Five years on from the Supreme Court’s Puttaswamy judgment, which recognised the fundamental right to privacy, we have now been presented with the third version of a data protection bill. What started out (way back in 2011) as an attempt to advance digital privacy and dignity has now become alienated from what is supposed to be the very core of a data protection law, i.e. the citizens.
In doing so, the Digital Personal Data Protection Bill, 2022 fails to provide both substantive and procedural justice to India’s “Digital Nagriks”.
The Data Protection Bill, 2022 appears to have completely forgotten, or worse ignored, the Puttaswamy judgment of the Supreme Court. By outlining the conditions under which the State may intervene or infringe upon an individual’s right to privacy, the Supreme Court prescribed certain limitations on the State, which ultimately advanced protection of data and informational privacy. However, the Data Protection Bill, 2022 replicates the wide and vague exemptions provided to the State in its previous iterations, without meeting the standards of suitability, necessity, and proportionality established in the judgment.
While on the one hand, the Data Protection Bill, 2022 doesn’t elaborate on the undefined grounds for exemption such as ‘public order’, on the other, it fails to incorporate the Joint Parliamentary Committee’s suggestion to introduce “just, fair, reasonable, and proportionate procedure” as a safeguard against the exemption clause. The Data Protection Bill, 2022 does not even acknowledge that its provisions will impact the fundamental right to privacy of Indians; the only instance of the word ‘privacy’ appearing in the Data Protection Bill, 2022 is when it quotes a particular provision of the Right to Information (RTI) Act sought to be amended to remove the word ‘privacy’.
In fact, the Data Protection Bill, 2022, which must provide primacy to individual rights, actually undermines them in favour of the interests of data fiduciaries. This is most clearly reflected in Clause 8, or the “deemed consent” clause, where the interests of data fiduciaries in processing data for reasonable and fair purpose may outweigh any adverse effect on the rights of the data principal. Similarly, the wide exemptions provided under Clause 18 leave but a few real categories of information which may actually be controlled by the data principal according to her wishes. A right to erasure exists, under Clause 13, but is subject again to wide exceptions that will realistically leave very few data points that may reasonably be erased at the instruction of a data principal.
Worryingly, the Data Protection Bill, 2022 furthers an idea of tribunalisation that India’s legal journey must move away from. It introduces a Data Protection Board, and then goes on to provide it exclusive jurisdiction over all disputes arising out of the provisions of the Bill. In doing so, it also explicitly excludes the jurisdiction of civil courts. While creating a specialised tribunal to deal with data protection issues is an attractive concept, it ignores two major issues. First, tribunalisation necessarily undermines the stature of the judiciary, by offering more control to the executive branch of government. This is dangerous for the constitutional principle of the separation of powers, and also dangerous in the very real historical context of where the Indian polity finds itself today, with the court system itself being under threat of completely losing its independence to the executive.
Secondly, even though the judiciary is bogged down with pendency, India has not had an encouraging experience with tribunals in reality. Tribunals in India have poor infrastructure, and a poorer working record. For example, the Central Information Commission currently faces an understaffing and pendency crisis so severe that cases filed today do not come up for first hearing for at least two years after their filing, and Commissioners are unable to post any cases for a second hearing, instead opting to hurriedly decide and finish a case, without regard to justice actually being done. For these reasons, Senior Advocate Arvind Datar argued that taking away disputes from courts and vesting them in tribunals has proved to be disastrous to the Indian legal system.
Further, the Data Protection Bill’s move away from restorative justice to retributive justice hangs India’s “Digital Nagriks” out to dry. Section 43A of the Information Technology Act provides damages to affected users in case of a data breach, but will be replaced with a penal provision in Clause 25 of the Bill. Clause 25 contemplates monetary fines, which will only line the government’s treasury, but does not provide any relief to directly affected persons. Awarding damages is important because it centres the user who has suffered the loss of their personal and sensitive data. That this is not a priority of the Data Protection Bill, 2022 is clear from the phrasing of its Objects Clause, which fairly admits in the first sentence that its purpose is the processing of digital personal data, while recognising the right of individuals to protect their personal data, and not, crucially, the other way around.
The Data Protection Bill, 2022 is an unfortunate departure from the ethos of the Puttaswamy judgment, and other advancements made in Indian jurisprudence, which have been instrumental in centring the focus on individual rights in the discourse around privacy. The Data Protection Bill’s failure to categorically acknowledge the natural person as owner of their personal data is in part the reason behind the unnecessary or unreasonable restrictions placed on the exercise of individual rights.
The road to redemption for the Data Protection Bill, 2022 can thus only begin with the State reminding itself who is at the centre of this Bill, and whose right it is the State’s duty to prioritise, promote and protect. In addition to re-centring the substantive focus from corporate fiduciaries back to the individual data principals, the Data Protection Bill, 2022 also needs to re-look at the procedural structures it offers to affected persons. Left in its current form, the Data Protection Bill, 2022 reads more like a Data Fiduciary Protection Bill.
Tanmay Singh is Senior Litigation Counsel and Tejasi Panjiar is Associate Policy Counsel at Internet Freedom Foundation.