The Indian government has approved a draft of the Digital Personal Data Protection Bill, which requires consent before collecting personal data and imposes penalties for data breaches. The bill is expected to be presented in the upcoming session of Parliament. While the contents of the Bill will remain confidential until it is brought in Parliament.
Nearly six years after the Supreme Court held privacy to be a fundamental right, the Centre has made a second attempt at framing legislation for protection of data. The Digital Personal Data Protection Bill, 2022, a draft of which was floated in November, is expected to be tabled in Parliament’s Monsoon Session that begins on July 20.
The Bill is crucial because irrespective of our levels of digital literacy or comfort with digital technologies, digitalisation and data will inevitably and increasingly impact vital aspects of our public and private lives. But, a question is on ,does the draft Bill adequately address the still extant public concerns that led to the unanimous privacy judgment by a nine-judge bench of the Supreme Court almost six years back?
Legal experts says, Surprisingly, there are as yet no standards for either of these tests. Hence, the measures of post-violation complaints and penalties — of the type envisaged in the last draft of the Bill — are not adequate for protection and mitigation. Protection from indirect harms needs to be ex-ante rather than ex-post, and data fiduciaries and data controllers need to have exacting standards for ex-ante privacy protection and purpose limitation.
Secondly, there are certain challenges over this draft bill like, problematic aspect of the draft Bill appears to be its over-dependence on consent. Apart from unreasonably putting the onus on unsuspecting individuals to correctly recognise all privacy risks entailed in complicated digital applications, consent also often presents a false choice.
Denying consent in pervasive applications may unreasonably limit options, cause hardships or put barriers to freedom of expression. Hence, effective data protection requires an accountability-based rather than a consent-based framework which puts the onus on data controllers and fiduciaries, irrespective of the level of consent rather than on individuals.
This is not to say that consent is not required but that one cannot hide behind consent for privacy protection. Also, the current section on “deemed consent” seems to grant dangerous powers to the state or even employers. The clauses of deemed consent under “in public interest” or “for provision of any service or benefit to the Data Principal… by the State or any instrumentality of the State” appears to be unacceptably empowering.
The draft Bill was also completely silent about the standards of anonymisation, encryption and access control. These are not merely technical and operational issues, but crucial considerations for digitalisation and data without which any data protection discourse is woefully incomplete.
In summary, the current draft Bill falls short of expectations in many respects. Most significantly, it bears testimony to a mindset of technocrats and the executive to somehow bypass the objections and concerns .
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.