government is in a lastmile huddle with security and
intelligence agencies to find ways to either exempt them from the Personal
Data Protection Bill or put in place a special dispensation to regulate their public scrutiny.
ET has reliably gathered that the agencies have raised a red flag on the application of the provisions of the proposed Bill, which is expected to be considered by the Cabinet soon, on their surveillance-cum-investigation functions. “These agencies, including some of the state police forces, access data for security purposes and some of it may be private in nature. They want protection,” said an insider familiar with the issue.
Some of these agencies, sources said, have suggested a blanket exemption as in Section 24 of the Right to Information Act. Some others have pointed to the model followed in the IT Act under which 10 agencies were recently designated as authorities empowered to intercept digital traffic through a laid out approval process. Another view being explored was to have an oversight mechanism to prevent misuse by intelligence agencies.
The proposed Personal Data Protection Bill requires entities to obtain consent of individuals before accessing their personal data, which intelligence agencies argue is counterproductive to their mandate of monitoring activity for security purposes. Also, they add surveillance under these provisions will leave them legally vulnerable. Moreover, the Bill does not distinguish between government and private entities.
Those in the know of the details told ET that this is the only key issue left for the Bill to be finalised and placed before Parliament next session. The government has largely relied on the Bill proposed by the Srikrishna Committee.
Besides this, the government has “focused” on the definition of what constitutes personal and private in the Bill. The ambiguity in the definition, sources said, was an issue raised often by the industry, which the government has sought to address by being specific in definition.
In its draft, sources said, the government has defined consent as a ‘finite concept’, which means that consent once given cannot be assumed for any length of time and for all purposes. Also, the government has leaned towards more monetary penalties than penal provisions. “It’s better to penalise a company and target a part of their earnings than send the CEO to jail,” explained an insider.
However, it’s learnt that any deliberate attempt to reverse-engineer a data chain to trace and identify an individual from a larger anonymous data sample will attract serious penal action. This applies largely to data samples in health studies where patient identity is not disclosed.
The government has prepared the Bill after sifting through nearly 12,000 representations that were received on the Srikrishna Panel-proposed draft Bill, which was placed in public domain for comments.
Both envision a CIC (Central Information Commission)-like body to deal with privacy violation complaints. The government Bill, sources said, has also been put through another round of discussions among stakeholders, which includes security agencies.