To say that the provisions of the Digital Personal Data Protection Bill, 2022 are disappointing is an understatement.
Rather than building on the discourse over data protection that has taken place in India since the judgment of the Supreme Court in Justice (Retd) KS Puttaswamy vs Union of India (2017), it reduces the protections for an individual’s data online to a near nullity.
Among the DPDP bill’s main defects: it allows the government vast, unguided powers to exempt itself and its agencies from the law; it leaves vague what kinds of personal data of data principals—persons to whom this data relates—are protected and to what extent; and the duties it imposes on data fiduciaries—agencies which possess, collect and process data—are so minimal and vague that it will hardly make a difference to the way “big tech” operates in India. Perhaps the biggest failing in the Bill is the complete lack of any feasible enforcement mechanism to address violations of the law.
While Clause 19 of the DPDP bill provides for the creation of a Data Protection Board of India, it is shorn of details on what such a Board will look like and what it will do. The board is not created by the law itself but proposed to be created by the government at some later point of time after the DPDP bill becomes law. Its composition is also not provided in the law, neither are the terms and conditions of the persons who will serve on such a board.
There’s a provision for a “chief executive” of the board but the DPDP bill is entirely silent on what the qualifications, powers and responsibilities of the individual who occupies this post will be.
This is an unsatisfactory way of drafting important laws such as this. It would have been one thing had the law set out rights and duties and left the same to be decided by the courts in accordance with civil procedure law and evidence law.
Courts enjoying constitutional status and the existing body of procedural and evidence laws having matured sufficiently, it would have given clarity to data principals on what remedies they have in case of a violation of the law by a data fiduciary.
Instead, the law mandates that the Board will be the sole body responsible for addressing violations of the law by data fiduciaries, and fails to provide clarity on what this board will look like and whether it will be capable of functioning independently and effectively.
The contrast with other legislation that sets up regulatory agencies could not be more striking. Chapter II of the Securities and Exchange Board of India Act, 1992 sets out the composition of the SEBI in great detail, listing how members will be appointed and removed, how meetings will be conducted, and so on. The Competition Act, 2002 does likewise for the Competition Commission of India, as does the Insolvency and Bankruptcy Code, 2016 for the Insolvency and Bankruptcy Board of India.
These are agencies vested with the power to enforce large parts, if not all, of their respective laws, and their composition, powers and functions are listed out in detail. They have a mix of legislative, executive and judicial powers and are well-equipped to exercise all.
Even in the previous iterations of the Personal Data Protection Bill, detailed provisions set out the composition and the functioning of what was called the “Data Protection Authority”.
Chapter X in the 2018 version of the Personal Data Protection Bill and Chapter IX in the 2019 version detailed how the authority would be constituted and function.
The authority itself was far more empowered, having been given the power to make regulations, conduct inquiries, undertake search and seizure operations, and so on, in addition to adjudicating penalties. The DPDP bill retains little or none of these.
Given the centrality of the board to the enforcement of the DPDP bill, it reflects poorly on the law that it makes no effort to give clarity on what this body will look like and how it will be constituted.
There are also constitutional concerns with the manner in which no details are provided in the law itself. The Supreme Court in Puttaswamy clarified that an individual enjoys the right to privacy against both private parties and the government itself.
In that context, a law giving the union government—a potential data fiduciary itself—the power to entirely determine the composition of the board, the terms of service of the members of the board and to remove the members in whatever manner it chooses would not pass constitutional muster. More so, since the board undertakes a largely judicial function of adjudicating upon the complaints made by data principals.
Given that the law takes away the jurisdiction of courts and gives it to the board, the lack of legislative guidelines on how the board will be constituted could fall afoul of the Supreme Court’s judgment in Madras Bar Association v Union of India (2014).
Though the board is not a “tribunal” in name, it is exercising functions that would have been exercised by a civil court, save for the exclusion of the jurisdiction of the civil court in the DPDP bill.
In effect, the Government, a potential party to cases before the board, is given control over the board itself. Though an appeal is provided for from the orders of the board to “the High Court”, the remedy for a data principal, who suffers because of a violation of the DPDP bill, looks illusory.
Absent an independent and effective agency to enforce the mandate of the law, the DPDP bill will end up as just a collection of homilies on paper. One hopes that the union government will address this glaring gap in the DPDP bill ahead of its eventual introduction in parliament.

Bloomberg