Comparing two Privacy Bills

What is the issue?

• The government has opened up a draft privacy bill to curtail misuse of data, but the provisions in it seem largely lacklustre. 
• In this context, debating its provisions in comparison with an already pending private member bill on privacy would be good.

What are the implications of massive data streams?

• Data has emerged in recent times as a very marketable commodity with a booming market and massive potential for further expansion.
• It is 1 year since Supreme Court’s landmark judgment recognising the right to privacy as a fundamental right.
• While we often take our privacy for granted, in an age when 2.5 quintillion bytes of data is generated every day, privacy has large implications.
• Particularly, ensuring checks on how the state and others collect and use our data is vital for preventing the emergence of a surveillance state.
• Even the most trivial of things we do online generates information that gets shared across a wide range of entities, and we seldom realise the implications.
• “Data drives all we do” and the data breaches exposed thus far, reveal the extent to which personal data can be misused to influence one’s choices.
• Notably, “Cambridge Analytica scandal” is one among many worrying signals about the extent to which vested interests are willing to go.

What are the proposed legislations to protect privacy?

• A “Draft Personal Data Protection Bill, 2018”, by Srikrishna Committee has been published earlier and is now opened for public scrutiny.
• After consultations, the government is likely to introduce the draft bill (with minor changes) as its version of the bill in the parliament. 
• As an independent member bill on privacy (by Shashi Taroor) is already pending in Parliament, it would do good to compare and contrast both bills. 
• Notably, even a basic reading of both reveals that there are fundamental differences between them, with Mr.Tharoor’s being more individual centric.

What are main differences between the two bills?

• Mr.Tharoor’s - The bill is built strongly on the privacy verdict and holds both private & government agencies handling data on the same footing.
• There is a strong emphasis on personal consent, absent which no personal data can be mined for commercial or other gainful purposes.
• Notably, acquiring consent presently a mere farce where individuals just press the click button without reading or understanding the implications. 
• For consent to be effective, it must be unambiguous, free, voluntary, affirmative, and revocable and obtained prior to extraction of data for use.
• Further, to ensure consent remains effective, the data must be destroyed after the purpose is served (thereby preventing its reuse in another context).
• Government’s - The government’s draft Bill grants “the right to be forgotten” but deceptively defines it as disallowing further disclosure of data.
• It seems that the government wants to revamp the globally accepted meaning of “forgotten” to “limited recollection”.
• Through this, the government is merely posing as an upholder of privacy, unlike the leak-proof right to privacy sought by Tharoor’s bill by erasing data.
• The government bill also fails to hold state actors accountable for any form of violation of privacy, even those as grave as interception or surveillance.
• Resultantly, the bill strengthens government’s scope for privacy-violations and has also reduced its own transparency and accountability.
• Government’s Bill primarily holds private entities accountable for the exploitation of personal data and disregards concerns about state misuse.

What is the desired governance apparatus for data protection?

• There is a skewed power equation between the data processor and the individual, which any good data privacy law must redress.
• Ownership - One’s ownership rights over personal data are inalienable and even if consent for usage, one does not forgo the ownership right over it.
• The concerned person must have the right to revoke permission for its usage, object to its processing or ensure its deletion if he wants to.
• If data is to be used for a purpose different from the one consent was obtained for or if the duration for usage is longer than it was obtained for, then effective consent must be obtained afresh for the new terms.
• Exemptions - Circumstances such as medical emergency, needing immediate use of personal data without effective consent, should be allowed.
• Similarly, one’s right to privacy can only be diluted when there are no other means to resolve a threat to security of the state.
• The state may carry out surveillance only after authorisation by a privacy commission (an envisioned independent impartial privacy arbiter).
• The surveillance and interception must be limited to the necessity of the measure and must be proportionate to the threat it wants to overcome.
• In all these circumstances, from medical to security, the data so obtained must remain confidential and should be destroyed immediately the need end.
• Importantly, right to privacy can remain a pillar of our Constitution only if the exceptions are rare and subordinate to your rights.

Source: Indian Express