Digital Personal Data Protection Bill – India Legal (https://www.indialegallive.com)

A Missed Opportunity
https://www.indialegallive.com/magazine/digital-personal-data-protection-bill-2023/
Thu, 10 Aug 2023 11:52:11 +0000

The Bill, passed in the Lok Sabha, has many pros and cons. While it will be a stepping stone towards an Atmanirbhar Bharat, it will severely dent the digital personality hood of an individual.

By Ashit Srivastava and Ishita Srivastava

For the fifth year in a row, hopes of a data protection regime in India have remained unfulfilled. Interestingly, smaller neighbours of India have been efficient in this direction, with Sri Lanka enacting its Data Protection Law in 2022. 

The 2017 Puttaswamy-I judgment was a great opportunity for India to enact a sound data protection regime along with privacy rights. While India did appoint a commission under the chairmanship of BN Srikrishna, the novel and courageous Personal Data Protection draft prepared by him did not see the light of day. 

It was in 2018 that the genesis of the first draft was seen. Yet, with four drafts (2018, 2019, 2021 and 2022) put to dust till 2023, there is no sighting of a data protection law coming into existence anytime soon. This is a reflection of the de-prioritisation of citizens’ data. In a country where data drives every service industry (including political parties), there would be fewer takers for a data protection regime.

The draft Digital Personal Data Protection Bill, 2023, does not deviate much from the 2022 draft, though it has added a few prongs of its own. So what are the pros and cons of the Bill?

  • Continuation of the exemption clause: The 2023 draft has not deviated from the earlier tradition of exemption clauses. Under Section 17 (2) (a) of the draft, the instrumentalities and agencies of the government are exempted from its provisions if the processing is undertaken in the interest of the sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence. The term “public order” can easily become an umbrella term and may lead to a blank cheque for granting exemption to any overzealous executive agency. 

Secondly, under Section 17 (3), the government may also exempt any data fiduciary, class of data fiduciaries or startups from compliance with certain essential provisions of the draft. This is reflective of the government’s approach towards businesses in India. The government has been pushing the idea of an Atmanirbhar Bharat (Self-Reliant India), and surely there cannot be a conception of this without free data flow, especially for service industry-based startups, which will require bulk data to process. This is a genuine step towards recognising genuine entrepreneurs in India, but it seriously dents the very base of digital personality hood.

Interestingly, the Joint Parliamentary Committee report of 2021 had also commented on this provision and recommended that the procedure followed by the agencies exempted under it should be fair, just, reasonable and proportionate. Ironically, this recommendation did not become a part of the 2022 and 2023 drafts.

  • Dent on personality hood: At the core of the philosophy of a Personal Data Protection regime is digital personality hood. It is the idea of recognising the data principal (the user) as the master of his/her data. This recognition of the user’s control or ownership over his/her data reflects the idea of digital personality hood. This perspective is well recognised across other data protection regimes. For example, under European jurisprudence, Article 8 of the Charter of Fundamental Rights of the European Union recognises protection of personal data as a fundamental right. Additionally, cases such as Bavarian Lager and Population Census have emphasised personal data protection as a separate right. Safeguarding this right requires greater control by the data principal over his personal data.
  • Onus on the data principal: This is a unique feature, unseen in other jurisprudence, wherein the 2022 and 2023 drafts both impose a penalty (up to Rs 10,000) on the data principal (the user) for an act of impersonation or for suppressing any material information when applying for documents and so on. This seems like a good step, but the list of duties under Section 15 demands a great deal from the data principal.

For example, Section 15 (a) imposes a duty on the user to comply with all laws in force while exercising rights under the provision. This might turn out to be an onerous task to undertake. Additionally, the imposition of duties under the design of the Data Protection Law does not fit well with its objective of bestowing on the data principal control of his personal data, so that he can bargain better against multinational corporations and even the State. The law itself is a bargaining tool against bigger entities, recognising that the user has meagre bargaining power and that his personal data is therefore always in a state of vulnerability. Therefore, imposing an obligation on him will not be in sync with the objective of personal data protection.

  • Data Protection Board of India: Following the path of the 2022 draft, the 2023 one changed the terminology of the Data Protection Authority of India to Data Protection Board of India. If Section 18 of the draft is read carefully, the centre will notify the appointment procedure of the Board. It shall appoint the chairperson and other members as per the prescribed rules. Though under Section 19 (3) the qualification for the members is given, with the appointing authority being the centre, questions have been raised over its independence.

Also, the role of the Data Protection Ombudsman is the backbone of a data protection regime. It is the Ombudsman who looks into the neutral application of the provisions and spreads awareness about personal data breaches. A thorough reading of Section 27 of the draft shows that the role of the Ombudsman is merely one of compliance. However, the position of the Ombudsman is dynamic, as technology is advancing rapidly and the scope of personal data is increasing. Therefore, the Ombudsman has to be at the centre of the personal data dialogue. His role cannot be merely that of an assistive tool for the government. Currently, the Bill has made the government the operational centre of the draft. This severely hampers its neutrality.

  • Data localisation: This is a unique feature from a South Asian perspective. In early 2018 and prior to that, India seemed like a harbinger of the idea of data localisation, at least in South Asia. Be it the 2018 Bill, which pushed for blanket data localisation, or the 2019 draft, which pushed for a bifurcation between sensitive and critical personal data and provided that critical personal data can only be processed in India, the country showed the way.

But under the novel draft, there is no such bifurcation. Section 16 (1) of the Bill bestows the power on the government to restrict the transfer of data outside India. The Data Protection Authority originally exercised substantial power on this issue. But again, this Bill has limited the role of the Ombudsman and put the government at a higher pedestal. 

The other issue currently brewing in the background of the Bill is that it hampers the right to information to a large extent. Section 44 (3) of the draft proposes substituting Section 8 (1) (j) of the Right to Information Act, 2005 (the exemption provision) with the term “Information which relates to personal information”. This widely worded exemption clause will allow departments to deny Right to Information requests on the pretext of personal information. A possible solution could be to allow the Data Protection Ombudsman to play the role of balancing “Personal Information” vis-à-vis “Right to Information”, as there cannot be a generalised standard for compromising personal information vis-à-vis the right to information. Interestingly, the Srikrishna Committee had recommended such a role for an Adjudicating Officer to balance Personal Data vis-à-vis Right to Information. But this balancing role of the Ombudsman is apparently missing.

So while the current draft will be a stepping stone towards turning India into an Atmanirbhar state, it will severely dent the digital personality hood of an individual. Also, the draft will not completely fulfil the Bill’s objective. The 2019 draft, read with the changes suggested by the Joint Parliamentary Committee’s 2021 report, seemed to have reached near perfection. Yet the deviation from the recommendations of the Committee and the unnecessary delay in passing the Bill hint towards a de-prioritised approach towards citizens’ data.

India’s approach to data protection needs to go into a jurisprudential inquiry as the objective is not clear. 

—Ashit Srivastava is Assistant Professor of Law at Dharmashastra National Law University, Jabalpur, while Ishita Srivastava is an Associate, Tenthpin, a global boutique consultancy

Shaping India’s Data Privacy Landscape
https://www.indialegallive.com/magazine/data-protection-law-digital-india-act/
Sat, 22 Jul 2023 13:09:36 +0000

On July 5, 2023, the Union cabinet approved the highly anticipated Digital Personal Data Protection Bill. This legislation, upon receiving parliamentary clearance, will establish India’s first comprehensive framework for data privacy and protection. The proposed Bill signifies a significant stride towards digitization.

By Ibrahim H Khatri

The draft Digital Personal Data Protection (DPDP) Bill represents a simplified version compared to the previous draft of the Personal Data Protection Bill, 2019, which encompassed non-personal data and imposed criminal penalties for non-compliance. This legislation, upon receiving parliamentary clearance, will establish India’s first comprehensive framework for data privacy and protection. The DPDP Bill is designed to complement other regulatory initiatives such as the proposed Digital India Act (DIA), amendments to the Indian Penal Code for addressing cyber crimes and the National Data Governance Policy.

The primary objective of this Bill is to uphold the privacy rights and individual freedoms of people in India. It covers various aspects, including the involved parties, governance frameworks, specific requirements, penalties, and mechanisms for addressing grievances. By empowering individuals and providing them with enhanced control over their personal data, the legislation aims to enable informed choices and ensure the protection of personal information.

According to a previously published Explanatory Note on the MeitY website, the DPDP Bill aligns with the fundamental principles of personal data processing that serve as the foundation for data protection laws in many jurisdictions worldwide. These principles include:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Security
  • Accountability

SCOPE OF THE BILL

The proposed DPDP Bill encompasses the processing of digital personal data within India, regardless of whether it is collected online from data principals or collected offline and later digitized. Additionally, the Bill extends its reach to the processing of personal data outside India, specifically in cases involving profiling or offering goods and services to data principals in India. By encompassing both online and offline data collection processes, the DPDP Bill aims to establish a comprehensive regulatory framework that addresses the evolving nature of data processing.

KEY TERMS IN THE BILL

  • Data Principal: As per the Bill, “Data Principal” indicates an individual to whom the personal data relates. Where such an individual is a child, their parents or lawful guardians would be considered the Data Principal.
  • Data Fiduciary and Data Processor: “Data Fiduciary” denotes any person, either alone or in conjunction with others, who determines the purpose and means of processing personal data. On the other hand, a “Data Processor” refers to a person who processes personal data on behalf of a Data Fiduciary.
  • Personal data: The term “personal data” encompasses any information relating to an identifiable individual. It includes data that directly or indirectly identifies the person.
  • Significant Data Fiduciary (SDF): The central government has the authority to designate any data fiduciary or category of data fiduciaries as a “Significant Data Fiduciary”. This designation takes into consideration factors such as the volume and sensitivity of personal data processed, the potential risk of harm to the Data Principal or electoral democracy, the impact on national sovereignty and security, as well as public order.

KEY FEATURES OF THE BILL

The Bill lacks a clear distinction between personal data and sensitive personal data. It takes a comprehensive approach to safeguarding all personal data, treating them with equal levels of protection, and emphasizing the need for explicit consent when collecting personal data.

  • Consent and Notice: The draft Bill introduces provisions that permit the processing of personal data for lawful purposes with the consent of the Data Principal. Notably, this notice provision has a retrospective application, meaning that Data Fiduciaries must provide an itemized notice to Data Principals who had previously given their consent before the commencement of the Bill, within a reasonable timeframe. However, this retrospective application poses challenges for Data Fiduciaries who had already processed personal data based on the consent of Data Principals, as they now have to fulfil the requirements of the notice provision.
  • Deemed consent: The Bill permits the processing of personal data based on deemed consent, which encompasses various legal bases such as legal obligation, contractual obligation, vital interest, public interest, and legitimate interest. However, consolidating these different bases of processing under deemed consent raises concerns. It means that Data Principals may later withdraw their consent, potentially impacting the processing of personal data. To address this, the Bill should consider introducing additional categories of lawful bases for processing that are independent of consent, providing more clarity and stability to data processing activities.
  • Consent manager: The proposed Bill introduces the concept of a “consent manager” and outlines the requirement for every consent manager to register with the Data Protection Board of India. The registration process is subject to specific conditions, including technical, operational, financial, and other requirements as prescribed. However, the exact qualifications and criteria for consent managers are yet to be determined, leaving some ambiguity in the current draft of the Bill. Defining the qualifications and criteria for consent managers in a transparent and comprehensive manner will be crucial for ensuring the effective implementation of the legislation and maintaining the trust and confidence of data principals.
  • Breach notification: In the event of a data breach, the Bill mandates that both Data Fiduciaries and Processors are obligated to notify each Data Principal affected. This proactive approach ensures that Data Principals are promptly informed about any breaches, enabling them to take appropriate actions to protect their interests. However, the Bill currently lacks a specific timeframe within which Data Fiduciaries are required to notify the Data Protection Board and the affected Data Principals about a data breach.
  • Right to data portability: One significant omission in the Bill is the provision for the right to data portability. In today’s landscape of extensive data silos, it is crucial to empower individuals with the ability to extract their relevant data from these silos. Granting individuals the right to data portability not only enhances their control over personal information, but also serves as a measure to mitigate the consolidation of data in the hands of a few entities.
  • Right to nominate: A distinctive provision within the Bill enables Data Principals to nominate a representative in cases of their incapacity or demise. This provision plays a crucial role in ensuring the continued protection and preservation of the rights of Data Principals. It offers valuable guidance to sectors that may encounter such situations, ensuring that the personal data of individuals is processed in alignment with the specified processing activities.
  • Personal data of children: The Bill explicitly prohibits the tracking or behavioural monitoring of children, as well as targeted advertising directed at children. While this is a commendable step towards safeguarding the interests of minors, it may require major edtech and gaming organizations catering to children to re-evaluate their business models and marketing strategies. The provision of the Bill mandates obtaining verifiable parental consent before processing the personal data of children. However, further clarification is needed regarding what constitutes verifiable consent.

IMPACT ON INDUSTRY

The proposed Bill signifies a significant stride towards digitization. Its liberal approach aims to enhance India’s capacity to attract foreign investments, foster the start-up ecosystem and alleviate compliance burdens for organizations of various sizes. However, the effective handling of open-ended requirements within the Bill by the central government will shape the future of data protection. The government has taken a phased approach to address the need for a robust data protection regime in India, beginning with the release of an initial Bill. This may be followed by supplementary rules and guidelines to provide further clarity and specifics. The inclusion of phrases such as “as may be prescribed” indicates that there are ongoing developments and refinements yet to come.

Large-scale consumer-centric organizations operating in sectors such as technology, telecommunications, healthcare, banking, finance, and e-commerce, which extensively process personal data, are likely to face more stringent obligations. Parameters such as the volume and sensitivity of personal data are explicitly highlighted in the Bill, resulting in heightened responsibilities for these organizations.

The Bill has introduced a more flexible approach to cross-border data transfers, allowing Data Fiduciaries to transfer personal data to countries that have been notified by the central government. Additionally, the requirement for exclusive storage of personal data within India has been eliminated. This change brings significant relief to Data Fiduciaries that maintain servers in foreign countries and provides a favourable environment for start-ups by removing the mandatory investment in local storage solutions.

In summary, the draft Bill presents a simplified and innovative approach to general data protection in India. However, it does bring certain challenges and implementation hurdles. These include the absence of sensitivity-based classification, the need for clarity on various provisions, and the extensive powers granted to the Board. Many of these aspects will be further elaborated through rules and regulations introduced by the central government, ensuring a more comprehensive and refined data protection framework.

As a way forward, organizations need to be proactive and start working towards getting compliant with the regulatory obligations highlighted by the Bill in order to ensure a smooth privacy journey. By taking early action and diligently addressing the requirements outlined in the Bill, organizations can demonstrate their commitment to data protection and privacy, mitigate potential risks, and build trust with their customers. 

—The writer is CEO and founder of Privezi Solutions. He has developed data privacy frameworks and operationalized privacy programmes for enterprises

A Much-needed Step
https://www.indialegallive.com/magazine/digital-personal-data-protection-bill-2022-ashwini-vaishnaw-puttuswamy/
Thu, 01 Dec 2022 10:26:51 +0000

The Bill has attempted to correct the anomalies of the 2019 Bill and includes measures for a greater right to privacy and huge penalties for data fiduciaries who fail to take measures against data breaches.

By Sahil Agrawal

The long wait is over. The draft of the Digital Personal Data Protection Bill, 2022, was opened for public discussion on November 19, 2022. It is a much-needed step from the government’s side, as India has some 290 million social media users, 40 million messaging application users and about 400 million users across various search engines like Google.

The intention of the government in putting the Bill in the public domain is to perpetuate the idea that the right to privacy, as was enunciated in the KS Puttaswamy case, is an important fundamental right. The Bill tries to resolve the issues which were discussed in the Data Protection Bill, 2019. And to some extent, it has been able to resolve them. 

The issues raised in the previous Data Protection Bill are:

  • Rights of a deceased person: In the Personal Data Protection Bill, 2019, there was no mention of the rights of a deceased person or of the exercise of a person’s rights in case of death. Hence, a parliamentary committee recommended that clauses regarding the rights of a deceased person be added. DPDP 2022 has a clause which says a data principal must have the right to designate, in the manner permitted by law, any other person who, in case of his death or incapacity, shall exercise his rights in accordance with the provisions of this Act.
  • Artificial juridical person: The 2019 Bill did not have any clause about an artificial juridical person as a data fiduciary. As a result of that, NGOs were left out of the ambit of the Bill. They could process the data in any form they wanted. This has been sorted out by the Personal Data Protection Bill, 2022, as it talks about the artificial juridical person as a data fiduciary, thereby widening the scope and ambit of the Bill. As a result, NGOs will not be able to misuse the personal data of an individual.
  • Data breach: There was no clause in the 2019 Bill regarding the reporting of a breach of personal data to the data principal. As a result, the data fiduciary was not held responsible for informing the data principal of a data breach. In contrast, the Personal Data Protection Bill of 2022 mandates that data fiduciaries should notify the data principal of any data breaches.
  • Easy transfer of data: The 2019 Bill lacked an appropriate framework for data sharing with other nations. But the 2022 Bill allows for the cross-border transfer of data to specific nations that have been notified. After considering a number of variables, the government will notify the countries. For large IT giants, this is a win-win situation.

In addition to addressing the flaws in the 2019 Data Protection Bill, this Bill has some unique features such as:

  • Women’s empowerment: One of the most striking features of the 2022 Bill is the usage of she/her for all genders. By doing this, it has become the first law in India to use she/her for all the genders. According to Union Minister of Electronics and Information Technology Ashwini Vaishnaw, the reason behind this usage is to propagate the idea of women’s empowerment. He reportedly said: “We have attempted in the philosophy of women’s empowerment that Prime Minister Narendra Modi’s government works to use the words she and her in the entire Bill, instead of he and him and his. So, this is an innovative thing which has been attempted in the Bill.”
  • Easy to understand: Another unique feature of the Bill is the usage of plain and simple language. This makes it easy for the data principal to understand the directions given by the data fiduciary. The Bill provides the data principal the ability to revoke her consent at any moment. Data fiduciaries who collect personal data from people must give “itemised notice” in simple and understandable language that includes information about the personal data being sought and why it is being processed. In essence, this Bill makes information more accessible.
  • Right to be forgotten: The Right to be Forgotten has been consistently emphasised as a crucial fundamental right and a component of privacy. This concept has already been adopted by the US, Argentina and Germany as part of the right to privacy. The 2022 Personal Data Protection Bill also incorporates the idea of the Right to be Forgotten. From time to time, courts in India have emphasised the idea of the Right to be Forgotten.

There is a deluge of false information about consumers of digital platforms in the internet age. When users change their email addresses, phone numbers, or any other information online, there have been occasions when the information has been altered. The Bill has given the user sufficient latitude to request that a digital platform correct any inaccurate information about them in order to address the aforementioned issue. Additionally, the measure mandates that the data fiduciary destroy user data when it is no longer necessary to retain it.

  • Hefty fines: The Bill states that if a data fiduciary fails to take adequate security measures to protect users from a possible data breach under sub-section (4) of Section 9 of this Act, he will have to pay an amount of up to Rs 250 crore as penalty. It also says that if the board fails to notify the data principal about a data breach, then under sub-section (5) of Section 9 of this Bill, it will have to pay an amount of up to Rs 200 crore as penalty. The Bill also talks about a penalty of Rs 150 crore when a big data fiduciary breaches its additional legal responsibilities under the provisions of the Act. These measures indicate that data fiduciaries must follow the law or risk paying large fines.
  • Data protection officer: We occasionally see important rules for large digital intermediaries, such as those in the Information Technology Act of 2021. The Personal Data Protection Bill of 2022, which states that a major data fiduciary must fulfil additional obligations owed to the data principal, carries on the same tradition. These important data fiduciaries are required to establish the position of data protection officer, who will be answerable to the board of directors. The officer will be the point of contact for any complaints.

The Personal Data Protection Bill, 2022, would be complete after the flaws of the 2019 Bill are fixed and new additions made. Legislation has been long overdue, and now is the time to truly recognise the right to privacy. The Personal Data Protection Bill, 2022 is a step in the right direction towards recognition of the right to privacy as an important fundamental right.

—The writer is a student of Dharmashastra National Law University, Jabalpur
