Dalima Pushkarna, second-year law student at Dr. Ram Manohar Lohiya National Law University, Lucknow, discusses issues still present in India's new Personal Data Protection Bill...
The Indian government, on August 4, 2022, withdrew the Personal Data Protection Bill 2019 from the parliament. Though no significant reason was given by the government, the Minister of IT, Ashwini Vaishnav, said that this bill was being revamped as it was paving the way for a complete draft and suited the present legal systems of India better.
Finally, on November 22, 2022, the Ministry of Electronics and Information technology released a new draft of the bill known as the Digital Personal Data Protection Bill, 2022, catering to data only present in digital format, unlike its predecessor, which has all kinds of data under its purview.
The bill is yet to be released in the parliament and is presently in the public domain for the general public’s scrutiny and opinion. The bill has gained applause for its easy and lucid language and for using the pronouns she/her in the draft. While the bill has earned much praise, specific issues in the bill should be reconsidered by the union government before releasing a final draft, as the current draft is different from its predecessor in various ways.
Immense Power to the Central Government
When we look at the new draft, one thing we find familiar in most clauses is that the central government has a vital role to play in the bill.
The GDPR is responsible for data protection in the European Union and makes it obligatory for the member states to set up an independent supervisory authority to monitor the regulation’s application. The supervising authority’s roles and duties and the procedure for its selection of members are clearly mentioned in the rules. But in India’s case, from establishing the Data Protection Board to deciding the powers and functions of the board, immense power is provided to the central government. Hence, the central government exercises greater control over the proposed DPB because it will appoint members of the DPB, set out the terms and conditions of appointment, and lay out the functions that the DPB will perform.
Section 18 of the bill, which talks about the exemptions provided, also allows the central government to make critical decisions regarding transferring personal data outside India. Hence, a massive chunk of operative powers in the bill has been given to the central government without imposing any system of checks and balances on the central government.
Clauses 33 and 34 of the 2021 bill provided for data localization and conditional cross-border transfer of data. It offered a three-tiered categorization based on which personal data could be moved across borders. The JPC report also recommended formulating a comprehensive data localization policy. Apart from this, the Srikrishna committee, composed in 2018, also harnessed the need for data localization in India. But this new legislative piece issued by the committee is entirely silent on the issue of data localization. The present regime of India requires at least some guidelines on data localization to balance the need for sovereign interest and business in India.
Vagueness of Language, Vast Surveillance
While the bill is applauded for its simple and lucid language, it is riddled with vagueness. This vagueness can be seen as giving immense power to the central government and the idea of excessive delegation. In many provisions, the phrase “about the objectives of the act as may be prescribed” is mentioned. Usually, these methods and objectives must be prescribed beforehand, but this seems to be missing in the current draft. It puts no bar on the central government’s power and threatens the citizens’ privacy.
Adding to this, the bill also needs to classify personal data. In the previous statement, clause 15 organized certain kinds of personal data as sensitive personal data. It made different rules sharing far more outstanding obligations put on the data fiduciary while sharing the sensitive personal data of an individual, which were explicitly mentioned in clause 34 of the bill. Furthermore, in this new draft, the government has introduced the concept of “deemed consent,” which means that consent can be deemed and need not be explicit in certain situations. But there are still certain reservations and ambiguities about the same. More so, the power to specify fair and reasonable purpose now vests with the central government; hence the new draft is giving more and more control to the central government.
Amendments in the RTI Act, 2019
Clause 30 of the new draft discusses amendments in clause (j) section 8 of the RTI Act. It suggests that this provision should be amended to make it impossible for citizens to receive personal information about a person under this act. The supporters of this amendment say that this aligns with the Puttaswamy judgment of the Supreme Court, which made the right to privacy a fundamental right of the citizens under Article 21 of the constitution as it aims to protect the privacy of individuals. But this amendment can be called excessive in nature and not just, fair and reasonable. The Supreme Court, in the Puttaswamy judgment, held privacy to be a fundamental right enshrined under Article 21 of the constitution but also went on to say that it was not an absolute right, and certain reasonable restrictions could be imposed on the right to privacy for achieving specific legitimate aims like national security. Thereby, collecting an individual’s personal information may sometimes be essential to perform some legitimate objective, but this amendment makes it impossible for us to do so.
In contrast to the preceding PDP Bill, which businesses and start-ups criticized for being compliance-intensive, the DPDP Bill is an effort by the government to create a specific and understandable law on data protection in the nation. However, the DPDP Bill must define critical aspects to streamline the earlier text. For instance, the bill introduced the concept of “deemed consent” in broad and vague terms. However, the recommendation of the JPC, non-personal data is kept outside the bill’s purview. Furthermore, there is no mechanism to ensure the accountability of the central government, which has been given significant powers in the statement. Hence, there is still a need to relook at the bill and address the concerns raised by the stakeholders.
Dalima Pushkarna is a second-year law student at Dr. Ram Manohar Lohiya National Law University, Lucknow.
Suggested citation: Dalima Pushkarna, Digital Personal Data Protection Bill: Way to an Ambiguous Data Protection Regime in India?, JURIST – Student Commentary, December 23, 2022, https://www.jurist.org/commentary/2022/12/dalima-pushkarna-digital-personal-data-protection-bill/.
This article was prepared for publication by Hayley Behal, JURIST Commentary Managing Editor. Please direct any questions or comments to her at firstname.lastname@example.org
Opinions expressed in JURIST Commentary are the sole responsibility of the author and do not necessarily reflect the views of JURIST's editors, staff, donors or the University of Pittsburgh.