Mozilla highlights pros and cons of revised Personal Data Protection Bill
By MYBRANDBOOK
Mozilla has been at the forefront of campaigning for a strong data protection law in India. It has repeatedly urged the Government of India to implement a data protection law as a national priority.
This comes as the near-final draft of the Government of India’s data protection law was recently shared with Members of Parliament. This is a significant milestone for a country with the second-largest population on the internet, where privacy was declared a fundamental right by its Supreme Court back in 2017.
According to Mozilla’s blog post, “Like the previous version of the bill from July 2018 developed by the Justice Srikrishna Committee, this bill offers strong protections in regards to data processing by companies. Critically, this latest bill is a dramatic step backward in terms of the exceptions it grants for government processing and surveillance.
The original draft, which we called ground breaking in many respects, contained some concerning issues: glaring exceptions for the government use of data, data localisation, an insufficiently independent data protection authority, and the absence of a right to deletion and objection to processing. While this new bill makes progress on some issues like data localisation, it also introduces new threats to privacy such as user verification for social media companies and forced transfers of non-personal data”.
The post also discusses the bill’s provisions in detail. It says, “As the bill is introduced and reviewed in Parliament, attention and action is needed on several provisions. Here are some highlights:
· Exceptions for Law Enforcement and other government use: The biggest concern in the new draft is the bill’s expansion of the broad exceptions that were present in the 2018 draft of the data protection bill for the government processing of data. Crucially, the requirement that government processing of data be “necessary and proportionate” has been cut. Furthermore, a provision was added granting the government complete discretion to exempt any entity or department from any part of the law. This leaves the current legal vacuum around India’s surveillance and intelligence services intact, which is fundamentally incompatible with effective privacy protection.
· Independence of the Data Protection Authority: The new law further reduces the powers and independence of the data protection authority (DPA) by significantly weakening the commission that will appoint the Chairperson and members of the DPA. Where the 2018 draft said that they were to be appointed by a diverse committee with executive, judicial, and external expertise, the new law limits this committee to members of the executive. As with the last bill, Adjudicating Officers are also appointed by the government. Together, this will make it much harder for the DPA to be empowered and effective as the entire governing structure will be appointed exclusively by the government.
· Social Media User Verification: In a move that will be disastrous for the privacy and anonymity of internet users, the law contains a provision requiring companies to provide the option for users to voluntarily verify their identities. This would likely entail users sending photos of government issued IDs to the companies. There are also reports that intermediaries will have to report accounts that do not verify themselves using such procedures to the government, which could make them a target for government scrutiny and investigation. This provision will incentivise the collection of sensitive personal data from government IDs that are submitted for this verification, which can then be used to profile and target users. This is not hypothetical conjecture – we have already seen phone numbers collected for security purposes being used for profiling. This provision will also increase the risk from data breaches and entrench power in the hands of large players in the social media space who can afford to build and maintain such verification systems. There is no evidence to prove that this measure will help fight misinformation (its motivating factor), and it ignores the benefits that anonymity can bring to the internet, such as whistleblowing and protection from stalkers.
· Forced Transfer of Non-Personal Data: The law also mandates that certain companies can be forced to transfer non-personal data to the government for public good and policy planning purposes. Not only can non-personal data constitute protected trade secrets and the insights derived from such data be protected by intellectual property law, but turning over this information to the government also raises significant privacy concerns. Information about sales location data from e-commerce platforms, for example, can be used to draw dangerous inferences and patterns regarding caste, religion, and sexuality. The law should continue to focus on the protection of personal data and leave the regulation of non-personal data to an independent law.
· Ambiguity in Implementation: The 2018 draft clearly laid out the timelines for the creation of the data protection authority, the accompanying subsidiary legislation, and the date in which the law would finally be enforceable. The new law removes all references to this timeline and merely mentions that the Central Government may notify the enforcement of the law at its complete discretion, creating ambiguity and uncertainty in the ecosystem.
· Data Localisation and Cross Border Transfers: In a positive move compared to the 2018 draft, the law relaxes data localisation restrictions and applies them to only sensitive and critical personal data (i.e., personal data can be transferred without restriction). For sensitive data, the data can be processed outside the country and there are also reciprocity based exceptions that allow even critical and sensitive data to be processed outside the country. However, sensitive data must be stored in India, and it continues to be hard to see this as anything other than an effort to make surveillance easier.
· Right to Erasure: In a positive move, the new law includes an explicit right to erasure along with the right to correction, which gives data principals the right to demand that fiduciaries delete data which is no longer necessary for the purpose for which it was originally processed.
· Strong obligations on companies and rights for individuals: Overall, the bill retains the strong protections in regards to processing by companies that existed in the 2018 draft. In particular, there are strong provisions on consent, authorized basis for processing, purpose limitation, collection limitation, notice, data retention, data quality, data security safeguards, right to access, right to correction, data portability, and enhanced obligations for significant data fiduciaries.”
Commenting on the move of the government, Mozilla’s Policy Advisor, Udbhav Tiwari says, “Indians have been waiting for a strong data protection law for years now. This latest bill delivers real privacy in regards to processing by companies, but is a dramatic step backwards in terms of processing and surveillance by the government. Exceptions for government use of data, the verification of social media users, reduction in the independence of the Data Protection Authority and the forced transfer of non-personal data all represent new, significant threats to Indians’ privacy. If Indians are to be truly protected, it is urgent that the Parliament reviews and addresses these dangerous provisions before they become law.”