Personal Data Protection Bill, 2019 is much weakened and disastrous.
Even as the Pegasus – Israeli private spyware - spread its wings across four continents, 50 countries, potentially accessing data from smartphones of 50,000 users including prime ministers, presidents, a king, politicians, journalists and activists, India still does not have a proper legal provision protecting the personal data of its citizens.
The Personal Data Protection (PDP) Bill, 2019, is pending with the Joint Parliamentary Committee (JPC) since March 2020. The JPC, holding consultations with experts and stakeholders, has already taken several extensions and was expected to submit the final draft in the ongoing Monsoon session of Parliament. However, there may be a further delay since five of its 30 members, including its Chairperson Meenakshi Lekhi, have been inducted into the Cabinet.
Retired Supreme Court judge Justice B.N. Srikrishna, who headed the Committee that prepared the first draft of the Bill in 2018, tells Bhavna Vij-Aurora that the version which was approved by the Cabinet as PDP Bill, 2019, was a much-diluted one. It gave the government the blanket power of exemption from all provisions of the law in favour of any of its agencies in the national interest. The Bill was referred to the JPC following widespread criticism.
You headed the Committee that drafted the Personal Data Protection Bill in 2018. In view of the Pegasus project, do you think it would have made a difference if the law was in place?
Justice Srikrishna: The law should have been in place three years ago. The 2019 draft is a much-diluted version. Much weakened. It is disastrous.
Do you think, the JPC will address this issue?
Justice Srikrishna: Since they (Ministry of Electronics and Information Technology) had diluted the Bill so much, I was also interested that it should go to the JPC, hoping that somebody there will carefully apply his/her mind. Now, I believe even the JPC is unable to take a call since there are all kinds of tugs and pulls. It is all a political issue and there is some tussle going on within the JPC. So nothing is happening. I don’t know what they will do about this.
What is your view on the Pegasus report with hundreds of phones being targeted?
Justice Srikrishna: There is no doubt that Pegasus was intended to be sold only to governments. It appeared for the first time five years ago and there was a furore about it then too. Now they have been able to identify the persons in various countries whose numbers were being monitored by Pegasus. It is dangerous.
These things have been happening earlier too. In 2010, off-the-air GSM machines were used by NTRO to listen to conversations...
Justice Srikrishna: Unfortunately, under the existing Bill too, the monitoring of such authority is not there. That is why, we had initially suggested a Data Protection Authority, headed by a judicial officer as a Regulator, who would control the access to data and prevent misuse of personal data. That was not done. They watered it down with its composition dominated by the government.
Now they have further watered it down. There is a blanket power of exemption from all provisions of the law (including access to personal data without consent, citing national security, investigation and prosecution of any offence, public order) in favour of a government agency. If someone makes a declaration that it is necessary in the interest of the sovereignty of the country, that someone's data should be accessed, they will access it. That is all that is necessary today.
The point is privacy is a fundamental right. You can’t take away anyone's fundamental right just by a declaration made by some babu (bureaucrat) somewhere.