DECEMBER 18, 2021
PP Chaudhary, the Chairman of the Joint Parliamentary Committee (JPC), on Saturday said the Data Protection Bill if passed by the Parliament, will be a game-changer as there is no law to regulate data. He also said that there is a need to have data localization in order to maintain privacy. On being asked about the disagreement of Opposition on the bill, he said these dissents are “politically motivated”.
The report of the JPC on the Personal Data Protection Bill, 2019, was tabled in both Houses of Parliament on Thursday, which recommended tougher norms to regulate social media platforms by holding them accountable for the content they host.
In an exclusive interview to News18, BJP MP PP Chaudhary, who headed the 30-member committee, talked in length about the proposed law and how it would benefit the protection of private data and the need for data localisation.
Here are edited excerpts from the interview:
With 700 million internet users and 400 million smartphone users, India processes a mammoth of data. Yet, it doesn’t have laws to regulate it or stop the misuse. What is your recommendations to protect data?
PP Chaudhary: As of today, it (data) is not regulated except section 43A of IT Act. But those are not exhaustive and that is why we made recommendations covering all other aspects. So far it wasn’t regulated by law. Once passed by parliament, it will be a game changer.
The clauses recommended by the panel on penalties are exhaustive. Don’t you think this will scare off the investors- multinationals and other business entities?
PP Chaudhary: This won’t affect them. We have it examined the penalty clause carefully. Section 57 and its sub-sections have provision of penalties for both minor and major scales. Section 57(1) says penalty is Rs 5 crore or 2 percent of the global tender or whichever is higher. This is the maximum penalty.
It for government to prescribe the penalties. Apart from this the maximum necessary penalties will depend upon the nature and continuous violations. The amount will be finalised on the base of objective consideration. However, minor violations should not exceed Rs 5 crore or two percent of the global turnover of preceding financial year.
For Section 52(2), the penalty should not exceed Rs 15 crore Or 4 percent of the global turnover of preceding final year. This is a guideline and the government can’t transgress the guidelines. Also, government can provide lower penalties and adjudicating authority can lower it. If we do it, in case of breach suppose it is Google, and there is any start up, there needs to be a fine balance on penalty and this should be based on violations as well. We have left the penalty and its scales to the government. They can listen to various stakeholders and decide on the amount. The process of penalty should be flexible.
What was the need of inclusion of non-personal data and bringing them in the ambit of the law?
PP Chaudhary: We realised that in future there may be demand to regulate non-personal data and then a seperate authority have to be created. Why not do it when we are developing a mechanism for personal data. There may be overlapping of personal and non personal data. Sometimes it is difficult to segregate personal and non personal data. Non personal data as on today is not included but for future govt can formulate the policy under section 92 to deal with violations related to it.
What does Data localisation do?
PP Chaudhary: It will prove to be a game changer for the country. Companies that are operating as data fiduciaries they need to operate from India and need to have their units here and required to pay the taxes. Employment will be generated which will eventually give boost to the economy.
In view of Puttaswamy judgement, we need to see that data is stored in India. Data are stored outside and further can be transfered to enemy countries and will be misused. There is no question of privacy. To maintain privacy, we need to have local localisation.
National security issue was raised with regard to dissent notes. They maintain that too much power given to government. We can’t put government and private entities in same basket. Government is disposing so much social responsibilities.
Why government agencies have been given exemptions?
PP Chaudhary: If you compare birth of section 35, it is article 21 of Constitution of India which is a fundamental right. It says no person shall be deprived of personal liberty except in accordance with the law. So, this is a condition by Constitution. More safeguards have been provided in bill. It says only data can be processed if authorised by the government and will be based on rules framed by the government. On basis of those rules, government can authorise agencies to process the data. The purpose is given in the section 35. Processing of data is only for purpose is national security, protect the sovereignty and integrity. The individual right to privacy will be over-ridden if they clash with national interests.
Do you think dissent notes are politically motivated?
PP Chaudhary: I can tell you these are politically motivated dissents. These dissent notes are basically misconceived and unfounded. These notes do not stand legally anywhere. The dissent was not limited to Section 35 but also about Section 12 without consent data shall not be processed. Meaning there will be a complete embargo. It means government can’t process the data. I am asking them, if we don’t process the data of farmers while making them the payments of government schemes what will happen. Should we ask each one one of them separately about their consent. Whether it is expected from the government to obtain consent from 10crore farmers.
If government want to transfer payment to NREGA labourers to public distribution, should we seek consent from everyone. We say government can process the data in accordance to the law. The section say personal data can be processed for benefit for data principal.
Where do they want to take the country? Do they want to take the country back to paper economy from digital economy. The opposition is trying to halt the progress of digital economy. Suppose the government need to raid someone, should income tax authorities seek consent? Is it practical or feasible, should we seek permission from terrorist before processing this data.
Your take on dissent notes.
PP Chaudhary: I appreciate. They are sufficiently intelligent people. They know our recommendations are correct. The issues were raised due to political compulsions.
What role will Data Protection Authority play?
DPA is enacted by centre. Parliament is competent to legislate. We can’t provide different DPAs to state.
How are EU data protection regulations different from that of our recommendations?
PP Chaudhary: In GDPR of EU, there is a trust deficit. We have data fiduciaries. In Europe, it is treat as regulator. Huge obligations are levied on fiduciaries to protect the data. We are all for exemptions but with having balance of maintain privacy.
What will happen to data of the user if deceased ?
PP Chaudhary: That isn’t in GDPR of EU, but we have this provision. Data principal, whose data is being stored, can nominate his legal heir and he can exercised all powers.
What is the way forward?
It is in public domain and for the government to take the final call and fic the date for consideration and passing of the bill. So, government is serious about the bill and it may come in second part of budget session.