Experts flag multiple issues with draft Digital Personal Data Protection Bill, 2022
Several experts said the draft Bill was problematic in the context of safeguarding personal privacy and in some ways, it is worse than the Personal Data Protection Bill, 2019, withdrawn by the Centre
Three months after the Union government withdrew the Personal Data Protection Bill, 2019 from Parliament, a significantly revised and shortened draft Digital Personal Data Protection Bill, 2022 was released on Friday. The concise 24-page version covers only digital personal data, drops non-personal data from its scope and continues to give the government sweeping powers.
Several experts said the draft Bill remained problematic in terms of safeguarding personal privacy and in some ways, it is worse than the rescinded Bill.
The draft Bill contains around 30 clauses, compared with the 90-plus clauses in previous drafts of the data protection proposals.
The Bill is less explicit about the harms caused by data privacy breaches and does not distinguish between personal data and sensitive personal data. It does away with data localisation, which many tech companies had opposed.
The fourth version of the data protection Bill is open to public feedback until December 17.
A positive aspect of the draft Bill is that, unlike the earlier version, service providers have to notify users in the event of a breach, after which the Data Protection Board will issue directions to mitigate any harm caused.
Data privacy and protection
Though the Supreme Court recognised privacy as a fundamental right in 2017, the Bill waters down data privacy and the protection framework it requires.
Legal director of Software Freedom Law Centre (SFLC) Prasanth Sugathan pointed out that any data, which is not in digital form, is not covered by this draft Bill. “So, even if someone collects personal data from an individual, this Bill will not cover that. Earlier draft bills covered personal data as such. Even the Sri Krishna Committee report addresses it,” he said.
He highlighted that the draft Bill proposes to remove Section 43 of the IT Act, which talks about misuse of data. “In earlier versions of the Bill, there were no such provisions to remove a Section,” he said.
In the case of data breaches, the proposed mechanism for notifying a personal data breach does not depart from the mechanism outlined in the 2019 Bill, SFLC stated in a detailed note. What is of concern about the draft Bill is that the victim of a data breach cannot seek monetary compensation. Earlier, users could claim damages or compensation if their data was misused.
“There is a provision for penalising the company, but the individual will not get any compensation even though the person’s data has been misused. So, even if I have legal recourse, processes can be resource-intensive,” explained Namrata Maheshwari of Access Now, an organisation which works to defend digital civil rights.
The draft Bill does not recognise surveillance as a harm. The 2019 Bill explicitly defined surveillance as a harm under Section 3(20): “(ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; (x) any observation or surveillance that is not reasonably expected by the data principal.”
Clause 18 of the DPDPB, 2022 carries forward the wide and vague exemptions that were provided to the Union government in clauses 35, 36, 37, 38, & 39 of the Data Protection Bill, 2021, stated the Internet Freedom Foundation (IFF), a digital liberties organisation.
Clause 18(2)(a) of the DPDPB, 2022 replicates Clause 35 of the DPB, 2021 and allows the Union government to exempt any “instrumentality” of the State from the application of DPDPB, 2022 in the interests of “sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these”.
This would result in grave violations of citizens’ privacy, while also extending immunity from the law to arms of the government.
“If the law is not applied to government instrumentalities, data collection and processing in the absence of any data protection standards could result in mass surveillance,” said IFF.
What is concerning, underscored IFF’s Prateek Waghre, is the idea of deemed consent. “There is potential for the government to assume consent for a large number of issues. Clauses 8(6), (7), & (8) state that consent of a Data Principal for data processing will be deemed in certain situations including for the maintenance of public order, purposes related to employment, and in public interest respectively. These categories allow for wide and vague interpretations, while allowing excessive collection of personal data in the absence of specific and informed consent,” he said.
“Earlier, the government could exempt any state agency from having to comply with the Act, but now they can exempt any entity, any data fiduciary. Not just a state agency,” added Maheshwari. This could include any private company or service provider.
Data Protection Board
This draft Bill replaces the Data Protection Authority with the Data Protection Board of India, but it is still not an independent body. Chapter 5 of the draft Bill states that at a later stage, the Union government will prescribe the strength and composition of the Board, the process of selection, the terms and conditions of appointment and service, and the removal of its Chairperson and other Members.
“This brings into question the independence of the Board. The ability to appoint the chief of the board is a power that the Indian government has given itself,” said Waghre.
Calling attention to this anomaly, Maheshwari said that one of the cornerstones of data protection regimes globally is that the regulator must be independent. One obvious reason is that, as a data collector, the government is itself a party to disputes.
Another issue is that a private company facing a data-breach dispute before the Data Protection Board can submit a voluntary undertaking to the Board stating what it will do. “If the Data Protection Board agrees, then that effectively lets them get away without any kind of consequences for breaching fundamental rights. They can negotiate the outcome of a dispute. The user stands to lose,” said Maheshwari.
Duties of the user
For the first time, the draft Bill sets out duties for the user (data principal) and the service provider (data fiduciary). It states that the data fiduciary shall make reasonable efforts to ensure that personal data processed by or on behalf of the Data Fiduciary is accurate and complete.
It also states that “a Data Principal shall, under no circumstances including while applying for any document, service, unique identifier, proof of identity or proof of address, furnish any false particulars or suppress any material information or impersonate another person. Non-compliance with this clause carries a penalty of up to Rs 10,000 which may be imposed on the Data Principal.”
Waghre questioned if this implied that a user cannot use a pseudonym at all. “This is confusing and concerning. Unless it is a financial transaction, should you be precluded from providing a pseudonym in case you feel like doing so? People may want to maintain their privacy and not give their details to all service providers they interact with,” he said.
As part of the duties of the user, the draft Bill states that “a data principal shall not register a false or frivolous grievance or complaint with a Data Fiduciary or the Board”. This will serve as a deterrent to those wanting to file complaints, because one doesn’t know whether the outcome of a complaint is going to be deemed frivolous. There is a provision for a penalty if the complaint is found to be false or frivolous.
The draft Bill, SFLC noted, removes the data localisation requirement that the 2019 Bill and the subsequent report of the Joint Parliamentary Committee, released in December 2021, had included.
Section 17 of the draft Bill states that the government will release a list of countries and territories to which personal data may be transferred, after an assessment of certain factors.
However, no criteria have been stated on how the government will decide which countries to allow data transfers to. “This is in contrast with Articles 44 to 50 of the General Data Protection Regime which permits transfer of personal data of Europeans only to such countries which provide a minimum level of protection to such data,” stated IFF.
The draft Bill raises the maximum penalty to Rs 500 crore, from the earlier proposed Rs 15 crore. It also proposes a penalty of up to Rs 250 crore if a service fails to protect data from breaches. There is no minimum floor on penalties.
“With the focus on high penalties, it makes it seem that the government is pushing for accountability, which it is, but it is mostly tailored for the private sector than the government and public sector,” said Maheshwari.
Clause 30(2) of the draft Bill proposes to amend Section 8(j) of the Right to Information Act 2005. This amounts to exempting personal information from disclosure.
Section 8(j) of the RTI Act currently exempts personal information from disclosure under the Act only if the disclosure has no relationship to any public activity or interest, or if it would cause an unwarranted invasion of the individual’s privacy.
The current version of the Bill does not give the user the option of data portability. Under the Personal Data Protection Bill, 2019, a person using a particular email provider had the right to require that provider to hand over all the data needed to move to another provider. That provision is absent from the draft Bill.
Maheshwari emphasised that most of the substantive parts of the draft Bill have been left to rule-making and delegated legislation, meaning the government will issue rules later. The language used in several provisions is ‘as may be prescribed’. This doesn’t help users or businesses.
Many good recommendations from the JPC have not been taken up. The JPC used language like ‘fair, just and reasonable’ to limit the circumstances in which data is collected. Though it was not perfect (for instance, on language such as data being collected only when it is necessary and proportionate), it was still better than what we have now.
The draft Bill says a person has the right to approach a data fiduciary to ask for a “summary” of the personal data it holds on them. However, that is not enough. The company should be obligated to give the user the full scope of the data it holds, not just a summary. A summary can be just a few lines, which doesn’t help.
The draft also backtracks on many of the JPC’s recommendations, including those on greater algorithmic transparency and platform accountability.