A bill fails to prioritize Indian rights over their public data and instead has spread to areas beyond its reach and without sufficient consultation, senior rights organization officials said. digital Access Now.
The legislation on the protection of personal data (PDP) – in preparation since 2018 – will be tabled during the winter session of Parliament from Monday. Reports and dissent notes tabled by members of the Joint Parliamentary Committee (JPC) deliberating on the bill suggest several changes from its original draft in 2019. Social media appears to have been included in the legislation.
“Based on the reports to date and the details shared by MPs involved in the process, it is clear that this is not the privacy and data protection law currently that India needs. The current draft does not adequately protect people’s right to privacy and autonomy or allow strict accountability, especially on the part of the government, ”said Raman Jit Singh Chima, Asia Policy Director -Pacific and Senior International Advisor, and Namrata Maheshwari, Asia-Pacific Policy Advisor, at Access Now.
“… Parliament will have to amend the bill to incorporate safeguards in line with Supreme Court rulings on privacy and international human rights standards,” they said.
As data breaches and financial fraud increase, India needs strong data protection legislation. The JPC passed the bill last week, amid criticism from some MPs that the government had given its weight to a host of issues.
“The recent public fury and parliamentary and judicial discussions around the NSO Pegasus revelations also demonstrate that the framework of the surveillance law in India is outdated and needs to be urgently revised to better regulate and oversee the way government agencies can access our personal data. In addition, the government has a strong grip on the composition and functioning of the proposed Data Protection Authority, which seriously compromises its independence, authority and ability to protect privacy, ”Cheema and Maheshwari said, referring to Israeli spyware.
To ensure an independent data protection authority, the government should not be involved in its composition, selection of members and operation, they said.
“The current bill allows the government to decide the criteria for selecting these ‘arbitrators’ – the same government that itself is said to be one of the main parties that the DPA often complains about. This seriously compromises the independence of the DPA.
Reports and sources have suggested the bill proposes to tackle social media. The JPC has reportedly proposed to treat social media platforms, which are not intermediaries, as publishers, as publishers, holding them accountable for the content they host.
“The protection of social media intermediaries from liability for third party content on their platforms under the Information Technology (Computer) Act, also known as the Safe Harbor, is critical. to protect freedom of expression online. Treating social media platforms as responsible publishers of such content would have a chilling effect on freedom of expression and far-reaching consequences for democracy, ”Access Now executives said.
“This framework under the Information Technology Act should not be altered by the separate and parallel process surrounding the PDP Bill and in the absence of extensive and sustained multi-stakeholder consultation on this specific issue. International best practices are also clear: The legal liability of intermediaries for the speech of third parties on their platforms is not part of a data protection law, ”they said.
The recent IT rules for social media intermediaries, introduced earlier this year, have been controversial on several issues.
Congress Party MP Gaurav Gogoi, a member of the JCP, filed a dissent note last week, questioning the rationale for removing a clause in a previous bill that penalized companies for data breaches.
“It’s only when the penalties are high that tech companies are forced to comply with government or regulations. This is what we have seen in Europe and other parts of the world, ”said Gogoi.
Agreeing with Gogoi’s point, Cheema and Maheshwari said, “Existing data protection laws in other countries mostly contain this in the language of the law itself. Indeed, this is also the case with India’s competition law, where penalties are set out in enactment passed by Parliament and include provisions allowing fines set at percentage points of the total turnover of the company. ‘business – a good practice in order to avoid that businesses avoid penalties by the creative structuring of the business. The European GDPR also does exactly that; it is considered an effective law because it includes sanctions that target a company’s total worldwide turnover, sending a signal to multinational companies to take the law and people’s rights seriously.