A Defective Data Protection Board

Why in news?

The Digital Personal Data Protection Bill, 2022 is notably silent on the Data Protection Board which is the sole mechanism for the enforcement of rights and liabilities under the bill.

What has the bill provided on the Data Protection Board?

• Clause 19 of the Digital Personal Data Protection Bill, 2022 provides for the creation of the Data Protection Board.
• However, it is not created as a permanent body by the bill and is left to the government to issue a notification to create it.
• It also lacks details on its composition, qualifications of the chairperson, members and chief executive, the tenure and terms of conditions and even the appointment process.

What are the constitutional infirmities with the bill regarding the board?

• The bill excludes the jurisdiction of the civil courts in relation to the enforcement of rights provided under the bill.
• It makes the Data Protection Board the sole forum to address the violations.
• With the jurisdiction of a civil court being taken away, there has to be an efficacious alternate remedy without which the law will be struck down as being unconstitutional.
• This was the fate of the National Tax Tribunal Act, 2005, which was struck down in Madras Bar Association v Union of India and Anr (2014).
• Any violation of privacy or terms of contract relating to data protection can be addressed in the nearest court of law.
• However, the bill seeks to vest jurisdiction in this matter only with the board, thus reducing the access to effective remedies to the citizens.

What are the difficulties in implementing the Bill?

• Exemptions – Sub clause (2) of Clause 18 allows the union government to exempt certain entities and certain kinds of processing from the provisions of the bill.
• In exempting certain kinds of processing, it states that such a processing need to be carried out in accordance with the standards laid down by the board.
• However, the bill contains no provision that gives the board the power to prescribe and enforce standards.
• Exercising the functions - As per Clause 20, the functions of the board are not just to adjudicate non-compliance with the provisions of the act but also to carry out such functions as the government may assign to the board.
• It is not clear whether the board will actually be able to exercise these functions as it lacks the legal powers to exercise these functions.
• Directing the data fiduciaries - The board has been given a function to direct a data fiduciary to take measures to prevent or mitigate harm to them as a result of a personal data breach.
• However, there is no provision regarding the power of the board to direct data fiduciaries or what happens if it fails to comply with the directions of the board.
• A power to direct a data fiduciary also brings the issue of whether the board is a purely adjudicatory body or if it has been delegated legislative and executive power as well.

What does this imply?

• Independence and impartiality - The provisions give little certainty on the independence and impartiality of the board in respect of resolving disputes.
• Right to privacy - The lack of clarity in respect of the board has serious implications for the right to privacy itself.
• Burden on the data principal - By providing for a stripped-down board, the bill effectively places the burden on enforcing the provisions of the bill on the data principal.