Justice B.N. Srikrishna shares his concerns around the Digital Personal Data Protection Bill, and areas that warrant greater introspection
In mid-2017, the ministry of electronics and information technology (MeitY) appointed a 10-member Srikrishna Committee, under the chairmanship of Justice B.N. Srikrishna, to submit a detailed report on privacy and draft the Personal Data Protection Bill.
Last week, after a long uncertainty, the Union government released the fourth version of the bill called as the Digital Personal Data Protection Bill (DPDP Bill), 2022, for public comments. The new bill comes in after the withdrawal of the previous draft around three months back.
The industry has welcomed the DPDP Bill that would aid them to conduct business with assurance, and help resolve disputes.
On the sidelines of the ET Edge Security Tech Summit, I caught up with retired Supreme Court judge, B.N. Srikrishna, the man who spearheaded the committee that came up with the first draft of the personal data protection bill in July 2018. In this interview, he spoke about his concerns around the bill, and areas that warrant greater introspection. Edited Excerpts:
Is the new DPDP Bill, 2022 in line with what the committee led by you had originally envisaged?
Our recommendations have been thrown away. There is no distinction between sensitive personal data and critical personal data.
Have you read the bill? Your data will be accessed without your consent. Is that ok with you? There is far too much freedom given to the government in the bill. Read the Section 18, it gives the government total exemption.
The bill states that “no public disclosure of the submissions will be made.” Rather than bringing transparency it looks to weaken public trust and hampers the principles of accountability.
The data protection law should be agnostic, and it should apply across the board, right from the government to private entities to an individual.
What according to you are the key concern areas in the new DPDP Bill, 2022 and warrant greater introspection?
The new draft proposes the establishment of a Data Protection Board of India, whose strength and composition, the process of selection, etc. will be prescribed by the Union government.
We have the Reserve Bank of India (RBI) that regulates the banks, there is the Insurance Regulatory and Development Authority (IRDA) that regulates the insurance sector, we have Telecom Regulatory Authority of India (TRAI) for the telecom sector.
Who should be qualified to be a member of the data protection board? If the appointment of the board members will be done by the government, how can it be independent. Who is the regulator here? Our IT minister stated that the ministry is not the regulator. So we have no regulator here.
Second, why data stored in physical format is not included under the bill’s purview? Why is it applicable only to a digital process?
In our initial report we had we had proposed that data, irrespective of the format it is stored, will be subject to the Act. For instance, if a company says that they will maintain their data on an offline computer or on ledger, is there a law that says that they cannot. Is there a law that states that one must only use digital tech to store data and records? No.
The easing of rules on data storage has been welcomed by corporates/ big tech solution providers.
How do you see an individual’s right to privacy through the lens of this Bill?
Imagine a pyramid, where the citizen/individual is at the top, whereas the government and the industry/corporates are at the bottom sides. With this new draft bill, the pyramid now stands inverted.
The individual is not the focus, protections of their privacy and their rights is not present.
As I said earlier, it is good for government agencies and could prove beneficial for corporates and big tech companies; however, it does little to guard the fundamental right to privacy of individual. There is lacuna in the bill and I hope the government understands this.