Retired Supreme Court judge BN Srikrishna, who led the committee that drafted the Personal Data Protection Bill in July 2018, said that the draft of the new Digital Protection Data Bill (DPDB) contains provisions that give the government too much power in terms of exemptions from the bill’s provisions.
“The government can exempt entire provisions of the Act in respect to any government department, company and so on. That cannot be done. If you do that, then you are virtually giving by one hand and taking away by other,” Srikrishna told Moneycontrol.
Srikrishna said that the exemptions granted to the government by the bill were “much worse” than in the PDP bill.
“At least the previous one had provisions that if one had to access the data of an individual, they (the government) would have had to do it in a fair and reasonable manner. This bill does not even have those restrictions,” he said.
The Indian government released the DPDB bill for consultation last week, months after withdrawing the Personal Data Protection Bill 2019, which had been under consideration for years.
The government had then reasoned that the PDP Bill 2019 had provisions that went beyond the ambit of data protection (such as data localisation), making compliance difficult for start-ups.
Earlier, when the bill was withdrawn, Srikrishna urged the government to prioritise citizens during the drafting of the new bill. However, the latest version of the bill has been met with criticism from lawyers and activists.
Data Protection Board
Srikrishna also pointed out that the Data Protection Board of India, which will be responsible for ensuring DPDB compliance, has provisions that will make it difficult for it to be independent of the government.
“Who should be a member of the Board? What will be its qualification? There is nothing on that front in the bill. The government can very well back up the board with its own officers, and the board will not be independent,” he said.
He highlighted the independence of regulators such as the Securities and Exchange Board of India (Sebi) and the Reserve Bank of India (RBI).
“The Board should have independent members, experts in the field such as academicians, maybe practitioners, even people from abroad. It can be headed by an independent person like a retired judge,” he opined.
What about offline data
Another point of concern highlighted by Srikrishna was the law’s applicability to offline data.
“This bill is made applicable to only digital data. What if I have offline data? Will the bill not apply? This is a loophole,” he said adding that a company can exploit this rule by collecting personal data offline.
On the global stage
The retired judge also said that if the bill becomes law, it may not be viewed favourably in the international community.
“If you have such wide exemptions given to government agencies, Europeans may say tomorrow that data that may get transferred to India is not protected at all.”
“In this current bill, it is laid down that they will have a whitelist of countries to which data can be transferred to; but the question is will India be on the whitelist of these countries?” he added. Moneycontrol