‘Data bill in line with global practices’
The new draft of the data protection bill was released on November 18, and has attracted both praise and criticism, the first for its light-touch and agnostic approach to regulating a dynamic space, and the second for the significant exemptions it grants to governments and government agencies when it comes to using the data of individuals. IT minister Ashwini Vaishnaw discussed these in an hour-long interview with HT.
Edited excerpts:
One of the things that a lot of people have remarked on is the simplicity of the bill, including the drafting technique giving illustrations on how clauses have to be interpreted, so we want to start off by asking you about the philosophy behind the bill. What did you want to achieve when you set out to draft the bill?
Fundamentally, the PM has given us the clear mandate that all the laws that we make should have the SARAL (simple) framework. What does “saral” mean? It means that the bill should be written in simple English and not legalese. It should be understandable by a common citizen, and not just lawyers. The whole conundrum of cross connections, provisions, notwithstanding … all of the stuff that makes it difficult for people to interpret should not be included. And we should include things like the explanatory note and make it part of the parliamentary papers so that people understand what the intent behind the bill is and not get lost in the way laws have been drafted for many decades now. If you see from the Telecom Bill, this bill, many of the new bills you see will have this structure.
There are two camps – one that says that this is a bill that looks at outcomes, interests, what the underlying issue is and therefore, doesn’t focus on the small print. And these people think it’s a great bill. Then there’s another school of thought that says the rules have not been made, there are a lot of things left for subsidiary rules and there are a lot of gaps and unanswered questions. How do you respond to this?
Our parliamentary structure has laid out the system and hierarchy between legislation and subordinate legislation in a very neat way. No subordinate legislation can go beyond the boundary of the main legislation. So, anybody who says that we are intending something beyond what we have established in the bill must understand that no subordinate legislation can go beyond the main legislation. That is the first. Second, the details in a bill should be proportionate to the complexity of that particular topic. For example, notice that we have gone into very good detail on consent. So, every principle of privacy that needs to be enunciated has been enunciated in full detail. What are the things we haven’t gone into detail on? Things like appointment of the Digital Data Protection Board members. Why do you need to write what the qualification of the member will be? In the bill we say it will be an independent body; now the independence is derived from the law, the rest of the procedural matters should be kept in the rules. For example, in the TRAI Act, there is a provision that a member of TRAI can only be a person who has worked as an additional secretary-rank officer for a particular number of years. Why do you need to hard-code such things in the act? The act should lay the rails of the particular sector; whether we drive one engine or two engines on it should be left to the executive... I’m putting the whole thing into three different contexts. First, the structure: we can’t go beyond the law passed by the Parliament, so there is no big question mark that we are trying to do something outside the ambit of this bill. Second, the government is accountable. Third, we should hard-code only those things that are fundamental to the subject.
One of the main criticisms of the bill is related to exemptions, subsections 6 and 9, which provide significant exemptions to the government. There are fears that this could result in some sort of overreach or make people’s data more vulnerable.
See, if we see the GDPR, the basic principles on which the exemptions have been made in GDPR are far wider than the principles we have laid out here. So it’s not that the exemptions have been given only in India; exemptions have been given in all countries where privacy bills have been made. Now, we have limited the exemptions to specific things... particular sections, particular sub-sections, and everywhere we have provided clear reasons why such an exemption is being given. The country has to be run, it’s the government’s duty to run the country, implement laws of the land and make sure that the law enforcement agencies and courts are able to do what they are supposed to. It should not be that the court says it has to send a warrant to the person and to send it, first you go and take consent of the person. We have to strike the balance between the requirement of privacy and the requirement of running a country.
Prevention and detection of fraud, credit scoring, recovery of debt, deemed consent for all of these have come under fire for providing too much leeway to the government. Some experts say many of these are beyond the purview of the State.
Absolutely not. For instance, if there is a cyber fraud, will we wait for the fraudster to give consent for checking the identity of persons who have been contacted by him? We have to understand the realities of our society and draft our laws in tune with the requirement of protecting our citizens within those realities.
Some people have said this concept of deemed consent is not very different from what other countries do. Except, other countries don’t call it deemed consent. Some of them call it legitimate interest, some call it reasonable purpose. Do you think there is a wording issue there?
I think it is a wording issue. There are many countries that call it deemed consent, others call it legitimate interest. It’s a question of what language we are using right now. And I think people who understand this bill have said that this is well within the framework and provides proper protection to citizens’ data. But we can consider alternative formulations as well.
Do you think the exemptions given to the state agencies – it effectively authorises the government to exempt state agencies from several requirements – are too broad, or do you think they’re in line with international practices?
They are very much in line with international practices. In most of the places we have very clearly written why the exemptions will be given. For example, we have used the exact same carve-out in 19(1) in the case of central government instrumentalities of the state – any department, particular agency, in the interest of sovereignty and security of India, friendly relations; all the carve-outs are in line with constitutional provisions. In other places we have kept exemptions having regard to the volume and nature of the personal data. So, wherever the exemptions are, that is of course for small data fiduciaries, the start-up ecosystem; so wherever we have kept the exemption we have a proper logic behind it, very much in line with data practices.
While speaking on exemptions, some of the earlier versions of the bill had a clause that personal information can be provided in public interest. That is being deleted in this and there are fears that this can weaken the RTI Act.
We cannot have two contradictory provisions of law in the same country, and if there is a government servant or a public servant, as much as a private person is a human being to whom all these laws should be applicable, a government servant should also have the same protection. It’s very fair. It’s the right of equality.
The Data Protection Board that has been proposed… There are fears that it won’t be independent.
Very few people think that. Most people understand that the independence comes from the law. Independence doesn’t come from appointing a certain individual or the process of appointment. Best of the institutes in the country, which are independent... RBI, SEBI, EC, everywhere organisations are done by the government. But they are independent institutions where they derive their independence from the law under which they are created. Same will be the case here.
Section 43(A) of the IT Act allowed damages for data breaches. It gave individuals the ability to seek damages. This data law seems to do away with that.
I’d like to say that there are certain horizontal bills we are creating that will address certain verticals and sectoral regulations. This bill is purely laying the foundation of privacy principles. The Telecom bill is laying the foundational principles of the carrier. Tomorrow there might be another foundational bill for content. All the residual things that are there are being considered in the Digital India Act, which is in the advanced stage of drafting. We should be able to come out with a consultation paper in a couple of months. So take a look at everything in a comprehensive way. The IT Act’s replacement is the DIA.
The bill also does not address the provision barring intercompany data sharing.
The problem with that construct is who is going to be responsible for compliance with the law. The compliance obligation has to be very clear. The person who is collecting the data should be the one that is responsible for compliance with this act. It cannot be 10 different people.
Why did you decide to do away with categories such as sensitive, critical and personal data? These were crucial to the previous versions of the bill. What was the rationale behind doing away with the differentiation?
If we hard-code what is sensitive, what is super sensitive personal data, then we are creating a situation where it is tough to administer the bill and implement the provisions. It will become a super complex maze of legal challenges that most of us think will be very difficult to implement. The alternative is to create a framework and some factors that can be considered before implementing a decision. In sections 25(2) and 67 different groups of factors have been stated. These are considered before you take a final call on a particular subject. These are nature, gravity, duration, and more. We also cover the types of data that are affected by non-compliance, realised the situation as well as actions taken to mitigate the effect. We look at the complete picture and then take a holistic call.
Does that not give you the power to define anything as sensitive personal data?
Absolutely not. Everything in this law is challengeable in courts. The structures we are creating here such as independent board, votes, review of order. These aspects can be challenged in court. Such structures serve as checks and balances in the society. Nobody can go one way.