As the monsoon session of parliament is all set to begin on July 20, the proposed Digital Personal Data Protection Bill, 2022, has taken the centre stage of political debates. With the approval from the cabinet, political analysts believe, it is a matter of time before the government to pass it through both houses.
However, Congress has made it clear that they would oppose the bill tooth and nail as the proposed bill ignored the recommendation of the Joint Parliamentary Committee to which it was sent for consideration. The communication head of the party Jairam Ramesh, after a meeting of the party’s parliamentary board, said, “We are opposed to the Personal Data Protection Bill because there was a committee that was set up on the previous Bill. That committee met for two-and-a-half years — incidentally, the current minister of Telecom and current MoS, Electronic and IT, were members of that committee — and made 92 recommendations. Those recommendations were ignored.” The bill in its current form is allegedly worse than the previous one, added Ramesh.
But what are the major contentions of the bill that the opposition parties are contesting? Does it anyhow give the government leeway to use the citizen’s data in the name of national security and sovereignty?
The draft bill released by the Ministry of Electronics and Information Technology (MeitY) aims at “framing out the rights and duties of the citizen (Digital Nagrik) on the one hand and the obligations to use collected data lawfully of the Data Fiduciary on the other hand.” However, media reports suggest that it has retained the controversial versions of the earlier draft that was introduced in November, 2022 and is about to exempt the Central government and its agencies from the purview of data protection principal.
Exemption from Accountability
There are majorly two objections raised by the activists and scholars. Firstly, it has kept intact the approach of Personal Data Protection Bill, 2019 that gave the state enough power to use the digital personal data citing ‘fair and reasonable’ reasons without following the data principal. Secondly, it has not paid heed to the recommendations that asked for the autonomy of the Data Protection Board- the regulatory authority that would look into the data breaches.
As per the reports of LiveLaw, most of the data protection tenets stand void when it comes to “the interests of preventing, detecting, or investigating any offense or other violation of any law.”
Moreover, the protection also goes for a toss if it is in the “interests of India's sovereignty and integrity, security, friendly relations with foreign states, public order maintenance, or avoiding incitement to any cognizable offences relating to any of these”.
The question, however, appears whether it passes the proportionality test as propounded by the apex court in Puttuswamy vs Union of India- commonly known as Right to Privacy judgement- that became pivotal in drafting data protection law.
The proportionality test was further concretised by Anuradha Bhasin vs Union of India in 2020. Drafted by former CJI N V Ramana, the verdict noted, “By “proportionality”, we mean the question whether, while regulating exercise of fundamental rights, the appropriate or least restrictive choice of measures has been made by the legislature or the administrator so as to achieve the object of the legislation or the purpose of the administrative order, as the case maybe.”
It also took note of four prongs that have the potential to restrict the right to privacy. Firstly, the law infringing on privacy must have a legitimate goal. Secondly, it must bear a rational nexus with the said goal. Thirdly, there must not be a less restrictive but equally effective alternative and lastly, it must not have a disproportionate impact on the right-holder.
Legal scholar and Professor of Jindal Global Law School Indranath Gupta, however, thinks that “there are enough checks and balances after the Supreme Court decision in Puttuswamy judgement.”
“Proportionality will always be questioned, in case there is over-processing of personal data. Further, none of the rights are absolute in nature and they must be balanced against the rights of other individuals living in a democratic society,” adds Gupta.
Blanket exemption of any government and its agencies is likely to affect privacy of citizens. Legal scholar Arghya Sengupta, while appreciating the efforts to initiate a much-needed data protection regime to protect citizens, points out that the exemptions to government need to be “purpose-specific”. “The government cannot be given an exemption by the virtue of being government. The government obviously may need some data for which asking for consent may be onerous or difficult. Exemptions given to government must be purpose-specific, narrow and proportionate. If they are too wide, we need to relook those provisions,” Sengupta says.
Notably, the government is the largest data fiduciary that deals with the maximum personal data of the citizens for several purposes- ranging from policy implementations to providing benefits.
Data Protection Board and the question of Autonomy
Another major objection to the DPDP lies in the formation of the Data Protection Board. The influence and control of the government over the appointments in the board would allegedly strip it off the autonomy necessary to look into the complaints of data breach. The board is the major regulatory organ that would act on the alleged data breaches.
According to the reports, besides enforcing compliance and imposing penalty on the alleged offenders, it will also push the data fiduciaries to take up urgent remedial measures to fix the breach.
The Data Protection Board (DPB), as per the publicly available draft of November, 2022, will not stand the test of legality in court of law, notes Sengupta. “Appointment conditions, retirement provisions and functions must be provided by law and cannot be left to delegated legislation,” says the research director of the Vidhi Centre for Legal Policy.
Emphasising the significance of independence, effectiveness and high-quality oversight, he adds, “The DPB has to be at arm’s length from the government. It needs to ensure that it has experts who are capable of ensuring oversight over the system.”
This is technically the fourth attempt of the government to push the data protection bill through Parliament. It came into discourse after the historic Puttuswamy verdict following which the government formed a committee chaired by Justice B N Srikrishna in 2017 to address the data privacy concerns.
In July, 2018, the committee submitted a draft bill and in 2019, the first Personal Data Protection bill was introduced in Parliament. In face of opposition, it was sent to Joint Parliamentary Committee in December that submitted its report in December 2021. In August, 2022, the government withdrew it and in November, introduced the Draft Digital Data Protection Bill, 2022 that with some proposed changes has recently got the approval of the Cabinet.
However, the effectiveness of the bill depends on the “level of awareness of data principals”. Expressing his hopes at the new data protection regime, Gupta says, “We should rely on the efforts of those involved in implementing the Act, including but not limited to the data fiduciaries. We must understand, changes wouldn't happen overnight. Europe has more than three decades of experience -- starting from 1990s leading up to the passage of GDPR. Therefore, we ought to be optimistic and constantly make residents aware of their rights.”