India’s Data Protection Law: Flawed, But Necessary
Data protection laws can serve multiple purposes. One is pure consumer protection – how to ensure that the person who uses digital services has recourse when their data is misused or lost thanks to negligence or malfeasance. Another is the protection of an individual’s privacy – how to ensure that information about an individual, irrespective of whether it is collected as part of a service availed or not, is collected and used with their consent. A third is asserting sovereignty over data and preventing citizens’ data from being exploited or accessed by foreign governments and entities. A fourth, more recent concern might perhaps be to promote competition and prevent ‘big-tech’ from monopolising large parts of the internet because of their advantage in users’ data. Fifth and finally, there’s the need to push back against the growing power of ‘big-tech’, which today controls more and more of the lives of people on the internet through content and services.
Two years in the making, the report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019, has finally been tabled in the Houses of Parliament. The Report goes into some detail about the purposes of the draft law and seems to begin with a proper acknowledgement of the importance of data in the modern digital economy. It has tried to understand the link between data protection and privacy, especially given that this exercise took off in right earnestness following the judgment of the Supreme Court of India in Justice (Retd) K Puttaswamy v Union of India in 2017.
Drafts, And Redrafts
In assessing its merits, it must be kept in mind that the draft bill proposed in the report is the third version of a data protection law. The first draft was proposed by the BN Srikrishna Committee in 2018, following which the union government introduced its draft in Parliament in 2019. The significant differences between the draft prepared by the BN Srikrishna Committee and the union government are explained here. The 2019 Bill made significant changes to the 2018 Bill, causing Justice BN Srikrishna to call it “Orwellian”.
However, the JPC’s 2021 version of the Bill does little to address most of the criticisms levelled against the 2019 Bill.
Among the many changes proposed by the JPC’s version in the 2021 Bill, a key one is the name of the Bill itself - it will be just The Data Protection Bill with the proposed Data Protection Authority having the jurisdiction over the regulation of both personal and non-personal data. This is not to say that all the rules which apply to personal data will also apply to non-personal data or that the distinction between the two will be erased but that given the subject matter of the legislation, it makes sense to have both aspects dealt with by the same agency.
While the 2021 Bill still retains the primary focus which is personal data, it does try to accommodate non-personal data as well. While there may be legal categories of what is ‘personal’ and ‘non-personal’ data, the reality is that drawing a hard boundary between the two is next to impossible if the purpose is protecting an individual’s privacy. To that extent, this is perhaps a reasonable move. However, some of the other recommendations are worrisome.
Justice Srikrishna’s criticism of the 2019 Bill, that it seems to be “loaded in favour of the government” could equally well apply to the 2021 version, if not even more so. Three instances from the 2021 Bill show how.
The most obvious instance of the Bill favouring the government is found in Clause 35, which allows the government to exempt any agency from the application of the entire law in the interests of “sovereignty and integrity of India, security of the state, friendly relations with foreign countries and public order”. This clause is a vast expansion from the somewhat limited powers given by the 2018 Bill to the union government to exempt certain agencies from the rigours of the law. The 2019 Bill included this clause and it has only been reinforced by the 2021 Bill.
Similarly, where the 2018 and 2019 versions of the Bill provided that the heads of departments of the government bodies which commit offences under the law will be held liable, the 2021 Bill dilutes that by first mandating an “in-house enquiry” to determine who is responsible for the breach or an offence under the law. This relaxation essentially absolves the government from taking any preventive measures to protect the personal data it collects, as any scapegoat can be found after the fact of a data breach or data violation.
We see expanded government control even in the manner in which the chairperson and members of the Data Protection Authority are appointed. The appointment committee has been expanded to include a director from one of the IITs and one from the IIMs, along with a subject matter expert nominated by the union government and, somewhat incongruously, the Attorney General for India. Whereas the 2018 Bill involved the Chief Justice of India, the 2019 version of the Bill and the 2021 Bill keep the appointment of the head of the DPA firmly within the hands of the government.
In the name of including subject matter experts, the JPC only increases the number of government appointees on the DPA appointment committee.
These instances show a disquieting tendency of the JPC being ‘more executive minded than the executive’. No doubt data protection laws are not designed to check government surveillance, but the 2021 Bill renders the citizen even more remedy-less when the government ignores their privacy concerns.
That said, the experience of the last few years has shown that big-tech poses just as much, if not more of a threat to the rights of individuals as governments. While it is disappointing that the 2021 Bill gives so much of a free pass to the government, that does not mean that attempts to regulate the power of big-tech companies are necessarily futile or unworthy. While the digital economy offers much potential for promoting innovation and creating employment in the country, the dangers posed by unregulated big tech companies are real and could nullify such benefits.
In setting norms about how data will be collected, stored and processed by data fiduciaries, and by creating an empowered regulator to respond to the needs of the data principals, all the three versions of India’s data protection law attempt to rein in the worst practices of big-tech in India. Much more remains to be done and once the law is passed, the baton will be handed over to the DPA and the quasi-judicial bodies set up under the law to use their powers effectively. As a developing country with a history of democratic government and a semblance of rule of law, India’s experience in reining in big-tech will be closely watched worldwide.
If one has to sum up the position on data protection since the Puttaswamy judgement, one might quote Winston Churchill’s famous description of the Battle of El Alamein – “Now this is not the end, it is not even the beginning of the end. But it is, perhaps, the end of the beginning.”
Alok Prasanna Kumar is co-founder and Team Lead, Vidhi Centre for Legal Policy, Karnataka. Vidhi Centre for Legal Policy assisted the BN Srikrishna Committee with research inputs in the preparation of the report and the Bill though I was personally not part of the team working on the same. All views expressed herein are individual and should not be attributed to Vidhi.
The views expressed here are those of the author and do not necessarily represent the views of BloombergQuint or its editorial team.