Draft Data Protection Bill: Free pass to breach privacy

The Digital Personal Data Protection Bill 2022, circulated for public consultation on November 18, is more of a concept note, rather than a piece of legislation, which doesn't even recognise that the right to privacy is a fundamental right – as unanimously pronounced in the Puttaswamy judgement of 2017 and which forms the basis for this legislation.

It contains little to protect privacy, other than right to free consent, grants wholesale exemptions to government agencies to breach privacy without checks and balances and provides for a regulatory mechanism without spelling out its composition, eligibility and selection process – all critical to its functional independence – while vesting all this power with the executive—to be decided in future by the Babus. In short, it seeks to transfer all legislative power to executive – violating the separation of power the Constitution envisages.

A concept note, not a legislation

Why this draft bill should be called a concept note, rather than a piece of legislation?

It is because the draft bill is bereft of specifics (16 pages, 30 clauses as against 56 pages and 98 clauses in the previous 2019 draft bill) and vague about critical matters, like protection of the right to privacy, oversight mechanism and checks and balances against breach by government agencies.

It keeps most things vague: not even a time period for its implementation as the bill says "different dates may be appointed for different provisions of this Act"; makes the rules under it (to be framed later) at par with the law itself, not subordinate to it, by declaring that "unless the context otherwise requires provisions of this Act shall be read as including a reference to Rules made under this Act"; "lawful purpose" is defined as "any purpose which is not expressly forbidden by law" (but which 'law' or laws is not specified) and specific provisions and exceptions have been replaced with multiple "illustration".

Unlike the 2019 version, which foregrounded the bill by declaring "the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy", this one says the "purpose" is "to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes". The new wordings put the right to privacy at par with the "need" to process private data. Besides, it does away with classification of personal data as "sensitive" and "critical" which were prohibited from processing outside India in the 2019 version.

Consequently, the obligations of the "data fiduciary" (who determines the "purpose and means of processing of personal data") is not to protect data privacy, as the 2019 bill said, but is described in general terms (vague) with a declaration that "a person may process personal data of a Data Principal only in accordance with the provisions of this Act and Rules made thereunder, for a lawful purpose" ("lawful purpose" is also vague as explained earlier) without mentioning the role of the data fiduciary at all.

What will guide the data fiduciary since protection of the right to privacy is not declared as its purpose? It is "consent" a person gives "freely" for "processing of her personal data for the specified purpose". But there is "deemed consent" and "exceptions" provisions too, undermine this free consent for specific purpose.

"Deemed consent" includes information given voluntarily as well as without it (including "for the performance of any function under any law" and public "service and benefit") and in "public interest". "Public interest" here goes beyond the usual elements like protecting the sovereignty and integrity of India, friendly relations with foreign countries and public order and include others with potential for misuse like, "security of the state", "detection of fraud", "network and information security", "credit scoring" and "for any fair and reasonable purpose as may be prescribed".

An "explanatory note" circulated with the draft bill justifies this lack of checks and balances on government by stating that "national and public interest is at times greater than the interest of an individual, a clear grounds-based description of exemptions has been incorporated in the Bill".

The 2019 bill had similar exemption but with two notional safeguards: (i) a prior written order specifying the reasons for such exemptions and (b) the procedures, safeguards and oversight for such exemptions would be laid out in future ("as may be specified"). That is why the Joint Parliamentary Committee (JPC), which examined it and suggested 93 amendments in its December 2021 report[iv], specifically sought a "just, fair, reasonable and proportionate procedure" for such exemptions/breaches. The JPC report also reminded the Centre that the Puttaswamy judgement had provided three tests for infringement on privacy: (i) tests of necessity (ii) proportionality (iii) legitimate state action.

This bill is bereft of any such nuances or detail.

The "public interest" exemption is problematic for two main reasons: (i) historic as well as contemporary evidence of its misuse through terror laws (UAPA now and TADA and POTA earlier), sedition law and money laundering law (PMLA, which the ED uses to target political rivals and dissenting voices) and (ii) a carte blanche "exemptions" to government to honour the right to privacy, with no checks and balances and no procedure to be followed.

While the first (evidence of misuse of laws) doesn't need elaboration, the second (carte blanche exemptions to government) is a big cause of concern because of growing allegations of breach of data privacy, snooping and surveillance by the Central agencies – as manifest in allegations, court cases and investigating reports involving Twitter, Google, Whatsapp and Pegasus spyware scandal over the past few years. Irrespective of who is in power, Central agencies like the CBI, ED, DRI and IT are widely known to target political rivals and dissenting voices.

Unformed and executive Board

The other major concern is an unformed "Data Protection Board" – the oversight and regulatory body.

The bill creates a history of sort by not even spelling out the basic structure of the board: "strength and composition" of the board, eligibility of its "chairperson" and "members", selection and appointment process and tenure and service conditions.

For all this, the bill merely says the Centre "may prescribe" and "may determine". No bill in living memory provides for such an unformed oversight and regulatory mechanism and a carte blanche power to executive to do as it pleases. This amounts to handing over legislative power, in this case the Parliament, to executive. For the bill to then claim that "the Board shall function as an independent body" is meaningless. In contrast, the 2019 bill provided all such details (then called Data Protection Authority of India), howsoever, defective (the selection committee comprised of bureaucrats only, undermining independence and neutrality of such appointments).

In fact, it is logical to ask: What is the need for such a legislation? A simple executive order would be enough.

The significance of appointments to the board would be clear from the anguish and concerns of a five-member bench of Supreme Court expressed on November 22 and 23, 2022 while dealing with the selections and appointments of election commissioners (ECs).

The court posed several critical questions and made some observations to ensure the independence, neutrality and effectiveness of Election Commission of India (ECI): (a) it asked the Centre to lay down the procedure for appointments, which the Constitution envisages but never fulfilled (b) it suggested inclusion of Chief Justice of India (CJI) in the appointment committee for neutrality (c) ensure longer tenure of Chief Election Commissioners (CECs), who are allowed a maximum of six years and (d) show the appointment file for the appointment of EC, Arun Goel. To drive home its point, the bench said the first 46 years of independent India saw only 10 CECs, but the last 26 years after TN Seshan saw 15 and the last seven years eight CECs. By no means the court's suggestion for including CJI is adequate for neutrality in selection or appointment (opposition party leader, independent experts are often part of key appointments) but it flags the need to reduce the role of executive.

Now think of the Data Protection Board. It is supposed to ensure the right to privacy but is completely driven by the Centre (executive), which gets wholesale exemptions from any scrutiny. When the breach of privacy goes to the board, the Centre will be the party and the judge. The right to privacy be damned.

No compensation for breaches

The bill makes the breach in the right to privacy a non-criminal matter, providing only for monetary penalty on those who do so but there is no provision for compensation to the victim (as the 2019 bill provided). Worse, it takes away the compensation provided under the IT Act of 2000 (section 43a). It proposes two amendments to the IT Act of 2000: (a) insert Digital Data Protection Act of 2022 in section 43 which deals with "penalty for damage to computer, computer system, etc." and (b) omit section 43a which specifically provides for accessing computer, computer system and computer network "without permission" for compensation.

Another amendment is proposed which dilutes the RTI Act of 2005 – one concrete case of protection of privacy, which is misplaced. The bill proposes to amend section 8(1j) of the RTI Act which reads: "Information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information."

Section 8 deals with ten "exemption from disclosure of information” and its sub-section (1j) says if information officers or appellate authority are satisfied that such personal information serves "larger public interest" then they can allow such information to be provided.

The amendment proposes to retain "information which relates to personal information" but cut out the rest ("the disclosure of…"). What this means is that personal information remains one of the ten "exemptions" without checks and balances, that is, the power of information officers and appellate authority to decide a case on its merits (test of public interest) is extinguished.

Why is this a misplaced protection of privacy?

Most RTI queries are about corruption and involves persons – government officials as well as private individuals engaged in public services and handling of natural (public) resources. A blanket exemption, thus, weakens the RTI Act, as former Central Information Commissioner Shailesh Gandhi lamented recently.

Cross-border data flow

While the bill is disappointing for the common man in protection of the right to privacy, it does provide some concessions and reliefs to companies dealing with data for the ease of digital economy.

Unlike the 2019 bill, this one does not classify data as "non-personal" or seeks government control over. It also allows cross-border data transfers (unlike prohibitions on processing of "sensitive" and "critical" personal data outside India in the 2019 bill) but only to specific countries and territories under specific "terms and conditions" both of which would be spelt out later. But it then subjects data processing in those countries/territories if it involves profiling of and offering goods or services to Indians. As for domestic companies, it allows outsourcing/BPO industry to process personal data of people "not within the territory of India" in case the domestic company has got a contract to do from outside India.