The Ministry of Electronics and Information Technology (MeitY) recently published the draft Digital Personal Data Protection Bill, 2022 (DPDPB 2022) and invited comments on the same three-and-a-half-months after the withdrawal of PDP Bill 2019 from Parliament in August 2022.
Hence, it is useful to analyse the past, the pivot, the process of consultation, the principles, the procedure for grievance redressal, and the powers with the government before making a proposal.
Since the nine-judge Constitution Bench of the Supreme Court had upheld the right to privacy as a fundamental right in 2017, five different documents on data protection law have been placed in the public domain time in as many years.
First, a committee of experts chaired by Justice BN Srikrishna published a white paper seeking comments in 2017. Second, it submitted its report and draft Data Protection Bill, 2018 (DPB 2018) to the government. Third, after inviting comments on the DPB 2018, the government introduced the Personal Data Protection Bill, 2019 (PDPB 2019) in Parliament and the same was referred to a Joint Parliamentary Committee (JPC). Fourth, the JPC report including numerous amendments was tabled in 2021 after two years of deliberations. Fifth is of course, the DPDPB 2022.
However, it is a misconception that the discussions on privacy law in India began only after the 2017 privacy judgment that had emanated from a public interest litigation challenging constitutional validity of Aadhaar.
When the government set up the Unique Identification Authority of India (UIDAI) in 2009, privacy concerns were voiced afresh notwithstanding that in 2008 itself, some provisions pertaining to personal data protection had been included (by way of the 2008 amendments to the Information Technology Act, 2000.
To its credit, the government commenced consultations for a privacy law in 2010 even before the first Aadhaar enrolment by the UIDAI. Incidentally, that endeavour was anchored by the Department of Personnel and Training (DPT), the same department that administers the Right to Information (RTI) Act.
A group of experts chaired by Justice AP Shah had also prepared a report for the erstwhile Planning Commission to which the UIDAI was then attached. Over the following years, multiple ‘leaked’ drafts surfaced but remained unverified.
Though the term ‘digital’ has been included in the title of the latest draft, the scope of even its immediate predecessor was restricted to ‘digital (personal) data’ only. While this could be attributed to MeitY’s remit, there are some noteworthy pivots.
Firstly, the phrase ‘Right to privacy’ is amiss from the preamble and even the explanatory note. Secondly, ‘Non-Personal Data’ (NPD) is totally out of the scope now. Thirdly, imprisonment provisions have gone out and the financial penalties are capped to specific values and no longer predicated on the global revenues. Fourthly, the proposed amendment to the RTI Act under DPDPB seems misplaced since the ‘information’ under RTI goes beyond digital personal data. In addition, considering that one is increasingly likely to become a digital citizen before achieving the age of 18 years, it may be worth lowering the age of consent to at least 16 years, if not lower.
The process
Like the recent draft Telecom Bill, the DPDPB relies on simple language shorn of proviso, and includes illustrations.
While the decision to undertake public consultation is welcome, MeitY should publish the comments received on its website, in line with the Pre-Legislative Consultative Policy, 2014. In fact, further window for counter-comments would also be useful. Comments and counter-comments should be published, perhaps without identifying those who wish to remain unanimous. Submission of comments should be possible in other channels besides MyGov.
In addition, it would be desirable for the Bill to be referred to a parliamentary committee as and when the same is introduced.
The explanatory note enumerates seven principles, like the nine proposed by the group of experts chaired by Justice Shah in 2012. With slight variations of terminology, these are universal, well almost. However, an explanatory note has only persuasive value and not the full force of law.
Certain powers are vested with the executive rather than being codified within the principal legislation. These include powers for notifying subordinate legislation, administrative steps and, at times, even powers for carving out exceptions and exemptions.
Firstly, the power to make rules must be narrowly crafted; for example, while the discretion for salary and perks for the chairperson and the members of the Data Protection Board of India (DPBI) may be vested with the government, numerical strength of DPBI, members’ qualifications and the tenure must be specified within the principal legislation.
Secondly, even a ‘lawful purpose’ aka ‘legality’ cannot justify ‘deemed consent’ unless it also meets the other two parts of the triple test — ‘necessity’ and ‘proportionality’. Thirdly, exemptions from compliance, partially or completely, must be limited to agencies responsible for law enforcement, intelligence, and national security only. Last but not the least, such powers must be subject to institutionalised judicial or legislative oversight.
Notwithstanding the direction within the principal legislation to use ‘digital’ technologies, the DPBI must proactively institutionalise and facilitate grievance redressal by those who want to or may be forced to use non-digital modes. Even a person without digital access or digital literacy should be able to exercise legal protection of one’s ‘digital personal data.’
Therefore, the consultation process must be more iterative and inclusive; the principles must be enshrined within the principal law; the age of consent be reconsidered, the government powers must be narrowed down and subject to external oversight. Lastly, the grievance redressal should be simpler.
Since ‘Digital Personal Data Protection’ is a subset of the fundamental ‘right to privacy’, DPDPB may be necessary but is insufficient for the latter’s assertion and enjoyment in its entirety.
The writer is Senior Visiting Fellow, ICRIER