In an interview to The Hindu, Justice (retired) B. N. Srikrishna of the Supreme Court, who had proposed the first draft of the Personal Data Protection Bill in 2018, says the Bill is fundamentally flawed as it would permit, and may encourage, the executive to act capriciously and infringe on the fundamental right of privacy of personal data. The so-called regulator will be a puppet of the government and will have no independence. Excerpts:
What do you make of the new draft of the Data Protection Bill, the Digital Personal Data Protection Bill?
It has picked up some good points from the previous drafts but has worsened on some issues.
Can you please elaborate on what are the good points from the previous drafts and how is it worse on some issues.
The simplicity of language and reduction in size are good points but one cannot forsake clarity of legislation for simplicity. Many of the concepts are left vague and undefined. Consent managers is a good idea and helpful to data principals. The Data Board is a creation of the executive with no guidelines on its composition, establishment, qualifications of its chair and members etc, and therefore it will be a captive of the government with little independence, if it is a regulator; if not, there is no regulator at all. The Bill is loaded in favour of the government. All vital issues have been relegated to delegated legislation that can be constitutionally valid only if there are legislative guidelines within which the executive may frame subordinate legislation, or else, such a law will be invalid as permitting the executive to act arbitrarily will become unconstitutional and void. That is a danger very much lurking in the background of the Bill.
What would you say is needed in the current avatar?
The robust and independent regulator like the Data Protection Authority envisaged in the 2018 draft is needed. The Board contemplated under the present Bill will be a captive of the government. The qualifications, tenure, procedure of appointment have all been relegated to delegated legislation. It is worse than the previous 2019 Bill. There is complete failure to address the issue if the blanket exemptions are granted. The so-called regulator will be a puppet of the government and will have no independence.
Does the draft express any concern on protection of the fundamental right of data privacy?
There is power to exempt all government departments and government institutions from any or all provisions of the law. That is a dangerous situation and clear invitation to the executive to act arbitrarily. There is over-reliance on the rules to be framed by the government, without legislative guidance in the law. It gives scope to arbitrariness and makes for constitutional invalidity of the law. The Bill is replete with such instances. Eighteen out of 30 clauses leave the issue to the government “as may be prescribed”. Further, the triple test laid down by the Puttaswamy judgment (Supreme Court upheld right to informational privacy as a fundamental right) has been totally abandoned. The requirement of curtailing the privacy right of individual (a fundamental right as declared by the Supreme Court) only for ‘necessity’, ‘reasonably’ and ‘proportionately’, has been completely ignored. That drives a coach and horses through the privacy right of individuals. That is clearly contrary to the Supreme Court’s declaration of the law in Puttaswamy. Therefore, the Bill is fundamentally flawed as it would permit, nay encourage, the executive to act capriciously and infringe on the fundamental right of privacy of personal data.
Published - November 25, 2022 09:30 pm IST
