ARCHIVES
Syllabus
- GS-2: Government policies and interventions for development in various sectors and issues arising out of their design and implementation.
- GS-3: Digital Economy
Context: The latest draft of the data protection law — the Digital Personal Data Protection Bill, 2022 (DPDP Bill, 2022) — has now been made open for public comments and the government is expected to introduce the Bill in Parliament in the budget session of 2023.
Is this the first draft?
- This is the fourth iteration of a data protection law in India.
- The first draft of the law — the Personal Data Protection Bill, 2018, was proposed by the Justice Srikrishna Committee set up by the Ministry of Electronics and Information Technology (MeitY) with the mandate of setting out a data protection law for India.
- The government made revisions to this draft and introduced it as the Personal Data Protection Bill, 2019 (PDP Bill, 2019) in the Lok Sabha in 2019. On the same day, the Lok Sabha referred it to a joint committee of both the Houses of Parliament.
- Due to delays caused by the pandemic, the Joint Committee on the PDP Bill, 2019 (JPC) submitted its report on the Bill after two years in December, 2021. The report was accompanied by a new draft bill, namely, the Data Protection Bill, 2021 that incorporated the recommendations of the JPC.
- However, in August 2022, citing the report of the JPC and the “extensive changes” that the JPC had made to the 2019 Bill, the government withdrew the PDP Bill.
Why have there been so many revisions and changes?
- Constant interactions with digital devices have led to unprecedented amounts of personal data being generated round the clock by users (data principals).
- When coupled with the computational power available today with companies (data fiduciaries), this data can be processed in ways that increasingly impair the autonomy, self-determination, freedom of choice and privacy of the data principal.
- The current legal framework for privacy enshrined in the Information Technology Rules, 2011 (IT Rules, 2011) is wholly inadequate to combat such harms to data principals, especially since the right to informational privacy has been upheld as a fundamental right by the Supreme Court ( S. Puttaswamy vs Union of India [2017]).
- It is inadequate on four levels;
- First, the extant framework is premised on privacy being a statutory right rather than a fundamental right and does not apply to processing of personal data by the government;
- Second, it has a limited understanding of the kinds of data to be protected;
- Third, it places few obligations on the data fiduciaries which, moreover, can be overridden by contract
- Fourth, there are only minimal consequences for the data fiduciaries for the breach of these obligations.
- While the need to have an effective personal data protection regime is undisputed, India like other jurisdictions has struggled to come up with an optimum formulation for several reasons.
- First, while protecting the rights of the citizens, data protection laws need to ensure that the compliances for firms (data fiduciaries) are not so burdensome as to make even legitimate processing impractical.
- Second, the challenge lies in finding an adequate balance between the right to privacy and reasonable exceptions, especially where government processing of personal data is concerned.
- Third, given the rate at which technology evolves, an optimum data protection law design needs to be future proof — it should not be unduly focused on contemporary concerns while ignoring problems that may emerge going forward.
- Fourth, the law must also address the unequal bargaining power of data principals with respect to data fiduciaries.
What is the scope of the present formulation of the Bill?
- The DPDP Bill, 2022 applies to all processing of personal data that is carried out digitally. This would include both personal data collected online and personal data collected offline but is digitised for processing.
- In effect, by being completely inapplicable to data processed manually, this provides for a somewhat lower degree of protection as the earlier drafts only excluded data processed manually specifically by “small entities” and not generally.
- Furthermore, as far as the territorial application of the law is concerned, the Bill covers processing of personal data which is collected by data fiduciaries within the territory of India and which is processed to offer goods and services within India.
- The current provision seems to exclude data processing by Indian data fiduciaries that collect and process personal data outside India, of data principals who are not located in India.
- This would impact statutory protections available for clients of Indian start-ups operating overseas, thereby impacting their competitiveness.
- This position further seems to be emphasised with the DPDP Bill, 2022 exempting application of most of its protections to personal data processing of non-residents of India by data fiduciaries in India.
How well does the DPDP Bill, 2022 protect data principals?
- The bulwark of most data protection legislations consists of allowing maximum control to the data principal over their personal data.
- This happens by mandating a comprehensive notice to the data principal (users) on different aspects of data processing based on which the users can provide explicit consent to such processing.
- Also, the data fiduciary is placed with the obligation of data minimisation, which is to collect only such personal data as is required to fulfil the purpose of processing (collection limitation); process it only for the purposes stated and no more (purpose limitation) and to retain it in its servers only for so long as is required to fulfil the stated purpose (storage limitation).
- The current draft removes collection limitation. This would allow a data fiduciary to collect any personal data consented to by the data principal.
- Making collection solely contingent on consent, ignores the fact that data principals often do not have the requisite know-how of what kind of personal data is relevant for a particular purpose.
- It also does away with the concept of “sensitive personal data”. Depending on the increased potential of harm that can result from unlawful processing of certain categories of personal data, most data protection legislations classify these categories as “sensitive personal data”.
- Illustratively, this includes biometric data, health data, genetic data etc.
- This personal data is afforded a higher degree of protection in terms of requiring explicit consent before processing and mandatory data protection impact assessments.
- By doing away with this distinction, the DPDP Bill, 2022 does away with these additional protections.
- Additionally, the Bill also reduces the information that a data fiduciary is required to provide to the data principal.
- While the previous iterations required considerable information in terms of the rights of the data principals, grievance redressal mechanism, retention period of information, source of information collected etc to be provided for the data principal, the current draft reduces the scope of this information to the personal data sought to be collected and the purpose of processing the data.
- Moreover, the DPDP Bill, 2022 seems to have a limited understanding of the purpose of notice. It says that notice is only to be provided to take consent of the data principal. This
- A notice is also important for the data principal to exercise data protection rights such as the right to know what personal data is being processed by whom, whether that data needs correction or updation or not.
- The DPDP Bill, 2022 also introduces the concept of “deemed consent”. In effect, it provides for “reasonable purposes” for which personal data processing could be undertaken under the ground of “deemed consent”.
- However, there exist some concerns around this due to the vaguely worded grounds for processing such as “public interest” and the removal of additional safeguards for protection of data principals’ interests.
- An important addition to the right of data principals is that it recognises the right to post mortem privacy which was missing from the PDP Bill, 2019 but had been recommended by the JPC. The right to post mortem privacy would allow the data principal (user) to nominate another individual in case of death or incapacity.
Main Practice Question: Previous data protection bill was inadequate that necessitated new draft legislation. Elucidate.
Note: Write answer his question in the comment section.
