New data protection bill at odds with privacy ruling, say experts
NEW DELHI: The proposed new data protection law shared by the government possibly falls afoul of the 2017 Supreme Court judgment that laid down the right to privacy, gives the government excessive leeway in framing rules and protocols outside of the parent legislation and seeks to set up a regulator that is unlikely to be independent, experts believe.
The Union ministry for electronics and technology shared the Digital Data Protection Bill, 2022, on Friday for public comments and the proposal is likely to be brought to parliament in the upcoming winter session.
Among the aspects that experts pointed to was the number of issues left to be “prescribed” later via rules that the government will draw up, a process that would not need parliamentary approval.
Among these are additional purposes to which deemed consent will apply, the purposes for which there will be exemption on the additional protections when data of children is processed, and the strength, composition, terms and conditions of appointment and service of the Data Protection Board and its officers and employees.
“The Bill should be called “As May Be Prescribed By Govt Bill” as a lot is left to the rules -- rules that the executive in India has a track record of exploiting to expand its powers,” said technology lawyer Mishi Choudhary.
“Earlier, according to the 2018 draft, to grant an exemption, the government needed the approval of the Parliament,” said Supreme Court lawyer and founder of Cybersaathi, NS Nappinai. “Now they are proposing that exemptions can be introduced in by order of the central government. That is unconstitutional and will not stand the test of judicial review.”
A second major concern was around the deemed consent clause. The bill includes among its provisions “deemed consent”, which does away with the explicit need for a person to permit the sharing of personal data in certain circumstances, including “in public interest” and “any breakdown of public order”.
“It (deemed consent) is not consistent with the Puttaswamy judgment broadly on human rights, but also more specifically on the principlesofnecessity, proportionality and purpose limitation,” said Raman Jit Singh Chima, Asia
Pacific policy director at advocacy group Access Now.
The Puttaswamy judgment refers to the 2017 ruling in which the Supreme Court, in a 9-judge bench order, ruled that privacy was a fundamental right for all Indians. A three-fold test, the order stated, must be fulfilled for any executive action to breach the guard rails around privacy: it must be backed by law, there must be a necessary state purpose, and it should be proportional to the aims.
This particular condition is proposed in Section 8, part 2, which says that the government may, by notification, exempt from the law the processing of personal data “by any instrumentality of the State in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these”.
According to Justice BN Srikrishna, who headed the committee that submitted the first version of the privacy law in 2018, there are parts of deemed consent clause that are unconstitutional. “As far as in the interest of public order is concerned, that is constitutional, but adding clauses that apply to fraud is beyond the ambit of the constitution,” he said. “They are trying to introduce provisions that call for preventive action that is beyond the purview of even the CRPC (the criminal procedure code.”
Internet Freedom Foundation trustee Apar Gupta concurred with Srikrishna, stating that several of the issues with respect to the deemed consent clause continue to persist. “For instance, an employer can, without taking the consent of a prospective employee, take and store information without notifying that they hold it,” he said.
Nappinai told HT on Wednesday that the provision negates the purpose of the enactment and militates against the letter and spirit of Puttaswamy privacy judgment.
There were also concerns with the independence of the DPB and the recourse available to users if their data is breached. “There is no right for compensation to individuals in case of a data breach. The Board is toothless as most power is given to the executive to prescribe through Rules,” said Choudhury.
“The central government itself will likely be the largest litigant in terms of the data it collects so in that sense, the DPB will not truly be independent,” added Chima.