Data protection bill: Big Brother retains escape hatch
The Centre and its vast menagerie of federal agencies have again squirmed out of the clutches of the proposed personal data protection law.
On Friday, information technology minister Ashwini Vaishnaw announced the release of the draft Digital Personal Data Protection Bill 2022 on Twitter and sought views from stakeholders by December 17.
The big beef that cyber experts have with the new proposed law is that it continues to give the government a free pass to ride roughshod on an individual’s right to data privacy even as it cranks up the maximum penalty on data fiduciaries violating its provisions to as high as Rs 500 crore.
Concerns over the Big Brother syndrome had dogged an earlier version of the bill in 2019, and it was eventually withdrawn in August this year.
At that time, Vaishnaw had promised a new comprehensive law that would consider all the suggestions that had been made, including those in the dissent notes of Opposition legislators who were part of a 30-member joint parliamentary committee that extensively discussed the contentious issues relating to data privacy before submitting a report last December.
But it all came to naught.
The new draft bill states baldly that certain crucial provisions of the legislation -- notably sub-section (6) of section 9 -– “shall not apply in respect of processing by the State or any instrumentality of the State”.
This proviso requires the data fiduciaries – basically providers of any kind of service to an individual – to scrub the data from their servers when no purpose is served in retaining the data or its retention is no longer necessary for legal or business purposes.
But the State and its cohorts are freed from the obligation to scrub the personal data that has been shared with them, which means government entities can store personal data for an indefinite period of time.
“The purpose of this bill is to provide for the processing of digital personal data in a manner that recognises the right of individuals to protect their personal data, the need to process personal data for lawful purposes and for other incidental purposes,” said an explanatory note appended to the draft bill.
Cyber law experts slammed the bill for the manner in which it gave the government unbridled power to retain personal data of an individual for an indefinite period.
“We have on the table a weak and ill-crafted draft that absolutely lacks focus. India had a minimalist data protection law under Section 43A of the Information Technology Act but with some support from more robust Sensitive Personal Data Rules. All of the principles that were built into the Rules stand diluted in this draft,” said N.S. Nappinai, founder of cyber safety initiative Cyber Saathi.
“The exemptions, read with the deemed consent provisions, in effect take away any protections that Indians already have as on date and substantially give the government a free pass. One has to hope that this draft will not wend its way to Parliament,” she added.
Karnika Seth, a cyber law expert, said: “Section 18(4) (exemption to government and its agencies) will need to be reviewed as personal data ought to be retained only for such time till a lawful purpose is served. Any attempt to retain data beyond that cannot be justified. The proposed exemption for the government and its agencies needs to be for a justifiable cause and in accordance with the rule of law.”
Apar Gupta of the Internet Freedom Foundation said: “There is a considerable dilution in the powers of the new regulatory body, the proposed Data Protection Board. It lacks autonomy and independence, and will be created and appointed on conditions ‘as may be prescribed’. Can such a board reasonably enforce compliance from public authorities?”
A range of litmus tests has been set for large repositories of personal data that will be characterised as significant data fiduciaries with understandably higher standards of probity.
One of the deeply troubling yardsticks for the assessment and classification of these entities is the “risk” they pose to electoral democracy.
The bill does not amplify what this means. But in pure semantic terms there seems to be an escalation in the sensitivity of this government to the barrage of social media criticism that it now faces. In the earlier bill of 2019, there was a specific mention of social media intermediaries (which isn’t there this time). The proviso said that their actions would be assessed for “a significant impact on electoral democracy, security of the state, public order or the sovereignty and integrity of India”.
The nuancing has clearly changed: from a diffuse phrase like a “significant impact” this has been upped to a very bald statement of “risk to electoral democracy”. It is hard to tell what prompted the Modi government to articulate such a risk.
Right to nominate
There has been a lot of discussion on the digital footprint that an individual continues to enjoy long past his death – and the problems that this could pose.
The bill provides for the right to nominate an individual who shall exercise the rights of the data principal in the event of death or a medical situation where he cannot “exercise his rights…due to unsoundness of mind or body”.
Another interesting provision is that an individual will be able to demand a summary of all the personal data that a service provider has processed. If an individual is dissatisfied with the response from the data fiduciary or fails to receive a response within seven days, he or she can register a complaint with the data protection board.