Information is power, and in this digital age whoever controls data has a great advantage. Preserving personal privacy is essential to safeguarding individuals’ security, self-respect, and ability to freely express themselves and their opinions. The use of personal information through digital means can bring numerous advantages to society and the economy; however, it can also pose a major risk to privacy. Governments and other organisations must be aware of the danger in collecting vast amounts of personal data, both domestically and internationally, and must handle this information with care and in accordance with ethical standards. The Digital Personal Data Protection Bill, 2022, is the fourth iteration of India’s attempt to enact comprehensive legislation to protect and regulate the storage, transfer, collection and processing of personal data. The legislation puts the onus on data fiduciaries to protect the rights of data principals. It lays out guidelines for how personal data can be processed, stored, and transferred within the country. It requires organisations to obtain consent from individuals before collecting, using, or transferring their personal data. It also mandates that organisations take adequate measures to ensure the security of personal data and inform individuals of any data breaches. However, the provisions concerning the government show favouritism towards State intervention, with lax rules and regulations for data collected by the Central Government. The legislation therefore still has certain drawbacks and issues that need to be addressed.
A Subpar Effort: Digital Personal Data Protection Bill, 2022
Personal information, including sensitive details such as names, addresses, and financial information, is considered a valuable asset that must be properly safeguarded against any unauthorized access, manipulation, or misuse. Unfortunately, many individuals tend to equate the protection of personal information solely with data security measures. This limited understanding overlooks the broader goals of a comprehensive data protection regime, which encompasses not only the integrity and safety of the data, but also ensures its privacy, confidentiality, and protection against any potential harm.
Moreover, data protection regimes should aim to prevent unauthorized access and modification of personal information, as well as prevent any flaws or vulnerabilities that could allow for its unrestrained use. This requires a multi-faceted approach that considers technical, legal, and organizational measures to ensure that personal information is handled in a secure and responsible manner. This is why a robust data protection regime is critical in today’s digital age, where personal information is increasingly collected, stored, and shared online.
The Digital Personal Data Protection Bill, 2022 [hereinafter referred to as the “DPDP Bill”] is much more concise and lean than the previous iteration of the Data Protection Bill. The DPDP Bill will largely impact the social media, technology, marketing and banking sectors in terms of compliance, as they collect and store a great deal of personal data, ranging from dates of birth to information used to tailor personalised advertisements based on monitored online activity. Although the DPDP Bill follows the basic principles set out in the OECD Guidelines, there are certain areas that need to be debated before the DPDP Bill is enacted.
Weakening of the RTI Act
The DPDP Bill proposes to amend section 8(j) of the Right to Information Act, 2005, which would effectively exempt personal information from being divulged through an RTI application, including in instances where disclosure is in the larger public interest. The proviso to that section, which states that information which cannot be denied to Parliament or a State Legislature cannot be denied to an RTI applicant, has also been proposed for removal. This effectively denies activists and the general public the right to access information, as most RTI applications relate to details pertaining to individuals.
The same objection was raised by RTI activist and former Central Information Commissioner Shailesh Gandhi: “This will make RTI Right to Denial of Information. Most information relates to a person and thus could be denied. Even now many PIOs, Commissions and Courts deny personal information. What has been de facto is being converted into de jure.”
Although the purpose of the DPDP Bill is to protect personal data and regulate its processing, it cannot supersede the right to information. The proposed amendment would be contrary to the object of the RTI Act. There needs to be a balance between the right to privacy and the right to information. The public should not be kept in the dark, and the proviso to the said section should be retained so that information which Parliament or the State Legislatures can access is also granted to the public.
Age of Consent for Children
The age of consent remains 18 years, which means that those below 18 would require permission from their parents or guardian to use certain websites. However, the age at which individuals start using the internet is decreasing, and the internet has become part and parcel of children’s education and life. The DPDP Bill fails to recognise that the consent of a toddler is different from the consent of a teenager. Keeping the age of consent at 18 years is akin to turning a blind eye to reality. Further, in many Indian households the adults do not have as much digital literacy as their children and instead rely on their children to assist them. The DPDP Bill shifts the onus onto parents instead of focusing on, and incentivising, online platforms to make safer environments for children.
Many companies had hoped for the age of consent to be reduced to 13 years, which would bring it in line with the GDPR and other data protection legislation. The DPDP Bill also imposes a bar on tracking and targeted advertisements directed at children. Nevertheless, some companies have implemented tracking and safety mechanisms to protect children while they navigate the internet. Removing these features would leave children vulnerable to online dangers and allow them to access unsuitable websites.
The present DPDP Bill has removed the right to data portability. Through data portability, a person could move their personal data, for example, from one social media platform to another without having to provide all the data once again on the other platform. On the other hand, data localisation, which required data fiduciaries to keep their data servers in the country and limited the scope for transferring data out of the country, has been eased.
The government has been given the authority to make rules as needed, which includes the power to exempt certain government bodies from the provisions of the Act. No guideline is provided to assist the government in making these rules, which can lead to excessive delegated legislation. The government has also argued that “national and public interest is at times greater than the interest of an individual” in the explanatory note issued separately along with the draft, which shows that the government may, in the name of ‘public interest’, give itself overreaching powers over its citizens’ personal information.
State surveillance, the monitoring of citizens by the government, has been a part of human history for centuries. The increasing advancement of technology has made it easier for governments to keep track of their citizens. However, while state surveillance can be necessary for protecting national security and maintaining public order, it must be limited and subject to proper oversight to ensure that it doesn’t infringe upon individual privacy rights. The delicate balance between security and privacy is crucial, and it’s important to ensure that state surveillance is carried out within the bounds of the law and with respect for civil liberties.
The DPDP Bill retains the Central Government’s power to exempt any organ or department of the State from the application of the Act in relation to the processing of personal data, but does away with the provisions of the 2019 Bill under which such an exemption was subject to safeguards and an oversight mechanism. Further, the DPDP Bill now allows the Central Government to notify non-governmental organisations, such as certain Data Fiduciaries or classes of Data Fiduciaries based on the volume and nature of personal data processed, to whom certain provisions of the Bill will not apply. The State or any organ of the State is exempt from removing retained data that is no longer necessary for legal or business purposes or that has served its purpose and is no longer needed. The members of the Data Protection Board are to be appointed by the Central Government, instead of the Board being a statutory body as under the 2019 Bill, which dilutes its independence.
As a result of these provisions, the government has a lot of leeway under the DPDP Bill despite being the largest data fiduciary in the country. The DPDP Bill does not prevent unregulated state surveillance. Although the aim of data privacy was to limit the power imbalance between people and companies, the power imbalance between the government and the people still remains. There is also no materiality or threshold for notifying personal data breaches to the Data Protection Board of India and to data principals.
Data fiduciaries have to provide a notice to data principals listing the data collected and the purpose for which it is collected. It may be included in a separate document, in digital form or within the same document. Apart from giving notice to data principals in the languages mentioned in the 8th Schedule of the Constitution, fiduciaries should also attempt to provide palatable infographics which are easier to understand and digest. This is because many people consent to a notice without reading it if it is long and verbose, as digital literacy in the country is not that high. The DPDP Bill acknowledges that data principals also have a right to know what data is collected and what is being processed. If data principals do not get a reply or are not satisfied with the information provided, they can then approach the Board for redressal. The efficiency of the redressal mechanism can only be judged with time and by the manner of implementation.
There is a separate bill, the DNA Technology (Use and Application) Regulation Bill, that is being discussed in Parliament. This bill addresses the confidentiality and ethical issues of genetic testing and the responsibilities of organisations and people who have access to genetic information. It provides that a national DNA database must remove information about a person at their request and must keep the information secure and confidential. The bill also provides that genetic information can only be used for specific purposes and punishes anyone who shares or uses the information without permission. There may be some overlap between this bill and the DPDP Bill, so it is important to clarify how they will work together, considering the sensitive nature of genetic information.
Comparison with Data Privacy Legislation in the EU and Singapore
The government reviewed the best global practices followed in other jurisdictions such as the EU, Australia, the USA and Singapore while framing the DPDP Bill.
Singapore: The Personal Data Protection Act (“PDPA”) is the legislation that governs data protection rights in Singapore. The legislation does not apply to personal data that has been in the record for the past 100 years, an exclusion which is also included in the DPDP Bill. When transferring data outside the country, the PDPA requires that the level of protection for the data be comparable to what it would have under the PDPA. The transferring organisation is responsible for ensuring that the data remains compliant with the provisions of the PDPA while it is under its control or possession. If the data is no longer under its control or possession, the transferring organisation must take the necessary steps to ensure that the recipient of the data is legally obliged to provide a level of protection comparable to the PDPA. A similar requirement, that personal data transferred outside the country be subject to comparable safeguards, should also be added to the DPDP Bill.
European Union: The General Data Protection Regulation (“GDPR”) is the legislation governing data privacy in the EU. Certain principles of the GDPR, such as data minimisation, storage limitation and purpose limitation, have been incorporated into the DPDP Bill. Data minimisation means that the collection of information is limited to what is necessary; storage limitation means that information will only be stored for the period until the purpose for which it was collected is satisfied; and purpose limitation means that the data collected is used only for that specific purpose and not for anything else to which the data principal has not consented. Other aspects that have also been included in the DPDP Bill are the right to know what is being done with one’s personal information and the right to withdraw consent at any point in time, after which the processing, storage or use of the individual’s information will be stopped.
However, despite being legislation that many countries look to for guidance, the GDPR falls short in implementation. Only 20% of companies are compliant with the legislation so far. On the other hand, its redressal board is free from state intervention, which shows that the same can be achieved in India, and the DPDP Bill should be amended to regulate state intervention accordingly.
Potential Impact on Corporations
The latest version of the DPDP Bill provides a more business-friendly and forward-looking personal data protection regime than its prior verbose and restrictive iterations. It attempts to find a balance between upholding people’s rights to their personal data and supporting commercial operations.
The measure seems likely to have a big impact on Indian enterprises, including technology firms. Some of the more divisive provisions have been diluted through subsequent amendments, as they were opposed by the business community. The DPDP Bill is expected to be welcomed by businesses in the tech and IT sectors, despite the possibility that some of these amendments may have an adverse effect on the overall security of individual information privacy. As set out in the explanatory note, many of the changes to the DPDP Bill will ease and facilitate both domestic and cross-border data flows.
Cross Border Transfer
The 2021 Data Protection Bill had proposed to impose partial and total data localisation obligations with respect to certain categories of personal data, i.e., Sensitive Personal Data and Critical Personal Data. This proposed system is entirely upended by Section 17 of the DPDP Bill, which also makes it easier for data to flow freely to ‘trusted geographies.’ Data localisation forbade the transfer or export of data outside the nation, which caused some controversy among Indian start-ups and major tech firms, as start-ups and small enterprises frequently use services provided by organisations situated overseas.
Cross-border data transfer will be allowed to countries and territories notified by the Central Government. However, the aspects the Government will take into consideration in allowing or disallowing a country have not been specified. For example, the legislation as yet mentions no standard contractual clauses and no requirement for prior Government approval. The DPDP Bill’s explanatory statement acknowledges the significance of cross-border data transfers for a globalised economy. This justification implies that the government will not be very selective about the regions it considers trustworthy.
However, this raises an issue of national security. The DPDP Bill is jeopardising security for the sake of ease of doing business. In addition, the requirement that mirror copies of such critical and sensitive data be kept in the country has also been removed. Further, as per section 4, Indian law will be applicable in case of a breach of Indian data abroad. This might deny data principals the benefit of a more favourable foreign law, so there should be a change allowing the application of whichever law is more favourable to the data principal.
Non-personal Data and Categories of Personal Data
The term ‘non-personal data’, which was present in the 2019 and 2021 Bills, has been removed from the current draft. Anonymised personal data has also been excluded from the current draft. The regulation of non-personal data has thus been left out of the current DPDP Bill, so the applicability of the DPDP Bill to non-personal data is unclear.
The previous draft of the bill on personal data protection had specified three categories of personal data: personal data, sensitive personal data, and critical personal data. The current version of the bill no longer includes these subdivisions. This unified approach to personal data protection makes the legislation simpler and more straightforward.
While this “one solution fits all” approach might seem convenient, it may not be the most effective method for handling personal data. Personal information such as an individual’s name and email address can be considered less sensitive compared to more sensitive data such as their biometrics, health information, religious beliefs, and financial details. These sensitive and critical data types require more stringent standards for their processing and protection.
Therefore, a one size fits all approach may not provide the level of protection needed for highly sensitive personal data. The lack of differentiation between types of personal data may result in inadequate measures being taken to protect an individual’s privacy. It is important to consider the different types of personal data and their relative levels of sensitivity when drafting legislation to ensure proper protection of individuals’ personal information.
With the eased data localisation norms, tech companies can transfer data to other countries where their servers may be located. The Bill will not apply to the personal data of foreign data principals that an Indian entity processes pursuant to a contract with a foreign entity. This will help BPO (Business Process Outsourcing) businesses that regularly process their clients’ data to keep that information private and secure. If the data principals are not located within the boundaries of India, BPO businesses will not be required to abide by the DPDP Bill’s stipulations.
No penal liability
The Bill has removed any criminal liability for violating its provisions. It only imposes monetary penalties on a violating data fiduciary in an amount that the Data Protection Board considers ‘significant’. However, the Draft Bill does not take the annual turnover of the company into account in determining the amount of the penalty. The Singapore PDPA sets specific penalty limits based on the company’s annual turnover, and similar limits should be introduced in the DPDP Bill. Further, no demarcation or threshold is defined for the penalties applicable to the type of personal information breached.
The DPDP Bill simplifies the process of collecting consent from data principals. Under this provision, data which a person can reasonably be expected to provide would be deemed to be given with consent. For example, a person providing photographs and identification documents for opening a bank account would be deemed to have consented to submitting those documents without explicitly consenting to do so.
Information related to employment, the maintenance of confidentiality regarding trade secrets and intellectual property, the availing of any employment benefit or service by an employee, and so on would have deemed consent, as they are reasonably required by the company or organisation. Other categories can also include M&As or corporate restructuring transactions. The Bill has also introduced dispute resolution mechanisms, which is a positive.
Responsibilities of Data Fiduciaries
Companies will be responsible for the other data fiduciaries they engage and must ensure that they comply with the rules as well. There needs to be an effective security and technical system to ensure that personal data is protected and securely stored. Companies now also need a mechanism and procedure for the redressal of data principals’ grievances. Simple mechanisms such as “I accept” and “I decline” should be used; different mechanisms are needed where authorisation and consent are required from parents or guardians; and translators will need to be engaged, as the notice for collecting personal information must be available in all 22 languages under the 8th Schedule of the Constitution. It is advisable to transfer data to another data fiduciary only under a valid contract, and to ensure that any further transfer is made with prior consent and under a contract.
In the case of a significant data fiduciary, the contact information of the Data Protection Officer or another responsible person needs to be published on the company’s site to answer and address data principals’ queries regarding their data. Further, companies need to ensure that personal data which is no longer required is removed. It will be beneficial to retain a record of the consent obtained as evidence in case any issue arises.
The DPDP Bill, by substituting a board that will be directly under the direction of the government for the previously proposed data protection authority, weakens the regulatory, supervisory, and enforcement architecture. Without procedural safeguards, it is weakening the objective of privacy and data protection. In accordance with the Puttaswamy ruling, there must be sufficient checks and balances that do not disregard the legality, necessity, and proportionality considerations. Further, companies and businesses will need to be at the top of their game when it comes to compliance with the data protection provisions of the DPDP Bill.
On the other hand, a simpler and more concise document will assist in quicker implementation, though the timelines for adoption have not yet been clarified. The provisions proposed strike a balance between safeguarding the rights of data principals and leaving room for technology start-ups to develop and innovate. Many of the Joint Parliamentary Committee’s recommendations were excluded from this leaner draft. The legislation is too vague and incomplete: specific details should be included rather than leaving certain aspects to future rules that may not be as comprehensive. However, it can also be a wise decision to keep the body of the draft less detailed, as technology is constantly advancing and new laws need to be able to adapt to these changes.
In order to address these technological advancements and the social consequences that come with them, an approach of making regulations when required may be more suitable. This means that the main law can remain general, and the specific details can be addressed through subordinate legislation. However, it is important to note that such subordinate legislation cannot go beyond what the main law allows, or the rules could be deemed invalid.
This article is authored by Ms. Divya Telang, 4th year B.A. LL.B (IPR Hons.) student at NLUJ.
OECD, OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (July 11, 2013).
Manu Sebastian, Digital Personal Data Protection Bill Proposes To Amend RTI Act To Completely Bar Disclosure Of Personal Information, LIVELAW (November 20, 2022), https://www.livelaw.in/news-updates/digital-personal-data-protection-bill-proposes-to-amend-rti-act-to-completely-bar-disclosure-of-personal-information-214573.
European Commission, Are there any specific safeguards for data about children?, https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/are-there-any-specific-safeguards-data-about-children_en.
GOI, MeitY, Explanatory Note to Digital Personal Data Protection Bill, 2022, https://www.meity.gov.in/writereaddata/files/Explanatory%20Note-%20The%20Digital%20Personal%20Data%20Protection%20Bill%2C%202022_0_0.pdf.
Digital Personal Data Protection Bill, 2022, § 18(2)(a).
Digital Personal Data Protection Bill, 2022, § 18(3).
Digital Personal Data Protection Bill, 2022, § 18(4).
Digital Personal Data Protection Bill, 2022, § 19(3).
Digital Personal Data Protection Bill, 2022, § 6.
Digital Personal Data Protection Bill, 2022, § 14(2).
Supra note 3.
Digital Personal Data Protection Bill, 2022, § 4(3)(d).
What is GDPR and how does it impact your business? (August 15, 2022), https://www.superoffice.com/blog/gdpr/.
Supra note 2, at 7.
Digital Personal Data Protection Bill, 2022, § 17.
Astha Oriel, Why Indian Start-Ups Are Happy About Personal Data Protection Bill Being Scrapped, OUTLOOK (August 7, 2022), https://www.outlookindia.com/business/data-protection-bill-withdrawn-why-indian-start-ups-are-happy-about-personal-data-protection-bill-being-scrapped-news-214620?utm_source=related_story.
Supra note 15.
Digital Personal Data Protection Bill, 2022, § 18(d).
Digital Personal Data Protection Bill, 2022, § 8(7).
Digital Personal Data Protection Bill, 2022, § 8(8)(b).