The draft Digital Personal Data Protection bill has skipped "Right to Privacy" in the preamble and provides unrestrained powers to the government, advocacy group CUTS International has claimed.
CUTS said that the draft weakens the regulatory, supervisory, and enforcement architecture by replacing the previously proposed data protection regulator with a board that will be directly in control of the government.
"Moving away from its previous version, the bill skips mention of the fundamental right to privacy in its preamble and narrows the scope of the law from data protection to digital personal data protection excluding non-personal data, which is rather desirable. In doing so, the bill takes away the categorisation of personal data, especially sensitive personal data, thereby painting all personal data with the same regulatory brush," CUTS said in a statement.
The preamble of the draft Personal Data Protection Act 2018 mentioned of "right to privacy" as "a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy".
“The bill provides a broad scope and unrestrained powers to the government to prescribe on critical issues at a later date. Such powers, if not carefully and judicially used, can do more harm than good," CUTS International, Secretary General, Pradeep S Mehta said.
CUTS said that allowing the transfer of personal data outside India appears to be a step forward but the bill provides significant unreasonable discretion to the central government to notify trusted countries for such transfer, without necessary principles or procedural safeguards.
"It also empowers the central government to exempt instrumentalities of state from its provisions without adequate checks and balances, ignoring principles of legality, necessity, and proportionality, as laid down in the Puttaswamy judgement," CUTS said.
The government had opposed declaring the "Right to Privacy" as a fundamental right while the judgement in the Puttaswamy case has pronounced "The right of privacy is a fundamental right" which "protects the inner sphere of the individual from interference from both State, and non-State actors and allows the individuals to make autonomous life choices."
CUTS appreciated the evolution of significant data fiduciaries from only the number of registered users as in intermediary rules to include factors such as volume and sensitivity of personal data processed, risk of harm to data principal, risk to electoral democracy and public order among others.
Internet Freedom Foundation said there has been a considerable dilution of the regulatory body, now a proposed Data Protection Board.
"It lacks autonomy and independence, and will be created and appointed on conditions, 'as may be prescribed'. Can such a board reasonably enforce compliance from public authorities," IFF said.
Cyril Amarchand Mangaldas, TMT Partner and Head, Arun Prabhu said that the latest version of the Personal Data Protection Bill seems to be designed to be a shorter and simpler document, which may help with alignment and rapid adoption.
"That being said, while this simplification may have benefits, several concepts that the current Bill proposes, and some of the open-ended language, may need refining before the Bill is adopted," Prabhu said.
He said that an exception for journalistic purposes under the previous draft, which was Draft PDP 2018, has not found its way into the deemed consent provisions.
While the draft DPDP has exempted government-notified data fiduciary -- an entity that will collect and handle personal data, from several compliance burdens but like draft PDP 2018 it has not exempted collection of data and its processing for journalistic purposes with some restraints such as maintaining the privacy of the data owner, prevent misuse and unauthorised access or disclosure of data owner.
J Sagar Associates Partner Rupinder Malik said that the 2022 DPDP Bill has simplified the proposed data protection regime and done away with some contentious clauses which caused industry pushback in earlier versions.
"Particularly, data mirroring, data localisation requirements, and overall compliances appear to be limited compared to the previous Bill. The legislative intent appears to be tech and IT business-friendly, focused on facilitating cross-border data flows. Some aspects that have been watered down could potentially reduce overall protection accorded to individual privacy rights," Malik said.