IFF's first read of the draft Digital Personal Data Protection Bill, 2022
The Ministry of Electronics & Information Technology has released the draft Digital Personal Data Protection Bill, 2022 [DPDPB, 2022] for public consultation. The feedback on the DPDPB, 2022 may be submitted on MyGov website in a chapter wise manner by December 17, 2022. The link for submission of comments will be provided by the Ministry at a later date. While we appreciate that a draft bill has been put out for public consultation, we would have preferred if the Ministry had made available, through a white paper, the issues it considered while developing the “comprehensive legal framework”, of which the DPDPB, 2022 will be a crucial part. The DPDPB, 2022 contains around 30 clauses, shrunk considerably from previous drafts of data protection proposals which contained 90+ clauses. As per the explanatory memorandum this is to achieve simplicity in drafting, however has made the present version bereft of first principles at several places. Further, we are concerned that the notice of public consultation accompanying the DPDPB, 2022 states that “no public disclosure of the submissions will be made”. This will weaken public trust in the development of the DPDPB, 2022 as it hampers the principles of transparency and accountability in the consultation process. Below, we lay down some of our initial concerns after a preliminary reading of the draft.
Exemptions continue to facilitate state surveillance
Clause 18 of the DPDPB, 2022 carries forward the wide and vague exemptions that were provided to the Union Government in clauses 35, 36, 37, 38, & 39 of the Data Protection Bill, 2021 [DPB, 2021]. Specifically, Clause 18(2)(a) of the DPDPB, 2022 replicates Clause 35 of the DPB, 2021 and allows the Union Government to exempt any “instrumentality” of the State from the application of DPDPB, 2022 in the interests of “sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these”. This would give the notified government instrumentalities immunity from the application of the law, which could result in immense violations of citizen privacy. This is because these standards are excessively vague and broad, therefore open to misinterpretation and misuse. If the law is not applied to government instrumentalities, data collection and processing in the absence of any data protection standards could result in mass surveillance. Any exemption sought by government agencies should be granted only if they fulfil the standards of legality, necessity, and proportionality. It is essential that government collection and processing of citizen data is regulated to prevent misuse of use.
Further, Clauses 8(6), (7), & (8) state that consent of a Data Principal for data processing will be deemed in certain situations including for the maintenance of public order, purposes related to employment, and in public interest respectively. These categories allow for wide and vague interpretations of when a Data Principal has been deemed to have consented thereby allowing for excessive processing of personal data collected in the absence of specific and informed consent.
Data Protection Board still not independent
Chapter 5 of the DPDPB, 2022 lays down the compliance framework for its provisions. Under Clause 19(2), the strength and composition of the Board, the process of selection, the terms and conditions of appointment and service, and the removal of its Chairperson and other Members shall be such as may be prescribed by the Union Government at a later stage. Further Clause 19(3), the Chief Executive of the Board will be appointed by the Union Government. These provisions continue the disappointments of previous iterations as the Data Protection Board (DPB) still does not have the independence needed to sufficiently protect the interests of Data Principals.
As a result, the board may perpetuate the hierarchies of the government set-up. Since the DPB will oversee compliance to the provisions of the legislation by the private sector as well as government agencies, it is pertinent that the board be fundamentally independent from the executive's control.
Reduced obligations under notice
Data fiduciaries inform / seek consent from data principals regarding the processing of their data through privacy policies which are referred to as ‘notices’ in data protection laws. Currently, privacy policies are cumbersome, filled with legalese and lack important information. As a result, data principals consent to policies they do not fully understand. Data protection laws ought to address this issue by mandating fiduciaries to include information in their policies, which would assist data principals.
However, Clause 6 of DPDPB, 2022 requires data fiduciaries to merely notify the data principal, the nature of the data they will be collecting and the purpose for which such data may be processed. Unlike previous iterations of the bill, it does not require data fiduciaries to inform principals about the third-parties with whom their data will be shared, the duration for which their data will be stored and if their data will be transferred to other countries. Thus, data fiduciaries can continue to obtain consent of principals by providing limited information and then using their personal data in a manner principals might not have anticipated.
Duties and Penalties imposed on Data Principals
The DPDPB, 2022 provides the right to information about personal data [Clause 12], the right to correction and erasure [Clause 13], the right of grievance redressal [Clause 14], and the right to nominate [Clause 15] to Data Principals. However, it also imposes certain duties and penalties on them. Under Clause 16, duties imposed on the Data Principal include complying with the provisions of all applicable laws, not registering a false or frivolous grievance or complaint with a Data Fiduciary or the Data Protection Board, not furnishing any false particulars or suppress any material information or impersonate another person, and furnishing only such information as is verifiably authentic. Non-compliance with this Clause carries a penalty of upto 10,000 INR which may be imposed on the Data Principal. These are worrying developments since a legislation that is supposed to protect the rights of individuals is now imposing penalties on them.
As may be prescribed…
The DPDPB, 2022 mentions the phrase “as may be prescribed” 18 times. This is symbolic of the vague and unchecked powers that the Union Government has retained for itself to frame rules at a later stage in the absence of legislative guidance. Instances where such gaps exist include:
- the technical, operational, financial and other conditions for the registration of consent managers [Clause 7(7)];
- any fair and reasonable purposes for which a Data Principal will be deemed to have given consent to the processing of her personal data [Clause 8(9)]
- processing of personal data that is likely to cause harm to a child [Clause 10(2)];
- the strength and composition of the Data Protection Board and the process of selection, terms and conditions of appointment and service, removal of its Chairperson and other Members [Clause 19(2)]; and
- The terms and conditions of appointment and service of other officers and employees of the Data Protection Board [Clause 19(4)].
Additionally, Clause 18(3) may allow the Union Government to arbitrarily exempt certain Data Fiduciaries from the application of Clause 6 [notice], sub-clauses (2) [obligations of Data Fiduciary to keep data collected accurate and complete] and (6) [obligations of Data Fiduciary to cease retention of collected data] of Clause 9, Clauses 10 [Additional obligations in relation to processing of personal data of children], 11 [Additional obligations of Significant Data Fiduciary] and 12 [Right to information about personal data].
Data localisation done away with
Clause 17 of the DPDPB, 2022 removes the requirement of data localisation and appears to replace it with an ‘allowlist approach’ as data fiduciaries can only transfer personal data to such countries as the Union Government may prescribe, implying that transfer of data to any other country is prohibited. Clause 17 does not prescribe any standards / criteria based on which the Union Government should decide which countries to allow data transfers to. This enables arbitrary exercise of power where countries may be selected or not selected based on considerations other than protection of personal data of Indians. This is in contrast with Articles 44 to 50 of the General Data Protection Regime which permits transfer of personal data of Europeans only to such countries which provide a minimum level of protection to such data.
A significant issue with previous iterations of the bill was that they did not require data fiduciaries to notify data principals in the event of a breach. Thus, users whose data has been breached, would not have even known that their data has been compromised. Clause 9(3) of DPDPB, 2022 addresses this concern by mandating fiduciaries to notify the Board and Data Principals whenever there is a breach, irrespective of its nature. Clause 20(3) then empowers the Board to issue directions to Data Fiduciary to adopt urgent measures to remedy personal data breach or mitigate any harm caused to Data Principals. While this is welcome, there would be an overlap between the role of the Board and the Computer Emergency Response Team, which is supposed to respond to data breaches currently.
Another positive in the bill is that significant hurdles have been imposed in the processing of childrens’ personal data. Clause 10(3) prohibits them from undertaking tracking or behavioural monitoring of children or targeted advertising directed at children. This provision is welcome but the Union Government has been permitted to exempt data fiduciaries from both these requirements. Again, the bill does not mention the criteria or the standard based on which the Union Government would grant such an exemption.
Miles to go…
The existing legal vacuum on data protection portends an Orwellian state and is clearly an infringement of the fundamental right to privacy. The shortcomings of the DPDPB, 2022 are an opportunity for stakeholders participating in the public consultation process to push for the foundational principles that were laid down by the Supreme Court in the Right to Privacy decision in 2017. We resolve to continue fighting for your privacy and other digital rights.
- The draft Digital Personal Data Protection Bill, 2022 dated November 18, 2022 (link)
- Explanatory note accompanying the draft Digital Personal Data Protection Bill, 2022 dated November 18, 2022(link)
- Notice of public consultation for the draft Digital Personal Data Protection Bill, 2022 dated November 18, 2022 (link)