The Digital Data Protection Bill, 2022 And The Concerns Associated

Need For An Unblemished Law On Data Protection In India

As per the UN, India is set to be the most populated country in the world by 2023. The growing population implies growing interactions with digital devices and the internet, consequently resulting in a humongous amount of generated digital data by the users or the "data principals." This data, which is largely available on the internet, can be effectively accessed and used by the mega-companies or organizations which are referred to as "data fiduciaries" sometimes even without intimidating the data privacy and infringing their Right to Privacy which is a fundamental right under Article 21 of the constitution. These data fiduciaries are generally very strong and have unbridled bargaining powers as they, up to an extent, influence the economy and politics of a country. Such a bill, thus, provides for a proper framework of rights, duties, and recourses for the data principals so that the problem of disproportionate power of the fiduciaries vis-à-vis data principles gets adequately addressed.

India, for long, has struggled to table a nearly flawless and not-so-controversial law on privacy. The present legal framework which primarily governs privacy under the Information Technology Act (IT Act), 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (IT Rules), 2011 nearly fails to keep up with the technological advancements and the growing exigency to have a proper data protection law, especially after the aforementioned 2017 judgement of privacy. Thus, the need to enact an unblemished law on privacy and data protection in India is undisputed.

Deviation Of Latest Bill From The Personal Data Protection Bill, 2019

As opposed to 90 in the previous version, the Digital Data Protection Bill, 2022 has only 30 clauses. It means that a big but crucial fragment of subsequent rulemaking has been delegated, which raises concerns about excessive delegation. The 2022 version of the bill only covers the automated or digital data and not manual data. Also, some provisions of the 2022 bill are deemed imprecise or vague in certain aspects. For instance, the definition and degree of public interest "in public interest" can be subject to misinterpretation. The phrase "as may be prescribed" has been used around 18 times in the bill. The bill indirectly gives excess powers to the Center.

Another and one of the most crucial changes which have been made in this version of the bill for the good is in the matter of cross-border data flow. The present bill allows for the free movement of data across borders or the cross-border flow of data. It allows for the data transfer to countries and territories which would be notified by the Central government. On the other hand, the 2019 version of the bill stipulated a three-tiered categorization of the cross-border flow of sensitive personal data. The government was skeptical of cross-border data flow and had a restrictive view on the same. The data fiduciaries generally oppose such localization of data maintaining that it leads to increased functional and data storage costs.

The peculiar feature which is special to the current bill is the set of duties imposed on the data principals in clause 16. These duties are somewhat not called for. As specified in Schedule 1 of the bill, non-compliance with any of the sub-clause of clause 16, a penalty of ₹10000 may be imposed on the data principal.

The current bill also does not explicitly mention the "right to be forgotten" according to which a data principal can request the data fiduciary to remove their personal data when it stops serving any fruitful purpose, or simply when the personal information is no more needed. Although, the Digital Data Protection Bill, 2022 has subsumed the right to be forgotten under the "right to erasure", wherein a data principal can ask for erasure or correction of their personal data.

The Weakening Of The RTI

The Right to Information or the RTI Act, 2005 is one of the most effective and robust laws in India that ensures transparency. The Digital Data Protection Bill, 2022 proposes to amend the RTI Act. Clause 30(2) of the current bill suggests a potentially dangerous and unwarranted amendment to Section 8.1(j) of the RTI Act. Many RTI activists such as Shailesh Gandhi negate the proposal as an attempt by the Central government to weaken the transparency law of the country. Section 8.1(j) of the RTI Act is one of the exceptions where citizens cannot be provided information under the act. It stipulates that any information which has no relation to the public interest or which causes an unwarranted invasion of the privacy of an individual shall not be disclosed. This provision has been misused by governments to aid those who are corrupt. The amendment clause would state that the Central government is not obliged to public information which relates to personal information. The 2022 bill also seeks to delete the proviso accompanying the aforementioned section of the RTI Act which specifies that individuals will not be denied any information that cannot be denied to the Parliament or a State Legislature.

The Unbriddled Powers Vested With The Center

Leaving a huge chunk of the critical operative part of the bill for subsequent rule-making for the Central government and a few provisions of the bill is evidence of the excess power that has been vested with the Center.

For instance, clause 19 of the bill talks about the Data Protection Board of India. According to the provisions of the bill, the board, which will have the powers equivalent to that of a civil court, would entirely be constructed by the Central government. The strength, functioning, appointment, and removal of its officials shall be "as may be prescribed" by the Central government. Instead, the board should function independently of the government and should be able to adequately implement the fundamental rights of the citizens ensuring justice.

Furthermore, the bill authorizes the Central government to exempt any State body, which it deems fit, to be exempted from it. This authority will not only grossly violate the principles of natural justice but also aid those who are corrupt. Empowering the government to this extent is unacceptable in a democratic country.

To summarise, a full-proof legislation on data protection is the need of the hour in India. But its provisions must be carefully constructed to strike an adequate balance between the protection of individual rights and the interests of the fiduciaries. To ensure transparency, giving excess power to the government should be avoided at its best, which is not the case in the current bill. If a wholesome examination and evaluation of the bill are done prudently, one may conclude that the bill is somewhat problematic and needs to be revisited at its earliest. Public opinion must be considered while framing a law on such crucial matters. As the bill is being criticized on a large scale, it is sincerely hoped that the government considers the genuine concerns of the public and experts and comes up with an adequate and better bill.

Views are personal.