Data Protection Bill | State gets absolute power, and that’s not a good thing

Representative image.

For over five years now, India has struggled to pass a data privacy law, lagging major democracies in the exercise. Europe’s General Data Protection Regulation (GDPR) came into effect in 2018, and the California Consumer Privacy Act, a notable legislation but not covering the entire United States, came into effect in 2020.

Meanwhile, we asked Justice Srikrishna to prepare a data protection law, and then consigned nearly all of it to the bin. So much so, when a draft Bill emerged in Parliament, the learned judge found it unrecognisable and termed it Orwellian.

On November 18, we got a new iteration of a data protection Bill, with notable improvements in ease of doing business; but nothing to ease fears of State surveillance, suggesting that the government is happy to explore the ‘art of the possible’ with the likes of Google and Facebook, but far from enthusiastic to do the same with civil rights groups and digital activists.

In a welcome move, the Digital Personal Data Protection Bill, 2022, expectedly, reversed a bid by a Joint Parliamentary Committee (JPC) to expand the purview of the previous Bill to include non-personal data. That adventurist attempt by lawmakers stirred a hornet’s nest, and was a key factor in the government’s decision in August to junk the Bill and start afresh.

The new Bill eases several concerns of Big Tech. It not only restricts the Bill to personal data, but also permits cross-border flows of personal data — albeit to friendly nations, most certainly likely to include the United States. It also drops from the previous Bill hair-splitting about what constitutes ‘sensitive’ data, and what might be termed ‘critical’ data. It significantly improves on the previous Bill by placing more responsibility on the companies harvesting user data. So, companies would be required to notify users whenever they breach users’ data, and pay stiff fines of up to Rs. 250 crore for failures.

Under the oversight of IT Minister Ashwini Vaishnaw, the Bill also sports some niceties. It is considerably shorter, has less legalese, and, for good optics, uses the pronoun ‘her’ to refer to a user. It has several gaps and drawbacks too, most of which could be redressed during the public consultation process open until December 17.

Take, for example, “deemed consent”, which is sought to be applied in multiple use cases. So, a person who submits their name and mobile number to reserve a table at a restaurant is deemed to have given their consent to use of their data, but the Bill does nothing to ensure that the person’s mobile number will not be used to, say, offer a personal loan. Similarly, one would think Google or Facebook should let us know if it shares our data with third-parties, and for what purpose or how long. But that is not the case.

Prescribing “duties” for a “data principal” is also widely regressive, needlessly burdening the common citizen whose data is the one at stake. The lack of compensation to individuals whose data is breached is another. It is reasonable to expect that a final version of the Bill to be presented to Parliament would plug these gaps. But where the Bill is fundamentally flawed is in the government’s refusal to explore any nuance in asserting the State’s absolute right to access anybody’s data, in its refusal to establish any independent safeguards, and indeed in its quest for complete executive control over any avenues to redress, allowing no scope for judicial scrutiny or parliamentary oversight.

Consequently, the Bill grants to the government sweeping rights over all data when in it is “in the interests of sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order or [for] preventing incitement to any cognizable offence relating to any of these.” In addition, the Bill allows the State — and its agencies — to retain for perpetuity any data collected, while requiring all other “data principals” — the likes of Google, Facebook and other private entities — to delete the data when it “is no longer being served by its retention” and “retention is no longer necessary for legal or business purposes.”

With regard to the data protection agency, the government’s powers under the Bill are similarly absolute. The government can name anybody as the chief executive of that agency. It will alone determine the “strength and composition of the board and the process of selection, terms and conditions of appointment and service, [and] removal of its chairperson and other members.” In effect, the data protection agency could end up being at the mercy of the Union government.

Clearly, the new Bill has not heeded concerns expressed by Justice Srikrishna or the political opposition. In addition to fears of an Orwellian State, Congress’ Jairam Ramesh — who was a member of the JPC that debated the previous Bill — warned of a constitutional challenge unless clauses governing State’s powers are “narrowly tailored”. It is also likely that the Bill will be challenged in the light of privacy being declared a fundamental right under Article 21 of the Constitution, in the landmark Supreme Court ruling (Puttaswamy v Union of India and others). With such uncertainties, we may have to wait considerably longer for a privacy law.