While the new digital personal data protection bill looks to ease the compliance burden on businesses, especially for start-ups, on a few issues and is more concise compared to its predecessors, experts pointed out that the proposed law allows a wide berth to the government to legislate through rules that can be notified without parliamentary proceedings.
“Unlike the previous draft Bills, which drew significant inspiration from the GDPR, this version of the Bill seems to be designed to be a shorter and simpler document, which may help with alignment and rapid adoption,” said Arun Prabhu, head of the technology practice at law firm Cyril Amarchand Mangaldas.
“That being said, while this simplification may have benefits, several concepts that the current Bill proposes, and some of the open-ended language, may need refining before the Bill is adopted,” Prabhu added.
After the draft bill was published today, Internet Freedom Foundation highlighted in a tweet that the phrase ‘as may be prescribed’ was mentioned in the draft bill 18 times. “This creates vague, unguided power for the Union Government to frame rules,” the digital rights organisation observed.
For example, on the issue of data localisation, the bill proposes to allow the transfer of personal data outside India to a trusted geographies list which will be specified later.
Another notable instance where it does not get into the specifics is data protection in the case of children. While the bill mandates parental consent for processing the data of minors and prohibits the tracking or behavioural monitoring of children, it leaves the door wide ajar for interpretation by stating that "a data fiduciary shall not undertake such processing of personal data that is likely to cause harm to a child, as may be prescribed."
“The brevity and examples provided are a welcome change but cleverly leave all details to be legislated by the Executive through Rules. Rules that we have seen as in the IT Act are exploited to pass broad provisions making the Executive all-powerful,” said Mishi Choudhary, Founder of Software Freedom Law Center, India.
“Rules that don't require the same rigorous parliamentary process as the parent act. The Bill doesn't meet the expectations of people protection but ensures that the government retains its power as it makes laws about individuals and businesses,” Choudhary added.
The bill has also improved on certain counts from the perspective of consumers. While the previous version of the bill mandated that a data fiduciary has to notify only the data protection authority in the event of a breach, the new bill mandates that even the user has to be notified.
Whereas the previous bill only gave data principals the right to appoint nominees in the event of death, this version has extended this right to ‘incapacity’. Yet, experts said that the larger concerns around the government giving itself a wide berth to access citizens’ personal data remain intact in the bill.
“Like previous versions, Clause 18(2) of the DPDPB grants vast exemptions to governmental agencies… Clause 18(3) creates arbitrary power for Government to exempt data fiduciaries (not only small entities),” pointed out the Internet Freedom Foundation.
"The government has retained broad powers to exempt its agencies from any – or all – provisions of the Bill. This power is wider than past versions since the safeguards proposed in them – especially the 2021 version – have been taken out from the 2022 Bill," said Vijayant Singh, Senior Associate at Ikigai Law.
"The end result is that government agencies could collect personal information without being subject to standard privacy obligations like obtaining an individual’s consent, or providing individuals with rights to access, correct, or delete their data, among others," Singh added.
The bill also mandates the creation of a Data Protection Board that will be tasked to enforce the law and can levy penalties of up to Rs 250 crore in case the entity collecting or processing data does not implement “reasonable security safeguards”.
The bill says that the strength and composition of the Board and the process of selection, terms and conditions of appointment and service, and removal of its chairperson and other members will be prescribed later.
“Seriously, see the condition of all the boards they have set up. They are just a mess. Someone or other is on leave or the seat is vacant for months or years altogether as the government can’t decide who to oblige,” said Salman Waris, Partner at technology law firm TechLegis.
“I fear it may just become another body where the government obliges its cronies with post-retirement appointments and posts,” Waris added.