By Namrata Maheshwari & Siddharth Sonkar
Five years ago, the Supreme Court recognised privacy as a fundamental right under the Constitution. Since fundamental rights can be directly enforced against the state and not private actors, the SC highlighted that a privacy law would enable citizens to seek legal recourse against private players, including BigTech for instance, for privacy violations.
Around the same time, the Justice Srikrishna Committee was established to develop a data protection framework. Since then, the draft data protection Bill went through multiple iterations, active engagement across stakeholder groups, and scrutiny by parliamentary committees, before it was withdrawn in August 2022 with the promise of a revamped draft. This new draft—the Digital Data Protection Bill, 2022 (Draft)—was released for consultation last week.
Much is being written on the impact on Big Tech and start-ups, the hiking of penalties, the softening of the mandate to store data locally (a positive change for individuals from a surveillance perspective, and for businesses in terms of compliance burden, but clarity and safeguards are needed). But how does the draft impact individuals and the right to privacy?
The new draft is unfortunately impervious to many criticisms leveled against the Bill since its first iteration years ago, and even introduces new provisions that would undermine individuals’ right to privacy and control over their personal data.
For instance, two consistently pressing issues have been the absence of government accountability and lack of independence of the proposed regulator, the Data Protection Board of India (DPBI). These issues are aggravated by the new draft, which continues to grant excessive discretionary powers to the government to exempt not only any state agency, but also any entity collecting personal data, from having to comply with provisions in the Bill. It also lacks teeth and predictability as it leaves too wide a scope for the government to prescribe substantive conditions through rules and delegated legislation.
An independent regulator is the cornerstone of any effective data protection regime globally, especially since the government would frequently be a party before it as a data fiduciary. However, the DPBI’s appointments, terms and conditions, and even functions, are all proposed to be prescribed by the government, unlike most global privacy regimes. The cost here is people’s right to privacy, autonomy over their data, and business certainty. It could also impact global assessments of whether India has an “adequate” data protection framework—a necessary precondition to transfer data to India—discouraging transfers from European businesses, and affecting the Indian outsourcing industry.
It removes individuals’ ability to seek compensation for breach of personal data protection obligations, retaining only penalty provisions (penalties are paid to the state). This leaves little incentive for individuals to seek legal recourse and incur the often heavy costs of the process. Crucially, even the penalty provisions could potentially be circumvented through “voluntary undertakings”—the ability of data collectors to effectively bargain with the DPBI and face negligible consequences for violations, provided “specified action” is taken, at the cost of people’s fundamental rights. This is particularly problematic given that the independence of the DPBI is severely compromised. Further, the DPBI can encourage mediation instead of courts for grievance redressal, which could be ill-suited given the power imbalance between the individual on one side and private or government entities on the other.
The meaningfulness of consent is diluted in the Draft. It provides for “deemed consent”, allowing a data fiduciary to assume consent on broad grounds where there is none, including if there is any “public interest”, “legitimate interests” of the data fiduciary, or where information is publicly available. Such broad grounds don’t fulfil the necessity and proportionality test. Further, the Draft eliminates the categorisation of sensitive personal data, and thus removes the obligation to undertake heightened responsibilities in relation to, for instance, biometric and financial data.
While offline personal data is beyond its scope, even with respect to digital data, the Draft limits applicability to “automated” processing of personal data. “Automated” is defined to mean digital processes that can operate automatically—creating a grey area for instances where entities manually use digital processes to process personal data (which takes place in most cases, such as where information is processed by government or private personnel through software).
In an attempt to simplify, the Draft oversimplifies the language of data protection, with extremely broad carve-outs and exceptions that render seemingly well-meaning provisions, such as on consent and purpose limitation, meaningless. It fails to capture essential, internationally accepted data protection principles, such as necessity, proportionality, and data minimisation, as well as rights, such as the right to data portability—allowing the further entrenchment of the already-concentrated market power of Big Tech.
The previous version of the Bill proposed by a Joint Parliamentary Committee comprising members of the ruling and Opposition parties was far from perfect. Yet, it did not contain many of the harmful provisions in the current draft. Significant global attention is on India, particularly in light of the G20 presidency. We have the opportunity and ability to build an exemplary, rights-respecting data protection framework that will only be well-served if the draft undergoes major changes based on past and ongoing feedback from the full set of stakeholders.
The authors are, respectively, Asia Pacific policy counsel at Access Now, and a lawyer and author of What Privacy Means.