
How different is the new data protection Bill?


The story so far: The latest draft of the data protection law — the Digital Personal Data Protection Bill, 2022 (DPDP Bill, 2022) — has now been made open for public comments. This article deals with various themes within the Bill including data localisation requirements, whether children are considered as data principals, the regulatory framework of the Bill and the penalties it imposes.

What are some of the data protection rights that the Bill is missing?

The DPDP Bill, 2022 misses out on two main rights for data principals. The first is the right of data portability. The right to data portability allowed the data principal to receive in a structured format all the personal data they had provided to the data fiduciary and data that the data fiduciary generated on the data principal while processing for provisioning of its services. This empowered data principals by allowing them to choose between different platforms and enhanced competition between data fiduciaries to increase consumer welfare. For example, if the data principal was not satisfied with the social media platform they were currently using, they could request for porting of their data to another social media platform and avail of its services without having to provide all their personal data again. The DPDP Bill, 2022 does not provide for this right.

The second right forgone is the right to be forgotten. While not a right per se, the right to be forgotten allows the data principal to ask the data fiduciary to stop the continuing disclosure of their personal data. This has to be balanced with the right to freedom of speech and expression and the right to information for all other individuals. The DPDP Bill, 2022 subsumes this right under the right to erasure. This conflation of the general right to erasure with the right to be forgotten, which is specific to disclosure of personal data, compromises the right to freedom of speech and expression of other individuals.

How does the draft Bill treat the personal data processing of children?

With regard to the personal data processing of children, the DPDP Bill, 2022 carries forward the approach of its previous iterations. A major issue that remains is that the age of digital consent, which is the age at which an individual can consent to their personal data being processed, continues to be 18. This means that parental/guardian consent would be required to process the personal data of children and adolescents below the age of 18 years. In effect, this would mean parental consent would be required every time they want to access the internet. This becomes an issue for three reasons. First, the high threshold of 18 years negates evolving capacity as it does not recognise that the consent of a toddler is different from that of a teenager. Second, it would result in unequal access to the internet and, finally, requiring consent from parents would hamper autonomous development of children since parents may not want them to be exposed to viewpoints contradictory to their own. Such restrictions are in violation of India’s obligations under the Convention on Rights of the Child.

What changes have been made to data localisation requirements?

One of the most emphatic departures of the DPDP Bill, 2022 from the Personal Data Protection (PDP) Bill 2019, has been in the context of cross border data flows. The PDP Bill, 2019 provided for a three-tiered categorisation based on which personal data could be moved across borders. While the government was interested in restricting cross border data flows of sensitive personal data and critical personal data to allow for ease of lawful access and to maintain “digital sovereignty”, these data localisation requirements were severely contested by the industry as they would lead to significant increase in compliance and operational costs in terms of higher data storage charges and security risks.

The DPDP Bill, 2022 aims to strike a balance between these concerns by allowing for cross border data flow to “countries and territories” notified by the Central government. However, the draft legislation fails to provide any guidance or criteria for the consideration of the Union government while making this notification. The criteria are left to the Central government itself to be specified under its rule making power.

What is the design of the regulatory framework proposed under the Bill?

In comparison to the regulatory framework conceptualised under the previous iterations of the draft law, where the proposed regulator, the Data Protection Authority, was enshrined with significant powers of regulation making, enforcement and adjudication, the current draft considerably reduces the scope of the proposed Data Protection Board of India (DPB). Out of the 22 clauses in the DPDP Bill, the Central government has been provided with rule making power in around 14 clauses.

This becomes problematic for several reasons. First, the government forms one of the largest data fiduciaries in the country. It processes personal data of millions of Indians for provisioning of services and benefits, issuance of permits, licences and official IDs and for law enforcement generally. As such, it becomes important that the agency making the rules should be at an arm’s length from the government so as to ensure impartial protection of the interests of data principals. Vesting these powers with the Union government, which would itself be subject to these rules, creates a conflict of interest. For example, the government has the power to specify “fair and reasonable” purposes for which it can process personal data without consent.

Similarly, it can make rules on data protection obligations of data breach, data protection impact assessments, data audits, information that can be requested from a data fiduciary which the government will itself be subject to in its capacity as a data fiduciary. Moreover, the DPDP Bill, 2022 fails to provide adequate legislative guidance for framing these rules. This leads to the concern of excessive delegation of legislation.

Lastly, the Central government exercises greater control over the proposed DPB because it will appoint members of the DPB, set out the terms and conditions of appointment and lay out the functions that the DPB will perform.

What is the framework for state based processing of personal data?

Carrying forward the approach from the PDP Bill, 2019, the current Bill also provides considerable exemptions to the state’s processing of personal data. First, as stated above, the Union government has the power to specify “fair and reasonable” purposes for which it can process personal data without consent. Second, an exemption from most data protection obligations is provided if the processing is undertaken “in the interests of prevention, detection, investigation of any offence or any other contravention of any law”. This may be in violation of the “necessity and proportionality” test laid down by the Supreme Court in Puttaswamy vs Union of India. A complete exemption can be provided for when personal data is being processed “in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these”. Lastly, and this is an addition to the PDP Bill, 2019, the Union government can now notify exemption to certain data fiduciaries based on just the “volume and nature of personal data” processed, irrespective of the purpose for which it is being processed.

Moreover, storage limitation does not apply to government agencies which means they can continue to retain personal data for an unlimited period of time even when the purpose of processing ceases to exist and there is no legal requirement to store the data.

What is the nature of penalties provided for in the Bill?

The DPDP Bill, 2022 marks a number of departures from the PDP Bill, 2019 in the way it conceptualises penalties. First, the quantum of penalties that can be imposed, with the cap being placed at ₹500 crore, is of a much higher magnitude than provided for under the PDP Bill, 2019. Second, unlike the PDP Bill, 2019, the DPDP Bill, 2022 creates no offences. Third, in a move that can be seen as disempowering the data principals, the DPDP Bill, 2022 does not allow them to seek compensation from data fiduciaries for harms they have suffered due to unlawful processing. Fourth, in a very unusual move and perhaps the only one of its kind among data protection legislations, the DPDP Bill, 2022 places duties on data principals. If they are non-compliant, it could lead to penalties up to ₹10,000. Some of these duties include being in compliance with the “provision of all applicable laws” when exercising rights and not registering “false or frivolous” complaints with the data fiduciary or the DPB. Such provisions may hinder data principals from exercising their rights for fear of penalties.

The writer is a research fellow at the Centre for Applied Law and Technology Research, Vidhi Centre for Legal Policy.

(This is the second of a two-part series on the draft Digital Personal Data Protection Bill, 2022)


