The new draft bill on digital personal data protection has resurfaced a fortnight after Fortune India's exhortation regarding India's digital policy paralysis. The draft bill though appears to only move from policy paralysis to tokenism as it appears to be a rush job.
The key provision (disallowing data of Indians from being processed outside India) that would have empowered Government of India to implement the Digital Personal Data Protection Act through this bill is missing.
Section 4(2) of the draft bill states - The provisions of this Act shall also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any profiling of, or activity of offering goods or services to data principals within the territory of India.
This clause basically implies that if the data of Indian citizens is processed in another country, India will impose the statutes of this Act within the territories of that other country. This clause is an overambitious pipe-dream that may render the Bill unpractical. Even the EU is in discussion with the U.S. government to come to an agreement to restrain the unbridled access the U.S. has over the data of European citizens that is stored on U.S. soil. Is it practical to expect India can stop countries like the U.S. from accessing data of Indian citizens that are processed in the U.S. just by enacting a law within India?
No state has rights to dictate terms within the boundaries of another sovereign state. According to The Patriot Act of the U.S., the American government has access to both any data held within their borders and all data of companies that operate within the U.S. The United Kingdom also has the Investigatory Powers Act, giving security services in the U.K. permission to use a wide range of tools for surveillance and hacking. And it will not be far-fetched to presume that many more countries will come up with a similar version of The Patriot Act of the U.S. in the near future. Under the circumstances, can India hope to protect the personal data of its citizens being processed within the sovereign jurisdiction of another nation?
This key provision that was present in the preceding draft bill of 2019 has been removed in the present one and thus the latest version of the draft bill on digital personal data protection is a toothless tiger and a rush job.
The draftsmen also shrank the preceding draft bill proposed in 2019 containing 98 Sections and 14 Chapters to 30 Sections and 6 Chapters in the new draft bill. However, in an attempt to be concise the clarity and specificity that is hallmark of a proper legal document has been lost. Many key elements like a data principal’s right to compensation are absent from the new draft bill. There is no clarity on whether the data principal will be compensated or the penalty money collected from an offender will go entirely into the government’s coffers.
The loss of specificity has rendered the draft bill a mere skeleton of an Act that may get passed by the Legislative body and thereafter filled by the executive arms of the government, giving more power to the executive aka bureaucrats to dictate the terms. For instance, the composition, powers, and functions of the data protection Board of India has been left quite vague. Typically, any board with wide adjudicatory powers is chaired by a judge who has served in the Supreme Court or High Courts. The composition also defines the expertise and experience sought from its members so that they can make qualified and educated judgements. However, leaving the composition of the Data Protection Board of India vague puts a question-mark on the intent of the executive body with respect to the appointees of the Board.
The skeletal draft bill seems to be shy of the tenets of administrative law that expects the legislative arm of the government to delegate as little responsibility as possible to the executive arm in matters of framing laws.
Even the penalty this draft bill seeks to impose is ill-defined and tepid as compared to the previous Draft Bill of 2019.