New draft of Data Protection Bill is 'toothless'
To ensure data protection, some persistent gaps need to be closed.

The Union Government has released a new version of the Personal Data Protection Bill, now known as the Digital Personal Data Protection Bill, 2022.

The bill was introduced three months after the Personal Data Protection Bill of 2019. The central government rolled back the Data Security Bill, 2018 citing that it will seek wider consultations to make the bill more comprehensive so that it meets the modern-day challenges and issues pertaining to data security.

The Data Security Bill, 2018, was retracted by the central government with the justification that it will now undergo more extensive discussions in order to make it more comprehensive and address current Data Security difficulties and issues but the recent release of new draft bill makes it apparent that the Central Government has fallen short to fulfil its constitutional obligations to protect the Indian people's right to privacy, as well as to enact the comprehensive law that it had promised.

What are the issues in the bill

1. The new data protection bill, unlike the 2018 Data Security Bill, does not compel data fiduciaries to only gather personal data that is necessary for the purpose of processing. It is disappointing that there is no mention of a data collection cap in the revised draft since this could encourage data fiduciaries to acquire data that is not essential.
    
2. There are no regulations relating to the data fiduciaries revealing information to the data principals about the duration of data storage, recipients of data sharing, etc. Draft bill could have included such provisions to address the individual's concerns for privacy. Such type of provisions is included in various Data Protection laws including the General Data Protection Regulations of the European Union.
    
3. In contrast to the Data Security Measure of 2018, which called for the creation of a Data Protection Authority the new draft proposes the formation of a Data Protection Board of India, the strength and composition of which, as well as the process of selection, will be determined by the Union government.
   
   As with previous version of the bill, this is not in purview with the recommendations from the Sri Krishna Committee, which allowed for judicial oversight in the data protection authority selection process. Thus, there are concerns regarding sufficient amount of Independence of the Data Protection Board.
   
   "The Data Board will become a captive entity of the government and completely lack the independence that is required for a regulator." said B.N Sri Krishna, who was the chairperson of the Sri Krishna committee setup to give recommendations to draft the Data Protection Bill in 2017.
    
4. It is a known truth that the government too collects data, and the bill expressly allows any data collection or processing in the name of the public interest. The government is also a data fiduciary, collecting vast amounts of personal data. In the new draft there are no provisions of judicial approval or parliamentary insights to check the government in case of uninformed and non-consensual data collection.
   
   There are concerns that the government might use such provisions for its vested and political interests. The 2018 bill prohibited state institutions from obtaining uninformed consent from data subjects or processing their data for purposes other than "state security," and it also suggested for a law to provide for parliamentary check and judicial consent for non-consensual access to personal data.
    
5. The offline data collection, processing, and breaches are not covered by the bill. This regulation only applies to data that is digital or that has been converted from an offline format to a digital one. To protect the privacy of offline consumers, it is critical to limit the collection of offline personal data to the greatest extent possible. A consumer's privacy will be jeopardised if offline personal data is not included.
   
   The Bill could have included offline personal data under its purview by clearly defining the types of offline data for different entities that could be collected physically. The absence of offline personal data will have an impact on the privacy rights of a prospective consumer who provides his or her personal data in the offline market. "I think this is a glaring loophole.
   
   Making the Bill only applicable to digital data leaves offline and hard copies of data unaffected. There is no law that requires all personal data to be maintained digitally today, and an entity may choose to keep personal data offline or on hard copies to avoid compliance." B.N Sri Krishna stated in an interview

What can be the way ahead?
In Justice K. S. Puttaswamy (Retd) vs Union of India, a nine-judge bench of the Supreme Court unanimously held in August 2017 that "the people of India have a constitutionally protected fundamental right to privacy that is an fundamental part of right to life and liberty under Article 21". The General Data Protection Regulation focuses on creating a comprehensive data protection law for personal data processing.

The right to privacy is enshrined as a fundamental right in the EU, with the goal of protecting an individual's dignity and control over the data one generates. The government must refer its provisions for a better comprehensive and inclusive law that covers all the aspects of personal data security and safety.

Under the chairmanship of Justice BN Sri Krishna, the Sri Krishna Committee submitted a detailed report and a draft of the Personal Data Protection Bill in 2018, which has been side lined by the government. The Digital Personal Data Protection Bill, 2022 (DPDP Bill, 2022) is now open for public comment, and the government plans to introduce the Bill in Parliament during the 2023 budget session.

Because the current government has a strong majority in both houses of Parliament, the bill is likely to pass without amendments. Given the government's history of rushing bills through without proper consultations and discussions with stakeholders, this draft bill is likely to become a law.

The government is expected to hold extensive consultations as this bill will directly impact an individual's right to privacy, which is a fundamental right following the Puttaswamy judgement.

Written By:
Akash Yogendra Singh, Law student at New Law College, Pune