Earlier this month, the government released the Digital Data Protection Bill of 2022, and asked for public comments. This bill is the fourth attempt at enacting a data protection law for India, an effort that has spanned a decade-and-a-half.
The government said this iteration provides a progressive and adequate legal framework for data protection in India; and, in particular, having listened to industry critiques of the draft Personal Data Protection Bill of 2018 (the previous version), it has removed onerous provisions regarding the storage of data within India, thus providing an industry-friendly legislation. A closer look at the provisions, however, reveals some serious shortcomings within the proposed legal framework.
First, the bill provides a wide range of circumstances (ranging from credit scoring to employment to provision of services) where an individual’s data may be collected, stored and processed without their consent (the bill euphemistically refers to this as deemed consent). In my view, this is an infringement of individual privacy. In its 2017 privacy judgment, the Supreme Court clarified that when the State or a private party wishes to infringe upon individual privacy by collecting personal data, it must fulfil the test of proportionality: In particular, the collection of data should be the least restrictive method of achieving the goal, and that there should be a balance between the extent of infringement and the importance of the goal. However, the draft bill makes no mention of the proportionality standard; it also makes no mention of classic data protection principles, such as purpose limitation (i.e., data should be used only for the purpose for which it is collected) and data minimisation (the minimum possible data should be collected, consistent with the goal). Instead, the bill has wide and vaguely worded clauses that, under the guise of deemed consent, can potentially authorise vast and unchecked data mining, without constraint.
Second, the bill authorises the government to exempt any State agency from the obligations and provisions of the bill. Put simply, the government can pick and choose where the bill applies and where it doesn’t. This is a flagrant breach of the basic principles of the rule of law, according to which the government is as bound by the law as anyone else.
Third, the bill creates a data protection board, ostensibly for the purpose of implementing the law on the ground, and handling complaints and breaches of the law (including complaints against the government). It is evident that to adequately perform its functions, the board — much like an Election Commission or an Information Commission — must have the necessary independence from the government. These institutions are collectively known as “integrity institutions” or “democracy institutions” because of their role to adequately implement fundamental rights, and stand between the government and the individual. However, under the terms of the bill, the board is entirely under the control of the government, from appointments and tenure to terms of service. Members of the board have no functional independence from the government. Consequently, it is difficult to see how the board will function independent of the government, especially when it may have to enforce the law against the government.
Fourth, the bill is problematic because it seeks to amend the Right to Information Act and make it impossible to obtain “personal information” in toto. This, effectively, amounts to weaponising the right to privacy against the right to information: Under the previous version of the law, personal information could be provided if there was a public interest involved that was of sufficient importance. That clause has now been deleted.
Fifth, the bill is almost skeletal in form, and leaves most of the concrete details to be worked out through the rule-making power of the executive. While it is natural for some delegation to happen in complex laws, the bill delegates crucial issues — such as what constitutes a “fair and reasonable purpose” for deemed consent — to be determined through rules.
And finally, the bill is eloquent in what it does not say. The flip side of any data protection law is surveillance reform. A data protection bill is not worth the paper it is written on if State surveillance can continue unchecked and unregulated. However, much like its predecessors, the bill is entirely mum about surveillance. This is a major lacuna, and continues the two-and-a-half decades of State resistance to surveillance reform, ever since the Supreme Court flagged this issue in its 1997 judgment in PUCL v Union of India.
Taken as a whole, this bill presents an inadequate and problematic legal framework for data protection in India. It is to be hoped that the government will take constructive critique on board, and modify the bill to bring it on par with global best principles on privacy protection.
Gautam Bhatia is counsel with the Internet Freedom Foundation
The views expressed are personal