SFLC.IN welcomes the Government’s move to introduce a Bill which seeks to protect the data rights of individuals in the digital space. We are highlighting the major concerns with the bill with this preliminary blog post. The draft bill is open for consultations till December 17th, 2022. We will be publishing a clause by clause analysis of the Bill soon. Please stay tuned.
The Bill narrows the scope of data which it covers, and the harms which it protects individual rights from, when compared with the Personal Data Protection Bill, 2019. The Bill does not distinguish between personal data, and sensitive personal data, which is a crucial distinction recognising that some types of data require stricter and stronger protection than others. The present Bill, when compared with its predecessor, is significantly less explicit in the harms which are recognised under it. For example, the Bill does not mention unreasonable surveillance as a harm, a definition which was available in the previous Bill. Furthermore, the 2019 Bill recognised unambiguously that some harms require greater measures of protection and redressal mechanisms in place than others, which has been excluded from the present Bill. This was done by differentiating between data fiduciaries from significant data fiduciaries, and clearly stating the grounds of distinction between the two. While the present Bill does recognise ‘significant data fiduciaries’, it defers to the Government to lay out the grounds for defining them through Rules which the Government can introduce at a later date. Such an omission and deference concentrates the power with the Executive, and delegates a function which belongs within the remit of the legislature. The Bill seems to have taken the ‘one-size-fits-all’ approach, which is derogatory to both the users of technology, and small and medium sized businesses on the question of compliance.
Section 18 of the Bill has widened the scope of government exemptions even further. The requirement of proportionality, reasonableness and fairness have been removed for the Central Government to exempt any department or instrumentality from the ambit of the Bill. This is in conflict with the law laid down in the K.S. Puttaswamy judgement1. The Supreme Court had explicitly held that the restriction on the right to privacy of an individual must withstand the test of proportionality. ] The exemptions extended to the Government under the Bill cannot be said to meet these requirements. Furthermore, the Bill’s express exemption to the Government from deleting the data which it has collected despite the purpose of such data collection having been met contradicts the principles of purpose limitation, and data minimisation.
Institutional Infrastructure – Data Protection Board
The present Bill creates a Data Protection Board of India (hereinafter, ‘the Board’), which has been vested with powers of a Civil Court. Its officers and employees will be deemed to be ‘public servants’. Summarily, the Board’s purpose is to penalise non-compliance of the Act, and hear representations for causes of action arising under the Act.
The Bill mandates that, in as far as possible, the Board shall “function as a digital office and employ such techno-legal measures as may be prescribed”. This is a welcome move. The capital which technology holds as a medium to remove accessibility barriers must be pressed into service, which this mandate seeks to do. Digital offices will ensure that a greater population will not be limited by barriers of geographical remoteness, costs of transportation, language barriers, and will not be restricted in the frequency of their ability to access the Board to raise their grievances and seek relief.
In its present form, the Bill is quite ambiguous in the context of the Data Protection Board of India. It does not specify the constitution (who the members will be) of the Board, the strength of the Board in numbers. More importantly, it does not require the presence of a legal expert on the Board, or of members who are experts in the field of data and technology. Although the Bill requires that the Board “shall function as an independent body”, it hinders its independence by removing any requirements to scrutinise the process of appointment of its members, or the procedures involved for the appointment process. All powers of appointment have been reserved with the Central Government, and will be clarified in the rules made by the Government in the future.
The rules which elaborate on the structure and the composition of the Board will be laid before the House and subjected to legislative scrutiny under the new Bill. However, questions of infrastructure of a public institution are directly related to the independence of such institutions. There is thus a requirement for the Bill to put in place the structure of the Board, mandate transparency and accountability of its processes, and put in place adequate procedural safeguards to ensure complete independence of the Board, in the parent statute itself, and then enable the Government to create rules to bring about the Board as per the guidelines laid down in Parliament (through this Bill). This is in keeping with the accepted conventions of delegated legislation.
As mentioned above (see ‘Definitions’), the 2019 Bill explicitly defined surveillance as a harm under Section 3(20), “(ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled;
(x) any observation or surveillance that is not reasonably expected by the data principal.”
However, the present Bill does not identify surveillance as a harm. More importantly, it does not mention the question of data collection, processing, and use for the purposes of surveillance, in a manner as explicit as its predecessor, at all. While this might seem innocuous, the JPC Report on The PDP Bill, 2019 also specified that the Government’s surveillance on data stored in India must be strictly based on necessity as laid down in the legislation, and that the same must be incorporated into the text of the Bill. Mentioning surveillance as a harm, and assuring that governmental surveillance would be at a minimum, with appropriate procedural checks, is important to ensure the trust and faith of citizens in the security of their personal data.
Data Localization and Cross Border Data Flows
The draft Bill removes the requirement of data localisation which the 2019 Bill, and the subsequent report of the Joint Parliamentary Committee required. = This is a welcome step, as it ensures parity between players in the market, and significantly reduces compliance costs..
Section 17 of the draft Bill mentions that it will release a list of countries and territories to which personal data might be transferred, after an assessment of certain factors. This is a provision similar to the one under the General Data Protection Regulation2, which allows personal data to be transferred to jurisdictions which have similar levels of data protection. The factors the Government will consider, and the process of transferring data will be notified, and this will provide further clarity.
Grounds for Processing Data:
Section 5 of the Bill provides for the grounds of processing digital personal data. It prescribes consent or deemed consent as the two grounds for processing of digital personal data. The Bill complies with the omission of the purpose limitation principle as done by the Joint Parliamentary Committee in their comments, and only limits purpose as a ground for processing data. Further, the 2019 iteration of the Bill required the purpose to be specific and clear [section 4], which is missing from this Bill. The concept of Deemed Consent has been introduced replacing the grounds for processing of data without consent given under section 12 and 13 of the 2019 Bill.
Right to Data Portability:
The latest Bill completely omits the right to data portability. This right allows users (Data Principals) to request and receive their data stored with a Data Fiduciary in an easily usable and machine-readable format. Data portability gives users more control over the data shared with the Data Fiduciary.
Impact on the IT Act, 2000
The changes made by the draft Bill to the Information Technology Act, 2000 now means that compensation for failure to protect data will be covered under the ambit of the Bill. It also means that the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 are now overridden by the draft Bill. The definition of ‘Sensitive Personal Data’ which was present under Section 43A and the Rules, therefore, is no longer in effect. Given that the draft Bill does not define ‘sensitive personal data’ either, an important class of data which deserve immediate and the highest level of protection are undefined, unrecognised, and vulnerable. Further, Section 43A provided grounds for compensation to be provided to persons affected by wrongful loss or wrongful gain in cases of negligence. While the Draft Bill does impose stiff penalties, it does away with the requirement of compensation, which is detrimental to the interests of data principals.
Furthermore, the draft Bill requires the Government to introduce Rules to define and prescribe ‘reasonable security practises’. This was a requirement under Section 87(2)(ob), which has now been omitted. While the Government can definitely notify such practices in the future, at present, the onus is thrown on data fiduciaries.
Notice and Consent Framework
Section 6 of the Bill provides for the “Notice” that must be given before or at the time of taking consent from the Data Principal. The information to be mandatorily contained in the Notice has been reduced substantially and now only contains two things, namely, description of data that is being collected and the purpose for which it was collected. While it is appreciated that notice for consent must be made as simple and concise as possible, it is also suggested that other requisite information such as the contact details of Data Fiduciary, Grievance Redressal Mechanism, Consent Withdrawal Mechanism is made easily accessible for the Data Principal.
Further, The notice requirement in the 2019 Bill was tied to collection of data and not to consent [Section 7]. This coupled with the deemed consent section ]means that under certain circumstances, data can be collected by Data Fiduciaries without a requirement to inform the data principals about the information which will be collected, or the purpose of such collection.
The present Bill makes the data principal responsible for the consequences of withdrawal of consent. This may act as a deterrent for data principles and deter them from withdrawing consent [section 7(4)]. The Bill has also placed the onus on the data fiduciary to prove in a proceeding that the requisite notice and consent were provided by the data principal [section 7(9)].
The section borrows most of the grounds for deeming this fiction from sections 12 and 13 of the 2019 Bill. However, the distinction between grounds for processing with consent and without consent are required to be maintained and to deem consent in the circumstances laid down in section 8 is erroneous. Consent reflects agency of a person and control of their information. To deem consent will mean giving them control over information after the stage of consent, for example withdrawal of consent.
The present Bill requires parental consent for obtaining personal data of children. It has been observed that there is a need to have a graded approach towards the consent framework of children. There is a need to provide agency to children over different types of data data at different ages to ensure their right to privacy and dignity are protected. Sub-section 10(4) does provide for exemption of parental requirement under circumstances as may be prescribed, it is hoped that the graded approach may be adopted in the Rules.
Rights of the Data Principal
Chapter 3 enshrines the rights of the Data Principal. These can be summarised as follows:
1. Right to Information about the identity of the Data Fiduciaries, type and category of personal data being processed by the Data Fiduciary.
2. Right to Correction of inaccurate and misleading personal data stored by the Data Fiduciary. Erasure of personal data will take place in a manner yet to be prescribed.
3. Right of Grievance Redressal against the Data Fiduciary within specified time frames.
4. Right to Nominate any person (kiln, relative) in the event of death, or incapacity of the Data Principal.
Worryingly, the draft Bill omits the following crucial rights from its ambit:
• Right to Access: Data principals ought to be given information about exactly how much information a data fiduciary (company, org., etc.) holds about them. They must be told specific details: Timeframe, Purposes, Categories and Recipients of their personal data.
• Right to Clear Communication: Prior to processing the personal data, Data Fiduciaries must provide information in a clear and transparent manner to the Data Principal regarding the lawful basis of processing, kind of processing and recipients with whom the data will be shared.
• Right to Object: Data Principals have not been provided a right to object to the processing of their data by a particular Data Fiduciary.
Data Protection Principles and what they mean
The Explanatory Note to the Digital Personal Data Protection Bill, 2022 crystallises seven Data Protection principles for the ‘Digital Nagriks’ (citizens). Unfortunately a lot of these principles are absent in the actual bill
1. Lawful, Transparent and Fair usage of personal data by organisations.
2. Purpose Limitation – data is utilised only for the purpose for which it was collected in the first place.
3. Data Minimization – only that data which is required is collected, and not more.
4. Accuracy of personal data – updated and accurate personal data is stored by organisations.
5. Storage limitation – personal data is not stored beyond the time period for which it is actually required.
6. Security safeguards – adequate security measures to be in-place to prevent data breaches, unauthorised access, etc.
7. Accountability measures – holding the data fiduciary accountable for the processing of the data.
The proposed mechanism for notifying a personal data breach does not steer too from the mechanism outlined in the 2019 Bill. A data fiduciary is obligated to adopt reasonable security safeguards in order to prevent or mitigate the risk of a breach. In the event of the same, the data fiduciary or data processor, as the case may be, must notify the ] Board as well as any data principal to whom any personal data which has been affected in the breach relates. A data fiduciary may be instructed by the Board, as per its discretion, to adopt any urgent measures to remedy such breach or mitigate the harm caused to the data principals.
The limit of the financial/civil penalties imposed under the Bill has been increased significantly, specifically in certain cases where the penalties have been multiplied to strengthen the enforcement of the Bill’s provisions. For example, the penalty imposed in the failure of adopting reasonable security practices in preventing or mitigating a breach of personal data has been increased fifty-fold from INR 5 crores (as proposed in the 2019 draft Bill) to INR 250 crores.
Most importantly, the present Bill has removed the penalisation of re-identification and processing of de-identified data without the data fiduciary or data principal’s consent. Processes of de-identification, pseudonymization and encryption, which formed a part of the 2019 Bill, have been removed from the Bill’s remit. As stated above, the Bill has eliminated the scope of seeking compensation by a data principal who has suffered harm as a consequence of a data fiduciary or data principal’s violations of any provisions of the Bill.
The Bill does not include a definitive or detailed timeline for the implementation of its provisions and the compliance mechanisms thereunder. It simply prescribes a phased approach, by virtue of which it has retained the power to notify different provisions of the Bill at different times. This proposition disregards the vast extent to which small and medium enterprises, start-ups and other entities ought to account for the lack of their technical know-how, access to the metadata, hardware, and other technical impediments. Such an open-ended implementation does not provide a reliable timeline based on which these enterprises can direct their efforts and resources to revise and update their policies, processes, technological infrastructure, etc. to be align them with the provisions of the Bill. Inevitably, compliance with the provisions of this Bill is unlikely to proceed in a systematic and homogeneous manner. Notably, this overlooks the recommendation as outlined by the Report of the Joint Parliamentary Committee, which extended the timeline for 2 years for the implementation of the Bill, with specific carve-outs for the constitution of the Data Protection Authority (now Board), registration of data fiduciaries and other fundamental processes integral to the effective implementation of the Bill.
2Article 45 (Transfers on the basis of an adequacy decision), GDPR