[ad_1]
Mumbai: From setting up a committee in 2017 to subsequently going through countless drafts and consultations, the Ministry of Electronics and Information Technology (MeitY) on Friday 18 November released its fourth version of the Digital Personal Data Protection (DPDP) Bill 2022 .The 24-page draft, open for public comment until Dec. 17, is a significantly watered-down version of those proposed in 2018 and 2019.
The draft law includes 22 clauses, compared to more than 90 clauses in earlier versions, and imposes heavy penalties for data breaches and non-compliance with the law. But it also contains several exemptions and new clauses that legal experts say hand a “vague,” “unmanageable power” to the government that could be used against the very citizens the bill is supposed to protect.
The Union government, in an explanatory note released to the draft law, claimed that it was prepared “plain and simple language so that even a person with a rudimentary understanding of the law can understand its provisions”. However, India’s digital freedoms organisation, the Internet Freedom Foundation (IFF), said it left the draft law “devoid of first principles in several places”.
The objections do not end there. In a detailed note, the organization raised a number of concerns.
Clause 18, as proposed in the new DPDP Bill 2022, IFF said, replicates the clauses mentioned in the 2021 version. “Specifically, Clause 18(2)(a) of the DPDP Bill 2022. “, the IFF statement said, “replicates Clause 35 of the Data Protection Bill, 2021 and allows the Union Government to exempt any ‘instrumental act’ of the State from the application of the DPDPB, 2022 in the interest of ‘sovereignty and the integrity of India, the security of the State, friendly relations with foreign States, the maintenance of public order or the prevention of incitement to any established offense connected with any of them’.
“This,” the IFF pointed out, “would give notified government authorities immunity from law enforcement, which could lead to massive violations of citizens’ privacy.”
The organization also highlighted the vague wording used in several parts of the draft law, which it says leaves it open to misinterpretation and abuse. Once government instruments are left outside the legal purview, “the collection and processing of data in the absence of any data protection standards could lead to mass surveillance,” the IFF warned.
Civil rights activist Mishi Choudhary calls the Data Protection Board, as defined in the 2022 bill, “toothless.” Choudhary says this is because “most of the power is given to the executive to prescribe through rules”.
Under Clause 19, how to constitute this board is left to the discretion of the Union Government. The selection process and composition of the board, its terms and conditions of appointment and service, and the removal of its chairman and other members are prescribed by the Union government, making them the sole decision-making agency.
According to the draft law, the board will monitor compliance with the law not only by the private sector, but also by government agencies. Experts pointed out that when the government itself directly controls the functioning of the board, its autonomy is compromised.
Although the bill proposes heavy penalties of over Rs. 5 crore, there is no provision for compensation, Choudhary points out. Prasanna S., a Delhi-based lawyer who worked on the Aadhar case and advocated for a strong privacy law in the country, echoed Choudhary’s concerns.
“In the event of a data breach, the victim, under the proposed law, cannot seek monetary compensation in any form,” he said.
And worst of all, the bill includes “data principal obligations”. This, Prasanna says, is unheard of and does not exist anywhere else in any data privacy law.
“Think about a situation where you walk into a store and they ask for personal information like your name and phone number,” he told Prasanna. “In all likelihood, one would want to avoid confrontation and just give a bit of false information and forget about it.” This, under the new bill, can be held against the data principal.
Clause 16 (3) states: “The data provider shall not under any circumstances, including while applying for a document, service, unique identifier, proof of identity or proof of address, provide false data or conceal any material information or impersonates another person. ”
Prasanna points out that this issue, when brought before the board, could result in a person being fined for false information. And failure to comply with Clause 16 of the proposed bill could attract a penalty of up to Rs 10,000 on the data principal.
The Data Protection Act has been in the works since 2017. At the time the Supreme Court delivered the landmark Puttaswamy judgment, the government was obliged to come up with a law to protect the rights of its citizens. In the Puttaswamy judgment, the court held that privacy is a fundamental right of Indian citizens.
The government then responded by setting up a committee headed by retired Supreme Court judge BN Srikrishna. This committee came out with a white paper and the first draft of the Data Protection Bill, 2018. Another version was subsequently introduced in 2019 and referred to a Joint Parliamentary Committee (JPC).
In December last year, after several extensions, the JPC tabled both a report on the 2019 Bill and a new draft of the Data Protection Bill 2021. Suddenly, in August this year, MeitY decided to withdraw the 2021 Bill. , claiming that the JPC recommended 81 amendments to it.
Prasanna says each of these drafts has a particular approach. In 2017, the government set up the commission only to appease the Supreme Court, he says. “The 2018 bill was all about protecting business interests. In 2019, the new bill shifted from business interests to protecting state interests. And the latter is all about protecting the government and that data principals stay within boundaries,” he concludes.
Along with the drawbacks, however, the IFF also pointed to a few positives. A significant problem with previous iterations of the bill, IFF said, was that they did not require trustees to notify data principals in the event of a breach. “This way, users whose data has been breached would not even know that their data has been compromised,” the IFF said in a statement.
But clause 9(3) of the DPDPB, 2022 obliges trustees to notify the board and data principals when there is a breach, regardless of its nature.
“Another positive side of the bill is that significant obstacles have been imposed on the processing of children’s personal data,” IFF states. Clause 10(3) of the new draft prohibits tracking or behavioral monitoring of children or targeted advertising aimed at children. This provision, says the IFF, is welcome, “but the Union Government is permitted to exempt data fiduciaries from both requirements.”
Another important point the IFF made in the memo, which its executive director and advocate Apar Gupta reiterated in his media interviews soon after the bill was released, was the mention of the phrase “as may be prescribed.” The phrase appears in the draft a total of 18 times.
“This is emblematic of the vague and uncontrolled powers that the Union government has reserved for itself to frame rules at a later stage in the absence of legislative guidance,” the IFF noted.
[ad_2]
Source link