Comments on the Draft Digital Personal Data Protection Bill, 2022

The Indian government tabled another version of a data protection bill and sought public comments on the proposed legislation in December 2022. The Digital Personal Data Protection, 2022 (hence referred to as ‘The 2022 Bill’) is the fourth instance of the Central government proposing a personal data protection law following the Supreme Court judgement which upheld that the right to privacy is a fundamental right. The Personal Data Protection Bill, 2019 was introduced in Parliament but was referred to the Joint Parliamentary Committee (JPC) on the Bill. The JPC submitted its version of the legislation with the Draft Data Protection Bill, 2021. The 2021 bill was scrapped by the government saying that the extensive changes to the Bill were not acceptable.

As more Indians obtain access to the Internet and the Indian government continues to push for digitalisation, it becomes important to ensure that the legislation for existing users - and the next billion - upholds their interests and rights. The authors of the submission felt that the legislation fell short on several fronts. At the very outset, the Bill gives an inclination of what kind of legislation it would be. The current Bill seeks to focus on the right of individuals to protect themselves rather than an institutional-level approach to privacy. This was evident with the omission of the preamble of the Personal Data Protection Bill, 2019 (PDP, 2019) which stated that its objective was to protect the privacy of individuals. This change of tone is concerning since it disregards the principles identified in India in the field of privacy rights.

A severe dilution and lack of clarity of definitions:

• The 2022 Bill excludes the concept of “sensitive personal data '' and instead uses the broader term “personal data'' where an individual is identified by with. The term “sensitive” connotes a higher duty of care. By removing the higher standard of care, data fiduciaries would not treat sensitive personal data, something like biometric information, with stricter standards of security from less-valuable personal data. The misuse of sensitive personal data has the potential for more harmful consequences for the data principal than non-sensitive personal data.
• The 2022 Bill defines only four types of harm - bodily harm, distortion/theft of identity, harassment, and prevention of gain/ causation of loss. Other harms such as the harm caused by loss of confidentiality, psychological manipulation, unlawful surveillance, restrictions on speech and the loss of goodwill/reputation etc have been excluded. Some harms affect citizens more acutely than others, hence it would be useful to draw a distinction between reversible and irreversible harms.
• The application for the definition of a “child” in the 2022 Bill, defined as individuals below the age of 18, will create hurdles and exclude children trying to access information on the Internet for their own development. It would be better to apply the UN Convention on the Rights of the Child which requires parties to provide appropriate guidance for parental consent in a manner consistent with the evolving capacities of the child. A graded list of age-appropriate content could be created with carve-outs allowed for specific purposes.

A hugely problematic framework of consent:

• The Deemed Consent clauses expand the scope for data collection which is not proportional and necessary and will appropriate citizens’ personal data. The larger concern for data collected through the Deemed Consent clauses is that data principals will not have a clear way of recourse as data fiduciaries are not required to give notice to them.
• Exemptions from consent have been defined clearly in previous iterations of data privacy bills which have been significantly pared down through the Deemed Consent clauses in the 2022 Bill. The clause does not have safeguards nor does not carry the qualifiers of necessity and proportionality.

An imbalance between the rights of data principals and the obligations of data fiduciaries:

• The obligations of Data fiduciaries in the 2022 Bill are vague and unclear and lack a principles-based approach. The concept of “privacy-by-design” has been omitted in the text. Privacy-by-design should have been hardcoded into the legislation.
• The clauses on data retention have been expanded allowing for data fiduciaries to hold on to them longer. The 2022 Bill says that data fiduciaries can hold onto a data principal's data longer than the intended purpose provided that there is a necessary legal or business purpose. Legal obligations to hold on to data can be easily defined, but it is harder to define what is a “necessary business interest”.
• There is an inconsistency and need for clarity on the appointment of data protection officers. The text says that significant data fiduciaries must appoint a data protection officer. However, companies below the threshold of significant data fiduciary may appoint an officer “where applicable”.
• Language of transparency and accountability for data fiduciaries is missing from the 2022 Bill. The text doesn’t prescribe periodic assessments, audits and privacy scores for fiduciaries. There aren’t requirements for disclosure of the data fiduciary’s privacy policies or the quality of safeguards that the data fiduciary should adopt proportional to the risk involved in the data being processed.
• For data principals, the 2022 Bill makes two major omissions - the right to be forgotten and the right to data portability. Data principals’ right to be forgotten may be restricted by adding the exception “legal purpose” which is ill-defined. The removal of the right to data portability reduces the choice for data principals to move to providers who provide better services and respect privacy.
• The 2022 Bill has included provisions for a fine of up to Rs 10,000 on data principals for submitting false information. The Bill doesn’t account for the majority of cases where incorrect information is entered by mistake by staff on official documents.
• The text of the 2022 Bill says that data principals have “the right to obtain data” of the identities of all the fiduciaries whom personal data has been shared with. This framing leaves the data principal unaware of which entities have access to their data. The 2022 Bill should include a clause maintaining that data principals be made aware of the data processors with whom their data is shared.

The biased composition and functioning of India’s Data Protection Board:

• The proposed Data Protection Board of India (DPBI) lacks oversight and compliance mechanisms over data fiduciaries. The DPBI only has powers of adjudication and cannot issue its own regulations or conduct its own investigations. At the moment, the DPBI can only receive complaints, conduct hearings and pronounce decisions.
• The composition of DPBI’s members consists entirely of members appointed by the Union Government and do not have any judicial members. This raises questions on the separation of powers between an adjudicatory body like DPBI and the Union government which, as the executive, makes decisions on all facets of the DPBI.
• The ability of the board to dismiss those instances wherein non-compliance is “not significant.” This framing creates a situation where it is no longer sufficient that there has been a violation. But rather it is now required that this violation be significant for the board to take action. It is unclear how this determination of significance will be made by the board.