Justice BN Srikrishna, one of the main architects of the landmark Personal Data Protection Bill, said he wants the final version of the legislation to be sent to a select committee of Parliament for a thorough review before it becomes law.
This Bill, which will determine how global tech giants Amazon, Facebook, Alphabet’s Google and others process, store and transfer Indian consumers’ data, is based on the report of a committee headed by Srikrishna. It’s expected to be introduced in Parliament on Monday, having been cleared by the Cabinet on December 4.
“I would prefer it goes to a select committee,” Srikrishna told ET on Friday in an interview on the sidelines of Carnegie Global Technology Summit in Bengaluru. “It is too serious and too complicated an issue. It is better to give it to a select committee because what happens there is that they invite knowledgeable people, experts to present evidence and the committee assesses the whole thing.”
The government hasn’t said whether the Bill will go to a select committee for review. It has made changes to data localisation provisions that were in the panel’s draft.
Protection Against Snooping
It also added some new ones with respect to social media account verification and mandatory sharing of non-personal user data with the government.
The bill proposes that all “critical” information related to individuals will be stored and processed only in India, while all “sensitive personal data” have to be stored in the country but can be processed outside subject to certain conditions, such as the permission of the individual concerned.
The data localisation provisions will help local law enforcement agencies access information of individuals, ostensibly to investigate wrongdoing and curb crime. Privacy and freedom of expression activists have questioned this. Until now, government agencies had to rely on slow-moving mutual legal assistance treaties (MLAT) to obtain personal data stored on foreign soil. However, Srikrishna said that the bill will protect Indian citizens from unauthorised government snooping.
“That (surveillance) is happening today without the law. Today, they are twisting your hand. Today, can you say no to Central Bureau of Investigation (CBI) asking for your data? Tomorrow you can. If CBI is given an exemption to snoop, such a law will become unconstitutional,” he said. “This Act overrides all other laws in the country.”
Srikrishna said the draft Personal Data Protection Bill had explicitly stated that no data should be collected unless it is authorised pursuant to law passed in the Parliament. Any such legislation has to be constitutionally valid and comply with the three-fold parameters set out in the Supreme Court’s Privacy judgment of 2017.
The government will need to declare a specific objective for collecting private data, the authority ordering this and what procedure it will follow, he said. Until the Parliament draws up such legislation, it can’t collect private data as it will be a “fully unconstitutional and illegal act,” Srikrishna said.
When asked about the impending amendment to the Information Technology Act that may mandate traceability for encrypted messaging services, he said that if the government does not define the objective, authority and procedure, it would be unconstitutional.