data protection law, but one which is not a tool of surveillance for the government.

This unjustness is not limited to the targeted section of people under CAA but also the majority like you and I. Everything from our bank’s passwords to our Amazon Wishlist is saved in the form of data. The PDP Bill places an immense amount of emphasis on the consent of the data owner. Therefore, in theory, an individual would have enough (not full because there are provisions where data can be taken without consent) control on whether the data should be used or not, or for what purposes should their data be used. However, how practical is this utopian idea of consent. Very recently there was a huge data leak by MobiKwik wherein the information of about 110 million users, including their addresses and credit card details, was leaked on the dark web. Except what was the response of the MobiKwik owners? They denied any data breach and provided no information of any leak to the concerned user. This is the real experience. This is the reality. The personal data of the people of this country is up for grabs for private companies and the government and there is little agency provided to such users.

This new Bill is a very clear example of how the rhetoric of law can be, and is, very different from the reality of law. While the rhetoric promises autonomy and power to the owners of data, the reality is completely in the favor of the Data Fiduciaries, especially the government.

[1] Upendra Baxi, Outline of a “Theory of Practice” of Indian Constitutionalism, Politics and Ethics of the Indian Constitution, 92-118 (2008).

[2] Id.


ABOUT THE AUTHOR

Sanjhi Sharma

Sanjhi Sharma is a fourth-year student at Jindal Global Law School, O.P. Jindal Global University with a keen interest in Policy Development. She has also attended Jindal-Harvard Summer School in July 2019 on Human Rights and Policy Development.

0 comments on “The ‘expectations vs. reality’ of the Personal Data Protection Bill, 2019

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: