 Hello and welcome to NewsClick. The Indian government has introduced the personal data protection bill in the Lok Sabha. Now, personal data protection is an issue which has been a matter of concern worldwide, especially in the aftermath of the Cambridge Analytica issue involving Facebook. The European Union, for instance, has introduced the GDPR, which is considered to be one of the strictest laws on this issue. So what has the Indian government actually done with this law, and what are some of the possible lacunae in this? So let's talk to Prabir Burkhaistan on this. Hello, Prabir. So Prabir, this law is, in some level, based on an earlier draft prepared by Justice B. N. Shri Krishna. So what are the major differences between this version of the bill and what he proposed? You know, before we get into that, I think there is one thing we need to register. It seems to have been shoddy and hurried drafting that this bill represents. And also the fact that it has been not, before being placed in the parliament, it has not been placed for public comment, which is normally the procedure that has been followed. At least for important things. Unless, of course, we come to governments, the core concerns, which at the moment seem to be only citizens amendment bill, article 370 on all the words. Otherwise, the normal procedure has been, this should be a public document, as Justice Krishna had conducted a long procedure through which he had drafted the bill. And this bill is supposed to be based on that. The key omissions, and I think there are key changes that have been made, have been to strengthen the government's powers considerably. And as Krishna himself has said, that how government could access data, there were strict limits on that, and the strict procedures laid down, how they could do it, what's called the section 35. And both in the section 35 is originally envisaged by Justice Krishna. And what is envisaged now? There are significant differences. And what it virtually says, this version of the bill, is that the government has untrammeled powers. It can do virtually anything it wants in terms of accessing people's data on the basis that this is a state requirement, and therefore it can do it. It is also things like friend relations with powers and so on. Now, the important part is not whether it has the right to do it under certain circumstances. It doesn't access to personal data, but the procedures laid down which protect the citizens are also missing. So there have been in that sense omnibus powers given with no safeguards virtually in this act or this version of the bill. And I think that's a very, very significant point of departure. The second departure, again, which has been put out, that Krishna's version of the bill had that the data protection authority which assumes a huge amount of responsibility by virtue of the central position which has been given to it and how it has been given this powers. I'll come to that in a moment. Is that the data protection authority should have people from outside, not just the executive. In this version, again, it's entirely going to be staffed by the executive. So what it has done is it has taken legal powers. It has taken executive powers and both these powers based only with the government. So this is I think the central problem with this and not me, Justice Krishna has called it that it will create an Orwellian state. This is the other part of it that it really is a surveillance bill. It's wrong to call it data protection bill, particularly in light of the Puttu Swami judgment of the Supreme Court where the right to privacy has been held a fundamental right. So this, in effect, violates the fundamental right that it really has. And it also makes that any violation of it will be done only under the DPA, the Data Protection Authority. If an individual's violation takes place, he can't really go to court. He can only complain. He or she can only complain to the DPA and only they have the powers to do something further to that. So it even takes away the right to redress in some sense that the people have of the violation of their privacy by the government and its officials. So I think these are some of the points that are there. Obviously there is much more in a rather fact act that is there. It has seen privacy activists talking about the violations. It has also seen the business itself talking about the violations and there are also violations of procedures. So one of the other key aspects also it's interesting that you can compare it maybe to the Intermediary Guidelines Act also where a similar procedure exists that the government has an omnibus option of clearing, say, requests to conduct surveillance. So it actually reminds me of that. But could you also talk a bit about the data fiduciary aspect also? Well, before I go to the data fiduciary aspect, let's also look at the difference between how that bill or the intermediary act was introduced and finally talked about how it was finally executed because a lot of these things get executed by the rules. And they did come in the business of the House Committee which looks at the rules and there were changes made after public hearings. What is I think important in this is that there has been no public hearing first. Second is they should have gone by rights if we've introduced the parliament to the Parliamentary Standing Committee on IT. What has happened is the IT committee which is headed by Shashi Tharoor and we know that in the Pegasus software, the IT committee by the 10 to 10 tie and casting vote by Shashi Tharoor decided to look into the Pegasus software has it been actually procured by government agency? And it's instructive to note after that all committees of the parliament have met except this Standing Committee and the new Standing Committee only for the purpose of this bill is being done. So it seems that even the normal procedures of the parliament are actually being violated the way this is being steered. So now you raise the issue fiduciary. Now fiduciary just means there is an intermediate body which holds yours and my data. So this anybody which holds yours and my data becomes quote unquote a data fiduciary. This is in some sense to say that it is not really private data that is being held by these companies that it is not their property but they hold this your and my data as fiduciary. So they have some responsibilities towards us. The only exemption of course of this is of the government which holds the data and they hold essentially untrammeled powers to use the data as the deem fit on the basis of providing services to the people. So in that sense they could also conceivably as holders of the data and fiduciary justice now the word for saying holders of the data could also transfer this to private companies and those provisions at the moment can they say for this I'm giving this over to Reliance Geo. This is not clear at the moment. Now the fiduciary concept had one saving grace and we must point that out here that it also makes clear that data that is taken by companies like Google, Facebook are held by them are not to be regarded as their property. They hold it in trust from us. Now of course it does create an issue whose data is it at the end of it. Now a lot of the issues that have been raised by the business is what happens to this what will be the procedures what will be the data processing authority. I think the whole what is being what used to be called a license permit Raj model that the government finally will hold all the powers considering the data processing authority is completely government is a government body though it should have been an independent body and the fact that lot of these rules what is going to happen are being left completely vague or opaque means that the government will really be in a position to dictate to business how this data would or would not be used and would also have access to their data. So the data fiduciary instead of bigger protection for the people which is what Srikrishna's recommendations at the peers was it seems to be it could be possibly turned on its head and instead of that the government would act essentially as an agency in the guise of data fiduciary to hand over our data to private parties. I think that is something we need to see what in more details what these provisions really are how much they have been left open and whether there will be any changes before its act becomes an act of parliament. I think this is something which need the privacy activists as well as the business interest as well as the common people political parties all have a stake in this because this is the other part of what's happening now that what we would call the not the license permit Raj where we seem to be quite licences as far as big business is concerned but really introducing a surveillance or a police Raj what is being called as the Orwellian state though you know this generation of people probably never heard of George Orwell so they would like to know what the hell is this. Then finally on a slightly connected note although this is not only to do with the government can this sort of a law say prevent a Cambridge Analytica like incident in the coming years? Well you know theoretically there are provisions the questions are these provisions who implements them and how can we activate those provisions and that's where I was talking about that I as an individual I don't seem to have the power to use any of these provisions to go and say this has violated my rights I have to go to the digital public authority which is being created by virtue of this bill or act when it becomes an if it becomes an act and they will be the only ones who can proceed so in effect the Adhar had similar provisions where the only Adhar authority could do certain things and then the Supreme Court held the courts have held that this was violating of a fundamental rights so again this provision that all powers of protection of the citizens are vested only in the DPA and the individuals do not have the right to move courts are also present here so we'll have to see whether it will help a Cambridge Analytica or it will help the people in protecting against a Cambridge Analytica it's quite possible that a ruling party like it has used election bonds says you know if it is used by A it is okay but if anybody else uses it it's not okay so we could see election bond like scenario emerge in which only one party would have the ability to use this data and nobody else but I think again these are provisions in law which may not stand up so as I said in the beginning this is a shoddily drafted bill with all the bureaucraties that is involved in India by which the bureaucratic apparatus wants to assume all the powers of the individual as well of the state as well of the courts so it seems to show all three of these problems in this particular bill thank you Praveer that's all we have time for today keep watching NewsClick