The Union Information and Technology Ministry last week put out the Digital Personal Data Protection Bill, 2022 for public consultation.
This is the fourth version and the government’s undertaking to the Supreme Court of introducing effective data protection at the earliest remains unfulfilled. That was during the proceedings of the right to privacy case, which culminated in a nine-judge bench decision in August, 2017 holding that the right to privacy is a fundamental right.
The Supreme Court had reasoned that if privacy can be protected at all in the digital age, it can be so only if it is acknowledged as a fundamental right. The challenge arose in the context of the challenge to Aadhaar.
The claim of privacy was in fact against the government. The government therein, perhaps to appease the Supreme Court, and to try and avoid a too problematic ruling on the scope of the right to privacy, hurriedly set up a committee headed by Justice (Retd.) Srikrishna to have the necessary stakeholder consultations and come up with a relevant legislative draft.
That was in 2017.
The Justice Srikrishna committee published the draft Personal Data Bill, 2018, more than a year after the privacy ruling.
Its object was “a free and fair digital economy”, signalling a departure from the expected orientation of the Bill. The emphasis from 2017 to 2018 had shifted from the need to protect privacy, after having received the status of a fundamental right, to trying to balance it with business interests. It appeared as if legislation on protecting women from domestic violence had tried to strike a balance and protect “family values.”
By the time the government adopted most of the committee’s recommendations and introduced a legislation in parliament ― the PDP Bill, 2019 ― the focus had shifted even more towards protecting businesses and the government.
The 2019 Bill introduced in the Lok Sabha was sent to an ad hoc joint parliamentary committee which produced another version in late 2021, which was published as the Data Protection Bill, 2021. By this time, the emphasis was on safeguards protecting the government against the onslaught of privacy!
This was made amply clear by the insertion of “interests of the security of the State” in the preamble of the Bill’s object, other provisions conferring extraordinary exemptions, and extraordinary powers of surveillance and those powers conferred under a non-obstante clause, overriding all other provisions of the bill.
The 2019 Bill was however withdrawn from parliament and the government went back to the drawing board.
The 2022 Bill is thus the fourth in the series, and a worthy successor to the botched 2019 attempt.
It retains the focus on protecting the government’s interests ― as opposed to protection of the rights of the data subjects (or data principals, as the Bill likes to call them). It no longer requires personal data processing to be limited strictly to the purpose for which it was collected ― the ‘purpose limitation’ principle ― a key pillar of all data protection legislations around the world.
It retains broad exemptions for government and government agencies from provisions of the Bill – a bewildering inversion of history – for, the history of the data protection legislation attempts can be traced to the Aadhaar case, where privacy claims against the government were the predominant focus.
The 2022 Bill also introduces a carte blanche for certain businesses like credit scoring and debt recovery. Clause 16 of the Bill further illustrates how far the pendulum has swung to the other side: it confers ‘duties’ on the data principal to be truthful and accurate, after having progressively eaten away its rights.
Even a commercial confidence agreement disclaims any warranties on the part of the disclosing party as to accuracy or completeness of the confidential information disclosed, and the onus is on the receiving party to acknowledge and process it on an ‘as-is, where-is’ basis. The onus on the data principal to demonstrate accuracy and/or completeness is somewhat unprecedented.
The compliance framework under Chapter V remains controlled by a body that is independent only in text, as it is still appointed by the government. While it would have been better for the Board to be able to award exemplary and punitive damages, creating an incentive for aggrieved individuals to complain, the 2022 Bill even removes the compensation provisions under the previous Bills.
Financial penalties ― handsome sums in theory ― only go to the government’s purse and the complainant is left high and dry. It is unclear how the Bill hopes for effective enforcement when the aggrieved data principal is saddled with all the burdens of duties under Clause 16 and when it has no incentive to bring complaints.
The 2022 Bill is a caricature of data protection legislation. It must not pass.
Prasanna S is an Advocate on Record in the Supreme Court.
This article was first published on The India Cable – a premium newsletter from The Wire & Galileo Ideas – and dhas been republished here. To subscribe to The India Cable, click here.