Member of Parliament John Brittas wrote a dissent note criticising the report on “Citizens’ Data Security and Privacy” which was presented by the Parliamentary Standing Committee on Communications and Information Technology on August 1.
Brittas expressed his reservations over the report for two reasons:
- The Parliamentary Committee, in violation of Lok Sabha and Rajya Sabha Rules, examined the Digital Personal Data Protection (DPDP) Bill when the Bill had not been introduced in the parliament and referred to the Committee.
- The report endorses the DPDP Bill and urges the government to enact it despite the Bill’s many shortcomings such as the wide-ranging powers of the government to exempt itself.
In addition to the dissent note placed by Brittas, opposition MPs in the Committee staged a walkout in the last meeting of the Committee for the same reasons as above.
The Digital Personal Data Protection (DPDP) Bill, 2022, was released by the IT Ministry for public feedback in November 2022. The finalised version of the Bill received cabinet approval in July 2023 and is expected to be introduced in the parliament on August 3.
Finalising a report on the Data Protection Bill without its text being made available. Parliamentary Committee on IT is pioneering innovation on rules of procedure. https://t.co/oxnOJ920qi
— Apar Gupta (@apar1984) July 27, 2023
Criticism of the DPDP Bill
While noting that the report itself is void because it examined the DPDP Bill in contravention of parliamentary rules, MP John Brittas nevertheless also submitted his criticisms on the DPDP Bill, which the report endorses. A full text of the MP’s dissent note is available below, but here are some key points:
- Excessive government powers might not meet the proportionality test: The DPDP Bill gives the government “unfettered power to give exemptions to government agencies” and “exempt any Data Fiduciary or a class of Data Fiduciary,” both of which might not meet the proportionality test set out by the Supreme Court in the 2017 Puttaswamy judgement.
- Excessive delegated legislation: The DPDP Bill leaves a lot to delegated legislation that the government can frame later. “It seems as if the Government’s favourite catchphrase ‘as may be prescribed’ is the highlight of this draft bill. It has been mentioned 18 times in a 24-page bill with only 30 clauses,” John Brittas wrote.
- Lack of independence of Data Protection Board: “The proposed Data Protection Board of India is at the risk of becoming a puppet of the Centre because everything ranging from composition, qualifications, tenure and procedure of appointment of members would be as per the whims and fancies of the Government,” the MP complained.
- Notice requirements weakened: Compared to past versions, companies don’t have to inform principals about the third parties with whom their data will be shared, the duration for which their data will be stored and if their data will be transferred to other countries.
- Vague non-consensual processing of data permitted: The Bill allows companies to “deem” or assume the consent of the user if the processing is considered necessary for certain use cases.
- Penalty for users: It is “surprising” that the bill proposes a penalty of up to Rs 10,000 for users if they fail to comply with duties prescribed in the bill but does not offer them any compensation in case of a data breach.
- Voluntary undertaking might allow companies to escape punishment: “The Data Protection Board has powers to accept voluntary undertaking with respect to non-compliance with any provisions of the proposed Act. Such a provision allows those who are non-compliant to avoid penalties ranging up to rupees 500 crore by giving a mere undertaking. The bill should clearly state the mechanism which the Data Protection Board would employ to accept such an undertaking.”
- Amendments to RTI Act weaken transparency: The amendments proposed in the Bill to limit information disclosure under the RTI Act “would fundamentally weaken the RTI Act and adversely impact the ability of people to access information and will definitely curtail transparency in the Government.”
- No protection is available for non-digital personal data, anonymized personal data, and non-personal data
- No right to be forgotten or right to data portability
“Events around the Data Protection Bill represent a multi-layered and consistent erosion of parliamentary processes”: Apar Gupta
In a detailed and insightful Twitter post, Apar Gupta, Founder Director of the Internet Freedom Foundation (IFF), criticised the entire process that the data protection bill has been subjected to since 2019:
“The events around the Data Protection Bill represent a multi-layered and consistent erosion of parliamentary processes. This is how democratic institutions are undermined.
Let us step back to examine engagement on the issue during this term of Parliament.
It is relevant to note that the recommendations of the Joint Committee on the Personal Data Protection Bill, 2019 (JPC) have been completely discarded. Even the formation of this JPC sidestepped the Standing Committee on IT that should have ordinarily received a reference to study and make recommendations on the Data Protection Bill. However, for reasons best known, the preferred route was the JPC, with a reference being proposed by the then cabinet minister, Mr. Ravi Shankar Prasad. This was at the time of the introduction of the Personal Data Protection Bill, 2019, on December 11, 2019. Yes, introduced and referred on the same date.
The JPC was initially headed by Ms. Meenakshi Lekhi in February, 2020 and then by Shri P.P. Chaudhary, it tabled its report in Parliament on December 16, 2021. In these intervening long months, much work was done. It led to tens of hearings and hundreds of submissions to our parliamentarians across political parties. Sometimes it attained high levels of media coverage as a forum to focus accountability on, “big tech”, rather than its proper role to consider changes to a legislative proposal. The JPC report contains 97 amendments, 93 recommendations and seven dissenting notes.
What was the government’s response? Delay, discard and disappoint! The JPC examined Data Protection Bill was withdrawn from the Lok Sabha and the Parliament on August 3, 2022 with a statement by Mr. Vaishnav that a, “comprehensive legal framework” would be introduced. Options such as amendments to the Personal Data Protection Bill, 2019, or the introduction of a fresh bill accompanying the withdrawal were not exercised. Hence, the final recommendation by the JPC for, “the Bill as amended after inclusion of suggestions or recommendations made by the committee be passed” was disregarded at this stage itself.
This was just the start. We were promised a law on data privacy that would be, “comprehensive”. Instead, a draft of a Digital Data Protection Bill, 2022 was made available for public consultation in November, 2022. It had an empty shell of thirty sections, reserving vast swaths of unguided power to the Union Executive. This was a completely fresh draft and by such a choice, the recommendations of the JPC were made completely nugatory. The public consultation responses have not been made public and hence one does not know what changes have occurred before placing them for cabinet approval. At the same time there are favorable press reports from unnamed sources that must be taken with caution.
Forwarding to yesterday. As the finalized text of this Digital Data Protection Bill, 2022 remains secret, a report is finalized without prior notice to the members of the Standing Committee of IT. As per press reports this is to commend this legislative proposal. Even for those who may agree with the substance of the Digital Data Protection Bill, 2022 this erosion of parliamentary processes and conventions in the Standing Committee of IT must lead to worry. We noticed a similar circumvention of procedure and deliberation when the Aadhaar Act was passed as a money bill.
We will never achieve just outcomes by unjust means. It will only reinforce a political culture in which absolute power is the only winner and parliamentary deliberation is seen as weakness.”
Full text of MP John Brittas’ dissent note
NOTE OF DISSENT
- It is imperative to note that the ‘Digital Personal Data Protection Bill’ had neither been introduced before either of the Houses of Parliament till date, nor was it referred to the Standing Committee by the Chairman of the Rajya Sabha or the Speaker, as the case may be, for examination.
- According to the unequivocal provisions in Rules 331E (1) (b), 331H (a) & 331H (b) of Lok Sabha Rules and Rules 270 (b) & 273 (a) of the Rajya Sabha Rules, the Standing Committees are explicitly prohibited from examining any Bills that have not been referred to them by the Chairman or the Speaker after their introduction in either House.
- Hence, it is evident that the above mentioned draft Report of the Standing Committee on Communications and Information Technology, containing Report on the examination and Recommendations of the Committee on the ‘Digital Personal Data Protection Bill’ are void ab initio and are ultra vires of the powers of the Standing Committee conferred by the Rules. The Rules proscribe the Standing Committee from examining such yet to be introduced Bills.
Without prejudice to the above, the following Note of Dissent vis-a-vis the draft Report presented to the Committee may also be recorded.
Note of dissent on the Recommendations in the draft Report titled as “Citizens’ data security and privacy” about the “Digital Personal Data Protection Bill”
- There is excessive delegated legislation in the proposed Digital Personal Data Protection Bill, as the draft bill does not go into the specifics of the implementation. It seems as if the Government’s favourite catchphrase “as may be prescribed” is the highlight of this draft bill. It has been mentioned 18 times in a 24 page bill with only 30 clauses.
- The proposed Bill gives Union Government unfettered power to give exemptions to government agencies [clause 18(2)] from the application of provisions of the Bill on specified grounds like sovereignty and integrity of India, friendly relations with foreign States, public order etc.
- Additionally, clause 18(3) allows the Government to exempt any Data Fiduciary or a class of Data Fiduciary from the application of this proposed Act. Such sweeping exemptions raise major concerns like-
- Whether it will meet the proportionality test set out by Supreme Court in the K.S. Puttaswamy Judgement (2017)? Will it not lead to violation of fundamental right to privacy?
- It will lead to an untoward situation where any Data Fiduciary or any class of Fiduciaries would be able to exert pressure for seeking permission for exemption from the Act.
- The proposed Data Protection Board of India is at the risk of becoming a puppet of the Centre, because everything ranging from composition, qualifications, tenure and procedure of appointment of members would be as per the whims and fancies of the Government.
- The Joint Parliamentary Committee Report on the Personal Data Protection Bill, 2019 had recommended that a Selection Committee shall nominate the Data protection Authority. Members of the Committee itself should include: (i) Attorney General of India, (ii) an independent expert from fields such as data protection, information technology, or cyber laws, and (iii) Directors of an IIT and an IIM. None of this has been touched upon in the 2022 draft.
- The bill does not include non-digital personal data, anonymized personal data, and non-personal data in its ambit, thus no protection is available to these kinds of data. It goes against the recommendations of the Joint Parliamentary committee on the Personal Data Protection Bill, 2019.
- The Bill does not provide for the Right to data portability and the Right to be forgotten. The 2019 Bill on Data Protection and the Joint Parliamentary Committee, examining the 2019 Bill, recommended retaining these rights. The GDPR of EU also recognises these rights.
- The bill removes the distinction between sensitive and critical personal data. This distinction was recommended by Justice Srikrishna and was included in the Personal Data Protection Bill, 2019 and the Joint Parliamentary Committee recommendations.
- The draft bill no longer requires local storage of data. Businesses can only transfer data to countries notified by the Indian govt. During the examination of Ministry officials before the committee, it was deposed that a ‘negative list’ or a list of disapproved countries will be notified and cross-border data transfers to countries not on ‘negative list’ will be allowed on default basis. Without the assessment criteria being defined in the Digital Personal Data Protection Bill for such ‘negative list’, it could depend more on geopolitics than privacy safeguards.
- Clause 24 of the draft bill talks about ‘Voluntary Undertaking’, under which the Data Protection Board has powers to accept voluntary undertaking with respect to non-compliance with any provisions of the proposed Act. Such a provision allows those who are non-compliant to avoid penalties ranging up to rupees 500 crore by giving a mere undertaking. The bill should clearly state the mechanism which the Data Protection Board would employ to accept such an undertaking.
- While the Data Protection Board of India has the power to impose penalty on a Data Fiduciary for breach of personal data as per the Bill, it is not given the power to provide compensation to the aggrieved Data Principals. On the other hand, it is surprising to see that the Bill proposes a penalty of up to Rs 10,000 for Data Principals, in case, he/she fails to comply with section 16 of the Bill (Duties of Data Principal).
- The Bill [as per clause 30(1)(a)] amends the IT Act, 2000 and proposes to omit section 43A of the IT Act. Section 43(A) of the IT Act, 2000 enables an aggrieved person to demand compensation from a body corporate due to any negligence in handling any sensitive personal data, thereby causing wrongful loss or wrongful gain to any person. This further accentuates the precarious situation of Data Principals. The GDPR of EU, on the other hand, specifically provides for Right to compensation to an aggrieved party under Article 82 for damage caused as a result of an infringement of the provisions of the regulation.
- Section 8(1)(j) of the RTI act allows personal information to be disclosed if the larger public interest justifies the disclosure of such information (subject to satisfaction of Central Public Information Officer or the State Public Information Officer or the appellate authority), or it is related to any public activity or interest; even if the disclosure causes unwarranted invasion of the privacy of the individual, or if it is such an information which cannot be denied to the Parliament or a State Legislature. These portions are proposed to be deleted vide section 30(2) of the new Digital personal Data Protection Bill making all personal information exempt from RTI Act. This would fundamentally weaken the RTI Act and adversely impact the ability of people to access information and will definitely curtail transparency in the Government.
- Notice requirements weakened: Compared to past versions, data fiduciaries do not have to inform principals about the third-parties with whom their data will be shared, the duration for which their data will be stored and if their data will be transferred to other countries.
- Vague non-consensual processing of data permitted: The DPDPB, 2022 allows the Data Fiduciary to “deem” or assume consent of the Data Principal if the processing is considered necessary as per certain situations such as for the breakdown of public order, for purposes related to employment, and in public interest.