Tuesday, April 16, 2024

A Missed Opportunity

The Bill, passed in the Lok Sabha, has many pros and cons. While it will be a stepping stone towards an Atmanirbhar Bharat, it will severely dent the digital personality hood of an individual

By Ashit Srivastava and Ishita Srivastava

For the fifth year in a row, hopes of a data protection regime in India have remained unfulfilled. Interestingly, smaller neighbours of India have been efficient in this direction, with Sri Lanka enacting its Data Protection Law in 2022. 

The 2017 Puttaswamy-I judgment was a great opportunity for India to enact a sound data protection regime along with privacy rights. While India did appoint a commission under the chairmanship of BN Srikrishna, the novel and courageous Personal Data Protection draft prepared by him did not see the light of day. 

It was in 2018 that the genesis of the first draft was seen. Yet, with four drafts (2018, 2019, 2021 and 2022) put to dust till 2023, there is no sighting of a data protection law coming into existence anytime soon. This is a reflection of the de-prioritisation of citizens’ data. In a country where data drives every service industry (including political parties), there would be fewer takers for a data protection regime.

The draft Digital Personal Data Protection Bill, 2023, does not have many deviations from 2022 though it has set up few prongs of its own. So what are the pros and cons of the bill?

  • Continuation of the exemption clause: The 2023 draft has not deviated from the earlier tradition of exemption clauses. Under Section 17 (2) (a) of the draft, the instrumentalities and agencies of the government are exempted from its provisions if the processing is undertaken in the interest of the sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence. The term “public order” can easily become an umbrella term and may lead to a blank cheque for granting exemption to any overzealous executive agency. 

Secondly, under 17 (3), the government may also exempt any data fiduciary or class of data fiduciary or any startups from compliance of certain essential provisions of the draft. This is reflective of the government’s approach towards businesses in India. The government has been pushing for the idea of an Atmanirbhar Bharat (Self-Reliant India), and surely there cannot be a conception of this without free data flow, especially for service industry-based startups who will require the bulk of data to process. This is a genuine step to bring identity to genuine entrepreneurs in India, but it seriously dents the very base of digital personality hood.

Interestingly, the Joint Parliamentary Committee report of 2021 had also commented on this provision and recommended that the procedure followed by the agencies exempted under the provision should be fair, just, reasonable and proportionate. Ironically, this recommendation did not become a part of the 2022 and 2023 draft.

  • Dent on personality hood: At the core philosophy of the Personal Data Protection regime is the base of digital personality hood. It is the idea of recognising the data principal (the user) as the master of his/her data. This recognition of control or ownership of the user’s data reflects the idea of digital personality hood. This perspective is well recognised across other data protection regimes. For example, under European jurisprudence, the Charter of Fundamental Rights of the European Union under Article 8 recognises protection of personal data as a fundamental right. Additionally, cases such as Bavarian Lager and Population census have emphasised personal data protection as a separate right. Safeguarding this right requires larger control of the data principal over his personal data.
  • Onus on the data principal: This is a unique feature, unseen in other jurisprudence, wherein for the second time, the draft of 2023 and 2022 had imposed a penalty (upto Rs 10,000) on the data principal (the user) for an act of impersonation or suppressing any material information when applying for documents and so on. This seems like a good step, but list of duties under Section 15 demands many duties from the data principal.

For example, Section 15 (a) imposes a duty on the user to comply with all the laws in force while exercising rights under the provision. This might turn out to be an onerous work to undertake. Additionally, the imposition of duties under the design of the Data Protection Law does not fit well with its objective—aiming to bestow on the data principal control of his personal data, so that he can bargain better against multinational corporations and even the State. The law itself is a bargaining tool against bigger entities, knowing that the user has meagre bargaining power and therefore his personal data always is in a state of vulnerability. Therefore, to impose an obligation on him will not be in sync with the objective of personal data protection.

  • Data Protection Board of India: Following the path of the 2022 draft, the 2023 one changed the terminology of the Data Protection Authority of India to Data Protection Board of India. If Section 18 of the draft is read carefully, the centre will notify the appointment procedure of the Board. It shall appoint the chairperson and other members as per the prescribed rules. Though under Section 19 (3) the qualification for the members is given, with the appointing authority being the centre, questions have been raised over its independence.

Also, the role of the Data Protection Ombudsman is the backbone of a data protection regime. It is the Ombudsman who looks into the neutral application of the provisions and spreading awareness about personal data breaches. A thorough reading of Section 27 of the draft says that the role of the Ombudsman is merely of compliance. However, the position of Ombudsman is dynamic, as technology is speeding and the scope of personal data is increasing. Therefore, the Ombudsman has to be at the centre of personal data dialogue. His role cannot be merely of an assistive tool for the government. Currently, the bill has made the government the operational centre of the draft. This severely hampers its neutrality.

  • Data localisation: This is a unique feature from a South Asian perspective. In early 2018 and prior to that, India seemed like a harbinger for pushing for the idea of data localisation, at least in South Asia. Be it the 2018 bill which pushed for blanket data-localisation or the 2019 draft pushing for a bifurcation between sensitive and critical personal data and denoting that critical personal data can only be processed in India, the country showed the way. 

But under the novel draft, there is no such bifurcation. Section 16 (1) of the Bill bestows the power on the government to restrict the transfer of data outside India. The Data Protection Authority originally exercised substantial power on this issue. But again, this Bill has limited the role of the Ombudsman and put the government at a higher pedestal. 

The other issue which is currently brewing in the background of the bill is that it hampers the right to information to large extent. As Section 44 (3) of the draft recommends substituting Section 8 (1) (j) of the Right to Information Act 2005 (exemption provision) with the term “Information which relates to personal information”. This widely worded exemption clause will allow the department to deny Right to Information requests on pretext of personal information. A possible solution for this could be to allow the Data Protection Ombudsman to play the role of balancing between “Personal Information” vis-à-vis “Right to Information”, as there could not be a generalized standard for compromising personal information vis-à-vis right to information. Interestingly, the Srikrishna Committee had recommended such role for an Adjudicating Officer to balance between Personal Data vis-à-vis Right to Information. But this balancing role of the ombudsman is apparently missing. 

So while the current draft will be a stepping stone towards creating India into an Atmanirbhar state, it will severely dent the digital personality hood of an individual. Also, the draft will not completely justify the Bill’s objective. The 2019 draft read with the changes suggested by the Joint Parliamentary Committee 2021 report seemed to have reached near perfection. Yet the deviation from the recommendations of the Committee and unnecessary delay in passing the Bill hint towards a de-prioritised approach towards citizens’ data. 

India’s approach to data protection needs to go into a jurisprudential inquiry as the objective is not clear. 

—Ashit Srivastava is Assistant Professor of Law at Dharmashastra National Law University, Jabalpur, while Ishita Srivastava is an Associate, Tenthpin, a global boutique consultancy

Previous articleJust Deserts?
Next articleFlip-flop Stand?

News Update