Last Friday, the Union government released a new draft digital data protection bill, the latest instalment of what has, for the past few years, begun to feel like a never-ending saga. As someone working on a data protection law for the country for over a decade, it sometimes feels like I have been running on a hamster wheel for a really long time. But as I read through the recent draft, I felt, for the first time, that there might finally be some light at the end of the tunnel.
The new draft is simple. The drafters clearly intended for it to be understandable by the widest possible audience. I loved the liberal use of illustrations to explain how clauses should be interpreted – a drafting technique that has, sadly, fallen out of favor among modern practitioners of legislative drafting. For a law that is looking to introduce a powerful new regulatory regime with implications for the citizen, the relatability of such an approach will stand us in good stead.
That said, the simplicity I admired has caused consternation among some of my brethren in the legal fraternity. Lawyers love their laws to be dripping with detail. But, as I have said many times in the past, this is not how technology should be regulated. The more detail we stuff into the law, the greater is the likelihood that it will be rendered unworkable by new evolutions in technology. We need, instead, to enact agile, principles-based laws that allow regulators to respond most effectively to the moving targets that technology presents.
Concern has also been expressed about other aspects of the law, including the fact that the government has exempted itself from the application of many of the substantive provisions of the law. In the first place, exemptions of this kind are present in almost every data protection law in the world. Europe’s General Data Protection Regulation (GDPR) — widely recognized as the gold standard for data protection regulation — expressly exempts portions of the law for the enforcement of civil law claims; on the grounds of national security, defence, public security; and for the prevention, investigation, detection or prosecution of criminal offences. These are almost exactly the grounds under which the exemptions have been granted in Section 18(1) of the new draft.
The mere fact that the government is exempt from the applicability of some of the provisions of this law does not mean that the government is no longer subject to its constitutional obligations, or the responsibilities imposed on it by the 2017 Puttaswamy judgment. Those obligations hang, like the Sword of Damocles, over every action the government takes, regardless of what the specific text of the bill may say.
When compared with the versions that came before it, the exemptions set out in the latest draft law are relatively benign. The last two drafts of the law contained provisions that sought to exempt agencies of the government from the application of the Act as a whole, but this draft is comparatively more measured, stipulating that it will apply broadly to all of the government, except for a few globally recognized exemptions.
This is not to say that the draft is without its shortcomings. There are some key data protection concepts that are missing from the draft that the government would do well to consider including. Foremost among these is, in my view, the right to data portability. In this era of population-scale data silos, individuals should be able to extract data that pertains to them from data silos in which they have been stored. A right to data portability will not only give individuals more meaningful control over their data, it will also serve as an effective measure to prevent the consolidation of data in the hands of a few.
Regulators around the world are struggling to make the right to data portability more effective and meaningful. India, with its powerful techno-legal digital public infrastructure, has the ability to show the world how data portability should be done. But first, the right needs to be clearly defined in the law.
If I had one more wish, I would use it to change some of the terms used in the bill to align more closely with global practices. Ever since Justice BN Srikrishna rechristened data subjects as data principals and data controllers as data fiduciaries, successive drafts have attempted to introduce non-standard terms into jurisprudence. This draft is no exception. What the rest of the world calls the data protection authority is referred to here as the data protection board. Legitimate interest and reasonable purpose, alternative grounds of processing that are included in most privacy laws, have, rather unfortunately, been called “deemed consent”, giving rise to a wholly unnecessary discussion around how this will further erode individual autonomy.
What’s in a name, you might ask? Nothing, I’d reply, so long as the provision substantially achieves the desired ends. But loosely worded headings can, as we have seen, unleash a firestorm of protest that we could well avoid.
Rahul Matthan is a partner at Trilegal
The views expressed are personal