Big Brother has finally donned the cloak of immunity from prosecution by widening the ambit of the good faith principle to itself in the digital personal data protection bill introduced in the Lok Sabha last week. The Centre cannot be dragged to court for any action that may have compromised an individual’s stack of personal data because the legislation sanctifies the argument that it must have acted in good faith. The carapace afforded by the good faith law was initially extended only to the Data Protection Board of India — the entity that will oversee and administer the data protection law — under the provisions of the draft bill that was floated for discussion last December. The new legislation has undergone significant changes and could still raise the hackles of free speech advocates.
In the draft bill of 2022, the Centre and its menagerie of federal investigative agencies had already squirmed out of the clutches of several compliance provisions. The shield against the invasion of privacy rights enshrined in Article 14 of the Constitution crumbles further in the new bill, which was passed by the Lok Sabha after a perfunctory debate on Monday, as it allows the Centre to notify certain data fiduciaries, including start-ups, that will not need to seek prior consent from individuals before processing their data, sharing it with other fiduciaries, or erasing data on request. The use of start-ups with special privileges is being justified on the ground that the Centre may not have the bandwidth to process massive volumes of data and may need to hire the services of these startups — a frightening prospect that could imperil the secrecy and integrity of personal data. The Narendra Modi government has also caved in to pressure from giant global companies and permitted cross-border transfer of personal data. However, it has adopted a blacklist approach. This means that the government will specify geographies where such information cannot be processed. This is in sharp contrast to the European Union, which certifies nations where personal data can be processed based on their ability to create systems that help prevent data leaks. Industry is really pleased that a data breach will not invite criminal prosecution and the dire threat of prison sentences. The maximum monetary penalty has been halved to Rs 2.5 billion from Rs 5 billion in last year’s draft bill. But a new section has been cleverly wormed into the legislation under which all sums collected by way of penalties will be credited to the Centre’s coffers. This buries the notion that the individual is entitled to compensation for any breach of his or her privacy rights.