Wednesday, August 02, 2023

“Proposed Data Protection Board Of India Is At The Risk Of Becoming A Puppet Of The Centre”: MP John Brittas’ Dissent Note Appears In IT Panel Report.

Medianama: Vallari Sanzgiri: New Delhi: Wednesday, August 02, 2023.
The latest committee meeting saw Opposition MPs walk out and issue dissent notes on account of not being made aware of the adoption of such a report by the committee in the first place.
The Parliamentary Standing Committee On Communications and Information and Technology presented its report ‘Citizens’ Data Security And Privacy’ to the Lok Sabha and Rajya Sabha on August 1. MP John Brittas’ dissent note, which he submitted on July 26th during the latest committee meeting (find details below), was also made publicly available as a part of the report. Here’s the full text of the note:
NOTE OF DISSENT
It is imperative to note that the ‘Digital Personal Data Protection Bill’ had neither been introduced before either of the Houses of Parliament till date, nor was it referred to the Standing Committee by the Chairman of the Rajya Sabha or the Speaker, as the case may be, for examination.
According to the unequivocal provisions in Rules 331E (1) (b), 331H (a) & 331H (b) of Lok Sabha Rules and Rules 270 (b) & 273 (a) of the Rajya Sabha Rules, the Standing Committees are explicitly prohibited from examining any Bills that have not been referred to them by the Chairman or the Speaker after their introduction in either House.
Hence, it is evident that the above mentioned draft Report of the Standing Committee on Communications and Information Technology, containing Report on the examination and Recommendations of the Committee on the ‘Digital Personal Data Protection Bill’ are void ab initio and are ultra vires of the powers of the Standing Committee conferred by the Rules. The Rules proscribe the Standing Committee from examining such yet to be introduced Bills.
Without prejudice to the above, the following Note of Dissent vis-a-vis the draft Report presented to the Committee may also be recorded.
Note of dissent on the Recommendations in the draft Report titled as “Citizens’ data security and privacy” about the “Digital Personal Data Protection Bill”
There is excessive delegated legislation in the proposed Digital Personal Data Protection Bill, as the draft bill does not go into the specifics of the implementation. It seems as if the Government’s favourite catchphrase “as may be prescribed” is the highlight of this draft bill. It has been mentioned 18 times in a 24 page bill with only 30 clauses.
The proposed Bill gives Union Government unfettered power to give exemptions to government agencies [clause 18(2)] from the application of provisions of the Bill on specified grounds like sovereignty and integrity of India, friendly relations with foreign States, public order etc.
Additionally, clause 18(3) allows the Government to exempt any Data Fiduciary or a class of Data Fiduciary from the application of this proposed Act. Such sweeping exemptions raise major concerns like-
a. Whether it will meet the proportionality test set out by Supreme Court in the K.S. Puttaswamy Judgement (2017)? Will it not lead to violation of fundamental right to privacy?
It will lead to an untoward situation where any Data Fiduciary or any class of Fiduciaries would be able to exert pressure for seeking permission for exemption from the Act.
The proposed Data Protection Board of India is at the risk of becoming a puppet of the Centre, because everything ranging from composition, qualifications, tenure and procedure of appointment of members would be as per the whims and fancies of the Government.
The Joint Parliamentary Committee Report on the Personal Data Protection Bill, 2019 had recommended that a Selection Committee shall nominate the Data protection Authority. Members of the Committee itself should include: (i) Attorney General of India, (ii) an independent expert from fields such as data protection, information technology, or cyber laws, and (iii) Directors of an IIT and an IIM. None of this has been touched upon in the 2022 draft.
The bill does not include non-digital personal data, anonymized personal data, and non-personal data in its ambit, thus no protection is available to these kinds of data. It goes against the recommendations of the Joint Parliamentary committee on the Personal Data Protection Bill, 2019.
The Bill does not provide for the Right to data portability and the Right to be forgotten. The 2019 Bill on Data Protection and the Joint Parliamentary Committee, examining the 2019 Bill, recommended retaining these rights. The GDPR of EU also recognises these rights.
The bill removes the distinction between sensitive and critical personal data. This distinction was recommended by Justice Srikrishna and was included in the Personal Data Protection Bill, 2019 and the Joint Parliamentary Committee recommendations.
The draft bill no longer requires local storage of data. Businesses can only transfer data to countries notified by the Indian govt. During the examination of Ministry officials before the committee, it was deposed that a ‘negative list’ or a list of disapproved countries will be notified and cross-border data transfers to countries not on ‘negative list’ will be allowed on default basis. Without the assessment criteria being defined in the Digital Personal Data Protection Bill for such ‘negative list’, it could depend more on geopolitics than privacy safeguards.
Clause 24 of the draft bill talks about ‘Voluntary Undertaking’, under which the Data Protection Board has powers to accept voluntary undertaking with respect to noncompliance with any provisions of the proposed Act. Such a provision allows those who are non-compliant to avoid penalties ranging up to rupees 500 crore by giving a mere undertaking. The bill should clearly state the mechanism which the Data Protection Board would employ to accept such an undertaking.
While the Data Protection Board of India has the power to impose penalty on a Data Fiduciary for breach of personal data as per the Bill, it is not given the power to provide compensation to the aggrieved Data Principals. On the other hand, it is surprising to see that the Bill proposes a penalty of up to Rs 10,000 for Data Principals, in case, he/she fails to comply with section 16 of the Bill (Duties of Data Principal).
The Bill [as per clause 30(1)(a)] amends the IT act, 2000 and proposes to omit section 43A of the IT act. Section 43(A) of the IT Act, 2000 enables an aggrieved person to demand compensation from a body corporate due to any negligence in handling any sensitive personal data, thereby causing wrongful loss or wrongful gain to any person. This further accentuates the precarious situation of Data Principals. The GDPR of EU, on the other hand, specifically provides for Right to compensation to an aggrieved party under Article 82 for damage caused as a result of an infringement of the provisions of the regulation.
Section 8(1)(j) of the RTI act allows personal information to be disclosed if the larger public interest justifies the disclosure of such information (subject to satisfaction of Central Public Information Officer or the State Public Information Officer or the appellate authority), or it is related to any public activity or interest; even if the disclosure causes unwarranted invasion of the privacy of the individual, or if it is such an information which cannot be denied to the Parliament or a State Legislature. These portions are proposed to be deleted vide section 30(2) of the new Digital personal Data Protection Bill making all personal information exempt from RTI Act. This would fundamentally weaken the RTI Act and adversely impact the ability of people to access information and will definitely curtail transparency in the Government.
Notice requirements weakened: Compared to past versions, data fiduciaries do not have to inform principals about the third-parties with whom their data will be shared, the duration for which their data will be stored and if their data will be transferred to other countries.
Vague non-consensual processing of data permitted: The DPDPB, 2022 allows the Data Fiduciary to “deem” or assume consent of the Data Principal if the processing is considered necessary as per certain situations such as for the breakdown of public order, for purposes related to employment, and in public interest.
Update on Aug 1 ’23 at 3:35 PM: IT Minister Rajeev Chandrasekhar took to Twitter this morning to clarify that the DPDP bill has not been referred to the Parliamentary Standing Committee on Information Technology in the first place since “No bill including the proposed DPDP (Digital Personal Data Protection Bill) can be referred to any committee unless it is done so by Parliament.” He went on to label the news as misinformation and “completely wrong.”
Chandrasekhar’s tweet was in response to a tweet by Opposition MP John Brittas who, as per an Indian Express report, wrote a letter to the Lok Sabha speaker and Rajya Sabha chairperson urging them to refrain from tabling the Committee Report in the parliament. Sharing a picture of the news report in his tweet, Brittas wrote “The ruling party has no hesitation to trample on the rules and regulations. Adoption of a report on DDPT was another instance.”
Continuing the exchange, John Brittas responded to Chandrasekhar’s “misinformation” tweet taking a rather sarcastic tone and said “Thanks hon minister @Rajeev_GoI for responding to my tweet. You just endorsed my position.”
In his letter, Brittas wrote that “It is imperative to note that the said Digital Personal Data Protection Bill had neither been introduced before either of the Houses of Parliament till date, nor was it referred to the Standing Committee by the Chairman of the Rajya Sabha or the Speaker, as the case may be, for examination,” as per the Indian Express report.
Original story published on July 28 ’23: The Parliamentary Standing Committee on Information Technology recommended that the Draft Digital Personal Data Protection Bill, 2023 should be successfully enacted into law “without any undue delay,” as per a source-based report by Economic Times (ET). MediaNama has reached out to the Lok Sabha Secretary General for confirmation on this news.
As per the ET report, the Committee readied a 40-page report on the data protection Bill—slated to be tabled in Parliament this monsoon session—and encouraged the implementation of the provisions of the Bill. However, Opposition MPs like Congress’ Karti Chidambaram, Trinamool’s Mahua Moitra and Jawhar Sircar, CPI-M’s John Brittas and TDP’s Jayadev Galla walked out of a committee meeting held on July 26, 2023, claiming that they were not made aware of the adoption of such a report by the committee. Brittas even went so far as to give a dissent note that raised concerns about blanket exemptions for certain government agencies. ET has claimed that more such dissent notes are to follow.
Meanwhile, experts and civil society groups on Twitter questioned how the Standing Committee could endorse the passing of a Bill that hasn’t even been made available to its own members.
Earlier, in April 2023, Union IT Minister Ashwini Vaishnaw had claimed that the Standing Committee reportedly examined the 2022 version of the Bill and gave it the green light. However, replies sent to MediaNama by MPs failed to confirm this.
The 2023 Bill will be the fifth iteration of the data protection Bill starting from the original document first presented in 2018. Already a Joint Parliamentary Committee had given copious suggestions and improvements to this Bill in the 2021 version. However, the 2022 version completely revamped the provisions of the Bill and included new concepts like deemed consent (consent that is deemed to have been given by a user). Other concerns raised regarding the 2022 version of the Bill were: the “as may be prescribed” clauses that gave too much power to the government, a weakened Data Protection Board, wide government exemptions that can take any of its entities outside the purview of the Bill, and a high age of consent at 18 years.