Data Protection Bill is vague and intrusive
The Personal Data Protection (PDP) Bill, 2019 introduces significant new requirements and challenges for legal and compliance functions. This entails changes to the ways in which technologies are designed and managed, including a focus on the search, storage and security of data.
A gamut of cautions –
- The PDP framework needs to stand the test of time in the era of artificial intelligence, machine learning, robotic process automation (RPA), Big Data and the Internet of Things, which are evolving at a higher speed and posing many challenges in addressing data protection and privacy.
- The PDP Bill needs to be considered keeping in view such transformations in the backdrop, along with key objectives such as promotion of the digital economy, innovation and protection of citizen and consumer interest — with a focus on data privacy — and of the state and public interests.
- The interests of the tech and commercial entities need to be balanced with those of the public and the state, given the reliance of the latter on such entities.
- The Bill, however, creates a ‘monopoly’, wherein all of the data, personal and non-personal, will be under the purview of the state and its agencies.
- All data in the near future will either be or will contain personal data, leading to the application of ‘data privacy and protection’ to just about everything. Data-analysis technology is rapidly moving towards perfect identification. Any information is likely to relate to a person.
- A more principle-based, holistic approach may be needed with regard to the definitions of personal and non-personal data, because of the difficulties in distinguishing between the two.
- There are certain provisions relating to social media as well. Such provisions should be included in the Information Technology Act, rather than the PDP Bill. In this hyper-connected world, can data localisation be possible, particularly where data is hosted, posted, updated and accessed using public networks in a decentralised environment? Only data that is hosted, posted and accessed on a captive private network can be localised.
Way forward –
- It will be important to consider applying the law uniformly to all kinds of personal and non-personal data.
- The other solution would be a clear separation of personal and non-personal data. In fact, the latter could be limited to machine-generated data, and be aimed at implementing an efficient market-oriented non-personal data law.
- It would be necessary to study the European Union’s GDPR (with which the PDP Bill bears many similarities) and other international frameworks, and align the provisions relating to cross-border flow of data while addressing the Indian environment and culture and the sovereignty of the country.
- It is important to lay out a proper system of modern law for the digital economy that also integrates the perspective of privacy-based data protection, which may drive efficient market regulations.
- The framework needs to be more modular, and may be expanded as we learn from experience and technological innovations. Care needs to be taken that the PDP Bill does not become “the law of everything”.
Source – The Hindu Business Line
QUESTION – Examine the issues raised by various stakeholders with respect to the ‘Personal Data Protection (PDP) Bill, 2019’. How can we maintain an effective balance with modularity and privacy?