India’s Digital Personal Data Protection Rules prioritise accountability to the government and end up undermining user privacy rights, policy experts told businessline. Moreover, the consultation process to finalise the Rules is exclusionary: it leaves out those who are not proficient in Hindi or English, given that explanatory notes are not available in regional languages.
Looking at specific provisions relating to State powers, data breaches and the Data Protection Board, experts said the draft rules fail to put users at the centre of the legislation.
Internet Freedom Foundation (IFF), a digital rights advocacy group, said that several provisions of the Rules fail to meet the constitutional requirements mentioned in the K S Puttaswamy judgment which had upheld citizens’ right to privacy and specified a test to ensure that the government did not violate this right.
As an example of how the Rules fail this test, Apar Gupta, Founder-Director of the IFF, spoke about the Centre’s power to call for information from data fiduciaries (companies/entities).
“The power is without any kind of limitation or safeguards, which are there for interception orders. So, there’s no requirement for a Cabinet Secretary to record in writing reasons for any of the information that may be requested from an entity. The ambit is very broad,” he said, stating that this violates the necessity and proportionality test under the Puttaswamy judgment.
Similarly, the Rules also exempt the government from seeking user consent to process their personal data in the case of subsidies, licenses, etc.
Here too, Gupta said that the Rules do not limit the action to a specified purpose as is required under the Puttaswamy test or even the data protection Act. As such, he said that the government and public authorities do not come under a regulation that will exist for the private sector.
The consultation process is marred by a checkbox approach: public comments on the Rules have been invited in Hindi and English, without an explanatory note translated into regional languages, the experts said. In effect, this restricts public comments to the most privileged (technical experts, lawyers, trade associations and companies) rather than the public, they said.
IFF said that an approach note must be published in multiple languages inviting broad, diverse comments from communities and movements such as those who work on the right to transparency and entitlements. This would encourage citizens, industry, and civil society participation in the rules, it said.
Akshaya Suresh, Partner, JSA Advocates & Solicitors, also said that the theme of the Rules has been ensuring accountability to the government and ease of doing business, rather than user rights.
“The Puttaswamy judgment essentially put an individual’s fundamental right to privacy centre stage. Now this part, I feel, has not been addressed well within the Act and the Rules. There’s no clear timeline prescribed for notifying an affected individual of data breach, no maximum timeline prescribed for responding to their requests for exercising their rights or for grievance redressal by the data fiduciary,” said Suresh.
While the draft Rules do include provisions directing companies to inform the Board about data breaches within 72 hours, this time limit does not apply to users. In the case of the individual, the Rules only ask companies to inform them about the breach “to the best of your knowledge, without delay.” Adding to this, Gupta pointed out that the provision also lacks further remedial measures like audit reports specifically regarding the technical or operational gaps that led to that data breach.
Autonomous Data Protection Board
Gupta called for greater autonomy of the Board from the government. Currently, the Board Chairperson and members are to be appointed by a Search-cum-Selection Committee headed by the Cabinet Secretary. The conditions of their service will also be determined by the Centre. Gupta said this hinders the independence of the Board.
“For instance, if the urge comes of the selection committee that comprises a Cabinet Secretary, then the Data Protection Board essentially becomes an extension of the Central government… one very well knows that even recommendations by these kind of committees have been refused in the past by the Central government,” Gupta told businessline.
“If the Ministry of Home Affairs gathers user information without compliance with the law and a complaint is filed to the Board, will the Chairperson, who for his leave and entitlements needs to write to the government, be able to take the investigation on board without any apprehension of bias? If you go through the annexures and compensation of the Board, it is strikingly obvious that the digital data protection will not apply to the public sector and state instrumentalities,” he said.
He also called for further clarity on how the entire administration will function considering the Board has no regulatory powers.
“The law requires to a very high extent a regulatory body. It is not as if the Board can issue guidance, circulars or advisories. Its ambit is limited to adjudicate breaches, complaints made to it. So one does not know how it will function,” said Gupta.