The Government has released the draft of the proposed Digital Personal Data Protection Bill, 2022 (DPDP Bill) for public comments. The Bill is expected to be introduced in Parliament in the Budget Session of 2023. The Bill has undergone multiple iterations. The first draft, the Personal Data Protection Bill, 2018, was proposed by the Justice Srikrishna Committee. The Committee was set up by the Ministry of Electronics and Information Technology (MeitY) with the mandate of setting out a data protection law for India. The Government revised this draft and introduced the Personal Data Protection Bill, 2019 (PDP Bill, 2019) in the Lok Sabha in 2019. The Bill was referred to a Joint Parliamentary Committee (JPC). The JPC Report was accompanied by a new draft bill, namely the Data Protection Bill, 2021, which incorporated the recommendations of the JPC. However, the Bill was withdrawn in August 2022. Now the Government has released the new Digital Personal Data Protection Bill, 2022.
Why was the Personal Data Protection Bill, 2019 withdrawn?
The Government said that the 2019 Bill had been deliberated in great detail by the JPC, which proposed 81 amendments and 12 recommendations towards a comprehensive legal framework for the digital ecosystem. The Government decided to work on such a comprehensive legal framework and withdrew the Bill.
What are the benefits/positive aspects of the Digital Personal Data Protection Bill, 2022?
Data Protection Board of India: The Board would be empowered to direct Data Fiduciaries to adopt urgent measures to respond to Personal Data breaches. It will have the same status as a civil court, and its decisions will be appealable to a High Court. A Data Fiduciary is any person who determines the purpose and means of processing of Personal Data (e.g., social media platforms can be Data Fiduciaries).
Simplified Notice and Consent Requirements: The DPDP Bill contains significantly less onerous notice requirements than the 2021 Bill. The DPDP Bill requires Data Fiduciaries to obtain consent from Data Principals prior to processing their Personal Data. Consent is sought through an itemised notice containing a description of the Personal Data being collected and the purpose of processing. The request for consent must be in clear and plain language and must be available in the 22 (twenty-two) languages listed in the Eighth Schedule of the Constitution of India. A Data Principal is the individual to whom the Personal Data relates (e.g., social media users can be Data Principals).
Introduction of ‘Deemed Consent’: The DPDP Bill has introduced the concept of ‘deemed consent’. It intends to enable processing of Personal Data without explicit consent where it is “reasonably expected that the Data Principal would provide such Personal Data”. Other grounds for deemed consent include purposes related to employment (including biometric information) and public interest purposes such as debt recovery and prevention of fraud. This also simplifies the consent requirement.
Rights of Data Principals: The DPDP Bill continues to grant Data Principals rights in relation to their Personal Data, such as the right of correction, right of erasure and right to be forgotten. The DPDP Bill provides the right to nominate any other individual to exercise the rights of the Data Principal in the event of their death or incapacity.
Clarity on Consent Managers: The Bill clarifies that Consent Managers will be interoperable platforms registered with the Board. These platforms will enable individuals to manage, review and withdraw consent provided across Data Fiduciaries and platforms.
Duties of Data Principals: The DPDP Bill also imposes certain duties on Data Principals, including the duty to comply with the provisions of “all applicable laws”, and a duty to furnish only such information as is verifiably authentic while exercising the right to correction or erasure of Personal Data.
Significant Data Fiduciaries (SDFs): The DPDP Bill retains the concept of ‘Significant Data Fiduciaries’ (SDFs) and allows the Government to notify an SDF based on, among other things, the volume and sensitivity of Personal Data processed by it, the risk of harm to Data Principals, the potential national impact and the impact on public order.
Compliances for SDFs: An SDF must (a) appoint a data protection officer based in India as its representative and point of contact for grievance redressal; (b) appoint an independent data auditor to evaluate its compliance; and (c) undertake a data protection impact assessment (DPIA) and periodic audits.
What are the concerns associated with the Digital Personal Data Protection Bill, 2022?
Missing Rights for Data Principals: The Bill misses out on two main rights for Data Principals:
(a) Right to data portability: It would have allowed the Data Principal to receive their Personal Data (both the data they provided to the Data Fiduciary and the data the Fiduciary generated through processing) in a structured format. This would have allowed them to choose between different platforms and enhanced competition between Data Fiduciaries, increasing consumer welfare. It would also have eliminated the need to provide all their Personal Data again when switching platforms.
(b) Right to be forgotten: It would have allowed the Data Principal to ask the Data Fiduciary to stop the continuing disclosure of their Personal Data. The DPDP Bill, 2022 subsumes this right under the right to erasure. Conflating the general right to erasure with the right to be forgotten, which is specific to the disclosure of Personal Data, compromises the right to freedom of speech and expression of other individuals.
Narrow Focus: (a) It is focused on Personal Data and excludes non-personal data, which was a demand of industry and civil society alike; (b) It eliminates the categorisation of Personal Data into sensitive and critical.
Government Control: The regulator is now a Data Protection Board, with its role limited to enforcement and penalties. The other aspects of implementing the law are left entirely to the Union Government (which will do so through rules) and not to the specialised regulator. While the Data Protection Authority was earlier envisaged as a statutory authority (under the 2019 Bill), the Data Protection Board is now a Board set up by the Union Government. The Government will have a say in the composition of the Board, terms of service, etc.
Data Localisation: The draft law does not require local storage of data. Unlike previous versions, it does not ask businesses to store certain sensitive and critical data exclusively in India or to mirror a copy of such data on Indian servers. But it does not allow free flows of data across borders either. Businesses can only transfer data to countries that are notified by the Government of India. The criteria for whitelisting the countries to which data flows will be allowed are not clear.
Data Localisation has been a contentious issue, including in the ongoing FTA negotiations with the UK. Without the assessment criteria being defined in the law, whitelisting could come to depend more on geopolitics than on appropriate privacy safeguards.
No Criminal Liability: The Bill only prescribes monetary penalties (under Schedule 1 of the DPDP Bill) for breaches and non-compliances, and limits such penalties to breaches/non-compliances that the Data Protection Board determines to be ‘significant’. The DPDP Bill has done away with criminal liability, as well as with penalties directly linked to the turnover or revenue of an erring Data Fiduciary. Penalties vary from INR 50 crore to INR 250 crore. Section 25 stipulates that the maximum penalty is limited to INR 500 crore.
Data of Children: The Bill requires parental consent for individuals below 18 years of age. Parental consent would be required every time they want to access the internet. Some experts have criticised this: (a) The Bill fails to recognise that the consent of a toddler is different from that of an adolescent, and thereby disregards children's evolving capacity; (b) It might hamper their access to the internet; (c) Requiring consent from parents would hamper the autonomous development of children, since parents may not want them to be exposed to viewpoints contrary to their own. Such restrictions are in violation of India’s obligations under the Convention on the Rights of the Child.
Data Collection: The draft removes explicit reference to certain data protection principles, such as collection limitation. A Data Fiduciary can collect any Personal Data consented to by the Data Principal. Data Principals often lack the awareness needed to judge which Personal Data is relevant for a particular purpose (e.g., a photo filter app has no need for device location or contacts, yet many such apps seek these details).
Government Exemptions: Government bodies can be exempted from the application of the law in the interests of India’s sovereignty and integrity, security, foreign relations, public order and others. There is no bar on how long government agencies can retain data. The earlier version of the Bill subjected government exemptions to a “just, fair, reasonable and proportionate” procedure, which is missing from the latest draft.
Reduced Information Requirement: The previous versions required considerable information to be provided to the Data Principal, covering the rights of Data Principals, the grievance redressal mechanism, the retention period of the information, the source of the information collected, etc. The current draft reduces the scope of this information to the Personal Data sought to be collected and the purpose of processing it.
What steps can be taken going ahead?
First, the Government should consider giving the Data Protection Board statutory status.
Second, more provisions should be covered in the legislation itself rather than left to rule-making by the Government (Executive).
Third, a plan should be put in place to compensate individuals in the event of a data breach.
Fourth, the right to privacy must be respected, which, critics argue, seems to be lacking here. Rights such as data portability and the right to opt out of data collection must be included.
Fifth, the principles of the General Data Protection Regulation (GDPR) of the EU can be incorporated in the draft Bill.
Several experts have lauded the improvements in the draft Digital Personal Data Protection Bill, 2022 over the earlier versions. Yet several concerns remain. The Government should try to incorporate the comments of civil society and the public on the Bill before it is introduced in Parliament.
Syllabus: GS II, Government policies and interventions for development in various sectors and issues arising out of their design and implementation; GS III, Awareness in the field of IT.