Tech
Digital Personal Data Protection Bill, 2022
In the last few years, multiple attempts have been made to bring a legislation to govern, regulate the use of and protect personal data in India.
In 2017, a Committee of Experts on a Data Protection Framework for India was constituted under the chairmanship of Justice B N Srikrishna. This Committee submitted its report and a draft Personal Data Protection Bill in 2018.
With some changes to this draft, the Government finally introduced a Personal Data Protection Bill, 2019 in the Lok Sabha in December 2019 and subsequently referred it to a Joint Parliamentary Committee (JPC) for further refinement.
The JPC submitted its report to Parliament in 2021 and suggested 81 amendments to the 2019 Bill, including extending the scope of protection to non-personal data, suggesting stricter data localisation and recommending more accountability for social media platforms which do not act as simply intermediaries.
Following industry criticism of the JPC’s Bill, especially on data localisation, the government withdrew the Personal Data Protection Bill, 2019 in August of this year and signified its intention to propose a ‘comprehensive’ framework for digital privacy.
Ministry of Electronics and Information Technology (MeitY), on 18 November released a draft of this much awaited legislation, the Digital Personal Data Protection Bill, 2022 (the “Bill”).
This Bill is a wide departure from its previous versions. The government seems to have taken industry concerns on board and simplified compliance requirements to a great extent.
From an industry perspective, this Bill has quite a few positives:
To start with, the scope of the legislation has been whittled down to only ‘automated’ processing of digital personal data. Non-personal data and non-digital data is completely excluded from regulation.
It has also added multiple scenarios where consent of an individual to process their data can be ‘deemed’.
Sensitive personal data like financial or health data, is not categorised separately in this Bill and no special provisions apply to its processing.
This Bill has kicked the can of data localisation down the road to issue of government notifications at a later point in time.
This Bill also stipulates penalties only for ‘significant’ violations and has removed any criminal penalties.
All in all, the effort of compliance will not be very high for businesses.
From the data principal’s (the individual to whom the data relates) perspective though, this Bill is a miss:
Giving consent has almost been made farcical as service can be denied if consent for data collection is not given and there are multiple instances where consent can be presumed.
It is not clear if the individual will even receive a notice of what data is collected, for what purpose, with whom will it be shared, how long it will be retained etc., where consent can be presumed.
The data principal’s rights have been diluted from the 2019 Bill. Specifically, the right to data portability and the right to be forgotten have been dropped.
There is no option for the data principal to opt-out of profiling or targeted advertising.
There are some other generally good developments in this Bill:
The Bill provides an option to the data principal to receive a request for consent in English or any one of the languages specified in the Eighth Schedule of our Constitution.
The Bill provides for a ‘consent manager’, an accessible, transparent and interoperable platform to receive and manage consent.
The Bill prohibits tracking, behavioural monitoring of or advertising targeted at children.
The Bill prescribes a mandatory requirement of appointment of a Data Protection Officer (DPO) in India and independent data audit for significant data fiduciaries. It is highly likely that Big Tech and social media companies may fall under the category of significant data fiduciaries.
To prevent trolls, the Bill imposes penalties on an individual making malicious or frivolous complaints.
There are some slippery slopes too:
This Bill purports the legislation to apply only to ‘automated’ processing of personal data. ‘Automated’ in the context of privacy usually refers to processing without human intervention.
If this is indeed the intent of the legislation, it dilutes the protection for personal data even more. What is interesting is this Bill describes certain scenarios for illustrations, which themselves address scenarios that are not ‘automated’.
This Bill has a provision to allow the (to be formed) Data Protection Board of India to push complaints to an Alternative Dispute Resolution (ADR) mechanism.
A new legislation like this requires judicial certainty and consistency in interpretation. The Board pushing a complainant and respondent to ADR will hinder this.
This Bill seeks to amend the RTI Act to allow for refusal of RTI requests on the ground of ‘unwarranted invasion of privacy’. The RTI Act has already ring-fenced the kind of information that needs to be provided and information that can be excluded under a RTI request.
Adding privacy considerations, as suggested under this Bill, will only end up diluting the RTI Act.
Keeping in line with the government’s policy of Digital India, a digital economy, and the ease of doing business, this Bill is a little skewed in favour of businesses.
There is a door open for sectoral regulations though. The approach the government seems to be taking is having a light regulation for personal data generally and more control and regulation for specific categories of data through sector specific regulations like banking, telecom, health etc.
This may work as long as there is a harmonisation of this general legislation with specific legislations. For the sake of more balance and clarity, the government may want to consider some simple changes to this Bill:
The application of protection only to ‘automated’ processing of digital personal data should be dropped.
A graded consent approach should be considered. A graded consent is where there will be a choice for an individual to separately consent to specific data to be used for specific purposes.
There must be a right added for a data principal to opt-out of profiling, marketing communication, tracking technologies and targeted advertising. These are the bulk of operations where invasion of privacy is commonly experienced.
There must be an objective criterion to justify businesses storing personal data for longer than necessary.
This Bill is open for public feedback until the 17 December 2022. It is expected to be tabled in parliament in the budget session next year.