In seeking to deliver on the promises when withdrawing the Data Protection Bill (2019) this week, the Ministry of Electronics and IT released the Digital Data Protection Bill, 2022. At the time of withdrawal, on August 3, 2022, as per a note circulated in Parliament by Ashwini Vaishnaw, the Union Minister at the Ministry of Electronics and IT, said it was done to ensure “a comprehensive legal framework”. This was substantiated by Rajeev Chandrashekhar, the Minister of State at the Ministry of Electronics and IT in his public statements that the new proposal must be as per “global standard laws”. Have the government’s objectives been achieved with the Digital Data Protection Bill, 2022? The Digital Data Protection Bill, 2022 has now shrunk previous proposals that covered over 90 clauses to 30, phrased in plain English. This is a drafting style that is also present in the Telecommunications Bill, 2022 and seems to be the current fashion of setting legal proposals that as per the government serve the values of brevity and comprehensibility. After all, the laws should just not be there for lawyers, but “a person with basic understanding”. While there is little to quarrel with this principle they have been achieved at a considerable cost to established legal standards.
First, when the Supreme Court in the Justice Puttaswamy judgment reaffirmed the fundamental right to privacy it contained specific legal standards as a three-part test. This includes words such as, “necessary”, “reasonable” and, “proportional” which are terms of art and exist as legal doctrines. As per Justice D Y Chandrachud’s majority opinion, the data protection law should have, “due regard to what has been set out in this judgment”. However, it seems the judgment and such legal standards have largely been ignored.
This can be noticed in Clause 18, which contains exemptions from the data protection rights contained within the Digital Data Protection Bill, 2022. Under it, the central government can exempt any government authority from its application by a mere notification stating it satisfies grounds matching the language of Article 19(2) of the Constitution. This is a lower standard than the one prescribed under the privacy judgment. Further, the government can now even exempt private sector entities that may include individual companies or a class of them, by assessing the volume and nature of personal data. Clause 18(4) further exempts any state authority from deletion of data after use, which in effect will permit them to store personal data indefinitely in contravention of the principle of purpose limitation. This is a concerning expansion of state power that tilts the law against the interests of individual privacy.
Second, the concentration of power in the executive branch becomes clearer as the Digital Data Protection Bill, 2022 omits legislative guidance that is a vital part of any law to ensure that executive power is exercised reasonably. Within the 30 clauses, the phrase, “as may be prescribed” is contained in 18 instances. For instance, the compliance and regulatory enforcement to be conducted by a Data Protection Board of India will lack autonomy in appointment or functioning. As per Clause 19(2), the strength and composition, the process of selection and removal of the Chairperson and other members are all, “as may be prescribed”. Further, under Clause 19(3), the Chief Executive who will manage this Data Protection Board will be appointed and the terms and conditions as well will be determined by the central government. Hence, the Ministry of Electronics and IT will have direct oversight over the Data Protection Board of India. It is reasonable to ask at this juncture: Will any such board be able to exercise any oversight and issue fines on any government authority? Such lack of detail is only one among many. Vagueness animates several proposed clauses that create vast regulatory power for the central government. They will determine significant policy choices that are usually first prescribed, but presently absent in legislative guidance. It has been India’s constitutional experience that such unhappy drafting often manifests in the arbitrary exercise of executive power.
Finally, the section on user rights is not only underdeveloped but even now contains penalties for users, who are essentially the beneficiaries of a data protection law. For instance, Clause 6 which requires user consent before data collection, unlike the previous version now no longer requires a notice of with which third parties the data will be shared, the duration for storage and whether it will be transferred to other countries. One of the most curious provisions is Clause 16 which places a duty on users to, “furnish such information as is verifiably authentic”, or face a potential penalty for a fine. When you bundle this with the requirements for authentication that are proposed for users in the Telecommunications Bill, 2022, it can mean the death of online anonymity and pseudonymous identities with the creation of a vast surveillance apparatus. Essentially, each online service is KYC verified or a user faces penalties and denial of service. Hence, any commendation to the Central Government for the deletion of an earlier requirement in the verification for social media is only half made out. To conclude, the simplicity of the drafting choices of the Digital Data Protection Bill, 2022 comes at the price of individual privacy.
This article was originally published in The Indian Express on November 25, 2022.