DRAFT DIGITAL PERSONAL DATA PROTECTION BILL - POLITY 

News: The problems with the Data Protection Bill

 

What's in the news?

       The Ministry of Electronics and Information Technology has drafted a Digital Personal Data Protection (DPDP) Bill with the stated purpose of providing “for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes.”

 

Key takeaways:

       A data protection law must safeguard and balance people's right to privacy and their right to information, which are fundamental rights flowing from the Constitution.

 

Need for the Data Protection law:

  1. Constant interactions with digital devices have led to unprecedented amounts of personal data being generated round the clock by users (data principals). When coupled with the computational power available today with companies (data fiduciaries), this data can be processed in ways that increasingly impair the autonomy, self-determination, freedom of choice and privacy of the data principal.
  2. The current legal framework for privacy, enshrined in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (IT Rules, 2011), is wholly inadequate to combat such harms to data principals, especially since the right to informational privacy has been upheld as a fundamental right by the Supreme Court (K.S. Puttaswamy vs Union of India [2017]).
    1. The extant framework is premised on privacy being a statutory right rather than a fundamental right, and it does not apply to processing of personal data by the government.
    2. It has a limited understanding of the kinds of data to be protected.
    3. It places scant obligations on data fiduciaries, and even these can be overridden by contract.
    4. There are only minimal consequences for data fiduciaries that breach these obligations.
  3. While protecting the rights of the data principal, data protection laws need to ensure that the compliances for data fiduciaries are not so onerous as to make even legitimate processing impractical.

 

  1. The challenge lies in finding an adequate balance between the right to privacy of data principals and reasonable exceptions, especially where government processing of personal data is concerned.
  2. Given the rate at which technology evolves, an optimum data protection law needs to be future-proof: it should not be unduly detailed and centred on solving contemporary concerns while ignoring problems that may emerge going forward.
  3. The law needs to be designed around a framework of rights and remedies that is readily exercisable by data principals, given their unequal bargaining power with respect to data fiduciaries.

 

Features of the draft Digital Personal Data Protection Bill, 2022:

 

1. Data Bill based on seven principles:

  1. Usage of personal data by organisations must be lawful, fair to the individuals concerned and transparent to them.
  2. Personal data must only be used for the purposes for which it was collected (purpose limitation).
  3. Only the personal data needed for the stated purpose should be collected (data minimisation, or collection limitation).
  4. Personal data collected should be accurate and kept up to date (accuracy).
  5. Personal data that is collected cannot be “stored perpetually by default,” and storage should be limited to a fixed duration (storage limitation).
  6. There should be reasonable safeguards to ensure there is “no unauthorized collection or processing of personal data.”
  7. The person who decides the purpose and means of the processing of personal data should be accountable for such processing (accountability).

2. Data Principal and Data Fiduciary:

       The Bill uses the term “Data Principal” to denote the individual whose data is being collected.

       A “Data Fiduciary” is the entity (which can be an individual, company, firm, the State, etc.) that decides the “purpose and means of the processing of an individual’s personal data.”

       The Bill also recognises that in the case of children, defined as all users under the age of 18, their parents or lawful guardians will be treated as the ‘Data Principal’ on their behalf.

3. Definition of Data:

       Under the Bill, personal data is “any data by which or in relation to which an individual can be identified.”

       Processing means “the entire cycle of operations that can be carried out in respect of personal data.”

       Everything from collection to storage of data therefore counts as processing under the Bill.

4. Right to consent:

       The Bill also makes it clear that individuals must give consent before their data is processed and that “every individual should know what items of personal data a Data Fiduciary wants to collect and the purpose of such collection and further processing.”

       Further, the notice of data collection needs to be in clear and easy-to-understand language.

       Individuals also have the right to withdraw consent from a Data Fiduciary.

5. Significant Data Fiduciaries and their responsibilities:

       The Bill also provides for ‘Significant Data Fiduciaries’, entities that deal with a high volume of personal data.

       The Central Government will determine who is designated under this category based on a number of factors, ranging from the volume of personal data processed and the risk of harm to the potential impact on the sovereignty and integrity of India.

       “This category needs to fulfill certain additional obligations to enable greater scrutiny of its practices,” according to the Bill’s explanatory note.

       Such entities will have to appoint a ‘Data Protection Officer’ who will represent them and act as the point of contact for grievance redressal. They will also have to appoint an independent data auditor to evaluate their compliance with the Act.

6. Right to erase data, right to nominate:

       Data principals will have the right to demand the erasure and correction of data collected by the data fiduciary.

       They will also have the right to nominate an individual who will exercise these rights in the event of death or incapacity of the data principal.

       The Bill also gives data principals the right to file a complaint against a Data Fiduciary with the Data Protection Board if they do not get a satisfactory response from the entity.

7. Cross-border data transfer:

       The Bill also allows for cross-border storage and transfer of data to “certain notified countries and territories.”

       However, “an assessment of relevant factors by the Central Government would precede such a notification,” adds the note.

8. Financial penalties:

       The draft also proposes significant penalties on businesses that suffer personal data breaches or fail to notify users when breaches happen.

       Entities that fail to take “reasonable security safeguards” to prevent personal data breaches can be fined up to Rs 250 crore.

9. Exemptions to certain entities:

       The Government could also exempt certain businesses from provisions of the Bill on the basis of the number of users and the volume of personal data processed by the entity.

       This has been done keeping in mind the country’s startups, which had complained that the previous version of the Bill was too “compliance intensive”.

 

Concerns raised by experts regarding the Bill:

1. No provision for classification of data:

       This Bill is less explicit about the harms caused by data privacy breaches and does not distinguish between personal data and sensitive personal data.

2. Blanket exemptions to government agencies and some private entities:

       The draft Bill does not treat surveillance as a harm, whereas the 2019 Bill explicitly defined surveillance as a harm under Section 3(20).

       Clause 18(2)(a) of the DPDPB, 2022 allows the Union Government to exempt any “instrumentality” of the State from the application of the Bill in the interests of the “sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these”.

       This could result in grave violations of citizens’ privacy, while also extending immunity to government arms from the application of the law.

3. Diluting RTI Act:

       The RTI Act already protects privacy through Section 8(1)(j). To invoke this Section to deny personal information, it must be shown that the information sought either has no relationship to any public activity or public interest, or would cause an unwarranted invasion of privacy; in addition, the Public Information Officer must be satisfied that there is no larger public interest that justifies disclosure.

       The proposed Bill seeks to amend this Section to expand its purview and exempt all personal information from the ambit of the RTI Act, removing the public-interest test.

4. Lack of independence to the Data Protection Board:

       This draft Bill replaces the Data Protection Authority with the Data Protection Board of India, but it is still not an independent body.

       The Union Government will prescribe the strength and composition of the Board, the process of selection, the terms and conditions of appointment and service, and the removal of its Chairperson and other Members.

       Given that the Government is the biggest data repository, it was imperative that the oversight body set up under the law be adequately independent to act on violations of the law by government entities.

5. Issues in data localization:

       The draft Bill removes the requirement of data localization (which the 2019 Bill, and the subsequent report of the Joint Parliamentary Committee, released in December 2021, required).

       Section 17 of the draft Bill provides that the Central Government will notify a list of countries and territories to which personal data may be transferred, after an assessment of certain factors.

       However, the Bill states no criteria for how the Government will decide which countries to allow data transfers to.

       This is in contrast with Articles 44 to 50 of the EU General Data Protection Regulation (GDPR), which permit transfer of personal data of Europeans only to countries that provide a minimum level of protection for such data.

6. Unreasonable fines on data principals:

       If a user submits false documents while signing up for an online service, or files frivolous grievance complaints, the user could be fined up to Rs 10,000.

       The creation of a wholly government-controlled Data Protection Board, vested with the powers of a civil court and empowered to impose fines of up to ₹500 crore, is bound to raise serious apprehensions of its misuse by the executive.