On November 18, the Ministry of Electronics and Information Technology notified the Digital Personal Data Protection Bill, 2022, inviting public comments till December 17. The new Draft Bill has come after the former Personal Data Protection Bill, 2019, was withdrawn in the Parliament this year.
Digital rights activists have welcomed the Bill with mixed feelings. Prateek Waghre, Policy Director, Internet Freedom Foundation, says that “Since the Draft Bill leaves most details to be prescribed at a later date in the absence of adequate legislative guardrails, it means that there is a high degree of discretion with union government to define these as rules/notifications, with lower accountability. This is especially concerning for citizens since many of the specifics that will impact individuals and their data may not be open to public feedback.”
The proposed data protection law in India is currently in its fourth revision. The Personal Data Protection Bill 2019 and the Data Protection Bill 2021 of the Joint Parliamentary Committee are predecessors of the 2022 Bill. Although the new Bill is a progressive and welcome step in establishing a data protection regime in India, it is filled with vague nuances that are sure to ramp up anxieties.
So, what is new in the Bill? What has been removed, and what does it mean for your rights?
Your consent
This Bill mandates that consent must be freely given, specific and informed. Further, there has to be an unambiguous indication of the user’s wishes via a ‘clear affirmative action’ stating the specified purpose for processing this personal data. This implies that companies collecting and processing your data must seek your affirmative consent for the specified purpose. For example, the entity that takes your data cannot ‘assume’ your consent. It must specify why it is taking your data. For entities that take your data, the Bill mandates that such a request for consent must be available in all languages mentioned in the Eighth Schedule of the Constitution, which would imply languages such as Assamese, Bengali, Gujarati, Hindi, Kannada, Kashmiri and Konkani, amongst others.
The Bill also gives companies a free pass for processing employee data. For example, employees would be deemed to have given consent for processing biometric data for attendance. It also states that you would be ‘deemed’ to have given consent if the processing is for the ‘public interest’, which includes the Central government prescribing ‘fair and reasonable’ purposes through rules. The use of cryptic terminology in the Bill has left digital rights activists in a frenzy.
Government exempted from surveillance?
Using broad terms such as “sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognisable offence relating to any of these,” the union government may exempt any “instrumentality” of the State from the application of the Bill.
This is a concern for digital rights organisations as it might lead to serious violations of citizens’ privacy. It would grant the notified government entities exemption from the application of the law. This is due to the fact that these standards are overly ambiguous and broad, making them susceptible to misunderstanding and abuse. Data collection without any strong and clear data protection law could lead to mass surveillance if the legislation is not applied to government agencies.
Shruti explains that several provisions have led to greater concerns for the fundamental right to privacy of the citizens. “A key problem with the new Bill is that it empowers the Central government to exempt any government agency from the Act on wide grounds such as sovereignty and integrity, national security and the like. The concern emanates from the non-compliance with the Puttaswamy mandate in this provision, which instals necessary checks and balances in exercising such wide powers. The Puttaswamy judgement laid down the requirements of legality, necessity, and proportionality, and it was prescribed that any restriction on the fundamental right to privacy must fulfil these three requirements. However, the new Bill did away with all limitations and accorded the Central government a carte blanche exemption without any limitation as envisaged by the Supreme Court.”
The Data Protection Board is not independent
As per the Bill, the Central government may, at a later time, specify the Board’s size, makeup, selection procedure, the terms and conditions of appointment and service, and the dismissal of the Chairperson and other Members. This would mean that the Central government would indirectly stay in control of the Board. However, the Bill states that the Data Protection Board is an ‘independent entity’. The contradictory language of the Bill is worrisome. The Central Government will appoint the Chief Executive to lead the Board.
Know your rights: You could manage your consent
This draft Bill introduces a new category of entities called “Consent Manager” and defines it as a Data Fiduciary (the entity that takes an individual’s data) which enables Data Principal (the individual or you) to give, manage, review, and withdraw consent through an accessible platform. This entity shall be registered with the Data Protection Board and act on behalf of the user.
You will have the right to obtain information on the personal data being processed by the entities that collect, store and process your data. Further, you would also have a right to seek information on where and with whom your data is being shared, i.e., the identities of all Data Fiduciaries with whom the personal data has been shared. If the Bill is passed in its current form, you would have the right to correct, complete, update or erase such personal data. Data Fiduciaries, on receipt of such requests, would have no option but to comply.
You have the right to readily available means of registering a grievance with the entities, which must be responded to within seven days. You may register a complaint with the Data Protection Board if no response is received. In the event of incapacity, such as death or any other incapacitation, you have the right to nominate another individual to exercise such rights on your behalf.
Data Localisation and Cross Border Transfer
Data localization, also known as data residency, is the practice of keeping citizens’ data inside the territory of the country and subject to local regulations, thereby restricting the otherwise free flow of data from one country to another. It implies that storage and processing of such data shall be done in the country it originated from. Hence, it in a way grants the local authority/regulator the exclusive jurisdiction required to access this data. Law enforcement agencies are often left wanting access to the data of citizens, which may be stored outside the territory of the country; data localization, which had been included in the preceding Bills, was supposed to become a game changer. Needless to say, it is also a measure against foreign surveillance of such personal data.
Experts believe that India’s trade negotiations on bilateral and multilateral platforms will benefit from easing data localization regulations and facilitating seamless data flow. The strict localization requirements envisioned under prior drafts of the Data Privacy Bill have been one of the primary discussion issues as India negotiates Free Trade Agreements with a number of countries.
Shruti adds, “However, with the new draft allowing data flows with trusted geographies, India may find it easier to derive data secure status. It is also opportune that the relaxation in the data flows norms comes at a time when India is just about to take over the G20 leadership. Our innovation-enabling policies and progressive narrative on data flows will benefit the digital economy immensely by opening new doors to foreign investments. However, Data Protection Law will be a horizontal sector agnostic legislation.”
In conclusion, it will be critical for India to develop a standardised procedure for determining the countries to which data can flow, to provide greater clarity on the implementation of this provision. Previously, the Reserve Bank of India (RBI) had introduced regulations for cross-border data transfer of card information. Similarly, the Securities and Exchange Board of India (SEBI) and the Insurance Regulatory and Development Authority of India (IRDAI) are just a few examples of sectoral regulators that are not prohibited by this from, among other things, establishing pertinent, industry-specific standards for the management, storage, and processing of data. The rules that will be announced under the law must therefore be used only to ensure proper harmonisation across the agencies and regulators.
Going forward
There is a legislative void in the current data protection regime. Even though digital rights activists worry about the Bill in its current form, its importance cannot be ignored. Since the Bill is currently in the discussion process, many stakeholders have been speaking up for the people. At the same time, the strict penalties prescribed by the Bill are a ray of hope for an implementable Act on par with global standards.