“The provisions granting exemption to the government and government bodies from all sections of the law in the draft Digital Personal Data Protection (DPDP) Bill, 2023, cause “great concern,” says Justice (retired) B.N. Srikrishna of the Supreme Court, who had proposed the first draft of the Bill in 2018.
The Union Cabinet on July 5 cleared the Bill that essentially allows laypersons to complain to the Data Protection Board of India, consisting of technical experts constituted by the government, if they have reason to believe that their personal data has been used without their consent, for example, cell phone numbers or Aadhaar details.
Changes unclear
The DPDP Bill also outlines practices for entities that collect personal data, how that data should be stored and processed to ensure there is no breach, as well as rights of the persons whose data is being used. It is not clear what changes, if any, have been made to the DPDP and it will be tabled in the upcoming monsoon session of Parliament scheduled to begin on July 20.
Talking to The Hindu, Justice Srikrishna says the draft causes “great concern” over the provisions that grant exemption to government and its bodies. He said, “The provisions granting exemption to the government and government bodies from all sections of the law in the draft Bill cause great concern.” He added, “The draft gives too much margin to the government and does little to protect individuals’ fundamental right of data privacy.”
In an interview with The Hindu in November 2022, Justice Srikrishna had said, “The Bill is fundamentally flawed as it would permit, and may encourage, the executive to act capriciously and infringe on the fundamental right of privacy of personal data. The so-called regulator will be a puppet of the government and will have no independence.”
‘Independent regulator needed’
He had also said, “The robust and independent regulator like the Data Protection Authority envisaged in the 2018 draft is needed. The Board contemplated under the present Bill will ‘be a captive of the government. The qualifications, tenure, procedure of appointment have all been relegated to delegated legislation. It is worse than the previous Bill. There is complete failure to address the issue if the blanket exemptions are granted. .”
The draft in its current avatar will levy a penalty of ₹500 crore in case of data breaches and courts and enforcement agencies enjoy wide exemptions from key requirements. As the Bill’s requirements do not apply when “personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law” or “the processing of personal data by any court or tribunal or any other body in India is necessary for the performance of any judicial or quasi-judicial function”.