India’s Digital Personal Data Protection Rules prioritise accountability to the government and end up undermining user privacy rights, policy experts told businessline.

Looking at specific provisions relating to State powers, data breaches and Data Protection Board, experts said the draft rules fail to put users at the centre of the legislation.

Internet Freedom Foundation (IFF), a digital rights advocacy group, said that several provisions of the Rules fail to meet the constitutional requirements mentioned in the K S Puttaswamy judgment.

This landmark judgement by the Supreme Court of India in 2017 upheld citizens’ right to privacy and specified a test to ensure that the government did not violate this right. As an example on how the Rules fail this test, Apart Gupta, Founder-Director of the IFF, spoke about the central government power to call for information from data fiduciaries (companies/ entities).

“The power is without any kind of limitation or safeguards, which are there for say interception orders. So, there’s no requirement for a Cabinet Secretary to record in writing reasons for any of the information that may be requested from an entity. The ambit is very broad,” he said, stating that this violates the necessity and proportionality test under the Puttaswamy judgement.

Similarly, the Rules also exempt the government from seeking user consent to process their personal data in case of subsidies, licenses etc.

Here too, Gupta said that the Rules do not limit the action to a specified purpose as is required under the Puttaswamy test or even the data protection Act. As such, he said that the government and public authorities do not come under a regulation that will exist for the private sector.

Akshaya Suresh, Partner, JSA Advocates & Solicitors, too said that the theme of the Rules has been in ensuring accountability to the government and ease of doing business, rather than user rights.

“The Puttaswamy judgment essentially put an individual’s fundamental right to privacy centre stage. Now this part, I feel, has not been addressed well within the Act and the Rules. There’s no clear timeline prescribed for notifying an affected individual of data breach, no maximum timeline prescribed for responding to their requests for exercising their rights or for grievance redressal by the data fiduciary,” said Suresh.

While the draft Rules do include provisions directing companies to inform the Board about data breaches within 72 hours, this time limit does not apply for users. In case of the individual, the Rules only ask companies to inform them about the breach “to the best of your knowledge, without delay.” Adding to this, Gupta pointed out that the provision also lacks further remedial measures like audit reports specifically regarding the technical or operational gaps that led to that data breach.

Need for an autonomous Data Protection Board

Gupta called for greater autonomy of the Board from the government. Currently, the Board Chairperson and members are to be appointed by a Search-cum-Selection Committee headed by the Cabinet Secretary. The conditions of their service will also determined by the central government. Gupta said this hinders the independence of the Board.

“If the Ministry of Home Affairs gathers user information without compliance with the law and a complaint is filed to the Board, will the Chairperson, who for his leave and entitlements needs to write to the government, be able to take the investigation on board without any apprehension of bias? If you go through the annexures and compensation of the Board, it is strikingly obvious that the digital data protection will not apply to the public sector and state instrumentalities,” he said.

He also called for further clarity on how the entire administration will function considering the Board has no regulatory powers.

“The law requires to a very high extent a reguatory body. It is not as if the Board can issue guidance, circulars or advisories. Its ambit is limited to adjudicate breaches, complaints made to it. So one does not know how will it function,” said Gupta.