
It’s more cryptic than you thought. Data protection bill explained!

The new Bill prescribes a whopping 250 Crores penalty for non-compliance but quietly carves government agencies out of its ambit.

By Medhavi Mishra

Representative image | Photo courtesy: Storyblocks

On November 18, the Ministry of Electronics and Information Technology notified the Digital Personal Data Protection Bill, 2022, inviting public comments till December 17. The new Draft Bill has come after the former Personal Data Protection Bill, 2019, was withdrawn in the Parliament this year.

This Bill is a compact document with just 30 clauses compared to its predecessor, which had 99. However, the job is not well done. The phrase “may be prescribed by the Central government” appears over 17 times in the draft, leaving its scope in sheer ambiguity. Further, it even grants the Central government the power to exempt government agencies and their instrumentalities from the application of the Act if it is enacted in its current form.

Digital rights activists have welcomed the Bill with mixed feelings. Prateek Waghre, Policy Director, Internet Freedom Foundation, says that “Since the Draft Bill leaves most details to be prescribed at a later date in the absence of adequate legislative guardrails, it means that there is a high degree of discretion with union government to define these as rules/notifications, with lower accountability. This is especially concerning for citizens since many of the specifics that will impact individuals and their data may not be open to public feedback.”

The proposed data protection law in India is currently in its fourth revision. The Personal Data Protection Bill 2019 and the Data Protection Bill 2021 of the Joint Parliamentary Committee are predecessors of the 2022 Bill. Although the new Bill is a progressive and welcome step in establishing a data protection regime in India, it is filled with vague nuances that are sure to ramp up anxieties.

So, what is new in the Bill? What has been removed, and what does it mean for your rights?

Your consent

This Bill mandates that consent must be freely given, and it has to be specific and informed. Further, there has to be an unambiguous indication of the user’s wishes via a ‘clear affirmative action’ stating the specified purpose for processing this personal data. This implies that the companies that are taking and processing your data must give the option to take affirmative consent for the specified purpose. For example, the entity that takes your data cannot ‘assume’ your consent. It must specify why it is taking your data. For entities that take your data, the Bill mandates that such a request for consent must be available in all languages mentioned in the Eighth Schedule of the Constitution, which would imply languages such as Assamese, Bengali, Gujarati, Hindi, Kannada, Kashmiri, Konkani amongst others.


However, the bothersome bit begins with the new concept of “Deemed Consent” that the Bill introduces. Compared with global data protection laws, the concept of deemed consent is unique to this Bill. The Bill lists conditions under which your consent is deemed to have been given for processing your data. Where you, as a user, voluntarily provide your personal data, consent is deemed to be given. For example, if you give your name or mobile number to a restaurant to reserve a table, your consent for this data is deemed to be given! However, the provision is too broad to determine such instances conclusively.

The Bill also gives companies wide latitude to process employee data. For example, employees would be deemed to have given consent for processing biometric data for attendance. It also states that you would be ‘deemed’ to have given consent if the processing is in the ‘public interest’, which includes ‘fair and reasonable’ purposes that the Central government may prescribe through rules. The use of cryptic terminology in the Bill has left digital rights activists in a frenzy.

Shruti Shreya, Programme Manager at The Dialogue, explains that “Clause 8 of the Draft Digital Personal Data Protection Bill 2022 introduces the concept of deemed consent. The deemed consent is where it is assumed that the data provided by the data principal is deemed to be used for other purposes listed in the Bill. This provision is similar to the clauses in the previous versions of the Bill, which lay out reasonable purposes for data fiduciaries to process personal data without the consent of the data principal. However, the terminology and the wider applicability of such a provision in DPDPB 2022 could pose concerns. Deemed consent dilutes the purpose of having notice and information disclosed to individuals for providing informed consent, as data fiduciaries could process data with limited information disclosure using this provision. This would infringe on the privacy rights of the individuals and the purpose limitation test proposed by the Supreme Court.”

Government exempted from surveillance?

Using broad terms such as “sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognisable offence relating to any of these,” the union government may exempt any “instrumentality” of the State from the application of the Bill.

This is a concern for digital rights organisations, as it might lead to serious violations of citizens’ privacy by exempting notified government entities from the application of the law. These standards are overly ambiguous and broad, making them susceptible to misinterpretation and abuse. Without a strong and clear data protection law that also binds government agencies, data collection could lead to mass surveillance.


Shruti explains that several provisions have led to greater concerns for the fundamental right to privacy of the citizens. “A key problem with the new Bill is that it empowers the Central government to exempt any government agency from the Act on wide grounds such as sovereignty and integrity, national security and the like. The concern emanates from the non-compliance with the Puttaswamy mandate in this provision, which instals necessary checks and balances in exercising such wide powers. The Puttaswamy judgement laid down the requirements of legality, necessity, and proportionality, and it was prescribed that any restriction on the fundamental right to privacy must fulfil these three requirements. However, the new Bill did away with all limitations and accorded the Central government a carte blanche exemption without any limitation as envisaged by the Supreme Court.”

Waghre adds, “Ongoing concerns from previous iterations such as the exemptions to the state, independence of the data protection authority (which has now been restricted to being an ‘adjudication mechanism’ as per statements from MeitY) still remain despite concerns being raised by civil society organisations. Internet Freedom Foundation will continue to raise awareness about privacy as a fundamental right, engage with the consultation process and encourage our community to do the same.”

The Data Protection Board is not independent

As per the Bill, the Central government may, at a later time, specify the Board’s size, composition, selection procedure, the terms and conditions of appointment and service, and the removal of the Chairperson and other Members. This would mean that the Central government indirectly stays in control of the Board. Yet the Bill states that the Data Protection Board is an ‘independent entity’. The contradictory language of the Bill is worrisome. The Central Government will also appoint the Chief Executive who leads the Board.

Shreya explains, “All the appointments will be made by the Central government, which may pose concerns from the perspective of separation of power and principles of natural justice as the government itself also falls within the purview of the Bill. Keeping in mind the aggressive push of the Government towards the adoption of digital measures, it is critical that the DPB functions independently and in a supervisory capacity with regard to the government’s handling of user data. Purely executive-driven appointments may bring into question the ability of such an authority to perform as an independent arbitrator in cases involving the government. Accordingly, as we move forward and deliberate on the Bill, it will be important to revisit the Board’s appointment process. The selection process of the Board should include more judicial involvement. Justice Sri Krishna Committee report recommended including judicial members within the selection committee. The Board’s independence, which is mainly dependent on its appointment, is also required from an international perspective. Without such a separate and independent body, India’s chance to be considered adequate for the essential purposes of cross-border transfer of data by other jurisdictions may be reduced, impacting our position in the global digital economy.”

Know your rights: You could manage your consent

This draft Bill introduces a new category of entity called the “Consent Manager” and defines it as a Data Fiduciary (an entity that takes an individual’s data) which enables a Data Principal (the individual, i.e., you) to give, manage, review, and withdraw consent through an accessible platform. This entity must be registered with the Data Protection Board and acts on behalf of the user.


Nishchal Anand, Partner at Pranay Anand Das and Khanna (Panda Law), is an expert on technology laws. While speaking to The Probe, Anand explains that “Since it appears to be an elaborate process which could be time consuming, the government has perhaps created another entity which would only manage the data related to giving, taking, withdrawal of consent and keep a record of the same. This could be the case if such entities which manage consent or provide it as a service to data fiduciaries already exist, or the government in its wisdom has contemplated that, owing to such a process being built into the law, there may be a requirement for consent managers in the future.”

You will have the right to obtain information on the personal data being processed by the entities that collect, store and process your data. You would also have the right to know where and with whom your data is being shared, i.e., the identities of all Data Fiduciaries with whom the personal data has been shared. If the Bill is enacted in its current form, you would have the right to correct or complete incomplete personal data, to update it, or to erase it. Data Fiduciaries, on receipt of such requests, would have no option but to comply.

You have the right to readily available means of registering a grievance with these entities, which must respond within seven days. If no response is received, you may register a complaint with the Data Protection Board. In the event of death or incapacity, you have the right to nominate another individual to exercise these rights on your behalf.

You would have the right to withdraw consent given to such entities at any time. The entities must ensure that withdrawing consent is as easy and accessible as giving it was. However, the Bill states that the consequences of such withdrawal are to be borne by the person who withdraws consent. For example, if you withdraw consent for giving data to Facebook, Facebook is free to discontinue its services. Although the Bill does not define a ‘reasonable to assume’ threshold, it mandates that a Data Fiduciary must cease to retain personal data as soon as it is reasonable to assume that the purpose for which it was collected has been served.


Data Localisation and Cross Border Transfer

Data localization, also known as data residency, is the practice of keeping citizens’ data inside the territory of the country and subject to local regulations, thereby restricting the otherwise free flow of data from one country to another. It implies that such data must be stored and processed in the country it originated from. Hence, it in effect grants the local authority or regulator the exclusive jurisdiction needed to access this data. Law enforcement agencies are often left wanting access to citizens’ data that may be stored outside the country; data localization was therefore expected to be a game changer, and it had been included in the preceding Bills. Needless to say, it is also a measure against foreign surveillance of such personal data.

However, Data localization, or the necessity to process and keep data only in India, has been eliminated by the Bill. Shruti Shreya explains, “This is one of the most significant and laudable moves. The draft permits the cross-border transfer of data with certain countries and territories that will be notified by the government based on the terms and conditions that it may specify. This provision is similar to the provision on data flows under the EU’s General Data Protection Regulation which allows the transfer of personal data to other jurisdictions that have similar levels of data protection standards. The Dialogue’s research shows that cross-border data flow is fundamental to the growth of the digital economy. The BPO sector in India is an integral part of our digital economy, which is heavily dependent on processing foreign national data. This provision will help increase their competitiveness in digital markets by inspiring greater business confidence. Moreover, the relief from overarching compliance costs will reduce entry barriers in Indian markets and further innovation.”

Experts believe that India’s trade negotiations on bilateral and multilateral platforms will benefit from easing data localization regulations and facilitating seamless data flows. The strict localization requirements envisioned under prior drafts of the Data Privacy Bill have been one of the primary points of contention as India negotiates Free Trade Agreements with a number of countries.

Shruti adds, “However, with the new draft allowing data flows with trusted geographies, India may find it easier to derive data secure status. It is also opportune that the relaxation in the data flows norms comes at a time when India is just about to take over the G20 leadership. Our innovation-enabling policies and progressive narrative on data flows will benefit the digital economy immensely by opening new doors to foreign investments. However, Data Protection Law will be a horizontal sector agnostic legislation.”

In conclusion, it will be critical for India to develop a standardised procedure for determining the countries to which data can flow, to provide greater clarity on the implementation of this provision. Previously, the Reserve Bank of India (RBI) introduced regulations for the cross-border transfer of card information. Similarly, the Securities and Exchange Board of India (SEBI) and the Insurance Regulatory and Development Authority of India (IRDAI) are just two examples of sectoral regulators that the Bill does not prevent from establishing pertinent, industry-specific standards for the management, storage, and processing of data. The rules notified under the law must therefore be used to ensure proper harmonisation across these agencies and regulators.

Going forward

There is a legislative void in the current data protection regime. Even though digital rights activists worry about the Bill in its current form, its importance cannot be denied. Since the Bill is still under consultation, many stakeholders are speaking up on behalf of the public. At the same time, the strict penalties prescribed by the Bill are a ray of hope for an implementable Act on par with global standards.