The Personal Data Protection Bill was passed in Lok Sabha on December 11,2019. It was known to be a landmark legislation to safeguard the constitutional guarantees of privacy for Indian citizens and provide a just and equitable vision for the future of India’s digital economy. However, there is an incongruent provision in the Bill that departs from this hope that the country had from the bill.
This is the clause 91 that enables the central government to direct any of the regulated entities under this Act to provide anonymised personal data or non-personal data to enable “targeted delivery of services” or evidence based policy making. It is important that the implications of the policy be examined and its implications for the economy be considered.
By anonymised data, the bill refers to the data from which markers of identity have been irreversibly removed. It is important to note that this anonymity should not be seen as without the threat of large data sets being used without compromising privacy. Recent research shows that the common methods of anonymity applied are imperfect and the data released as anonymous can be re-identified, primarily because of the use of machine learning techniques. This makes large anonymised data sets vulnerable to attacks of re-identification. This implies that this data can now be combined to re-identify anonymised data and link it back to the individuals to whom it refers.
The Bill landed in controversy for being different from what was proposed by the expert group in its first draft in July 2018. The Indian government through the proposed law, wants to allow law enforcement agencies and authorised third parties to have access to citizens data, to investigate crimes faster. In other words, it will allow governments an exemption from legal obligations. This has led to resistance and delayed the passing of the bill. Even the chief architect of the bill, BN Srikrishna cautioned that the bill may turn ours into an ‘Orwellian State.’ Several critics of the bill have cautioned that the accounted access to Personal data of customers might lead to the misuse of data. Several privacy concerns have also been raised about the revised draft of the Bill. The Data Protection Bill states that the personal and non-personal Data may be processed without obtaining consent from the concerned user to help in he delivery of government services.
It is also feared that the Bill could bring major implications for national security, foreign investment and international trade.
Navin Kakkar is Policy Analyst based in Bangalore.