By Amar Patnaik

In an era of rapid technological advancement, in which privacy and data protection have taken center stage, the recent passing of the Digital Personal Data Protection Act, 2023 is a welcome step. This is a landmark legislation, as it safeguards the privacy rights of the citizens of the world's largest democracy regardless of gender, caste, religion, or domicile. While the Act has made an honest effort to shape the data protection ecosystem of the country by balancing the protection of citizens' data against the space needed to use data for the growth of the digital economy, there are some glaring gaps.

Chapter V of the Act talks about a Data Protection Board (DPB) and its composition. This Board, appointed by the central government, will exercise control over data collected by the state governments for functions under List II of the Seventh Schedule of the Constitution such as health, education, public order, and so on.

Given that state governments themselves handle substantial data while dispensing subsidies, services, and more under their own state-level schemes, a state-level DPB would have been better positioned to address issues of consent and data breach. Devolution of enforcement and grievance redressal to regional levels would only have increased efficiency and reduced possible operational bottlenecks, and would also have aligned with the implementation design and framework of the Right to Information Act and the Consumer Protection Act, both of which established state- and district-level structures.

This trend would also have mirrored global practices, seen in countries like Germany and Australia.

Further, Sections 7(b) and 9 of the Act empower the central government to exempt certain entities from obtaining consent of data principals for providing subsidies, benefits, services, licenses, and so on.

However, such notification power has not been devolved upon state governments, despite their similar and almost equal responsibility in providing these kinds of benefits and services through state schemes. This defies logic.

The central government is the largest collector and processor of personal data. Yet it also exercises a significant amount of control over the DPB, such as the power of appointment and removal of the chairperson and members of the Board.

Further, provisions like section 27(3) lay down that the Board, on receipt of a reference from the central government, may modify or suspend the direction issued by it. This creates a situation wherein the Board’s ability to deal with data breaches by the central government itself is severely eroded. This is also against the principle of natural justice: nemo judex in causa sua (no one is a judge in his own cause).

With this, it would be naïve to expect that the Board would be strong enough to issue orders against the central and state governments, Chief Election Commission, Supreme Court, high courts, CAG, and so on and impose a penalty on them for data breaches.

The scope and applicability of Chapter III (Exemptions) should have been defined as narrowly as possible. As the Act deals with a fundamental right, the exemptions to the provisions of the Act ought to have been limited to the reasonable restrictions laid down in Article 19(2) of the Constitution, with minimal discretionary powers left to the central government. Besides, there has to be a mechanism prescribed by law to review each such decision, either by a parliamentary body or by a quasi-judicial institutional arrangement.

The Puttaswamy judgment laid down that restrictions on privacy must be proportionate and not arbitrary. However, the power given to the central government to exempt entities by merely issuing a notification fails to satisfy not only this principle of proportionality but also the requirements of necessity, reasonableness and fairness. For example, section 17(3) empowers the central government to exempt specific data fiduciaries, including startups, from certain provisions, such as Section 5, Sections 8(3) and 8(7), Section 10, and Section 11. The concern arises notably in relation to Section 8(3), which mandates that data fiduciaries maintain the accuracy and consistency of personal data when it is used for decisions impacting data principals.

This obligation is a reasonable requirement expected of any kind of data fiduciary; granting exemptions from this requirement to anyone, including start-ups, is entirely unjustified. In today's world of generative AI, such incomplete datasets may lead to algorithmic inaccuracy and possible unintended bias.

Section 8(1)(j) of the Right to Information Act, 2005 states that personal information causing undue privacy invasion need not be disclosed, except when public interest outweighs privacy concerns.

Section 44 of the DPDP Act replaces this with a broad ban on public disclosure of all personal data, eliminating the determinative public interest test. This severely weakens the RTI Act. The former RTI provision should, therefore, have been retained as an exemption.

There was a need to make the legislation even more gender-friendly, for the consequences of a data breach for a woman are different and in certain cases more severe.

While we can freely celebrate the surge of innovation propelled by the rise of AI and the unprecedented speed of technological advancement, we would have conquered the sea yet left a giant monster lurking at the bottom if we neglect to address the complex questions of data protection and privacy. It is important to understand that while "digital-by-design" might be an attractive slogan, it is essential that "privacy-by-design" is inculcated in our values of data governance.

The writer is a Member of the Rajya Sabha and an advocate.
Views are personal