Context: The article is discussing the challenges and considerations surrounding the drafting and conceptualizing of a data protection law for India, specifically referring to the Digital Personal Data Protection Bill, 2022. It highlights the comparison between India and Europe, particularly the European Union’s General Data Protection Regulation (GDPR), which is considered one of the most comprehensive data privacy laws in the world. The article emphasizes the importance of avoiding a toothless data protection law for India, where the legislation may exist on paper but lacks effective implementation and enforcement. The main concerns raised in the article are about making the Digital Personal Data Protection Bill, 2022 “future-proof” by addressing the shortcomings of the GDPR and ensuring a better mechanism for handling complaints related to data protection in India. The task of creating such a law for a country with a population of over 1.4 billion people poses significant challenges, and the article urges for careful consideration to avoid potential issues in the future.
Background
Understanding the Data Protection Bill:
Objective of the Bill:
- The Bill seeks to establish a comprehensive legal framework governing digital personal data protection in India.
- It aims to provide for processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process it for lawful purposes.
Highlights of the Bill:
- The Bill will apply to the processing of digital personal data in India, whether it is collected online or offline and then digitized. It will also apply to the processing of digital personal data outside of India if it involves offering goods or services or profiling individuals in India.
- Personal data may be processed only for a lawful purpose for which an individual has given consent. Consent may be deemed in certain cases.
- Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
- The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
- The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.
- The central government will establish the Data Protection Board of India to adjudicate non-compliance with the provisions of the Bill.
Features and Analysis
- Notice and Consent: It contemplates seeking the prior consent of the data principal (the individual whose data is being collected), with a notice that discloses a description of the personal data sought and the purpose of processing it.
- The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager.
- Obligations of the data fiduciary: To ensure that personal data is processed, stored or erased in a safe and proper manner, the Bill imposes responsibilities such as:
- If there is a breach, the data fiduciary (an entity, whether an individual, company, firm or the state, that decides the purpose and means of processing an individual’s personal data) must inform the Board and the data principal.
- Deletion of personal data once the purpose for which it was collected is no longer served, or its retention is no longer necessary.
- Every data fiduciary must appoint a Data Protection Officer (DPO) to address the data principal’s queries and concerns.
- Additional obligations while processing personal data of children, which includes seeking consent from parents/ guardians.
- Significant Data fiduciary: The Central government can designate a data fiduciary as a significant data fiduciary if it handles a high volume of sensitive personal data, or if its processing involves a risk of harm to the data principal or an impact on the sovereignty and integrity of India, the security of the state, public order, etc.
- They must appoint an Independent Data Auditor (to ensure compliance with proposed Bill) and conduct a Data Protection Impact Assessment and periodic audit to ensure compliance.
- Duties and Rights of the data principal: The Bill stipulates duties of the data principal, such as not registering a false grievance or complaint, not providing false or misleading information, and not suppressing information.
- Rights of data principal include: Right to information, right to correction or erasure and grievance redressal.
- Establishment of Data Protection Board: It also provides for setting up of a Data Protection Board, which will oversee compliance by data fiduciaries and data principals.
- Penalties imposed by the Board: The Bill proposes 6 types of penalties, extending to a maximum penalty of ₹500 crore.
- Transfer of data outside India: The Bill provides that the government will notify a list of countries to which a data fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.
Significance of the Bill:
- Plugs Loopholes in the current framework: The current legal framework for data protection in India, the Information Technology Rules, 2011, is inadequate to protect the privacy of individuals.
- The existing framework is based on privacy being a statutory right rather than a fundamental right.
- It does not apply to the processing of personal data by the government.
- It has a limited understanding of the kinds of data to be protected.
- It places scant obligations on the data fiduciaries which can be overridden by contract.
- There are only minimal consequences for data fiduciaries for breach of these obligations. The DPDP Bill, 2022 aims to address these inadequacies.
- Easier to Comprehend: While previous versions of proposed legislations were dense and voluminous, the new bill is easier to comprehend and understand.
- Ensures a Transparent regime: The Bill seeks to introduce transparency to the current system. Usage of personal data by organizations must be done in a manner that is lawful, fair, and transparent to individuals concerned.
- Empowers individuals: The Bill recognizes the linguistic diversity of India and enables individuals to access basic information in 8th schedule languages.
- It also empowers individuals by recognizing their right to post mortem privacy, which was missing from the earlier regulations.
- The bill allows data principals to nominate another individual in case of death or incapacity.
- For the first time in India’s legislative history, “her” and “she” have been used to refer to individuals irrespective of gender.
- Smooth compliance regime: The Bill proposes a forgiving framework for compliance and suggests several welcome improvements. It drops non-personal data from its scope and does away with the onerous data localization mandate imposed by the PDP Bill, 2019. Relaxing rules on cross-border data flows could bring relief to big tech companies.
Limitations of the Bill:
- No defined timelines: The Bill imposes certain obligations on data fiduciaries, but without providing a timeframe. There is:
- Lack of deadline for deleting personal data (in case of withdrawal of consent),
- Lack of timeline for Board to adjudicate on a complaint,
- No deadline for data fiduciary to erase personal data once the intended purpose is served, etc.
- Powers of the Board: The Bill does not specify the actual composition or strength of the Board, which has raised concerns about the reduced independence of the proposed Board.
- Limiting penalties: The Bill seems to focus on the severity of the non-compliance rather than on the non-compliance itself. It states that if the non-compliance is not significant, the Board may choose to close the enquiry, and remedial measures will be taken only if the non-compliance is significant.
- Large number of exceptions: It allows the Central government to exempt any data fiduciary from the provisions of the draft Bill. Also, the government can have an exemption from most data protection obligations if the processing is undertaken “in the interests of prevention, detection, investigation of any offence or any other contravention of any law.”
- Missed crucial rights for the Data Principal: The Right to Data Portability and the Right to be Forgotten are not part of the draft Bill.
- The right to data portability would allow the data principal to receive, in a structured format, all the personal data they had provided to the data fiduciary.
- This also covers data that the data fiduciary generated about the data principal while processing it to provide its services.
- The right to be forgotten would allow the data principal to ask the data fiduciary to stop the continuing disclosure of their personal data.
Decoding the Editorial
The article is discussing the challenges and considerations surrounding the Digital Personal Data Protection Bill, 2022.
Issues around Data Use:
- Upcoming Data Protection Law in India: The Indian government is preparing to present a new data protection law, the Digital Personal Data Protection (DPDP) Bill, 2022, during the ongoing monsoon session of Parliament, which takes place between July 20 and August 11.
- Previous Attempts at Drafting a Data Protection Law: The government has made two previous attempts to draft a data protection law, one in 2018 and another in 2019. The current DPDP Bill, 2022, is the third and latest attempt.
- Scope of DPDP Bill: The DPDP Bill, 2022, focuses on protecting personal data, which includes any data that can directly or indirectly identify an individual. However, there are concerns about the exclusion of non-personal data from the bill’s scope.
- Importance of Non-Personal Data Protection: In the modern data economy, entities use both personal and non-personal data to target, profile, predict, and monitor users. Non-personal data is usually anonymous, but when combined with other datasets, it can potentially identify individuals, impacting user privacy.
- Risks of Re-identification: The article provides an example of how seemingly anonymous data, like individual Uber rides, when combined with other information like prayer timings, can lead to the re-identification of individuals and pose significant risks to privacy.
- Omissions in the DPDP Bill: The DPDP Bill, 2022, is criticised for not accounting for the risks associated with re-identification of non-personal data, unlike the previous versions of the data protection bill from 2018 and 2019.
- Suggested Solution: The article suggests that the DPDP Bill, 2022, could be strengthened by including a penal provision that imposes financial penalties on data-processing entities for the re-identification of non-personal data into personal data. This would help to address the privacy concerns related to non-personal data usage effectively.
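The re-identification risk described above can be measured before a dataset is released. The following is an added example, not code from the article or from any data-processing entity it mentions: a small release-time check that computes the k-anonymity of a constructed set of "anonymised" ride records under a chosen set of quasi-identifiers (zone, hour, weekday are assumptions for illustration), flags records whose attribute combination is unique, and shows how coarsening one attribute raises the minimum group size. A record that is unique under its quasi-identifiers is exactly the kind of record that linkage with an auxiliary dataset can single out.

```python
from collections import Counter

# Constructed sample: ride records with direct identifiers already removed.
# Only the release attributes (quasi-identifiers) remain.
RIDES = [
    {"zone": "Z1", "hour": 5,  "weekday": "Fri"},
    {"zone": "Z1", "hour": 5,  "weekday": "Fri"},
    {"zone": "Z1", "hour": 5,  "weekday": "Fri"},
    {"zone": "Z2", "hour": 5,  "weekday": "Fri"},   # unique combination
    {"zone": "Z2", "hour": 6,  "weekday": "Fri"},   # unique combination
    {"zone": "Z3", "hour": 18, "weekday": "Mon"},
    {"zone": "Z3", "hour": 18, "weekday": "Mon"},
    {"zone": "Z3", "hour": 19, "weekday": "Mon"},   # unique combination
]

# Attributes that are not identifiers on their own but can be linked with
# outside knowledge (the article's "prayer timings" is one such source).
QUASI_IDS = ("zone", "hour", "weekday")


def equivalence_classes(records, quasi_ids):
    """Group records by their quasi-identifier values; returns combination -> count."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Smallest equivalence class size: the k in k-anonymity for this release."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def at_risk(records, quasi_ids, k_min=2):
    """Records whose quasi-identifier combination occurs fewer than k_min times.

    Each of these is distinguishable from every other record in the release,
    so any auxiliary dataset that matches its attributes pins it to one person.
    """
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[tuple(r[q] for q in quasi_ids)] < k_min]


def generalize(records, hour_bucket=4):
    """Hypothetical mitigation: coarsen the hour into buckets, e.g. 5 -> '4-7'.

    Generalisation trades precision for larger equivalence classes; the
    bucket width is an assumption chosen for this sample.
    """
    out = []
    for r in records:
        start = (r["hour"] // hour_bucket) * hour_bucket
        out.append({**r, "hour": f"{start}-{start + hour_bucket - 1}"})
    return out


if __name__ == "__main__":
    print("raw release: k =", k_anonymity(RIDES, QUASI_IDS),
          "| records at risk:", len(at_risk(RIDES, QUASI_IDS)))
    coarse = generalize(RIDES)
    print("after generalisation: k =", k_anonymity(coarse, QUASI_IDS),
          "| records at risk:", len(at_risk(coarse, QUASI_IDS)))
```

On the sample, the raw release has k = 1 with three uniquely identifiable records; bucketing the hour into four-hour ranges raises k to 2 and leaves no record unique. A penal provision of the kind the article suggests would give entities a reason to run this sort of check and to choose quasi-identifier granularity accordingly.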
Limited reach of data protection board:
- Limitations of Data Protection Board:
- The proposed data protection board, which is responsible for enforcing the data protection law, faces limitations in initiating proceedings on its own.
- It can only start proceedings for adjudication when someone affected makes a complaint to it, or when the government or a court directs it to do so.
- The board can take action on its own only to enforce certain duties listed in the Bill for users but not in disputes between users and data-processing entities.
- Lack of User Control and Knowledge:
- Users in the data economy often have limited control and knowledge over how their data is transferred and used.
- Due to the complex and ever-changing nature of data processing, users are often at a disadvantage compared to the entities that utilize their data.
- This lack of control and knowledge can hinder individual users from approaching the data protection board with complaints.
- Importance of Board Initiative:
- Allowing the data protection board to initiate complaints on its own behalf is seen as a necessary step to address the limitations of user complaints and to protect the interests of affected users effectively.
- This means that the board, based on its own investigations and findings, can take action against data-processing entities that violate data protection laws, even if individual users may not have the resources or incentives to do so.
- Comparison to the Competition Commission:
- The article draws a parallel with the Competition Commission of India, which enforces antitrust laws and has the power to initiate inquiries on its own.
- The suggestion is that the data protection board should have similar authority to take independent action when necessary.
- Importance of Addressing Gaps:
- The article notes that the lack of authority for the data protection board to initiate complaints on its own is just one of the gaps in the DPDP Bill.
- However, it highlights that addressing these gaps would significantly improve the implementation of the data protection law and make it more “future-proof,” considering the challenges posed by the data economy.
Beyond the Editorial
Global Data Protection Models:
An estimated 137 out of 194 countries have put in place legislation to secure the protection of data and privacy, according to the United Nations Conference on Trade and Development (UNCTAD), an intergovernmental organisation within the United Nations Secretariat.
- Africa and Asia show 61% (33 countries out of 54) and 57% (34 countries out of 60) adoption respectively. Only 48% of Least Developed Countries (22 out of 46) have data protection and privacy laws.
- EU model: The GDPR focuses on a comprehensive data protection law for processing of personal data.
- It has been criticised for being excessively stringent, and imposing many obligations on organisations processing data, but it is still the template for most of the legislation drafted around the world.
- US model: Privacy protection is largely defined as “liberty protection” focused on the protection of the individual’s personal space from the government. It is viewed as being somewhat narrow in focus, because it enables collection of personal information as long as the individual is informed of such collection and use.
- China model: New Chinese laws on data privacy and security issued over the last 12 months include the Personal Information Protection Law (PIPL), which came into effect in November 2021. It gives Chinese data principals new rights as it seeks to prevent the misuse of personal data.
India’s Strengthened Data Protection Regime:
- Justice K. S. Puttaswamy (Retd) vs Union of India 2017: In August 2017, a nine-judge bench of the Supreme Court in Justice K.S. Puttaswamy Vs Union of India unanimously held that Indians have a constitutionally protected fundamental right to privacy that is an intrinsic part of life and liberty under Article 21 of the Constitution.
- B.N. Srikrishna Committee 2017: In August 2017 the government appointed a committee of experts on data protection under the chairmanship of Justice B N Srikrishna, which submitted its report with recommendations to strengthen privacy law in India, including restrictions on the processing and collection of data, a Data Protection Authority, the right to be forgotten, data localisation, etc.
- Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021: IT Rules 2021 mandate social media platforms to exercise greater diligence with respect to the content on their platforms.