Tech Law Forum @ NALSAR

A student-run group at NALSAR University of Law


The Digital Personal Data Protection Bill: A Move Towards an Orwellian State?

Posted on December 12, 2022 | April 30, 2025 by Tech Law Forum NALSAR

This post has been authored by Raghav Saha, a 3rd year student at Gujarat National Law University.

Introduction

It has been more than five years since the Apex court held the Right to Privacy to be a fundamental right. Nevertheless, the Government struggles to grasp the idea of protecting the rights of its citizens over its own interests. This is evident from the draft Digital Personal Data Protection Bill 2022 (“DPDP Bill”), released by the Ministry of Electronics and Information Technology (MeitY).

The DPDP Bill only contains around 30 clauses, as compared to its previous versions, which contained around 100 clauses, as the current bill delegates a majority of the law-making power to the Central Government. Further, unlike the Joint Committee on the Personal Data Protection Bill (“JPC Bill”), which dealt with all forms of data, both personal and non-personal, the DPDP Bill only deals with digital personal data. The DPDP Bill is fraught with difficulties.

Although the Bill does contain a few positives, the pros certainly do not outweigh the cons.

Issues with the DPDP Bill

The DPDP Bill, which is open for public comment, has been criticised severely for having myriad issues. Some of them are:

  1. The Bill bestows unbridled powers upon the Central Government

It only takes a plain reading of the Bill to notice the vagueness of some of the sections. This is quite apparent from the uncontrolled powers that are given to the Government.

Firstly, the Bill empowers the Government to exempt its entities and other Data Fiduciaries from the provisions of the Bill. Justice Chandrachud, in his privacy judgement, had laid down a three-fold test to determine when an entity could be exempted from breaching privacy. Any exemption must pass the test of legality, necessity and proportionality. Section 18(2)(a) of the DPDP Bill replicates Clause 35 of the 2021 Bill (JPC Bill) and fails to adhere to any such test to determine when the Government can retain personal data, bestowing unbridled powers on all instrumentalities of the State. Further, the Bill exempts the instrumentalities of the Government on vague and wide grounds like the sovereignty of our country, its friendly relations with other nations, maintaining public order, etc., which can be used to stifle the right to privacy, especially due to the absence of any limiting standards, as enumerated in the privacy judgement.

Moreover, Section 18(3) empowers the Government to exempt certain Data Fiduciaries from the provisions of the Bill based on the “volume and nature of personal data” processed by them. Again, due to the absence of any reasonable standards, such a provision bestows upon the Government arbitrary powers to exempt ‘any’ entity from the provisions of the Bill.

Secondly, the Bill has put extreme reliance on the rules and notifications, as will be prescribed by the Government in the future. The Bill has used the phrase “as may be prescribed” 18 times, granting immense powers to the Government, which can easily be misused. Some instances of the usage of the phrase are when a Data Fiduciary requires verifiable consent of parents in processing the data of a child [Section 10(1)], when the consent of the Data Principal is deemed to be given for fair and reasonable purposes [Section 8(9)], etc. Owing to the absence of any legislative standards, the Government may frame the rules unreasonably in its favour.

Thirdly, Section 19(1) of the Bill provides the Government with the power to establish a Data Protection Board (“DPB”). The DPB is essentially concerned with overseeing if the entities (both private and Government) have complied with the provisions of the Bill. Sections 19(2) and 19(3) empower the Government to prescribe the composition of the board, the selection process, the terms and conditions of removal and appointment of the Chairperson and the other members, and the appointment of the Chief Executive. The autonomy of such a DPB is questionable, considering the wide powers granted to the Government. Ironically, Section 21(1) considers the DPB to be an independent body. Comparing the Bill to the JPC Bill 2021, Section 42(2) bestowed similar powers on the Government but with the recommendation of an independent selection committee. Further, the various nuances of the Data Protection Authority were clearly defined in the JPC Bill.

Lastly, the localisation of personal data has been done away with. Section 17 of the Bill allows the Government to prescribe the countries to which Data Fiduciaries can transfer the personal data. The clause does not provide for any standards for deciding the countries, providing room to the Government for the unreasonable exercise of this power. Comparatively, Articles 44-50 of the EU’s General Data Protection Regime (“GDPR”) provide for data transfer to only those countries which provide some level of data protection. Further, Article 45(2) lays down various objective elements to determine if those countries meet the adequate level of protection.

  2. The issue with deemed consent

The DPDP Bill has specified certain situations when the consent of the Data Principal would be “deemed” to be given for the processing of their data. Clauses 6, 7 and 8 of Section 8 state certain situations like ensuring public order, employment purposes and the interest of the public. Further, Clause 9 considers consent to be deemed for any purpose that the Government prescribes to be fair and reasonable. These clauses are subject to broad interpretations, which allow for the processing of data even when the principal has not expressly consented to such processing, especially when phrases like “fair and reasonable”, “public interest” and “as may be prescribed” are not clearly defined.

  3. The Bill penalises Data Principals

Section 16 of the DPDP Bill lays out the duties of the Data Principals, which include compliance with all the provisions of all laws, providing authentic information, not registering frivolous complaints, etc. But, as per Schedule 1, non-compliance with Section 16 would attract a penalty that may extend to 10,000 Rupees. This is worrisome as the Bill is supposed to protect the rights of the individuals, and not penalise them.

  4. No compensation for the victims of breach of privacy

Schedule 1 of the Bill provides the various situations when the Data Fiduciaries may be penalised. What the Bill does not provide is the compensation to the Data Principals who may suffer due to the non-compliance by the fiduciaries. Further, Section 30(1)(a) omits Section 43A of the Information Technology Act, which provides for compensation. Comparatively, Article 82 of the GDPR provides compensation as a right to the entities suffering any material or non-material breaches due to the actions of any data controller or processor, putting the onus to disprove the same on such controllers and processors.

The Way Forward 

Along with the several issues, the DPDP Bill does have some positives as well. For example, Section 9(3) of the Bill requires the Data Fiduciaries to notify the Data Principals and the Board about every breach that takes place. The same was omitted in the previous Bills. Further, Section 10(3) prohibits the Data Fiduciaries from monitoring children or from directing targeted advertisements at them. This is a welcome move, although the Government may allow the same to be exempted.

The vagueness of the Bill can have severe implications, including the mass surveillance of the citizens. The DPDP Bill has also omitted the Data Principal’s Right to be forgotten, the Right to object to unfair and unethical automated processing, and the Right to data portability. What we need is a data protection regime that strictly complies with the Right to Privacy judgement. The Legislature must draft a law that does not leave much room for wide interpretations and actually protects the rights of the citizens. It must establish standards to clear away the ambiguity and the vagueness of the provisions of the Bill. While doing so, reliance may be put on foreign privacy laws, like the GDPR, which continues to act as the model framework for the laws of most countries throughout the globe. The Legislature may incorporate the GDPR’s elements for (i) determining if a foreign country provides adequate protection to store the data; (ii) providing compensation to Data Principals, in cases of material and non-material breaches; and (iii) defining the Data Principal’s Right to data portability.

The Government must consider the public comments and make them available to everyone to secure the interests of all stakeholders. Further, for future frameworks, the Government can release a white paper, highlighting its intent and understanding of the issues concerned. The DPDP Bill, in its current state, will act as a catalyst towards India becoming a surveillance state and the same needs to be avoided.

 
