New Data Protection Bill is about empowering corporates, not citizens

The Personal Data Protection Bill, in its earlier avatar, was put in the deep freeze after the then US President Donald Trump publicly criticised its data localization clause at the 14th G20 meet in Osaka, Japan, in June 2019. 

After a long wait, the much-needed Bill, in its new version as the Digital Personal Data Protection Bill, 2022, was resurrected and put on public domain, coinciding with the 17th G20 meet in Bali, Indonesia, last week. There is no trace of the original data localisation provision.

IT Minister Ashwini Vaishnaw is now justifying his government’s U-turn on data localisation in the name of facilitating “free flow of information.” Of course, it is a different matter that the government discovered the virtue of “free flow of information” only after the US officials threatened to retaliate by reducing H-1B visas if the Indian government persisted with its data localization precondition.

Climbdown under pressure

The old version of the Bill was opposed not only by Trump. All major global digitech biggies, like Twitter, Facebook (now Meta), and Google, shot off letters individually to the Ministry of Information Technology (MeitY), objecting to data localisation and what they saw as other restrictive provisions, such as giving government agencies access to any data at any time. The concerns of the big corporates have now been addressed but not so much the privacy concerns of citizens.

Also read: A look at draft Digital Personal Data Protection Bill 2022, and what it proposes

Srinivas Kodali, an independent researcher on data security, told The Federal, “This Digital Personal Data Protection Bill, 2022 is not so much about protecting the right to privacy of citizens. Rather, it is meant to protect the data security of corporates and prevent breaches in their databases. The Joint Parliamentary Committee’s report on the earlier version of this Bill came up with several recommendations, including bestowing upon the citizen (dubbed ‘data principal’ in the Bill) the right to withdraw consent to collect, store, and use her/his personal data. 

“The Supreme Court, too, had made some observations on citizen’s right to privacy. This Bill does not incorporate those suggestions, and it is a much-diluted version of even the earlier Bill. It offers lots of loopholes and leeway to the corporates at the expense of citizens’ privacy.”

Empowering citizens

Under the proposed data protection law, can the citizens have the power to erase their personal data from the database of any data fiduciary? At first sight, the answer is yes. But Clause 13 of the Bill has attached a caveat to this power. Clause 13 (2) (d) states that a data fiduciary should erase the personal data of a data principal upon a request from him/her “only if their personal data is no longer necessary for the purpose for which it was processed.” In circumstances other than this, the data principal has no right to prevent the data fiduciary from collecting her/his personal data and using it.

The Bill also tries to deter the citizens by proposing a fine for filing “frivolous” complaints without defining what “frivolous” means.

The penalties on data fiduciaries for the violation of provisions stipulated in the Bill — ranging up to ₹500 crore for every instance of violation —are mind-bogglingly high. But the trick of the trade is that the stiffer the penalties, lower are the chances of enforcing them. 

Can anyone visualise a government imposing a fine of ₹500 crore on an e-commerce major like Amazon because the law book says so? At first, it might seem that the government is mainly targeting big corporate internet intermediaries like Twitter, Meta, and Google, characterising them as “significant data fiduciary,” as more than 98% of Indian firms won’t have that much turnover. Still, as long as stiffer penalties are there in the law book, the chances of some isolated magistrate, a stickler to the law text, overzealously invoking them against some erring small firm will always remain.

Discretionary powers for bureaucrats

The Internet Freedom Foundation (IFF) has pointed out that of the 30 clauses in the Bill, the job of clearly defining or concretely elaborating 18 has been left to the ministerial bureaucrats with the phrase “as may be prescribed.”

While introducing the principle that a citizen should give his/her consent for processing his/her personal data, it violates its spirit in the same breath by introducing the concept of “deemed consent” in certain cases where the government agencies can take the personal data of citizens for granted and use them allegedly in the interest of “public order” and “public interest” without clarifying what these vague expressions stand for.

Also read: Data Protection Bill pulled: what’s behind U-turn, what’s in the offing

In an interview to a newspaper, Vaishnaw has hinted that start-ups and SMEs might be exempted from the provisions of the proposed Act according to provision 18 (3). Of course, under Section 18 (3), the government would have the power to exempt any data fiduciary or any class of data fiduciaries from compliance with the key provisions of the Bill. 

Why this craving on the part of the government to empower itself with discretionary powers without exempting SMEs and start-ups from compliance in the Bill itself? Can it not turn into a power of blackmail and extortion in the hands of unscrupulous officials?

Data Protection Board as proxy outfit

The 2019 version of the Bill proposed a Data Protection Authority as an independent statutory authority as the final arbiter on disputes as well as the institutional power enforcing the Data Protection Act. The 2022 Bill has replaced it with a Data Protection Board, whose members would be appointed by the ministry and work as per the rules framed by the MeitY.

Stiff penalties have been stated, but neither the violations nor who would be liable have been clearly defined. For example, millions of small businesses would be storing their databases in the servers of companies offering cloud computing and data analytics services. If any breach of personal data is stored in them, who would be liable? The small business storing the data or the company offering cloud services or the firm that supplied the data security devices for the cloud company? The Bill doesn’t even visualise such tricky practical questions that are bound to arise and, hence, does not address them.

Let us take the case of an NGO like Pratham collecting personal information of millions of children, including the marks scored in different subjects. Let us assume that an edutech firm like Byju’s buys the data to target its ad messages at poorly performing students or their parents to sell its coaching packages. Under the new law, both Pratham and Byju’s will have to obtain prior consent from the parents of each child separately. Is this a practicable proposition? The Bill would only make all the edutech firms wind up.

Where state responsibility ends

The responsibility of the state in data protection, including personal data protection, does not stop at enacting a data protection law. All companies storing data and those dealing with personal data of consumers will now have to make huge investments within a reasonable time that would be stipulated by the rules framed after this law comes into force. Numerous SMEs and start-ups, too, handle personal data. 

The government should offer not only tax exemption for their investment in data protection but it should arrange for subsidised distribution of data protection technologies to the weakest among them, since they cannot afford to buy them on their own.

Also read: Pegasus rising: Data protection bill could save govt from accountability

More importantly, the government must increase its capacity manifold times to hunt down cyber criminals and hackers who also steal personal data, which is a pathetically neglected area as of now. Individual citizens, too, deserve cheaper — if not free — distribution of anti-malware packages. Hence, tax concessions to companies marketing data protection software would be in public interest. The new Bill does not prompt the government to do any of these.

Anushka Jain, Policy Counsel, IFF, proposed some positive additions to the Bill. She told The Federal, “First and foremost, the Bill should have carried provisions to curb the agencies of the state from turning the state into a surveillance state. Secondly, it should have made the regulatory body independent instead of reducing it to a mere appendage of the ministry. Any data protection law can really empower the citizens only if they do this.”