Draft digital personal data protection bill: Govt exemptions ‘vague’, little regulator independence, say experts

In the Bill itself, there are no specified safeguards around such an exemption, as has been prescribed in at least two earlier iterations of the Bill, experts said. After a Joint Committee of Parliament (JCP) had deliberated upon the now shelved 2019 version of the previous Bill, it had recommended that the government be exempted only under a “just, fair, reasonable and proportionate procedure”. However, the mention of such safeguards are missing in the latest version.

“Not only has the new Bill omitted the JCP recommendation of adding just, fair, reasonable and proportionate procedure, it has also removed the check given under the 2019 bill where they had to give reasons explaining why such exemption was granted,” said Kazim Rizvi, founding director of the Delhi-based policy think-tank Dialogue. “There is a need to narrow the scope of the provision of such exemptions by listing out specific instances or purposes to reduce the potential for misuse of such exemptions.”

The exemptions to the government, argued the digital rights group Internet Freedom Foundation (IFF), are “excessively vague and broad”. “If the law is not applied to government instrumentalities, data collection and processing in the absence of any data protection standards could result in mass surveillance,” IFF said.

The exemption also may not qualify the provision with the test of ‘necessity’ and ‘proportionality’ as laid down in the landmark right to privacy judgment of 2017, which “explicitly mandates ‘necessary and proportional’ standard as was envisaged in the Justice BN Srikrishna’s report and the Personal Data Protection Bill, 2018,” Rizvi said.

Concerns have also been raised around the independence of the proposed ‘Data Protection Board’ which is expected to act as the enforcer of the provisions of the revamped Bill. As per the draft law, the appointment of the chairperson and members of the board is completely left to the discretion of the central government.

“While the Data Protection Authority was earlier envisaged to be a statutory authority (under the 2019 Bill), the Data Protection Board is now a central government set up board. The government continues to have a say in the composition of the board, terms of service, etc.,” said Nehaa Chaudhari, partner at the Delhi-based Ikigai Law.

Notably, under the 2019 version of the Bill, the Data Protection Authority was empowered to frame regulations around data protection while the government was allowed to formulate rules. However, in the latest version, the Data Protection Board’s powers to make regulations has been done away with, Chaudhari said.

This seeming lack of independence of the Board, Rizvi said, could possibly prove to be detrimental when the Data Protection Board — to be appointed by the Centre — has to adjudicate on matters related to the government itself.

“The lack of information on the composition and aspects of the Data Protection Board is concerning, in addition to the central government constituting the same. Also, purely executive-driven appointments will bring into question the ability of such a board to perform as an independent arbitrator in cases involving the government,” said Rizvi.

The government has invited comments to the Bill until December 17.

However, in a seeming lack of transparency, the government has said that stakeholders’ comments submitted to the Bill will not be made public “to enable persons submitting feedback to provide the same freely”.