Alok Prasanna Kumar, Co-Founder and Karnataka Lead at Vidhi Centre for Legal Policy, led the discussion on the Data Protection Board that the data protection bill, 2022 creates. His remarks in his opening statement, followed by a question and answer session, are excerpted and reproduced below.
I know that we all want to keep this at a level of logic, the law and policy, but I would like to start with an emotional note. When I first read the draft of this bill, it was disheartening. My instinctual reaction was not what is right or wrong about it, but that someone doesn’t care enough to give us a proper data protection bill. To me that was additionally disheartening because what a data protection bill does at the end of the day is to protect the rights of citizens of India. Companies may have certain more obligations, foreign companies may have certain concerns and they are important aspects of it, but the origin of this bill is the Supreme Court affirming that citizens of India have a fundamental right to privacy; the right to privacy needs to be protected and enshrined through proper legislation which provides an enforcement mechanism which outlines the rights, and provides remedies.
We could say that the Data Protection Authority had been overburdened with too many things in the first few drafts of the data protection bill and that it needed to be re-examined. We could say that the right to be forgotten shouldn’t be there. There are many valid criticisms, but the previous bills at least provided a sufficient basis to have these debates to push for certain reforms. When we’re left with a very bare-bones bill in a everything-will-be-determined-at-some-point-in-the-future situation, it cuts off our ability to have this discussion.
The Ministry of Electronics and Information Technology (MeitY) is seeking chapter-wise public feedback on the draft law until January 2, 2023. The submissions will be held in a “fiduciary capacity” and will not be publicly disclosed. Click here for more of MediaNama‘s journalism on the DPDP Bill and India’s data protection laws.
FREE READ of the day by MediaNama: Click here to sign-up for our free-read of the day newsletter delivered daily before 9 AM in your inbox.
Clause 23 takes away remedy under law
The first thing any law student probably learns is – where there is a right, there is a remedy. It is something very fundamental and core to how the law functions. Let’s understand that the fundamental right to privacy is not just enforced in terms of going to court but it’s supposed to have other remedies as well.
How does the DPDP Bill 2022 envisage that we enforce our rights? It expects us to go to the Data Protection Board. One clause which is the key to understanding the fundamental problem with the Data Protection Board is Clause 22, Sub-clause 3, which says no civil court shall have the jurisdiction to entertain any suit or take any action in respect of any matter – I hope you’re counting the “anys” – under the provisions of this act and no injunction shall be granted by any court or other authority in respect of any action taken under the provisions of this act.
There are a lot of legislations which oust the jurisdiction of the civil court. It’s not fundamentally unacceptable or unconstitutional. The Supreme Court has upheld it in certain instances, but what the Supreme Court expects is that when you’re ousting the jurisdiction of a civil court, you provide an equally efficacious alternate remedy. The key term here is efficacious. If you are saying that the data protection legislation flows from our right to privacy, it is about giving you certain rights with respect to your digital personal data. On violation of those rights, there should be some remedy or recourse available to you, but as this bill points out, you can’t go to a civil court for that. This bill, as it stands through Clause 23, is taking away a remedy under law.
There is no provision for seeking compensation
Compensation is the relief that you would get, if you are able to show a certain violation of rights. There is no claim that you can make even in civil court on that basis. It is only penalties which the government may impose. It is to be noted that the same cause of action can have both criminal and civil consequences. The most famous example of this is the Bhopal Gas Tragedy. There were people prosecuted for criminal offenses and the company and certain individuals were also sued for damages because of the massive harm that they caused as a result of the leak. Merely having one kind of remedy cannot exclude the other kind of remedy, which is to remedy the harm caused to you. So this ouster of the civil court clause (in the DPDP bill) to me is very wide, it’s very broad, and it actually takes away some of your rights.
Government’s vague exemptions for itself
The nine judge bench in Puttaswamy case had mentioned that the citizens can claim their right to privacy against both private parties and the government. Obviously, only the government can claim national security and restrict your right to privacy. But the kind of vague exemptions the government can give itself under this act is hugely problematic. When I say government, I specifically mean the executive government and not parliament. This is a legal distinction which I take for granted. The fact that the government will determine who is going to sit on the body, which will then adjudicate on whether the executive government has violated the rights of citizens or not, is problematic both legally and constitutionally. This goes against a basic feature of the Constitution that it shouldn’t be the government that decides what kind of remedy that you get, what kind of remedy that you have, especially for an issue which relates to a violation of your fundamental rights.
Problems with the structure of the Board
There are a lot of drafting problems also with the way in which this body has been structured. Just to draw one conceptual difference: the Data Protection Authority were envisaged as regulators in the previous versions. They were given legislative, executive, and adjudicatory powers. Now, regulators, in India and around the world, tend to have some mix of these three powers. The theory, as it is understood, goes that a regulatory body is a specialized body which understands this field of human endeavour much better than the general Parliament or the general executive or the general judiciary. We give them certain powers so that they are able to ensure this sector is regulated appropriately. The Data Protection Authority in the previous versions were clearly intended to be regulators.
As far as the Data Protection Board is concerned (according to the new bill), it’s not quite clear what its powers are. The initial conclusion that a lot of people have drawn is that this is just an adjudicatory body. But that conclusion may not necessarily be true given. The board will determine non-compliance and impose penalties and perform such other functions as a central government may assign to this board under this law or any other law. Now, this is a problematic open ended clause. It doesn’t tell us what kind of functions could be given. The reason I have called this a drafting problem is because if you pick up any legislation – which creates a regulator, or deals with a certain sector – you will find that there are multiple chapters, which deal with three things which have to be read together: composition, together with functions and powers. Composition is who will be on this body. Functions will be what this body will do. The powers will be the legal authority to all of these things. You need to have a good match of these three things.
There are places where the bill flippantly says standards will be made by the board. There is no mention of standards again in the entire bill. It doesn’t mention the powers and functions of the board fully – “as may be prescribed” seems to be a recurring theme across the board. As a legislation you cannot leave such fundamental enforcement aspects of the law to be determined at some later date because then, it doesn’t function as a law anymore. A law is only meaningful when you can tie the right protector or the duties imposed to the remedies that are offered.
As a final note, I urge you to compare the Consumer Protection Act with this legislation. The Consumer Protection Act, at the end of the day, is supposed to protect the consumer against corporations, against anybody who makes goods. It is supposed to provide an alternate mechanism. You will see how much more detail is present in that legislation. Because these are the details that guide the members on the board to know how they should exercise their powers.
In conclusion, these are the two broad points that I’ve made: on the one hand, there are serious legal and constitutional issues with the way the bill is drafted, especially with reference to the Data Protection Board and, on the other hand, there are serious implementational questions. There is a complete lack of clarity about what the Data Protection Board will be, what it will do for us, how it will function, and what it will effectively do. This suggests a complete lack of care in the way in which this has been drafted. It’s not just the body, which is there to advise the government on nice things, but it’s supposed to be the remedy that we have for protecting our rights with respect to personal data. The fact that there isn’t enough detail provided here and that there isn’t enough thought behind a lot of this is what worries me greatly.
Q&A segment with Mr. Alok Prasanna Kumar
The following are the discussion questions that were answered by Mr. Kumar during our segment on the Data Protection Board:
Is the idea of a Data Protection Board better than having a regulator? Do we need another regulator here?
Alok Kumar Prasanna (APK): “Yes, because let’s understand the modern regulatory state as it is built around us.” The whole idea that we need to have regulators for specialised functions accepts that “it’s not possible for generalists to be able to understand these highly technical and specialized fields.” It needs people who have that rich experience and technical knowledge. It’s not going to come straight out of the central government. I completely agree that it’s a nonsensical argument to make [that] all our regulators have failed, that’s just ad hominem. There are regulators who have failed at their jobs but there are also those who have done well. I know people may feel differently, but they have a functioning banking system, thanks to the RBI. The difference between a Ponzi scheme and a bank is a regulator.
Who would have jurisdiction?
APK: The Data Protection Board. But, if you read it with the clauses which give the government so much power to exclude application of the law to itself, they actually don’t have much jurisdiction over them.
This legislation cannot take away the High Court and the Supreme Court’s powers under the Constitution to examine executive and legislative action on this front.
Can I go to court against my government assuming that they’re setting up the data that they’re collecting after this bill passes in its current form or do I have to go to the board?
APK: Whenever there’s a question of major technology which comes up before the courts, they struggle with this. Yes, constitutionally, you have a right under Article 32 and Article 226 to approach the Supreme Court and the High Court respectively, but this is the key problem. They are not meant to get into heavy questions of fact. There is no procedure. Questions of fact—when the constitution makers put this provision in, their idea was that it will happen at trial. You will be able to “go to your city civil court or your magistrate’s court, on the basis of civil procedure, court evidence, lead evidence, have a certain set of facts decided, and that will go in appeal, or you can then file judicial review.”
“So, yes, you will be able to make constitutional claims,” but you will struggle to produce the evidence, the kind of material actually needed to prove your claim in court. This is because you cannot just expect a generalist to grasp that technical, deep know-how which is needed to regulate certain sectors of the economy.
Will the principle of ‘no one can be a judge in their own case’, since they would have an interest in that, be applicable?
APK: Yes, which is what the Supreme Court says in the Madras Bar Association and the Roger Matthew cases—you can basically decide who will hear your case, even giving the power to the government itself, in this bill, to determine what will be the composition of the board [and its] terms and conditions…through subordinate legislation, through making of rules. [This] is problematic.
Why do you feel like there has to be expertise at the highest level of the principal composition of the board?
APK: “When I say highest level, I mean, in the composition of the board general.” If you have 8 or 10 Members, the chairperson doesn’t have to be of that level, but in that composition of the board, you need to have people who understand issues and bring expert input.
“Individual officials need to be able to have a conversation with the individual officials down the line about technical aspects, right? When I mean technical, I don’t just mean the chairperson at the top. Within the composition, you need sufficient knowledge, people with sufficient experience, sufficient awareness of the field…to be able to make for an effective regulator on the whole because I’m not just talking about any one function. If you’re giving them legislative, executive and judicial functions, you need to be able to do all three.
How does Voluntary undertaking 24 (3) play out in practice? Is it because of odd drafting?
APK: Generally, when parties consent and you have a common document of consent which you submit to a court, the court is still free to make changes to it. It’s not as if the court is accepting the consent. The consent decrees what reflects those changes as well. [The bill reads, “The Board may, after accepting the voluntary undertaking”]. “It should ideally read, the Board may after ‘receiving’ the voluntary undertaking. ‘Accepting’ is wrong. Accepting disclosure of that process, the Board may after receiving the voluntary undertaking and with agreement to give the voluntary taking vary the terms included because that’s what gives it finality.”
Either we have the board where the law won’t say anything but they will do what they like, or you have the act which tells you that they will do what they like. So, is the previous version actually better than this or are we just stuck in this?
APK: Regulators also learn. They learn from their mistakes, make mistakes, figure things out, understand the changing environment and respond to it. But we have to give them that capacity. That is not what this bill does. “Let me put it this way, I wouldn’t say that they’re the best examples of how you should draft for a regulator, but at least they provided enough basis for potential success.”
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
- Data Protection Bill’s Deemed Consent Provision “Turns Exceptions Into The Norm” #NAMA
- How The Data Protection Bill Restricts Children’s Access To The Internet #NAMA
- How Will The Data Protection Bill Approach Personal Data Transfers Outside Of India? #NAMA
- How Does The Data Protection Bill Deal With Basic User Rights And Privacy? #NAMA