On December 11, more than two years after the Supreme Court said privacy is a fundamental right, the Personal Data Protection Bill was tabled in Parliament by minister of electronics and information technology, Ravi Shankar Prasad. The bill seeks to establish who can access and benefit from data generated by Indian citizens. Besides being expansive and ambiguous, its provisions could lead to an Orwellian state, warn experts.
Besides the personal data we generate (names, emails etc), there is also non-personal data: for example, traffic data that Uber and Ola have, or data with e-commerce companies such as Amazon and Flipkart. A lot of insights—say, on somebody’s socio-economic status—can be drawn from such data. The bill applies to the purposes and extent to which companies can collect personal data. It has provisions for deletion of personal data post-use and withdrawal of consent by the data principal (the person to whom the personal data relates) in most cases as well. It also mandates the creation of a data protection authority, with one chairperson and six members, capable of imposing fines up to Rs 15 crore for big offences.
The safeguards, however, do not always protect the citizen’s personal and non-personal data from being accessed by the government. It can even direct data processing companies to “provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the central government”.
“The bill in its current form will negate people’s data protection when it comes to the government and government agencies,” says cyber-security expert Pawan Duggal. “The State becomes the party, the arbitrator and the judge in the same breath; and judge of its own cause. It will...