New Data Protection Bill, Same Old Problems

After innumerable drafts and consultations, last week, the government released the draft of the Digital Personal Data Protection Bill (DPDPB) 2022. 

The laws and regulations around data have been a source of debate in this country for a while. The government introduced the Data Protection Bill 2019 amidst immense criticism, and decided to scrap it after multiple stakeholders objected to various aspects of the Bill.

The fourth iteration is a shortened version with just 22 clauses, compared to over 90 in the previous draft. The draft is open for public feedback till December 17, 2022. While the Bill does address the concerns raised by businesses, especially in terms of data localisation, it, however, fails the digital nagriks (citizens) of this country once again.

Public interest is a largely vague ground

The Puttaswamy judgement ruled that privacy is a fundamental right; however, Clause 35 of the earlier draft allowed the Centre to exempt any government agency from the provisions of the proposed law “in the interest of India’s sovereignty and integrity, the state’s security, friendly relations with foreign states, and public order”.

Owing to this, the previous draft was heavily criticised by civil society as it gave the government too much power with respect to users’ personal data. However, the new draft too fails to address this concern. “Clause 18(2)(a) of the DPDPB, 2022 replicates Clause 35 of the DPB, 2021,” the Internet Freedom Foundation (IFF), a non-governmental organisation that conducts advocacy on digital rights and liberties, pointed out.

“Giving sweeping exemptions to the government is the biggest concern in the data Bill. The new draft does little to address issues relating to the excessive powers of the government and central agencies to access data without consent, as the authorities are given an exemption from provisions of the Bill in relation to access and the collection of personal data.

“Instead of offering people protection from breach of privacy, the Bill provides no redressal mechanism. The central or state, under the new Bill, can virtually do anything, anytime, under any section of the Bill. The government is not bound by the Bill at all. This is concerning as it goes against the very foundation of making data protection a fundamental right, as now privacy can’t be guaranteed anymore,” Salman Waris, partner head of TMT & IP Practice at TechLegis Advocates & Solicitors, told AIM.

Further, what if law enforcement agencies are found violating the citizen’s right to privacy in the name of public interest? There are no provisions in the Bill to deal with this. 

Lalit Panda, senior resident fellow at Vidhi Centre for Legal Policy, told AIM that the earlier Bill had provisions that required the government to have a “just, fair, reasonable and proportionate” procedure before allowing exemption; however, the new Bill does away with such provisions.

“They’ve just said that the central government can exempt them with a notification. And for crime prevention, they don’t even need to send a notification,” he said.

A not so independent board

The Bill further states a Data Protection Board will be set up instead of a Data Protection Authority, as mentioned in the earlier draft. As per Clause 19 of DPDPB 2022, how the Data Protection Board will be set up is completely at the discretion of the Union government. While IT minister Rajeev Chandrasekhar has asserted that the board will be independent, as per the Bill, it appears that public servants will hold positions in the board.

“All the appointments will be made by the central government. Purely executive-driven appointments may bring into question the ability of such an authority to perform as an independent arbitrator in cases involving the government,” Shruti Shreya, programme manager at the Dialogue-a leading public-policy think tank, told AIM.

This is definitely dicey. “Despite repeated, loud concerns around the issues with the independence of the data protection authority proposed in the previous draft, the new draft Bill created an even weaker Data Protection Board that would not be independent of the Union govt,” Raman Jit Singh Chima, senior international counsel and Asia Pacific policy director at Access Now-a non-profit digital right organisation, said.

Lalit Panda also questioned the independence of the board. He asked whether the board, completely run by the government, can act against the government, “which is a heavy-duty processor of data”.

“The power to create regulations has been removed, only the central government has all the powers to make the rules. This is also an issue because many of these rules and delegated legislations were supposed to be rules made against the government. The government also needs to be regulated. If the government is making those regulations, they will continue to make loopholes for themselves, exemptions and standards that meet their requirements,” he said.

Waris concurs, “The Data Protection Board of India, the entity responsible for partaking and regulating activities related to data protection, seems to be overshadowed by government interference and in reality, the board has little independence.  

“Normally, if an institution is to be established, a Bill specifies who is qualified to be a member, chairman, and secretary. Nothing is mentioned here. The data protection board will be a puppet of the government.”

No such thing as sensitive data 

The previous Bill had provisions to deal with sensitive and critical personal data, such as data related to healthcare or sexual orientation. However, the new Bill completely does away with such provisions and dismisses all distinctions between personal data and sensitive personal data. 

This is also an issue, according to Lalit Panda. He believes there should be a clear distinction between them. Further, sensitive data should continue to be a subset of personal data and should be subject to more safeguards. “The law eliminates the notion of sensitive personal information. Why would someone need to provide location data to download an image processing app? Users should have the freedom to set their own level of information sharing on a platform, and we believe that to be true as well. These provisions are still in draft form, so we must wait and see how the law finally evolves,” Lokesh Rao, co-founder & CEO of Trace Network Labs, told AIM.

Storage limitation

Another worrying aspect of the Bill is that the government has been completely exempted from storage limitations. Lalit Panda said that the government can hold the data of its citizens as long as it pleases them, and there are no provisions that require them to erase such data after a certain point in time. 

“This was required in the Aadhar judgement as well, where the court said that you don’t need to store data for that long. You have to delete it. Despite these requirements, the new Bill has not provided any storage limitation norms for the government. Even for private parties, there is ambiguity,” Lalit Panda added.