The story so far: The latest draft of the data protection law — the Digital Personal Data Protection Bill, 2022 (DPDP Bill, 2022) — has now been made open for public comments and the government is expected to introduce the Bill in Parliament in the budget session of 2023.
Is this the first draft?
This is the fourth iteration of a data protection law in India. The first draft of the law — the Personal Data Protection Bill, 2018, was proposed by the Justice Srikrishna Committee set up by the Ministry of Electronics and Information Technology (MeitY) with the mandate of setting out a data protection law for India. The government made revisions to this draft and introduced it as the Personal Data Protection Bill, 2019 (PDP Bill, 2019) in the Lok Sabha in 2019. On the same day, the Lok Sabha passed a motion to refer the PDP Bill, 2019 to a joint committee of both the Houses of Parliament. Due to delays caused by the pandemic, the Joint Committee on the PDP Bill, 2019 (JPC) submitted its report on the Bill after two years in December, 2021. The report was accompanied by a new draft bill, namely, the Data Protection Bill, 2021 that incorporated the recommendations of the JPC. However, in August 2022, citing the report of the JPC and the “extensive changes” that the JPC had made to the 2019 Bill, the government withdrew the PDP Bill.
Why have there been so many revisions and changes?
Constant interactions with digital devices have led to unprecedented amounts of personal data being generated round the clock by users (data principals). When coupled with the computational power available today with companies (data fiduciaries), this data can be processed in ways that increasingly impair the autonomy, self-determination, freedom of choice and privacy of the data principal.
The current legal framework for privacy enshrined in the Information Technology Rules, 2011 (IT Rules, 2011) is wholly inadequate to combat such harms to data principals, especially since the right to informational privacy has been upheld as a fundamental right by the Supreme Court ( K.S. Puttaswamy vs Union of India ). It is inadequate on four levels; first, the extant framework is premised on privacy being a statutory right rather than a fundamental right and does not apply to processing of personal data by the government; second, it has a limited understanding of the kinds of data to be protected; third, it places scant obligations on the data fiduciaries which, moreover, can be overridden by contract and fourth, there are only minimal consequences for the data fiduciaries for the breach of these obligations.
While the need to have an effective personal data protection regime is undisputed, India like other jurisdictions has struggled to come up with an optimum formulation for several reasons. First, while protecting the rights of the data principal, data protection laws need to ensure that the compliances for data fiduciaries are not so onerous as to make even legitimate processing impractical. Second, the challenge lies in finding an adequate balance between the right to privacy of data principals and reasonable exceptions, especially where government processing of personal data is concerned. Third, given the rate at which technology evolves, an optimum data protection law design needs to be future proof — it should not be unduly detailed and centred on providing solutions to contemporary concerns while ignoring problems that may emerge going forward. Fourth, the law needs to be designed for a framework of rights and remedies that is readily exercisable by data principals given their unequal bargaining power with respect to data fiduciaries.
What is the scope of the present formulation of the Bill?
The DPDP Bill, 2022 applies to all processing of personal data that is carried out digitally. This would include both personal data collected online and personal data collected offline but is digitised for processing. In effect, by being completely inapplicable to data processed manually, this provides for a somewhat lower degree of protection as the earlier drafts only excluded data processed manually specifically by “small entities” and not generally.
Furthermore, as far as the territorial application of the law is concerned, the Bill covers processing of personal data which is collected by data fiduciaries within the territory of India and which is processed to offer goods and services within India. The current phrasing, inadvertently, seems to exclude data processing by Indian data fiduciaries that collect and process personal data outside India, of data principals who are not located in India. This would impact statutory protections available for clients of Indian start-ups operating overseas, thereby impacting their competitiveness. This position further seems to be emphasised with the DPDP Bill, 2022 exempting application of most of its protections to personal data processing of non-residents of India by data fiduciaries in India.
How well does the DPDP Bill, 2022 protect data principals?
The bulwark of most data protection legislations consists of allowing maximum control to the data principal over their personal data. This happens by mandating a comprehensive notice to the data principal on different aspects of data processing based on which the data principal can provide explicit consent to such processing. While limited circumstances for non-consent based processing of personal data exists, it still gives the data principal the right to access, correct, delete etc their data. Concomitantly, the data fiduciary is placed, inter alia, with the obligation of data minimisation, which is to collect only such personal data as is required to fulfil the purpose of processing (collection limitation); process it only for the purposes stated and no more (purpose limitation) and to retain it in its servers only for so long as is required to fulfil the stated purpose (storage limitation).
The current draft removes explicit reference to certain data protection principles such as collection limitation. This would allow a data fiduciary to collect any personal data consented to by the data principal. Making collection solely contingent on consent, ignores the fact that data principals often do not have the requisite know-how of what kind of personal data is relevant for a particular purpose. For example, a photo filter app may process data related to your location or information on your contacts even though it may not require such information to carry on its primary task of applying the filter. It also does away with the concept of “sensitive personal data”. Depending on the increased potential of harm that can result from unlawful processing of certain categories of personal data, most data protection legislations classify these categories as “sensitive personal data”. Illustratively, this includes biometric data, health data, genetic data etc. This personal data is afforded a higher degree of protection in terms of requiring explicit consent before processing and mandatory data protection impact assessments. By doing away with this distinction, the DPDP Bill, 2022 does away with these additional protections.
Additionally, the Bill also reduces the information that a data fiduciary is required to provide to the data principal. While the previous iterations required considerable information in terms of the rights of the data principals, grievance redressal mechanism, retention period of information, source of information collected etc to be provided for the data principal, the current draft reduces the scope of this information to the personal data sought to be collected and the purpose of processing the data. While this may have been done in an attempt to simplify the notice and avoid information overload, there are other ways such as infographics, just-in-time notices etc that are being recommended by data protection authorities to ensure a comprehensive yet comprehensible notice.
Moreover, the DPDP Bill, 2022 seems to suppose that a notice is only to be provided to take consent of the data principal. This is a limited understanding of the purpose of notice. A notice is also important for the data principal to exercise data protection rights such as the right to know what personal data is being processed by whom, whether that data needs correction or updation and also to request deletion of data that may not be relevant for the purpose of processing. These rights exist even in cases of non-consent based processing of data. As such, limiting notice to only consent based personal data processing would limit the scope for the exercise of these rights.
The DPDP Bill, 2022 also introduces the concept of “deemed consent”. In effect, it bundles purposes of processing which were either exempt from consent based processing or were considered “reasonable purposes” for which personal data processing could be undertaken under the ground of “deemed consent”. However, there exist some concerns around this due to the vaguely worded grounds for processing such as “public interest” and the removal of additional safeguards for protection of data principals’ interests.
An important addition to the right of data principals is that it recognises the right to post mortem privacy which was missing from the PDP Bill, 2019 but had been recommended by the JPC. The right to post mortem privacy would allow the data principal to nominate another individual in case of death or incapacity.
The writer is a research fellow at the Centre for Applied Law and Technology Research, Vidhi Centre for legal policy
(This is the first of a two-part series on the draft Digital Personal Data Protection Bill, 2022)