The Digital Personal Data Protection Bill
by Maitreyi

The Union Government has recently stated that a draft of the Data protection Bill would be tabled in the monsoon session of Parliament.

Our personal data has become a commodity, used by businesses worldwide to shape our behaviour and, on the other hand, for the government, the same data is used a tool to expand its control and regulation over citizens. A proposed bill on Data protection would be required to act against such possibilities. That, however, is not the case.
In August, 2017 a nine-judge bench of the Supreme Court, in Justice K.S. Puttaswamy vs Union of India, unanimously affirmed that the right to privacy is a fundamental right under the Indian Constitution. Earlier in 2017, the Union Government had constituted a Committee under the Chairmanship of Justice B.N. Srikrishna to study issues relating to data protection and to suggest a draft data protection bill. The Committee gave its Report in 2018 along with a Draft Bill. Thereafter, a Bill with the stated objection for protection of data was first introduced in 2019 and referred to a Joint Parliamentary Committee. After much criticism, the bill was withdrawn in August, 2022, and in November, 2022, the Digital Personal Data Protection Bill 2022 was introduced.

As of now, the most recent draft of the Bill approved by the Union remains undisclosed, leaving us to base our analysis on the contents of the November 2022 version. The provisions of this Bill suggest that the intent of the Bill is not on data and privacy protection. Instead, it serves as a means to grant a seal of approval for the perpetuation of a surveillance state, and become a mechanism to control citizens rather than protect data.

Perpetuation of a surveillance state and the commodification of data through Exemptions

Section 18(2) of the Bill grants overarching powers to the Union Government to exempt any instrumentality of state from the application of the provisions of the Bill for vague and over broad reasons that include “sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these”.

Section 18(4), exempts instrumentalities of state from the requirement of erasing personal data after its purpose has been fulfilled. Section 8(9) empowers the Union government to establish "fair and reasonable" reasons for which personal data can be used without explicit consent, and consent is deemed. This gives the government undue and overreaching influence, which they can use to their advantage, putting citizens' personal data in the government's hands without their permission.

These provisions permits the government to collect data about citizens, retain such data and create profiles for surveillance, essentially, without any restriction. Under these circumstances, the ’Right to Privacy’ confirmed by the Supreme Court in 2017 loses all meaning and the law essentially legitimizes the establishment of a surveillance state.

In regard to private entities, Section 18(3) empowers the Union Government to exempt private entities, “having regard to the volume and nature of personal data processed” from various provisions of the law - including the duty to issue a notice before collecting data, the duty to not to retain data after the purpose for which it was collected is completed and the duty to provide information as to the purposes and uses of the collected data. Without clear guidelines in regard to the basis for such exemptions, one can only imagine the manner in which Big Tech would weaponize these provisions of the law

Erasing Consent in the name of “Deemed Consent”

The Bill mandates that personal data may be processed for the lawful purpose for which an individual has given explicit consent. However, Section 8 introduces situations where consent is "deemed" to have been given – meaning that consent is presumed even if it has not been expressly provided in reality.

Consent is ‘deemed’ to have been given when such use is considered to be in ‘Public Interest’. And, what are the grounds for considering something to be of ‘Public interest’?

Among others - Prevention and detection of fraud; mergers & acquisitions; network and information security; Credit Scores; operation of search engines for processing of publicly available personal data; processing of publicly available personal data; and recovery of debt. The indicative list itself shows the overbroad use of the term public interest – in what way, for instance, can recovery of debt and credit scoring, which requires the collection of private and sensitive financial data for private purposes even be understood as public interest and be provided to others without the explicit permission of the individual in each and every such query.

Similarly, Section 8 provides for deemed consent for the purposes of employment, which has to be viewed as a further intensification of the “dictatorship of the private employer”. The 2019 Bill treated employment as a basis for processing only non-sensitive personal data - sensitive details like sexual orientation, sex life, transgender status, caste, religious affiliation etc. were covered under ‘sensitive personal data’.

A weak enforcement system

The Bill requires the Union Government to set up the Data Protection Board of India responsible for addressing non-compliances, imposing penalties and directing remedial actions in cases of data breach.

Two key distinctions between the 2018 Draft proposed by the Justice Srikrishna Committee and the 2022 Bill highlight concerns about the weakened nature and independence of the Board.

Under the 2018 bill the Selection Committee of the Board included the Chief Justice of India or a Supreme Court Judge - Such judicial presence has been omitted in the 2022 Bill and the selection process of the Board is now to be determined by the Government.

Secondly, the 2018 Bill explicitly safeguarded the salaries and allowances of the chairperson and members of the DPAI throughout their tenure, ensuring financial security that would support the independence of the institution. However, the 2022 bill lacks such guarantees, leaving the matter of financial security at the discretion of the Union Government. It would be important to recall a similar change made in the RTI (Amendment) Act, 2019.

These provisions raise crucial concerns about the independence of the Board, that is tasked with the responsibility of penalizing and acting upon non-compliances of the law.

Add to this, the penalty introduced in the Bill of Rs. 10,000/- for registering a “false or frivolous grievance” - this would deter the free exercise of rights for the fear of facing penalties.

Sacrificing Privacy for Global Business and State Surveillance

In the 2017 Right to Privacy judgment, Justice Chandrachud writes “Dignity cannot exist without privacy. Both reside within the inalienable values of life, liberty and freedom which the Constitution has recognized. Privacy is the ultimate expression of the sanctity of the individual. It is a constitutional value which straddles across the spectrum of fundamental rights and protects for the individual a zone of choice and self-determination.”

The Prime Minister, Narendra Modi, while speaking about the Bill only said that it would improve the country’s global standing - He chose to not speak of the people’s right to privacy that was to be the focus of the Bill.

This is only reflective of what the 2022 Bill has to offer. In the name of data protection, it effectively sanctions state surveillance and allows for personnel data to be commodified and used by business. The Bill takes us down a dangerous road of sanctioning the violation of the right to privacy and grants excessive power to the State, rendering the right to privacy meaningless, encroaching upon the very essence of life, liberty and freedom itself.

The Digital Personal Data Protection Bill