As we deliberate on the new draft version of the Digital Personal Data Protection Bill 2022, earlier introduced as the Personal Data Protection Bill, 2019, we have to look beyond the debate on data collection, storage, and data flow to examine if the proposed regulatory framework is appropriate and commensurate with the federal structure of India.
As opposed to the over 90 clauses in the previous version of the bill, this version has only 30 clauses. It means that large and crucial components of the bill have been left to subsequent rule-making by the Centre, as evidenced by use of the phrase “as may be prescribed” (by the Central government) at 18 places in the draft bill. This raises concerns about excessive delegation. At the same time, the regulatory powers have not been delegated to the state governments, where also a huge amount of personal data of citizens is generated, stored and processed.
In this context, it is important to recognise that the protection of citizens’ right to personal data privacy now forms a part of the Constitution as a fundamental right, having been read into Articles 19 and 21 by the Supreme Court in the Puttaswamy judgment. It is, therefore, not being bestowed on the citizens by the Central government or Parliament through its law/rule-making powers. It is not just a statutory right like the Right to Information under the Right to Information Act, but a constitutional right. So, it is by corollary that governments (both Central and states) will also have to subject themselves to equal rigour of the legislation as the private sector.
The draft version of the bill envisages setting up a Data Protection Board (DPB) to regulate the entire regime of digital personal data protection in the country. The Board will be entrusted with handling vast amounts of data collected not just by the Central government but also a wide variety of data sets originating out of state government functions under List II (the State List) of the Seventh Schedule of the Constitution such as health, education, agriculture, law and order, public order, etc.
Besides, it will have jurisdiction over data collected, stored and processed during the implementation of state schemes such as Konnect and KALIA for farmers in Odisha, Antyodaya Saral for public service delivery in Haryana, a scheme for human resources in healthcare in Uttar Pradesh, etc. Given that the Central government will exercise greater control over the functioning of the DPB, this control will obviously extend to state government authorities whenever issues of data breach and harm arise. This will inherently raise issues of federal override.
It is vital for India to build a resilient data protection framework with a ground-up approach much like Germany or Australia which are similarly geographically spread-out like India. Even the European Data Protection Board coordinates with the national data protection authorities under the EU GDPR for protecting the privacy of citizens.
Thus, having a regional presence of data protection authorities at the state levels will not only generate greater awareness about the fundamental right to privacy and provide an effective mechanism to data principals (citizens) to exercise it, but will also engender trust in the ecosystem and the Board by various stakeholders including the state governments. I had stated this in my Dissent Note to the draft bill in 2019. Devolution of enforcement and grievance redressal to regional levels will only increase efficiency and reduce possible operational bottlenecks, as the newly established Board will be expected to regulate approximately 600 million entities.
The Central government seems to have followed central acts like the Income Tax Act, the Customs Act and the TRAI Act in designing a central adjudication body along with satellite adjudication authorities at the state level, but this analogy cannot be applied to the DPB because the former legislations deal with subjects mentioned in the Union list of the Seventh Schedule unlike the DPB which will be asked to decide upon data captured, stored and processed at the state level under the State List subjects too.
In case of a data breach at the state level by a state government department/agency, the adjudication process may not lend itself to credibility and trust by the state government if the DPB is controlled by the Central government. In contrast to the DPB model, the structures of the Central Information Commission and State Information Commissions under the Right to Information Act, 2005, and the Central Consumer Protection Commission and State Consumer Protection Commissions under both the old (the Consumer Protection Act, 1986) and the new Consumer Protection Act, 2020, which have decentralised structures, appear more apt for adoption.
If Right to Information can have a decentralised structure at the state level, then why not have a similar system for the DPB ecosystem? What is the inherent distinction between “information” and “data” to be treated differently when they are not placed in two different lists in the Seventh Schedule of the Constitution?
However, the Consumer Protection model will be the most ideal to replicate because, in a broader understanding of the term, a data principal, most often, is a consumer and vice-versa. All goods and services providers are data fiduciaries. The people as consumers will also realise the significance of their personal data rights.
In my Dissent Note, I had also raised apprehension about the independence of this Board (earlier Data Protection Authority) and had argued for establishing a constitutional Data Protection Commission. Since the envisaged Board would be regulating and adjudicating on potential data breaches in various state government apparatuses as well as other constitutional authorities such as the Supreme Court and the high courts, the Central Election Commission, the Comptroller and Auditor General of India, and the Union Public Service Commission, constitutional entrenchment will ensure functional and structural autonomy. It will also obviate criticisms of federal override.
Dr Amar Patnaik
Rajya Sabha MP, advocate and former CAG bureaucrat
(Views are personal)