What Next on Data Protection? : Daily Current Affairs

Date: 23/08/2022

Relevance: GS-2: Government Policies and Interventions for Development in various sectors and Issues arising out of their Design and Implementation.

Key Phrases: Personal Data Protection Bill, right to privacy, Justice K.S. Puttaswamy (Retd) vs Union of India case, omnibus Bill, Justice B.N. Srikrishna, digital economy, Risk-based approach, Co-regulation, and self-regulation, Build administrative capacity.

Why in News?

  • The government has withdrawn the Personal Data Protection Bill from Parliament as it considers a “comprehensive legal framework” to regulate the online space, including bringing separate laws on data privacy, the overall Internet ecosystem, cybersecurity, telecom regulations, and harnessing non-personal data to boost innovation in the country.

Background:

  • In the seminal Justice K.S. Puttaswamy (Retd) vs Union Of India case, the Supreme Court of India ordered in 2017 that the right to privacy is an intrinsic part of the right to life and personal freedom guaranteed by the Indian constitution.
  • In the light of this judgment the Centre 2017 set up an expert committee chaired by retired Supreme Court Justice B.N. Srikrishna to formulate a regulatory framework for data protection.
  • The Srikrishna committee submitted its report and a draft for the Data Protection Bill to the Ministry of Electronics and Information Technology on July 27, 2018.
  • The Bill was then revised by the government, approved by the Cabinet, and tabled in Parliament in December 2019.
  • Subsequently, a joint parliamentary committee, or JPC reviewed the bill and submitted its report in December 2021.

The scope of the law:

  • The growing importance of the digital economy and the broad scope of the proposed law also contributed to contestations between stakeholders as the law was being deliberated.
  • Shaped by different interests and incentives, the state, industry, and advocacy groups all have very different expectations of what a data protection law should look like.
    • For instance, for the domestic industry such a law represents a compliance hurdle that could put it at a disadvantage.
  • A law can also promote regulatory certainty, thereby opening up the possibility of increased data flows and the growth of the data processing business.
  • For the state, a law could limit intrusive data processing by state agencies, but it could also promote geopolitical, strategic, or regulatory interests.
  • Individuals could benefit from the restrictions on harmful data processing, but on the other hand, a poorly drafted law could legitimize certain intrusive practices.

Shortcomings of the bill:

  • Criticism of each version:
    • Each version of the law - the 2018 Bill of the Srikrishna Committee, the 2019 Bill introduced in Parliament, and the version of the JPC in 2021 - faced different types of critique from different stakeholders.
    • For instance, law enforcement interests were seen as obstructed by the 2018 draft, leading to broad exemptions in the 2019 Bill.
  • Dilution of focus on data privacy:
    • What appears striking is the consistent dilution of the focus on data privacy from the 2018 version onwards.
    • From being the centrepiece of the legislation, privacy protection was increasingly being seen as one of several objectives being pursued.
    • This was seen most clearly in the JPC’s recommendations, which sought to significantly revise the scope of the law.
  • Attempt to make omnibus Bill:
    • The JPC recommended moving away from a personal data protection law toward a law to govern the entire data ecosystem.
    • It further suggested putting in place several broader restrictions on social media and other entities.
    • This attempt to solve multiple problems in the digital ecosystem saw an already broad law being turned into an omnibus Bill. This made one question the ability to properly implement it.
  • Lack of details:
    • The provisions relating to many issues were lacking in detail.
    • For example, the provisions related to the processing of data by the state, governance of non-personal data, and the regulation of social media could all have been fleshed out with greater substantive and procedural detail, which is required to balance the complex competing interests at hand.

The way forward:

  • The form that a new law will take:
    • On this issue, the government has suggested that it will introduce multiple legislation comprising a new comprehensive legal framework.
    • This is the right approach, as trying to fit all objectives related to the digital ecosystem or even data governance into one Bill would be a mistake.
    • It is healthy to maintain some polycentricity in the governance of a complex digital economy, and different laws and agencies should co-exist.
    • It would be ideal if each bill addressed a single coherent set of objectives: For instance, one personal data protection bill should not be burdened with other objectives.
    • Separate laws could deal with issues concerning state surveillance, or issues in the data economy such as dealing with competition-related concerns arising out of the monopolization of data by certain entities. Over time, such a system may lead to more balanced and beneficial results.
    • In the short term the government would do well to put a specific personal data protection law in place – given the effort already dedicated to this (and the significant areas of agreement amongst stakeholders).
  • The nature of protections it will offer:
    • The 2018 law borrowed heavily from the rights-based European General Data Protection Regulation on which future drafts were based. This framework was however criticized by some due to its perceived unviability in the Indian context.
    • For instance, creating a cross-sectoral data protection entity with the power to take significant coercive action is seen as problematic given the rule of law, capacity, and regulatory constraints in India.
  • Issues that need to be addressed by a new law:
    • Risk-based approach:
      • It should build in a risk-based approach to data protection so that the regulatory focus is directed toward addressing sources of potential harm.
    • Co-regulation and self-regulation:
      • Based on risk assessments, the law could enable co-regulation and self-regulation (with the regulator acting as a backstop). These could reduce compliance burdens on entities without significantly affecting rights protection.
    • Accountability:
      • The current version of the law was weak on accountability measures for the data protection regulator. The new Bill should include more provisions to ensure that the regulator uses its powers well. These include provisions relating to appointments, consultations, reporting, and so on.
    • Build administrative capacity:
      • Even while the law is being drafted, the government should invest in building some administrative capacity to implement it, so that when the law is eventually passed, implementation can begin soon after. This has been previously done with SEBI and PFRDA.
    • Consultation with stakeholders:
      • Any new law must be framed based on transparent and meaningful consultations with all stakeholders.

Source: The Hindu

Mains Question:

Q. What is the scope of the Personal Data Protection Bill? What were the shortcomings of the earlier Data Protection Bill and what issues should a new data privacy law address? Discuss.