Why the draft data bill may face legal hurdles
From the land of Arjun comes a draft bill that lacks focus and is demonstrably unconstitutional. The draft Digital Personal Data Protection Bill 2022, made public by the government last week, misses the mark almost entirely by diluting the rights of data principals instead of protecting them, contrary to the privacy principles laid down by the Supreme Court in the 2017 KS Puttaswamy vs Union of India judgment.
WhatsApp’s discriminatory privacy policy is an illustration of this problem. The messaging platform imposed a revised privacy policy for India, a Hobson’s choice of take it or leave it for consumers, who had to either accept the revised policy or lose access to WhatsApp. The company, however, extended a different option to the European Union (EU), allowing consumers to opt out of certain usage of their data without losing use of the service. This was due to the EU’s General Data Protection Regulation, which protects user privacy rights. The Indian government took a clear stand before the Delhi high court that India should be extended a similar “opt out” policy.
But the new draft takes away from customers this choice of refusing the use of their data without losing access to the service.
Two other problem areas are the exemptions and deemed consent provisions, which not only dilute privacy rights but effectively decimate consent and purpose limitation rights. The very illustration to explain deemed consent — “A” shares her name and mobile number with a data fiduciary for reserving a table at a restaurant. “A” shall be deemed to have given her consent to the collection of her name and mobile number by the data fiduciary to confirm the reservation — validates unscrupulous practices by vendors to forcibly collect personal data. The bill retains exemptions that allow the government to process personal data without consent for purposes such as “maintenance of public order” and “preventing incitement to any cognisable offence”, which are essential. However, it also permits the central government to exempt “any instrumentality of the State” in the “interests of sovereignty…, security…, friendly relations with foreign States, maintenance of public order” from the safeguards of the law via notification in the future. This exceeds the remit of Article 19(2) of the Constitution, which permits only Parliament to exercise such rights of imposing reasonable restrictions.
Unconstitutional and excessive vesting of delegated or subordinate legislation (laws made by a body or entity that is other than, or subordinate to, Parliament) percolates multiple provisions of the draft. This includes Section 10, which deals with child rights, wherein mandatory parental consent for collection of child data and restraints on tracking, profiling and targeting advertisements at children can be done away with, if so prescribed.
Significant penalties are now being imposed against data principals — the persons whose rights this law was to protect — with fines up to ₹10,000 for breach of ambiguous and open-ended provisions, such as compliance with “all applicable laws”. Individuals being deprived of their right to compensation — more so after the repeal of section 43A of the IT Act — for data breaches is another miss. With the categorisation of sensitive and critical data being done away with, the assumption would be that personal data would be elevated to the position of sensitive personal data with higher protections, which is not the case. Existing rights are consequently diluted, instead of being strengthened.
The Data Protection Board (DPB), which replaces the proposed Data Protection Authority, is now under the control of the central government. Another unconstitutional provision is the retention by the government of the right to set out the functions of DPB instead of these functions forming a part of a Parliament-enacted law. Such overarching control also militates against effective enforcement of privacy against the central government, which is also purportedly covered under this bill.
Free flow of data is recognised, as is the norm, except when nations fail to implement robust data protection laws. However, with the weak data protection framework proposed by the present draft, the goal of some businesses that wished to entice EU data to India may remain a dream. High penalties also affect businesses, particularly smaller firms, though there is a provision for proportionate penalties.
With the misses far outweighing the hits, one should hope that this is not a draft that finds its way into Parliament. The wait for a near-decent data protection law that assures our privacy has already been long. Though this draft is only at the consultation stage, one has to hope that this doesn’t delay the inevitable, i.e., an enactment that protects personal data.