Draft data protection bill gives absolute discretion to executive, says NGO

The draft Digital Data Protection Bill, 2022, released by the Ministry of Electronics and Information Technology for public comments fails to take into account the nuanced understanding and approach towards governing personal data, developed during the past half decade, says Pradeep S Mehta, secretary general, CUTS International. It provides absolute discretion to the executive to either protect or neglect personal data protection needs of the citizens, he adds.

The civil society organisation's review of the draft bill points out the bill differs from its previous version, as it skips mention of fundamental right to privacy in its preamble and narrows the scope of the law from data protection to digital personal data protection excluding non-personal data. In doing so, the bill takes away the categorisation of personal data, especially sensitive personal data, thereby painting all personal data with the same regulatory brush, Mehta says. “The bill provides a broad scope and unrestrained powers to the government to prescribe on critical issues at a later date. Such powers, if not carefully and judicially used, can do more harm than good” . 

He also criticised the bill for moving away from the interests of data principals by incorporating provisions like deemed consent for processing of personal data in public interest, defined quite broadly. “In same vein, it weakens the regulatory, supervisory, and enforcement architecture by replacing the previously proposed data protection regulator with a board, directly in control of the government. This seems to be continuing the trend of the draft telecommunication bill which also weakens TRAI and empowers the executive which is difficult to hold to account, when compared with independent regulators,” Mehta points out.

According to him, while the upper limit of financial penalties is significant, the diminutive status of the board does not inspire confidence in carrying out in-depth assessment and imposing proportional penalties on defaulters. The bill also does not provide for the creation of data protection fund to ensure use of such penalties in consumer interest. However, Mehta welcomed the removal of criminal liabilities from the revised draft bill and the changes made in the classification of significant data fiduciaries. 

While he termed the move to allow transfer of personal data outside India as a step forward, Mehta was concerned the bill provides significant unreasonable discretion to the central government to notify trusted countries for such transfer, without necessary principles or procedural safeguards. 

The ministry claims the bill will establish the comprehensive legal framework governing digital personal data protection in India. Stating the bill provides for the processing of digital personal data in a manner that recognises the right of individuals to protect their personal data, societal rights and the need to process personal data for lawful purposes, the ministry has invited feedback from the public on the draft bill till December 17.