November 19, 2022
The Ministry of Electronics and Information Technology has released a new draft of India’s awaited data protection law, intending to lay down a simplified framework to balance the right of individuals to protect personal data, and the need for data fiduciaries to process it.
The bill, however, fails to take into account the nuanced understanding and approach towards governing personal data, developed during the past half decade. It provides absolute discretion to the executive to either protect or neglect personal data protection needs of the citizens.
Moving away from its previous version, the bill skips mention of the fundamental right to privacy in its preamble and narrows the scope of the law from data protection to digital personal data protection, excluding non-personal data, which is rather desirable. In doing so, the bill takes away the categorisation of personal data, especially sensitive personal data, thereby painting all personal data with the same regulatory brush.
“The bill provides a broad scope and unrestrained powers to the government to prescribe on critical issues at a later date. Such powers, if not carefully and judicially used, can do more harm than good,” said Pradeep S Mehta, Secretary General, CUTS International.
The bill has moved away from the interests of data principals by incorporating provisions like deemed consent for processing of personal data in public interest, defined quite broadly. In the same vein, it weakens the regulatory, supervisory, and enforcement architecture by replacing the previously proposed data protection regulator with a board directly under the control of the government. This seems to continue the trend of the draft telecommunication bill, which also weakens TRAI and empowers the executive, which is difficult to hold to account when compared with independent regulators.
While the upper limit of financial penalties is significant, the diminutive status of the board does not inspire confidence in carrying out in-depth assessment and imposing proportional penalties on defaulters, observed Mehta. The bill also does not provide for the creation of a data protection fund to ensure use of such penalties in consumer interest. However, the removal of criminal liabilities from the bill is a positive step.
It is a welcome move that the classification of significant data fiduciaries has evolved from only the number of registered users, as in the intermediary rules. The factors include volume and sensitivity of personal data processed, risk of harm to the data principal, and risk to electoral democracy and public order, among others.
While the move to allow transfer of personal data outside India appears to be a step forward, the bill provides significant, unreasonable discretion to the central government to notify trusted countries for such transfer, without necessary principles or procedural safeguards. Similarly, the exemptions for processing of personal data of children are vaguely drafted, without necessary guidance to the executive.
The bill could have prescribed better regulation and rule-making processes, including a notice and comment period, cost-benefit analysis, and transparent stakeholder consultations. These best practices are the hallmark of a maturing regulatory ecosystem, and can also help in the appropriate exercise of executive discretion.
The bill also empowers the central government to exempt instrumentalities of the state from its provisions without adequate checks and balances, ignoring the principles of legality, necessity, and proportionality, as laid down in the Puttaswamy judgement.
One had also hoped that the bill would provide a more evolved and stronger grievance redressal mechanism, in coordination with consumer groups and civil society organisations, to ensure protection of consumer interests.