Privacy has always been a nebulous concept. Ever since a nine-member bench of the Supreme Court handed down the Puttaswamy verdict in 2017, the Narendra Modi government and the privacy advocates have been at loggerheads to determine how wide and deep the privacy moat should be. The latest draft legislation — styled as the digital personal data protection bill, 2022 — has, once again, set the privacy dovecotes aflutter. For a start, the proposed bill limits itself to the processing of digital personal data. This is a narrow ambit and amounts to a virtual rejection of the recommendation of the joint parliamentary committee report submitted in December last year which had suggested that the legislation should cover both personal and non-personal data because it is impossible to differentiate between the two. The JPC had deep reservations about the effectiveness of data anonymisation, which, apparently, precludes re-identification of the individual — a misgiving that the Centre does not seem to share. Second, the draft bill gives the State and federal agencies exemption from the rigours of its provisions. This amounts to an egregious invasion of personal privacy and flies in the face of the Puttaswamy verdict and the recommendations of the JPC. Third, it has diluted the role of the regulator. The earlier bill framed in 2018, which had 98 clauses against 30 in the current draft, had provided for a data protection authority headed by a chairperson and more than six whole-time members. The scope of the authority and the tenure of its members were clearly spelt out. The new bill provides for a data protection board with the risk that the semantic change may signal a diminution of its independence and powers. The composition of the board and the process of selection and the terms of appointment will be prescribed later. This does not inspire confidence.
Private entities that access data face stiff penalties that can run up to an astronomical Rs 500 crore, up from Rs 15 crore earlier. The government has also relaxed data localisation rules, bowing to pressure from large social platforms. It will allow data fiduciaries to transfer data to other countries after an assessment of certain factors. This appears to take a cue from the European Union’s General Data Protection Regulation, which permits data transfer only if the third country has appropriate safeguards and affords legal remedies. The refusal to spell out the factors that will be considered while cherry-picking nations to which data transfer will be allowed only serves to amplify concerns.