Draft Personal Data Protection Bill 2023: A rehash of the older versions
To protect citizens’ right to privacy, a personal data protection law is a must and is long overdue. But no data protection law should become an instrument to blackmail businesses with ridiculously hefty penalties even for inadvertent data breaches. It cannot disrupt business and the world of journalism.
More importantly, it should not become a tool to curb freedom of expression of citizens and strengthen state surveillance. After repeatedly revising three of its earlier versions, the Ministry of Electronics and Information Technology (MeitY) has finally tabled the latest Draft Personal Data Protection Bill 2023 (DPDPB 2023) in the ongoing Monsoon Session of Parliament on August 3, 2023 and this version was put in the public domain the next day.
Speaking to The Federal about this new bill, Prateek Waghre, Policy Director of the Internet Freedom Foundation (IFF) said, “The DPDPB, 2023, like its 2022 predecessor, fails to account for concerns raised by civil society through years of consultations across different iterations of the bill in 2018, 2019 and 2021.”
He added: “The Supreme Court of India in Justice KS Puttaswamy vs Union of India, while stating that informational privacy is an important facet of the right to privacy under the fundamental right to life, emphasised that the Union government should examine and put into place a robust regime for data protection. We believe that the DPDPB, 2023 falls woefully short of such ideals. It fails to address many data protection concerns and instead puts in place a regime to facilitate the data processing activities of state and private actors.”
Let us examine in detail what is different in DPDPB, 2023 compared to DPDPB, 2022.
Making ‘consent’ unconditional
Though the latest 2023 version of the bill is basically a rehash of its 2022 version on substantial points, it does differ from the 2022 version in some key respects. One is on defining ‘consent’ given by the data principal (whose personal data is given) to a data fiduciary, which processes this data.
In point 7 on consent, the 2022 version of the Bill stated: “Consent of the Data Principal means any freely given, specific, informed and unambiguous indication of the Data Principal’s wishes by which the Data Principal, by a clear affirmative action, signifies agreement to the processing of her personal data for the specified purpose.” (Page 7 of the 2022 version)
The new 2023 draft of the bill, in point 6 (1), has changed this by adding an additional proviso, “unconditional”, as follows:
“6. (1) The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.” (Page 5 of the 2023 version)
Actually, the consent given by the data principal is not unconditional. It is conditional upon processing by the data fiduciary only for the purpose for which it has been given and also conditional upon the option that the data principal can withdraw her consent at any time of her choice.
So this added “unconditional” proviso effectively means that the data principal has given a free licence for the use of her personal data by the data fiduciary and would have no control over how her personal data is processed or used. In this sense, the latest version of the Draft Bill dilutes the right of the data principal over her data.
New label for ‘Deemed Consent’
The 2022 version of the bill provided for “Deemed Consent” where the consent of the data principal is taken for granted when processing of her personal data is warranted ostensibly on the grounds of tackling the breakdown of public order, or for purposes related to employment, or for (undefined) public interest. But ‘deemed consent’ is an oxymoron and it is not an informed consent expressly conveyed. This clause faced wide public criticism after the 2022 draft was published in July 2022.
Now, to blunt the criticism, the new 2023 version of the bill also provides for taking consent of the data principal for granted for “certain legitimate uses” without contacting the data principal and taking her express approval for processing her personal data.
In Chapter II on Obligations of Data Fiduciary, Point 4(1) states:
“A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose —
a.) for which the Data Principal has given her consent; or
b.) For certain legitimate uses.”
This either-or contrast is problematic. While defining “certain legitimate uses”, the state or its agencies can presume “consent” to process personal data of citizens in the name of use in the interest of sovereignty and integrity of India or security of the state. Such a blanket permission to track the personal data of any citizen by any state agency without any specific charge or complaint against the citizen would only strengthen the surveillance state. Citizens would have no “Right to be Forgotten”.
The 2023 version of the bill nominally acknowledges the right of a data principal to withdraw her personal data from processing by any data fiduciary. Simultaneously, it also subverts this right. The DPDPB 2023 excludes from its purview any personal data made publicly available by a citizen to comply with law. This means the person cannot withdraw that personal data at a later stage if she wants.
The DPDPB 2022 had exempted government agencies from the purview of the bill. DPDPB 2023 goes one step further and also exempts the data collected by the government agencies from the ambit of this law. This means a citizen cannot invoke this law to demand to know what personal data relating to her has been collected and would have no right to withdraw that data from processing.
Law overriding law itself?
In the DPDPB 2023 text, the expression “as may be prescribed” finds mention 28 times. Instead of mentioning the specific contexts in which the law would be applicable in the annexure of the law text itself, the bill leaves the job to rules to be formulated in future. This would amount to rules framed by the bureaucrats from the executive prevailing over the law passed by Parliament.
Govt succumbs on data localisation
Above all, the DPDPB 2022 had totally banned transfer of personal data of Indians abroad, especially for processing by data fiduciaries from abroad. But the DPDPB 2023 empowers the government to allow personal data transfer abroad selectively to some countries as decided by the government. This is perhaps the most significant change in DPDPB 2023 from DPDPB 2022.
Actually, after the publication of the DPDPB 2022, there was sustained pressure from the USA and EU and global high-tech majors against its provision for data localisation. The Modi government has obviously succumbed to this pressure. That seems to be the only raison d’etre for a new version of the bill, the DPDPB 2022. Since it is politically sensitive, it has been delayed by a year to cover up this surrender.
Retaining restrictions on Right to Expression
In the elaborate pre-legislative consultation and discussion process, the foremost concern expressed by rights activists, the civil society and even by some political parties was that the bill, if it becomes the law with the same provisions, could become a device to restrict the right to expression.
For instance, the earlier versions of the bill enabled the government to exempt not only any of its agencies but even any private entity from the ambit of the law through a mere executive notification. In other words, the government seeks to pass a law only to exempt itself from its purview.
The government is the biggest data fiduciary in the country as it controls the personal data of citizens starting from Aadhaar data to census data including the elaborate Socio-Economic and Caste Census data, ration card data to educational data and so on. Citizens would have no right to privacy — upheld as a fundamental right by the Puttaswamy judgement of the Supreme Court — if no law can check the government bureaucrats from misusing the personal data of citizens by sharing it with vested interests. The latest version of the bill tabled in the Lok Sabha also retains the same controversial provision despite the loud opposition to it in the earlier versions by the critics.
Curbs on Right to Information Act
The latest version of the Personal Data Protection Bill 2023 also retains another controversial provision proposing an amendment to the provision 8(1)(j) of the RTI Act to expand its ambit and cover all personal data under its purview. Presently, the provision 8(1)(j) of the RTI Act restricts revealing of certain types of personal data which have no bearing upon any public interest.
But the RTI Act empowers the citizens to get personal data on, say, willful defaulters in non-performing assets in the bank, on the personal data of well-to-do people who have stealthily included their names in BPL list to enjoy subsidised PDS foodgrains or to grab other welfare benefits provided by the government to the BPL beneficiaries so that they could scrutinise the list of beneficiaries and seek their removal. Now it might not be possible as the bill proposes exemption of all data which relate to personal information from the purview of the RTI Act.
A rubber stamp board
The oversight and appellate body governing the enforcement of the Personal Data Protection Act envisaged in the bill is the proposed Data Protection Board. Activists have demanded that the chairperson of the board should be appointed by the CJI and not by the MeitY ministry bureaucrats. There is nothing in the latest version of the tabled bill to make it autonomous. A bureaucrat appointed by the ministry would have the final say on who would go scot free for violating the Data Protection Act and who could be penalised as per his/her discretion. There are no governing norms for this board.
Disrupting businesses, news media and streaming services
The bill imposes onerous responsibilities on data fiduciaries, i.e., those who process personal data. Not only owners of social media sites and online e-commerce majors, but even publishing houses and news streaming services, which maintain personal data of subscribers, readers or buyers, fall under the ambit of this law.
The board, for instance, can levy a hefty penalty of up to Rs 250 crore on the columnists, reporters, editors and publishers of a newspaper or news streaming agency or a company owning a social media channel if the reportage had allegedly breached the personal data of any individual.
Investigative journalism is an established part of journalism now, and it, as well as many routine news stories, would have to deal with personal data of individuals. Any vested interest can raise an objection with the proposed Data Protection Board and it can levy a ridiculous fine of up to Rs 250 crore for such personal “data breaches”. The bill doesn’t make a distinction between inadvertent breaches and willful and conscious misuse of data for commercial considerations.
In other words, this law can be misused by bureaucrats loyal to the government to shut down any news/journalistic outlet or any social media channel. An independent media is the foundation of democracy. Despite its share of excesses, the social media too remains a vibrant arena of public opinion and public debate and discussion. The bill sounds the death knell for the independent media and the social media in the country.
The bill offers no deterrent against monopolization by a few big corporate houses — Indian and foreign — over a humongous quantity of data of Indians, as only a handful of them have set up most of the data centres and control the data.
There were at least three earlier versions of the bill and nearly 100 changes have already been made but the latest version of the bill retains all the controversial and draconian provisions. It makes a mockery of the pre-legislative consultation process.