By Prateek Waghre
On November 18, without much fanfare, a draft version of India’s much-awaited Digital Personal Data Protection Bill 2022 (DPDPB 2022) was released for public consultation via a tweet. We should expect to see thorough analyses of the various aspects of the draft bill in the coming weeks. Still, an early read and surrounding circumstances suggest that it does not fulfil its duties towards the Right to Privacy of ‘Digital Nagriks’.
In a democracy, one of the foremost duties of the state is ensuring that the law-making process is transparent, just and responsive. An open public consultation process is a vital component of this. Unfortunately, by choosing to preclude any disclosure of consultation responses, the Union government has denied citizens their right to be informed of how different stakeholders will weigh in regarding their right to privacy. By extension, the process also means there is no scope to further engage with responses through counter-comments—a practice that TRAI should be complimented for adhering to.
On this count, the shortcomings go beyond the DPDPB 2022. Since the withdrawal of the previous iteration, the Union government has been referring to a ‘comprehensive legal framework’. By piecing together various statements, one can conclude this includes a telecommunications law, a user privacy law, a ‘Digital India Act’ to replace the IT Act, potentially a framework for non-personal data, and other unknown components. This is a laudable goal and no mean undertaking.
Yet, as citizens, we are unaware of how the Union government views these as fitting together. We also do not what and how it is approaching specific issues within these components since they are rarely articulated meaningfully through detailed initial whitepapers/position papers, which are then supplemented with interim positions/responses and final responses to public consultations. For example, even with the DPDPB 2022, we have limited insight into the Union government’s thoughts/concerns with the recommendations made the by the Joint Committee on the Personal Data Protection Bill, 2019, and why certain parts were removed, added, or kept unchanged.
Also Read: Still a net negative for people’s privacy
These are practices our international counterparts in the UK, EU and Australia have adopted as they too seek to effectively govern ‘the digital ecosystem’. Meanwhile, we have a limited understanding of how the Union government even conceptualises ‘harms’ on the internet in the Indian context. While these practices do not guarantee perfect regulatory interventions, they ensure citizens have the opportunity to be informed and engage meaningfully throughout the process, with an adequate application of mind. They also enable the government to iron out major issues through discussion and consensus.
Present and future consultations aside, years’ worth of feedback from civil society organisations on previous iterations have also not been taken into account. Two consistent demands had been to narrow the scope of exemptions that the state had granted itself (alongside an ask for broader surveillance reform) and to ensure that any authority which oversees compliance was genuinely independent. The DPDPB appears to fail on both these fronts, which impact nagriks’ freedom from undue surveillance by the state. Clause 18(2)(a) replicates Clause 35 of the 2021 version and creates exemptions for “any instrumentality of the state” without the addition of any checks/balances and obligations on the state to meet the criteria of legality, necessity, and proportionality. Through Clause 19(3), the Union government also gives itself control over the ‘Data Protection Board’ (DPB) with the ability to appoint the ‘chief executive entrusted with the management of the affairs’ and determine ‘terms and conditions of her service.’ Such executive powers will likely affect the DPB’s ability to hold it accountable. In effect, the executive centralises power within itself. It is also unclear whether the change in nomenclature from a Data Protection Authority to a ‘Board’ is purely cosmetic or if it has other implications for the body.
A legitimate question to ask at this stage is if the DPDPB 2022, despite the concerns already stated, meaningfully protects citizens’ right to privacy. Unfortunately, this question cannot be answered right now. Despite some positive inclusions, the quest to simplify the Bill and its subsequent reduction to 30 clauses from 99, has resulted in the DPDPB 2002 being significantly short on details. Phrases such as ‘as may be determined’, ‘may, by notification’ and ‘may determine’ appear over 20 times in the 24-page Bill. The result is that many specifics will only be known at an unspecified future point in time and can be crafted without underlying legislative guidance from the parent Act. These include crucial aspects such as: the strength, composition, terms and conditions of appointment, service and, removal of the chairperson and members of the DPB [Clauses 19(2), 19(3)]; conditions under which data fiduciaries can be exempted from obligations under certain sections [Clause 18(3)]; ‘fair and reasonable purposes’ for which consent is ‘deemed’ to be given [Clause 8(9)]; what constitutes ‘harm’ to minors when preventing data fiduciaries from processing their data [Clause 10(2)].
As digital nagriks, we also find ourselves in a unique situation. Not only does the Bill fall short of fulfilling its duties of effectively protecting citizens’ privacy, but it also turns around and imposes duties and penalties on us. Clause 16 sets out obligations for data principals, and Schedule 1 imposes a penalty of up to `10,000 for non-compliance. The effort to limit ‘false or frivolous grievance(s)’ is notable [Clause 16(2)], but an associated penalty will almost certainly also disincentivise genuine grievances. Potentially restricting users from providing pseudonyms or information that isn’t directly associated with them [Clause 16(3)] even for non-financial transactions/services, i.e. ‘under no circumstances’, is overbroad and not in keeping with the ways in which many people resist indiscriminate data collection on the internet. Even if one may disagree with this practice, it is a significant escalation to create conditions to penalise people for it. Thus, the public consultation period is crucial to point the Union government in the right direction to address the bill’s shortcomings.
The author is Policy director at The Internet Freedom Foundation