This article was originally published in The Indian Express on December 28, 2022
The Indian government has clarified that its latest attempt at drafting a robust data protection law is predicated on it being a plain, simple statute to read and comprehend. Although the simplicity of law is a laudable goal, the proverbial devil is in the details — or in this case, the lack thereof. The bill, which is in its fourth life, creates significant obstructions in the path of grievance redressal for a data principal (the user) to remedy privacy harms, and request adequate compensation. It further cements the power imbalances in the data economy between users and data- processing entities. I explain below.
First, the Bill introduces the concept of “duties of data principals”. It lays down various responsibilities placed on users — to obey all applicable laws of the land, not register false or frivolous complaints, and to not furnish false information. An explanatory note released alongside the Bill explains that these duties have been inserted to ensure that there is no ‘misuse of rights’. It is pertinent to understand that the goal of a data protection law is to protect the privacy rights of citizens against data-processing entities and to lay down remedies for privacy harms. It should acknowledge the existing power imbalances between users, and those who process/use their data — heightening the risk of privacy loss. Users should not bear any responsibility in a law that primarily recognises the propensity of privacy harm towards them. To enforce such duties, the Bill empowers a Data Protection Board (DPB) (a quasi-adjudicatory authority) to “take action” against users and impose penalties up to Rs 10,000.
Second, a striking aspect of the Bill is how burdensome it is for users to file a complaint to the DPB. Once a complaint is filed, the DPB has the power to “close” proceedings on insufficient grounds at the preliminary stage. The Bill does not define what it envisions as insufficient grounds, or for that matter any bases on which complaints could be filed or rejected. It simply states that the function of the DPB would be to determine non-compliance with the Bill’s provisions and impose requisite penalties. Even if the inquiry proceeds, the DPB can, at any stage, conclude that a complaint is devoid of merits, and issue a warning or impose costs on the complainant. The Bill fails to lay down any guidelines for the DPB to assess such cases and doesn’t make it clear whether these costs will be capped at Rs 10,000. Finally, what happens in cases wherein the DPB concludes that there has been a transgression by a processing entity resulting in privacy harm to a user? The Bill states that it can only impose penalties where it has found such a transgression to be “significant” in nature. Predictably, the Bill does not provide guidance on how the “significance” of non-compliance is judged by the DPB. This is critical, as a plain reading of the bill makes it clear that the power of the DPB to impose penalties even where non-compliance is positively determined (although “non-significant”) is zero.
These powers would give the DPB, which is wholly controlled by the central government, substantial discretion in closing and concluding complaints against data-processing entities. Considering that users would be disproportionately burdened, both financially and logistically, in filing complaints against data-processing entities, these new conditions that the Bill proposes will only add to their woes. The Bill, by design, disincentivises users from filing complaints to remedy privacy harm. Users will be at a critical disadvantage in proceedings before the DPB, as they have to adhere to vague duties, meet multiple unclear and uncertain conditions to obtain a positive determination, and even then may not receive suitable redressal. Considering that there is no provision for awarding compensation to users in the Bill, it may be impractical for users to file complaints against data-processing entities, seriously limiting their right to seek redressal under the Bill.
Larger questions of the DPB’s independence aside, the Bill does little to provide it with the tools to impose requisite penalties and provide meaningful compensation. A law is only as strong as its enforcement. This strikes at the heart of the right to privacy of individuals and their realising informational autonomy and self-determination. There are certain pointed changes that the Bill could incorporate to address these challenges.
One, remove duties, since the primary goal of a data protection Bill is to protect the privacy of individuals. Second, empower the DPB to compensate users in cases of non-compliance; this will incentivise them to file complaints and provide meaningful redressal. Third, “Significance” should not be a pre-condition for the imposition of penalties. The DPB must, on the merits of the complaint, be able to determine penalties without a requirement to determine significance. And fourth, as a corollary to the previous point, the DPB should not be able to impose costs, sanctions, or obligations on users in any situation.
Until such challenges are addressed, and the practical circumstances of users are accounted for, meaningful data protection for Indian citizens cannot be a reality.