By Amar Patnaik

While discussion on the Data Protection Bill has been going on since the Supreme Court’s Puttaswamy judgment, followed by the recommendations of the Justice BN Srikrishna Committee (2018), there is a new version of the Bill now—some are calling this a diluted version of the one introduced in Parliament in 2019. The new draft contains around 30 clauses, down from 90-plus clauses in the 2019 iteration. It does away with eight chapters. What is concerning is that, even in the ‘truncated’ version, 18 of the 30 clauses contain the phrase “as may be prescribed”, giving uncircumscribed power to the Centre to frame rules. This raises the spectre of a compromised data protection and privacy regime where one of the most significant data fiduciaries, the Centre, is entrusted with regulation of this ecosystem while itself getting regulated by the legislation. This creates a conflict of interest. Some aspects needing clarity are:

Applicability to manual data

Non-automated processing and offline personal data are excluded from the Bill by naming it as the Digital Personal Data Protection Bill. Citizens’ personal data is also collected and stored for processing manually. Does it mean that we will require a Manual Data Protection Bill? The SC’s order in Puttaswamy is clear that citizens’ data in any form should be protected with the same rigour, so far as it involves their privacy. The SC uses the word “informational privacy” as opposed to “digital privacy” used in this draft Bill.

Effects of deemed consent

The draft Bill proposes “deemed consent” in “public interest”, such as for preventing fraud, ensuring network and information security, and for fair and reasonable purposes. But it will only be the Centre that will specify what “fair and reasonable purposes” are. This is a dilution of the citizen’s agency to give or retract consent. Besides, it is essential that more rigour is put on this provision by subjecting the process of obtaining “deemed consent” to a quasi-judicial, inter-ministerial scrutiny and supervision, with as narrow applicability conditions as possible, and confined to a fixed time period. For extension, the matter should be put to review once again before this quasi-judicial mechanism. The principle of proportionality has to be explicitly mentioned in the Bill.

Globally, jurisdictions took heightened care in handling the personal data of citizens with clear consent even during the Covid pandemic. According to the UK government’s additional guidelines, all National Health Survey data was under the control of NHS England and NHS Improvement. When the public health emergency ended, data was scheduled to be destroyed or returned under the law, as per strict contractual agreements in place between the NHS and its partners.

Data portability and penalty on the data principal

Per the draft Bill, individuals can’t seek porting of their data across platforms, unlike in the 2019 Bill. This deficit not only disempowers data principals by eliminating their right to choose between different data fiduciaries, but also kills competition between data fiduciaries. Further, the draft Bill has introduced a penalty of ₹10,000 for non-compliance by data principals with any of the four duties as laid down in it. Since this right is bestowed on the data principal as a fundamental right—now having been read into Article 21 of the Constitution—such penalty may not stand the test of legality and proportionality.

Accounts and audit of Data Protection Board

There is no provision in the Bill for accounts and external audit of the Board, which was there in the earlier Bill. The CAG is the agency for auditing. In the absence of a provision for government audit, the question arises as to whether such audit would be performed by chartered accountants? In such a case, their audit reports shall not be presented to Parliament and will, thus, make the Board immune to parliamentary oversight. This is a sharp departure from any law passed in Parliament, such as the RTI Act or the new Consumer Protection Act.

Harmonisation with cross-sectoral laws

While the draft Bill has tried to relax the norms around strict data storage and localisation, it sheds little clarity on the mechanism to ensure harmonious interpretation with other sectoral laws. The Indian data protection regime is currently governed by the IT Act and the SPDI Rules. But sector-specific rules issued by regulators govern data protection, privacy, and data localisation. Examples include the National Health Authority of India’s Health Management Policy and RBI’s circular on data localisation for the fintech/banking sector. This may lead to turf wars between different regulators and the Data Protection Board, thus creating unintended regulatory arbitrage opportunities for data fiduciaries, to the detriment of data principals.

Incomplete framework of cross-border data flows

While the Bill keeps the terms for cross-border data flows quite open, which would help in negotiating country-specific requirements in bilateral trade deals, where data will be an important aspect of negotiations, it is also prudent to acknowledge that if a country does not find our privacy system ‘adequate’ per its policy standards, this may create barriers to efficient data flow. Also, unlike the EU GDPR, India’s Bill does not recognise other grounds for overseas transfer such as standard contract clauses, certifications, etc.

Absence of privacy-by-design provisions

Privacy-by-design requirements are conspicuous by their absence. If it is not built by design into the day-to-day digital ecosystem by all data fiduciaries (those who collect or store or process data), then privacy will not be organically built into our digital ecosystem and its effectiveness will, therefore, be sub-optimal.

The writer is Member of Rajya Sabha. Views are personal

This article was first uploaded on February eleven, twenty twenty-three, at zero minutes past four in the morning.