Mumbai: From setting up a committee in 2017 to subsequently going through innumerable drafts and consultations, the Ministry of Electronics and Information Technology (MeitY) on Friday, November 18, released its fourth version of the Digital Personal Data Protection (DPDP) Bill, 2022. The 24-page draft, open to public feedback until December 17, is a noticeably shrunken version from the ones proposed in 2018 and 2019.
The draft Bill features 22 clauses, as against the more than 90 clauses in the earlier versions, and levies heavy penalties for data breaches and non-compliance with the law. However, it also contains several exemptions and new clauses which, legal experts say, hand over a “vague”, “unguided power” to the government that can be used against the very citizens the Bill ought to protect.
The Union government, in an explanatory note released with the draft Bill, claims that it was drafted on “plain and simple language so that even a person with a basic understanding of the law is able to understand its provisions”. However, the Indian digital liberties organisation, the Internet Freedom Foundation (IFF), said that this has left the draft Bill “bereft of first principles at several places”.
The objections do not end there. In a detailed note, the organisation raised a series of concerns.
Clause 18, as proposed in the new DPDP Bill, 2022, the IFF said, replicates the clauses mentioned in the 2021 version. “Specifically, Clause 18(2)(a) of the DPDP Bill, 2022,” the IFF statement reads, “replicates Clause 35 of the Data Protection Bill, 2021, and allows the Union Government to exempt any ‘instrumentality’ of the State from the application of DPDPB, 2022 in the interests of ‘sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these’.”
“This”, the IFF pointed out, “would give the notified government instrumentalities immunity from the application of the law, which could result in immense violations of citizen privacy.”
The organisation also highlighted the vague wording used in several parts of the draft legislation, which it claims renders it open to misinterpretation and misuse. Once the government instrumentalities are left out of legal purview, “data collection and processing in the absence of any data protection standards could give rise to mass surveillance,” the IFF warned.
Civil rights activist Mishi Choudhary calls the Data Protection Board, as defined in the 2022 Bill, “toothless”. This, Choudhary, says is because “most power is given to the executive to prescribe through Rules.”
As per Clause 19, how to set up this board is left to the discretion of the Union government. The process of selection and composition of the board, its terms and conditions of appointment and service, and the removal of its chairperson and other members are all to be prescribed by the Union government, making them the sole deciding agency.
According to the draft Bill, the board will oversee compliance with the law not just by the private sector, but also by government agencies. Experts have pointed out that when the government itself directly controls the board’s functioning, its autonomy stands compromised.
While the Bill proposes heavy penalties in excess of Rs. 5 crore, there is no provision for compensation, Choudhary points out. Prasanna S., a Delhi- based lawyer who worked on the Aadhaar case and has been advocating for strong privacy law in the country, echoes Choudhary’s concerns.
“In case of a data breach, the victim, under the proposed Act, can’t seek monetary compensation of any form,” he said.
And worst still, the Bill has come up with the “duties of data principal”. This, Prasanna says, is unheard of and doesn’t exist in any data privacy law anywhere else.
“Consider a situation where you walk into a store and are asked for your personal data like your name and phone number,” he Prasanna said. “In all likelihood, one would like to avoid confrontation and just give some incorrect information and forget about it. This, as per the new Bill, can be held against the data principal.”
Clause 16 (3) states, “A Data Principal shall, under no circumstances including while applying for any document, service, unique identifier, proof of identity or proof of address, furnish any false particulars or suppress any material information or impersonate another person.”
Prasanna points out that this matter, when brought before the board, could lead to an individual being fined for incorrect data. And noncompliance with Clause 16 of the proposed Bill can attract a penalty of up to Rs 10,000 on the Data Principal.
Also read: Without a Data Privacy Law, India Must Consider Hazards of ‘Deanonymisation’ of Non-Personal Data
A data protection law has been in the works since 2017. At the time, when the Supreme Court passed the landmark Puttaswamy judgment, the government was obligated to come up with a law that would protect the right of its citizens. In the Puttaswamy judgment, the court ruled that privacy is a fundamental right for Indian citizens.
The government had then responded by setting up a committee headed by retired Supreme Court judge Justice B.N. Srikrishna. This committee came up with a white paper and the first draft of the Protection of Data Bill, 2018. Subsequently, another version was introduced in 2019 and it was referred to a Joint Parliamentary Committee (JPC).
In December last year, after several extensions, the JPC tabled both a report on the 2019 Bill and a new draft of the Data Protection Bill, 2021. Suddenly, in August this year, the MeitY decided to withdraw the 2021 Bill, claiming that the JPC had recommended 81 amendments to it.
Prasanna says each of these drafts had a peculiar approach. In 2017, the government set up the committee only to appease the Supreme Court, he says. “The 2018 Bill was all about protecting business interests. In 2019, the new Bill moved from business interests to protecting government interests. And the recent one is all about protecting the government and that data principals stay within bounds,” he concludes.
Along with the flaws, the IFF, however, also pointed out a few positives. A significant issue with previous iterations of the Bill, the IFF said, was that they did not require data fiduciaries to notify data principals in the event of a breach. “Thus, users whose data has been breached would not have even known that their data has been compromised,” the IFF statement read.
But Clause 9(3) of the DPDPB, 2022 mandates fiduciaries to notify the board and data principals whenever there is a breach, irrespective of its nature.
“Another positive of the Bill is that significant hurdles have been imposed in the processing of children’s personal data,” the IFF points out. According to Clause 10(3) of the new draft, undertaking tracking or behavioural monitoring of children or targeted advertising directed at children is prohibited. This provision, the IFF says, is welcome, “but the Union government has been permitted to exempt data fiduciaries from both these requirements.”
Another important point that IFF mentions in the note, which its executive director and lawyer Apar Gupta reiterated in his interviews with the media soon after the Bill was made public, is the mention of the phrase “as may be prescribed”. The phrase appears in the draft as many as 18 times.
“This is symbolic of the vague and unchecked powers that the Union government has retained for itself to frame rules at a later stage in the absence of legislative guidance,” the IFF notes.