DIGITAL PERSONAL DATA PROTECTION BILL, 2023
Data Protection Principles
- As found in the previous iteration of the Digital Personal Data Protection Bill, 2022, observance of Data Protection Principles, i.e., Data Minimization, Lawfulness and Transparency, Purpose Limitation, Storage Limitation, Accuracy, Integrity, and Accountability were stated to be introduced in the DPDP Bill, 2023. However, the actual inculcating of the Principles within the text of the current Digital Personal Data Protection Bill, 2023 with specific reference to Data Minimization, Storage Limitation, and Purpose Limitation has been found to be lacking.
- Article 5 of GDPR clearly sets out the 7 data protection principles which find sufficient treatment and usage within the text of the Regulation.
- The Bill does not include a definitive or detailed timeline for the implementation of its provisions and the compliance mechanisms thereunder. It simply prescribes a phased approach, which will be executed through a notification on different provisions of the Bill at different timelines.
- Under the GDPR, a specified period of two years was provided for member states to bring the regulation into effect. A specified and guided implementation timeline eases the implementation and compliance process for the stakeholders
- Definitions of key terms such as Harm, Biometric Data, Health Data, Financial Data, Sensitive Personal Data, Public Interest are missing from the scope of the Bill.
- Terms including Digital Office, Appellate Tribunal, Consent Manager, Specified Purpose has been added, while the definition for ‘Consent Manager’ has been expanded.
- ‘Profiling’ has been removed. The definition of ‘Processing’ has included partly automated operations as well.
- Article 4 of GDPR defines terms such as profiling, pseudonymisation, biometric data, data concerning health which ensures that GDPR covers a broader range of concerns with respect to data.
Surveillance and Harm
Surveillance finds no mention in the Bill. While this might seem innocuous, the JPC Report on The PDP Bill, 2019 also specified that the Government’s surveillance on data stored in India must be strictly based on necessity as laid down in the legislation, and that the same must be incorporated into the text of the Bill. ‘Harm’ is not defined in the Bill either, which strips Data Principals of the right to redressal in various situations. Mentioning surveillance as a harm, and assuring that governmental surveillance would be at a minimum with appropriate procedural checks, is important to ensure the trust and faith of citizens in the security of their personal data.
· Clause 3(1)(c)(ii)(a) provides that the Bill will not apply to personal data that is made publically available by the Data Principal to whom the data relates. This clause is vague and overbroad, and needs to be clarified further. The term ‘made publically available’ can be construed to mean making available to any number of people by the Data Principal. This could also mean making available to one person. For eg. If a Data Principal posts something to a private social media account, the same can be said to be made publically available by her. This data then being circulated online, causing harm to the Data Principal can still be construed to be data made publically available by the Data Principal herself. This could potentially result in personal data being scraped and used for profiling. This broad clause, coupled with the fact that there is no definition or mention of ‘harm’ in the Bill can lead to problematic situations arising for Data Principals. Article 2 of the GDPR, which defines the Material Scope of the Regulation, doesn’t carve out an exception for data that is made publically available, unlike the Bill.
- If a Data Principal’s consent is requested for processing of their personal data, they must be accompanied with or preceded by a notice given to them by the Data Fiduciary, consisting of:
- the purpose for which the data will be processed;
- how they can exercise their consent rights and the right to redress their grievances; and
- how they may make a complaint to the DPB, which will be prescribed in subsequent rules.
- If a Data Principal has already given consent prior to this Bill being enacted, then the Data Fiduciary must send them a notice providing details of purpose, rights and redressal mechanism as soon as the Data Fiduciary can reasonably do so.
- Data Fiduciaries can process this personal data until and unless the Data Principal withdraws their consent to it. While this may be burdensome, it is mitigated to an extent with the Data Fiduciary being obligated to stop processing personal data if the Data Principal has not reached out to them to fulfil the purpose of their service, or if they have not exercised their rights with respect to the processing.
- While the notice requirement has been expanded to personal data and not just sensitive personal data (as under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, they do not include Rules 5(3)(c) and (d), which require notification to include information about the recipients of personal data, and the contact information of the agency which collects and retains the information.
- Article 13 of the GDPR requires more detailed notices to be provided as well, including without limitation, information on the recipients of the personal data, legitimate interests pursued by third parties, transfers to a third country/international organisation (if done), the existence of automated data profiling, and the period for and criteria under which data will be stored, all of which are not mentioned in the Bill. Further details may be provided under subsequent rules, however, at the moment, the Bill does not consider these factors in the notice format.
- Under Clause 5(3) of the Bill, Data Principals must be given the option to access the contents of these notices in English or any other regional language as listed in the Eighth Schedule of the Constitution of India. This provision ensures that notices are accessible to a larger population of the country, and will allow Data Principals to make more informed choices about the processing of their data.
In the absence of the category of sensitive personal data, the notice requirements apply more broadly to personal data. While the Bill requires notices to be sent to Data Principals with details of purpose, rights that can be exercised, and redressal mechanism, the format is not as detailed as the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, nor Article 13 of the GDPR. Further details on the format of notice have been delegated to subsequent rules.
- The consent mechanism is divided into two parts: General Consent under Clause 6 and Consent for General Legitimate Uses under Clause 7 (formerly known as deemed consent)
- Consent must be collected from Data Principals for the processing of their personal data, in a free, specific, informed, and revocable manner, and must be specifically limited to the purpose for which it has been collected.
- Once consent has been revoked by the Data Principal, the processing of their data may continue if such processing without their consent is:
- Required or authorized under the provisions of the Bill (or the rules thereunder); or
- Any other law in India
- The consent granted by a data principal can be received, managed, and reviewed through a Consent Manager.
Deemed Consent or Processing Consent for ‘Processing for Certain Legitimate Uses’
- Processing of personal data can be done on the basis of consent this is deemed to be given under Clause 7, on the following grounds:
- For purposes that are related or incidental to the primary purpose (to which the data principal has expressly consented);
- Where it may be reasonably expected for the data principal to consent;
- The scope of deemed consent has been significantly downsized as compared to the Bill of 2022, as it excludes the processing of personal data based on deemed consent for matters of public interest or any fair and reasonable purpose as may be prescribed.
Obligations of Data Fiduciaries:
- Data may be processed by Data Fiduciaries for a lawful purpose pursuant to Data Principals’ consent, and for certain legitimate uses.
- The principles of purpose limitation and storage limitation have been incorporated in the Bill:
- Data Fiduciaries cannot retain personal data of Data Principals once the specific purpose for which processing has been done is achieved. If the latter are found not to be approaching the Data Fiduciaries for any activity that would mean performance of this purpose, or is not exercising their rights in relation to such processing, Data Fiduciaries must erase that data in a manner as will be prescribed by subsequent rules.
- As compared to the Draft Digital Personal Data Protection Bill of 2022, the grounds for legitimate processing are far more specific and limited.
- Key among these uses is that they may be processed for “taking measures to ensure safety of, or provide assistance or services to any individual during any disaster, or any breakdown of public order.” The provision has been drafted broadly, and raises concerns of misuse and misinterpretation.
- The principles of purpose limitation and storage limitation are broadly in line with Article 5 of the GDPR’s interpretation of the same.
Data Fiduciaries must ensure that reasonable safeguards are implemented to protect personal data, irrespective of whether the processing has been undertaken by itself, or by a Data Processor.
- Significant Data Fiduciaries: A category of Data Fiduciaries, as notified by the Central Government, must appoint Data Protection Officers, independent data auditors, and undertake period Data Protection Impact Assessment (DPIA), and periodic audits, amongst other measures as may be prescribed. In comparison with the Digital Personal Data Protection Bill of 2022, management of harms has not been included in the meaning of DPIA, and may be left to be included in subsequent rules. It remains to be seen, therefore, whether the DPIA mechanism will be similar to the DPIA under Article 35 of the GDPR.
- Under Clause 8(6), Data Fiduciaries are required to intimate Data Principals and the Data Protection Board of India (DPB) in the event of a personal data breach. The DPB on being so intimated must direct urgent remedial/mitigation measures, undertake an inquiry, and impose penalties.
- Details of the form of intimation have not been provided, and as per the Bill, will be included in subsequent rules. Article 33 of the GDPR is more detailed in this context, imposing a 72 hour timeline for notification, and with details of notification being set out in the provision itself. It remains to be seen whether a timeline for notifying the DPB and Data Principals will be imposed in subsequent rules. As of now, we have a separate 6 hour timeline of reporting to CERT-In in the event of data breaches.
Data Fiduciaries have to obtain verifiable parental consent before processing any personal data belonging to a child. A significant improvement lies in the mandate to not undertake tracking or behavioural monitoring of children or targeted advertising of children.
Article 8 of the GDPR provides that the Regulation provides for more transparency by mandating that where data is being taken directly from children, the notice must be worded in a way which is comprehensible to the child.
Rights of the Data Principal:
Right to Access
A Data Fiduciary is mandated to provide a summary, description and recipients with whom personal data shall be shared.
However, the Bill is silent on timelines, without mention of the right to object or restrict processing personal data, right to lodge appeal with Board, and source of collecting personal data (consent or legitimate use
The right to access is not fully-fledged or effective in practice lacking additional grounds.
GDPR [Art.15]: Exhaustively provides for categories of personal data and information that a data subject has the right to seek access to from the Data Fiduciary.
Right to correction
A Data Principal can ask for correction, completion, updation or erasure of personal data, collected through consent or legitimate use by the Data Fiduciary. The manner of such correction is yet to be prescribed.
However, personal data shall be retained if ‘necessary’ for the specific purpose or compliance under any law. Notably, this leaves wide discretion with the Data Fiduciary to deem retention of data ‘necessary’ in the absence of any further guidelines or criteria.
GDPR [Art.16]: Grounds for retention are clearer and based on established guidelines, such as public health and archiving purposes.
Right to Grievance Redressal
- Data Principals can raise grievances relating to the performance of obligations by
- Data Fiduciaries, with timelines and manner of redressal yet to be specified.
- Further, grievances must be raised before the Data Fiduciary before approaching the Board.
- Article 77 of the GDPR provides that Data subjects can file a complaint with the competent authority (Supervisory Authority) if considered to be an infringement under the Regulation. This is followed by an investigation, subject to judicial review.
Right to Nominate
- Data Principals can now nominate another individual to exercise their rights in case of death or incapacity (death/ unsoundness of mind / physical infirmity).
- This is a welcome addition to the Bill. Nominees will be able to ensure that any gains, losses, duties and liabilities accruing to Data Principals can be settled by exercising their rights under the Bill.
- There is no equivalent provision that exists under the GDPR for the right to nominate.
Duties of the Data Principal:
The Bill imposes onerous duties upon the Data Principal with fines imposable for violating such duties. Such provisions are unique to India and find little to no mention in any global data protection regulation.
Cross border data flow and Data Localization
- The Bill removes the requirement of data localization which the 2019 Bill, and the subsequent report of the Joint Parliamentary Committee required. This is a welcome step, as it ensures parity between players in the market, and significantly reduces compliance costs for companies, as opposed to a data localization regime. Clause 16 of the Bill states that the Central Government may restrict the transfer of personal data by a Data Fiduciary for processing to countries outside India by notification. This ensures that a free flow of data to all countries, except the ones that have been blacklisted, can occur.
- Clause 16(2) however, carves out an exemption and states that a law that provides for a higher degree of protection, or restriction on the transfer of data outside India would not be restricted. This addresses the issue of sectoral regulation, as the RBI has mandated that payments data should be stored only in India.
- This clause is similar to Article 45 of the GDPR, which lays down the procedure Transfers on the basis of an adequacy decision. Article 45 also sets out the elements for transfer within the Regulation itself. The current Bill does not specify such elements, and it must be made clear what the conditions and factors for blacklisting countries are.
Exemptions under the Bill are wider in scope. Wide discretion has been granted to the Government to notify any Data Fiduciary to be exempt from multiple obligations. Obligations of data retention, and right to erasure do not apply to the Central Government. Further, the Central Government has the authority to exempt any Data Fiduciary for 5 years from the commencement of the Act.
- Clause 17 (2b) is an issue. It mentions purposes such as research, statistical purposes which can be prone to misuse. It does not mention anonymizing data or any standards that can be used to ensure that data is not misused.
- Clause 17(3) mentions that any Data Fiduciary can be classified by the Government including startups to be exempt from:
- Clause 5 which deals with Notice and its manner
- Sub clause (3) and (7) of Clause 8 which deal with obligations related to making a decision regarding a data fiduciary as well as conditions for disclosing the data to another data fiduciary.
- Clause 10 which deals with additional obligations of data fiduciary
- Clause 11 which deals with Rights to access information about personal data.
- Under Clause 17(4) the State is exempt from provisions of data retention, erasure of personal data. Unless that data can make a difference in making a decision about a data principal, right to correction, completion and updation is also not available.
- For the beginning 5 years from the notification of this act, it may not apply to any data fiduciary or any classes of data fiduciary as per the notification of the Central Governmemt. (Clause 17(5))
Article 23 of GDPR mentions Derogations in which EU countries can come up with laws that restrict certain rights and responsibilities in GDPR for Security, Defence and Law Enforcement. These restrictions need to be limited by being specific.
Individual EU countries can make their own laws to balance the restrictions of the GDPR with the rights to freedom of expression and information. This can include making exceptions for processing made for journalistic, academic, artistic and literary purposes according to Article 85
Acoording to Article 86 A public authority (or a private body acting in the public interest) can disclose personal data to comply with a country’s laws on public access to official documents.
Data Protection Board of India
The Bill establishes a Data Protection Board of India. Its Chairpersons and Members shall be appointed for 2 years by the Central Government with stated practical experience in the relevant fields of data governance. The Board shall discharge functions related to data breaches and facilitate complaints on behalf of Data Principals.
Despite containing details for composition, functioning, qualifications, the Central Government shall still exercise significant control over the functioning of the Board.
Under Articles 51-59 of the GDPR, Supervisory Authorities are the competent bodies responsible for enforcing rights and duties under the Regulation. The provisions mandate for independence in functioning, composition and financial controls from any external influences.
- Criminal penalties are still excluded, with the present Bill focusing solely on financial/monetary penalties. Similar to the previous iteration, the present Bill is also in favor of imposing heightened costs on defaulting Data Fiduciaries, with penalties extending up to two hundred and fifty crore rupees.
- This Bill has continued to penalize Data Principals for non-compliance with their duties and obligations under the Bill, such as complying with its provisions, not impersonating another person, not suppressing any material information, etc., with a penalty of ten thousand rupees.
Intersection with other laws
Impact on the IT Act, 2000
Sensitive Personal Data
- The changes made by the present Bill to the Information Technology Act, 2000 now mean that the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 shall stand overridden by the Bill. The definition of ‘Sensitive Personal Data’ which was present under Section 43A and the Rules, therefore, is no longer in effect. Given that the Bill does not define ‘sensitive personal data’ either, an important class of data which deserves the highest level of protection is undefined, unrecognized, and vulnerable. Treating all data in a similar manner as merely ‘personal data’ is detrimental to financial, health, and biometric data which deserves to be afforded a higher level of protection.
- Further, Section 43A of the IT Act provided grounds for compensation to be provided to persons affected by wrongful loss or wrongful gain in cases of negligence by private entities. With Section 43A however getting repealed by the Bill, there is no avenue for Data Principals to receive compensation for loss or harm that they have suffered. Imposing stiff penalties on Data Fiduciaries is a deterrent, but it does not provide succor or relief to the affected persons.. The measure to do away with compensation is therefore detrimental to the interests of data principals. Article 82 of the GDPR provides for the Right to Compensation for persons who have suffered damage as a result of the infringement of the Regulation. The current Bill should provide for a similar provision in order to ensure that Data Principals are adequately compensated for harms caused to them
Reasonable Security Practices
- Furthermore, the draft Bill requires the Government to introduce Rules to define and prescribe ‘reasonable security practices’. This was a requirement under Section 87(2)(ob), which has now been omitted. While the Government can definitely notify such practices in the future, at present, the onus is thrown on data fiduciaries.
Impact on the RTI Act
- The current Bill amends Section 8 of the RTI Act, 2005 to bar the disclosure of personal information. Section 8 provides for exemptions from disclosure. At present Section 8(1)(j) states that information relating to personal information which does not relate to a public activity or interest cannot be disclosed unless there is a larger public interest which justifies the same. Further, a proviso states that information which cannot be denied to the Parliament cannot be denied to any person.
- The Bill replaces the entire clause with the words ‘information which relates to personal information’ and deletes the proviso as well. The 2018 Bill amended the RTI Act to exempt any information from disclosure which would be likely to cause harm to Data Principals. The Bill completely bars the disclosure of personal information, and takes away limitations on the restrictions to disclose personal information. It removes the powers of the Public Information Officers to allow disclosure in the public interest as well. This is a serious dilution of the RTI Act, and can lead to situations where information is denied on shaky grounds, and makes the RTI process less accountable than before.
Power of the Central Government w.r.t. the Bill
- Clause 37 grants power to the Central Government to block access by the public to any information generated, transmitted, received, stored or hosted in any computer resource by a Data Fiduciary. This creates a content blocking and takedown procedure parallel to the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009, where the Board has been granted similar authority to the Nodal Officer under these rules.
- For the Central Government to carry out the purposes of this Bill, Clause 40 authorizes them to pass rules on a plethora of matters. This can be in relation to the accountability and obligations of a Consent Manager, the grounds on which deemed consent may be collected under Clause 7, the classes of Data Fiduciaries, etc.