Apar Gupta writes: Digital Data Protection Bill uses brevity and vagueness to empower government, undermine privacy

This can be noticed in Clause 18, which contains exemptions from the data protection rights contained within the Digital Data Protection Bill, 2022. Under it, the central government can exempt any government authority from its application by a mere notification stating it satisfies grounds matching the language of Article 19(2) of the Constitution. This is a lower standard than the one prescribed under the privacy judgment. Further, the government can now even exempt private sector entities that may include individual companies or a class of them, by assessing the volume and nature of personal data. Clause 18(4) further exempts any state authority from deletion of data after use, which in effect will permit them to store personal data indefinitely in contravention of the principle of purpose limitation. This is a concerning expansion of state power that tilts the law against the interests of individual privacy.

Second, the concentration of power in the executive branch becomes clearer as the Digital Data Protection Bill, 2022 omits legislative guidance that is a vital part of any law to ensure that executive power is exercised reasonably. Within the 30 clauses, the phrase, “as may be prescribed” is contained in 18 instances. For instance, the compliance and regulatory enforcement to be conducted by a Data Protection Board of India will lack autonomy in appointment or functioning. As per Clause 19(2), the strength and composition, the process of selection and removal of the Chairperson and other members are all, “as may be prescribed”. Further, under Clause 19(3), the Chief Executive who will manage this Data Protection Board will be appointed and the terms and conditions as well will be determined by the central government. Hence, the Ministry of Electronics and IT will have direct oversight over the Data Protection Board of India. It is reasonable to ask at this juncture: Will any such board be able to exercise any oversight and issue fines on any government authority? Such lack of detail is only one among many. Vagueness animates several proposed clauses that create vast regulatory power for the central government. They will determine significant policy choices that are usually first prescribed, but presently absent in legislative guidance. It has been India’s constitutional experience that such unhappy drafting often manifests in the arbitrary exercise of executive power.

Finally, the section on user rights is not only underdeveloped but even now contains penalties for users, who are essentially the beneficiaries of a data protection law. For instance, Clause 6 which requires user consent before data collection, unlike the previous version now no longer requires a notice of with which third parties the data will be shared, the duration for storage and whether it will be transferred to other countries. One of the most curious provisions is Clause 16 which places a duty on users to, “furnish such information as is verifiably authentic”, or face a potential penalty for a fine. When you bundle this with the requirements for authentication that are proposed for users in the Telecommunications Bill, 2022, it can mean the death of online anonymity and pseudonymous identities with the creation of a vast surveillance apparatus. Essentially, each online service is KYC verified or a user faces penalties and denial of service. Hence, any commendation to the Central Government for the deletion of an earlier requirement in the verification for social media is only half made out. To conclude, the simplicity of the drafting choices of the Digital Data Protection Bill, 2022 comes at the price of individual privacy.

The writer is co-founder and executive director, Internet Freedom Foundation