An Analysis Of The Digital Personal Data Protection Bill, 2022

Rishi Dev

23 Jun 2023 6:26 AM GMT

    The Digital Personal Data Protection Bill, 2022 introduces a new framework for personal data protection, making it important to understand its applicability and functions. The Government of India sees the bill as one part of its larger vision of a Digital Economy; this vision will include a comprehensive “Digital India Act” that would in due course replace the existing Information Technology Act, 2000. Hence it is crucial to take a closer look at its provisions, implications and shortcomings, considering its potential to impact our day-to-day lives.

    This draft has been released by the Ministry of Electronics and Information Technology (MeitY) and is aimed at “framing out the rights and duties of the citizen (Digital Nagrik) on the one hand and the obligations to use collected data lawfully of the Data Fiduciary on the other hand.” The Bill applies solely to 'digitized' personal data and makes no mention of non-personal data or anonymized datasets that shield the identity of an individual. This will become the fourth attempt at a data protection law in India, as the first draft of this law was proposed by the Justice Srikrishna Committee set up by the MeitY in 2018 as the Personal Data Protection Bill, 2018. The government then made some revisions to this draft and introduced it in the Lok Sabha in 2019 as the Personal Data Protection Bill, 2019. On the same working day, the bill was referred to a joint committee of both Houses of Parliament chaired by P.P. Chaudhary, former Minister of State for Ministry of Law and Justice, Electronics and Information Technology. Finally, due to delays caused by the pandemic, the Joint Committee released its report in December 2021. This report was accompanied by a new draft bill, the Data Protection Bill, 2021, which incorporated the recommendations made by the Joint Committee. Despite this, the government was dissatisfied with the "extensive changes" made to the 2019 Bill, which included 81 amendments and 12 recommendations that expanded the scope of the proposed personal data protection law towards a much broader holistic data protection bill, and thus withdrew the Personal Data Protection Bill in August 2022.

    Below is a chronological list of the pivotal events in the trajectory of digital data protection:

    August, 2017

    In Justice K. S. Puttaswamy (Retd) vs Union of India, the Supreme Court unanimously recognized the constitutionally protected right to privacy for Indians under Article 21, considering it intrinsic to life and liberty.

    August 2017 - July 2018

    In August 2017, the government formed a committee chaired by Justice B.N. Srikrishna, consisting of experts in data protection, to address data privacy concerns. Furthermore, the committee submitted its report in July 2018, along with a draft Data Protection Bill, containing various recommendations to enhance privacy laws in India.

    December 2019

    Introduction of the Personal Data Protection Bill, 2019 in Lok Sabha in 2019.

    December 2021

    Submission of the Joint Parliamentary Committee report on the Personal Data Protection Bill, 2019.

    August 2022

    Withdrawal of the Personal Data Protection Bill, 2019 from Parliament.

    November 2022

    Release of the Draft Digital Personal Data Protection Bill, 2022.

    A. The proposed regulatory framework (Data Protection Board of India):

    The latest draft departs from the regulatory framework of previous versions. It significantly limits the scope of the envisioned Data Protection Board of India (DPB) compared with the Data Protection Authority, the regulator proposed in the previous draft law, which was vested with significant rule-making, enforcement, and adjudication powers. The Central Government has rule-making authority in about 14 of the 30 clauses of the DPDP Bill, which is problematic for several reasons. To begin with, the government is itself one of the country's major data fiduciaries. It processes the personal data of millions of people for services and benefits, the granting of permits, licenses, and official IDs (Voter IDs, PAN Cards, etc.), and general law enforcement. As a result, the regulatory body must develop its rules and regulations independently of the government’s influence in order to ensure fair protection of data principals' interests. The government also has powers vested in it over the appointment of officials to the regulatory body.

    Furthermore, the DPB's functions are characterized as follows. First, enforcing compliance with the aforementioned law on individuals and entities. Second, imposing penalties or taking actions under Section 16 of this act for non-compliance. Third, issuing directives to data fiduciaries for taking urgent measures to remedy the breach of personal data. Fourth, the board has been given the authority to conduct inquiries in accordance with natural justice principles if there are adequate grounds to do so. Finally, the Bill confirms that the board's directives must be followed by everyone and should be in accordance with the said order of the authority.

    B. Government’s processing of personal data and exemptions allocated:

    Following the approach of the Personal Data Protection Bill, 2019, the present Bill also includes significant exemptions for the state's handling of personal data. First, as previously indicated, the Union government has the authority to establish "fair and reasonable" reasons for which personal data can be used without the consent of a data principal. Second, most data protection standards are waived if the processing is done "in the interests of preventing, detecting, or investigating any offense or other violation of any law." An outright exemption can be provided for the processing of personal data if it is necessary for research or “in the interests of India's sovereignty and integrity, security, friendly relations with foreign states, public order maintenance, or avoiding incitement to any cognizable offense relating to any of these.” However, this gives the government an unsolicited and disproportionate influence that may be utilized for its own benefit, and it places citizens' personal data in the hands of the government without the permission of the data principal.

    C. Significant Data Fiduciaries:

    The central government, depending on “the amount and sensitivity of the personal data processed, the potential influence on the sovereignty and integrity of the country, the risk of harm to the data principal, a threat to the country’s democracy, and other concerns”, can now notify the designation of ‘Significant Data Fiduciaries’ (SDFs). Therefore, SDFs need to fulfill certain additional obligations for greater scrutiny by the government. These entities are required to appoint an ‘independent data auditor’ to check their compliance with the 2022 Bill, as well as complete data protection impact assessments. Such entities will also be required to appoint a ‘data protection officer’ to represent them, who will be based in India and serve as the point of contact for grievance redressal. It is important to note that the DPDP Bill, as compared to the earlier legislations, does not deem social media platforms that reach a certain user threshold to be SDFs automatically. This approach appears to be based on the same principles as the government's recent legislation, which requires corporations to take accountability for any grievances or wrongs perpetrated on their platforms.

    D. Penalties:

    The proposed DPDP Bill, 2022 establishes severe penalties for violations of any of the legislation's provisions, which will be determined by the Data Protection Board of India. It provides for financial penalties with a cap of ₹500 crores, which is much higher than under the PDP Bill, 2019. The bill does not allow data principals to seek compensation from data fiduciaries for damages incurred because of unlawful processing. In addition, the legislation imposes obligations on data principals, and if they fail to comply with the regulations, fines of up to ₹10,000 can be levied. Some of these obligations include exercising rights in accordance with "the provisions of all applicable laws" and not filing "false or frivolous" complaints with the data fiduciary or the DPB. These are discussed more clearly here. It is important to note that these provisions may deter data principals from exercising their rights for fear of facing penalties. However, this effort appears to be aimed at establishing a hassle-free and quick justice delivery system.

    E. Constitutional Analysis:

    The said bill, while having important iterations of data privacy, also has its own flaws. According to the case of Maneka Gandhi v. Union of India, an approach that is 'fair, equitable, and reasonable' must be followed if there is to be a violation of Article 21. Similarly, Justice K. S. Puttaswamy & Anr. v. Union of India & Ors. discussed the criteria of proportionality and added that establishing a delicate line between the state’s interest and individual privacy is important, which can be made possible by a data regime. This test of proportionality, prominently used in Anuradha Bhasin vs Union of India, has been enshrined in a four-prong approach: (a) the law intruding on privacy must have a legitimate objective, (b) it must have a rational nexus to that goal, (c) there must be no less restrictive but equally effective alternative, and (d) it must not have a disproportionate impact on the right-holder. Thus, if we apply the test of proportionality with regard to the violation of Article 21 to the proposed draft, several provisions like Section 18 fail prongs (b), (c), and (d) of the test. Section 18(2)(a) grants the Union government the authority to exempt state instrumentalities from the application of the provisions of the Bill. It is important to highlight that this is a blanket exception with no procedural protections, when Section 8 already exists, which permits the state to process personal data without the express consent of the data principal in furtherance of public interest; therefore, the exemptions provided in Section 18 are excessive. In addition, Section 18(4) exempts state instrumentalities from destroying personal data after its purpose has been met as per sub-section (6) of section 9 of this Act. This, too, lacks any procedural protections and permits the government to hold data indiscriminately for an indefinite amount of time.

    This proves to be an infringement of the data principal's right to be forgotten, held in Vasunathan vs Registrar General and affirmed in K. S. Puttaswamy. Thus, it infringes an individual’s right to control the use of their data to protect their dignity and autonomy. Further, Justice B.N. Srikrishna, head of the Justice Srikrishna Committee which proposed the first draft of the data protection bill, has also commented on this latest draft and said that there is much over-reliance on rules to be framed by the executive, without proper guidelines by the legislature, and added that there is a ‘need for a robust and independent Data Protection Authority’ as envisaged under the 2018 version of the draft. Therefore, if the Bill after being passed is brought before the court, it may be held inconsistent with the Supreme Court's observations in the case of Puttaswamy, which held that a law must be necessary, proportionate, and reasonable, and may be struck down as it gives an excessive delegation of power to the government without proper guidelines by the legislature.

    F. Shortcomings:

    The proposed bill, while addressing the relevant concerns, has left out certain required conditions and has some shortcomings as well. First, the delegation of power of the DPB to the union government proves to be questionable, as the DPB hasn’t been provided a proper legislative direction for making guidelines for the country, which also raises a concern about the independence of the said body. Second, storage limitations on the duration for which personal data is stored do not apply to government agencies. This proves to be arbitrary, as they can keep personal data for an indefinite amount of time even if the purpose of processing no longer exists and there is no legal necessity to keep the data. Third, the Bill proposes some severe penalties; however, the severity of the noncompliance appears to be highly subjective, depending on whether it is decided to be “significant” or not, as stated in the bill: "if the noncompliance is not significant, the Board may choose to close the enquiry, and will only take remedial measures if the noncompliance is significant." This can be resolved by specifying what the legislature means by "significant," or by the DPB issuing orders depending on specific situations.

    G. Key observations:

    1. The age of digital consent continues to be the same, implying that parental permission would be necessary every time children wanted to use the internet. This is problematic for three reasons. First, the high threshold of 18 years ignores growing ability, since it fails to recognize that a toddler's consent differs from that of a teenager. Second, it would result in uneven access to the internet. Lastly, needing parental agreement would impede children's independent growth, since parents may not want their children exposed to opposing perspectives. These limitations violate India's commitments under the Convention on the Rights of the Child.
    2. In a significant step, in contrast to the contentious necessity of local storage of data inside India's geography in the previous bill, the new bill allows major allowances for cross-border data transfers. It takes a rather accommodative stance on the need for data localization and allows data flow to a few worldwide locations, which is expected to encourage trade agreements between countries. In addition, the bill recognizes the data principal's right to postmortem privacy (Withdraw Consent), which was not recognized in the PDP Bill, 2019, but was suggested by the Joint Parliamentary Committee (JPC).
    3. The delegation of regulatory powers of the Data Protection Board of India (DPB) to the Union government presents a conflict of interest. For instance, the government has the authority to designate "fair and reasonable" objectives for which personal data can be used without consent. Similarly, it can adopt regulations on data breach requirements, data protection impact assessments, data audits, and information that can be sought from a data fiduciary, all of which the government will be obliged to do in its capacity as a data fiduciary. Furthermore, the DPDP Bill, 2022 lacks proper legislative direction for developing these guidelines. This raises the issue of excessive legislative delegation and excessive government influence on the regulatory framework, which shows indifference to the independence of the regulatory body. Finally, the Central Government has greater authority over the proposed DPB since it would appoint members, determine the terms and circumstances of appointment, and define the responsibilities that the DPB will execute.
    4. Finally, the DPDP Bill, 2022 misses out on two central rights for data principals, namely, the right to data portability and the right to be forgotten. The right to data portability allowed data principals an option to port their personal data from one digital platform to another if they did not like the former. On the other hand, the right to be forgotten allows the data principal to ask the data fiduciary to stop the disclosure of their personal data as it may affect their right to privacy as per the ruling of the Hon’ble Supreme Court in Justice K. S. Puttaswamy & Anr. v. Union of India & Ors.

    The DPDP Bill, 2022 is intended to outline the rights and obligations of 'digital nagriks' or citizens, as well as to lay out the methods and standards for data collection when it comes to entities. It has indeed covered some of the industry’s needs, like cross-border data transfers, and has left out others, such as mandating stakeholder consultation for rules framed by the government. While the bill introduces some significant changes, it also has some shortcomings, and among the main concerns are broad exemptions for the Centre and its agencies with little to no safeguards, as well as the proposed Data Protection Board's diminished autonomy. Finally, the Bill was open for public discussions and consultations till December 17, 2022, and it is expected that the government will listen to the reviews and incorporate the recommendations and suggestions accordingly so that comprehensive data protection legislation is enacted in our country.

    Views are personal.
