Too vague, too much left to rule-making, too wide in terms of exemptions for government agencies. These are some of the criticisms that experts have voiced against the Digital Personal Data Protection Bill, 2022.
The bill mentions the phrase “as may be prescribed” 18 times. This is symbolic of the vague and unchecked powers that the government has retained for itself to frame rules at a later stage in the absence of legislative guidance, the Internet Freedom Foundation.
The devil lies in its silence, Vidhi Legal’s Alok Prasanna Kumar, arguing that while the Bill provides for the creation of a Data Protection Board of India, it is shorn of details on what such a board will look like and what it will do.
But not everyone is seeing the Digital Personal Data Protection Bill, 2022 in this light.
Rahul Matthan, partner at Trilegal, who has been closely associated with India’s data protection journey, told BQ Prime that the proposed bill is good law.
According to him, when the Justice Srikrishna Committee floated its draft, the first thought was, ”Why are you giving us something so complex? We are just starting out into this data protection journey in this country, and you’re giving us a GDPR style law and then every successive draft has become more and more complex”.
The second thing is that we tend to forget that when you regulate technology, more detail is worse because technology, as we have seen in so many instances, far outstrips the ability of lawmakers to legislate on, he said.
“For a while, I have been talking about principle-based legislation; that we have got to legislate principles and then have agile governance in order to deal with evolving technologies, and so, for a principle-based framework, you need to have simple laws that can then be acted upon in response to the changing directions in which technology moves.”
But what about the fears that the government has given itself too much power to exempt its agencies from the rigors of the law?
Matthan says that nothing this law does or does not do is going to erode the rights that individuals have under the Constitution.
He highlighted that the government has to follow the oversight mechanism and guidelines that the Supreme Court has laid down in the , which interpreted the fundamental rights.
There is nothing that will be harmed by the fact that the word reasonable (in the way the government applies the exemptions) is not in this legislation, he said.
“You may say that it points to intent. Okay. But then, don’t catch them on this imagination that they have this intent. The first time the government does something wrong, go after them, go to court.”
That said, from a data principal or user’s perspective, there are two rights which the government should consider adding—the right to data portability and right to compensation for any harm that’s caused by a data fiduciary, Matthan suggested.
This right to data portability exists in Europe’s General Data Protection Regulation. Even before that, this concept existed and, as a strategy, Europe is doubling down on the right to data portability. California, too, has got a strong data portability provision. The OECD has got working groups on data portability, he said.
Two, right to compensation should be there, not just for data breach, but compensation also for any harm that’s caused. ”I think when we have a good definition of harm, it will be nice to see some consequences. Right now, there are just penalties but the people who are harmed don’t really get anything out of it,” he said.