The data privacy draft bill recommendations sent to the government by the Justice Srikrishna committee has left both privacy activists as well as digital players unhappy and confused. In fact, the only stakeholder who is unlikely to have a problem with the draft bill is the government.
The problem with the bill is not the amount of research that has gone into it. The bill has been drafted after extensive study of the privacy legislations across the world and after taking on board some of the current discussions on data privacy taking place in different countries. But the problem is that the draft bill has tried to balance the interests of opposing stakeholders, and ended up with a compromise that pleases none. There is an old saying that a camel is a horse designed by a committee — that sums up the problems of the draft privacy bill. The issue is that the committee had members from the government, who tried to look at the entire bill from the government’s point of view, from the private sector, whose primary goal was a lax law that gave them enough freedom to collect data and build businesses using that, and members who were also concerned about protecting the privacy of citizens.
Data privacy draft bill is a badly conceived bill that pleases no one but govt
However, the composition of the committee with different viewpoints represented in it was not the big issue. I think the bigger issue was that the final draft tried to balance everything without a clear idea on its primary goal. This is unlike what is happening in other countries, which are grappling with the same issues. This is what has led to dissenting notes and opinions by the committee members being placed on record, even as the draft bill was submitted to the government.
Consider this: the European Union was very clear that it needed to safeguard the privacy of its citizens and that was the most important goal when it created the General Data Protection Regulation (GDPR). The GDPR goes to great lengths to put the interest of citizens and digital users first and foremost, even though it is considered fairly unfriendly by companies with digital businesses.
On the other hand, the US has followed a somewhat different path – it gave great freedom to companies in the Silicon Valley to collect and build businesses around citizen data. It primarily sought to protect the citizens’ data being accessed in its entirety by the government. In fact, from time to time, digital giants have chosen to refuse giving data of their consumers with the government agencies if they felt that it was not in the interests of their consumers. On the other hand, the US government never put in any regulations about the limits to which the companies themselves could use this data – they depended on self-regulation by these companies to do the needful. It is only now that it is seeking to develop regulations that will curb what Facebook, Google, Amazon or others are collecting from people, and what they can do with it, and whom they are sharing with it, after the Cambridge Analytica and other scandals.
As is apparent from the draft bill, the Indian approach is different. It provides some protection to citizens, but it puts weird conditions. It does not address the key question – who owns the data. More importantly, it expects a data breach to be reported first to the data authority, and not to the consumer whose data has been shared or misused. Similarly, it only suggests that a copy of key data be kept in the country, not that citizen’s data should be stored entirely in the country. And then again, if the interpretation of many lawyers studying the draft bill clauses is correct, it does make it imperative for a company to seek consent but it does not give enough protections if the citizen decides to withdraw the consent after some time.
At the same time, the builders of digital business are unhappy, precisely because they feel that too much of the bill was also borrowed from the GDPR, and that it will only add to their costs and curtail their freedom to build big businesses and collect data freely.
It is only the government that will be happy with the draft bill because it gives the government a huge latitude to collect and do whatever it likes with the data, if the need arises. It does not go into any specifics on under what conditions the government can access citizen’s private data.
This is only the draft bill, and it could go through revisions to address some of these concerns. But if it doesn’t, it will be a badly conceived bill that serves no one’s interest except the government.