Flaccid & finite framework
Without the explicit mention of non-personal and manual data, the scope of Digital Personal Data Protection Bill, 2022, stands diluted; India could take cues from advanced countries to come out with a more encompassing framework
On November 18, the Government of India published the much-awaited draft of the 'Digital Personal Data Protection Bill, 2022'. This draft bill will undergo extensive consultation, and the government is aiming to introduce it in the Parliament by the next Budget session. The proposed bill requires a data fiduciary — i.e., an entity that processes user data — to give an itemized notice to the user, in clear and plain language, on the data sought to be collected. But by focusing solely on personal data, it has done away with regulating the use of non-personal data. Non-personal data is any set of data that does not contain personally identifiable information.
While India is still waiting for a data protection law, it is reported that the country had the second-highest number of data breaches in the first half of 2022. A cybersecurity researcher has claimed that sensitive personal data of 280 million Indian citizens, from the Employees' Provident Fund Organisation (EPFO) database, surfaced online. Each record allegedly included personal information like full name, nominee details, marital status, address, bank account numbers, Aadhaar details, income levels etc. The Internet Freedom Foundation has argued that the existing legal vacuum on data protection is an infringement of the fundamental right to privacy.
It may be recalled that in a verdict delivered on August 24, 2017, in the case of Justice KS Puttaswamy vs Union of India, the Supreme Court had unanimously declared the right to privacy a fundamental right of all Indians. Since then, the government has taken initiatives to introduce the data regulation act.
The Justice BN Srikrishna panel was set up in 2017 in the backdrop of the Supreme Court's verdict, which included a direction to the government to draw up a data protection framework for the country. In that year itself, the Srikrishna Committee released a white paper outlining the areas it would be looking at. Then in July 2018, the committee submitted a draft data protection Bill to the Ministry of Electronics and IT. In December 2019, the Bill was referred to the JCP (Joint Parliamentary Committee), which was then headed by the BJP's Meenakshi Lekhi. In July 2021, BJP MP PP Chaudhary was appointed chairperson of the JCP after Lekhi was made Minister of State for External Affairs. The JCP received yet another extension to submit its report after Chaudhary's appointment.
In December 2021, the JCP tabled its report in the Parliament, which Justice Srikrishna said was heavily in favour of the government. In a media interview, he said that the Bill could turn India into an "Orwellian state", reported The Indian Express. The JCP had proposed 81 amendments to the Bill finalized by the Srikrishna panel, and 12 recommendations including expanding the scope of the proposed law to cover discussions on non-personal data — thereby changing the mandate of the Bill from personal data protection to general data protection.
According to a report by MoneyControl, the 2019 draft of the Bill was mainly criticized over provisions that empowered the government to exempt any government agency from the provisions of the law, and over a section that allowed for non-consensual processing of personal data by the state. It is reported that the government faced major pushback from a range of stakeholders, including big tech companies such as Facebook and Google. The tech companies had, in particular, questioned a proposed provision in the Bill called data localization, under which it would have been mandatory for companies to store a copy of certain sensitive personal data within India, and the export of undefined "critical" personal data from the country would be prohibited, reported The Indian Express.
On August 4, 2022, the government withdrew the 2019 draft bill, saying that, given the large number of amendments that had been proposed, a comprehensive legal framework was needed for the issues under consideration. A revised Bill would be tabled in Parliament in the Winter Session. This resulted in the introduction of the Digital Personal Data Protection Bill 2022.
Digital Personal Data Protection Bill 2022 (DPDB)
On November 18, 2022, the Ministry of Electronics & Information Technology (MeitY) issued the draft Digital Personal Data Protection Bill, 2022 (DPDB), which is open for public consultation till December 17, 2022. Structured into six chapters and one Schedule, DPDB proposes 30 clauses for the regulation of digital personal data processing. Once enacted as law, DPDB is proposed to be implemented in phases, and it will be pertinent for the government to provide an adequate window for organisations to gear up their existing data protection practices. In a recent article, Arya Tripathy has identified (mondaq.com) the following eight key features of DPDB:
Application and scope: DPDB will apply to (i) the processing of digital personal data, subject to exemptions (material scope), (ii) undertaken within India and, in certain cases, carried out outside of India (territorial scope). DPDB states that it will not apply to (i) non-automated processing, and (ii) offline personal data. Thus, manual data processing such as structured filing systems is outside the purview of the new bill.
DPDB will apply to three key stakeholders in the data processing cycle — (i) data fiduciary: any person who alone or with others determines the purpose and means of processing; (ii) data processor: any person who processes personal data on behalf of a data fiduciary; and (iii) data principal: the individual to whom the personal data relates, which in the context of children (18 years or below) will include their parents and legal guardian.
In the proposed Bill, there is no provision for special categories of sensitive personal data or critical data, and consequently, there are no specific requirements that would apply to the processing of sensitive data sets like health, financial, biometrics, etc.
DPDB will apply to data fiduciaries and processors who process in India, irrespective of whether they are foreign persons or not. DPDB will also apply extraterritorially where digital personal data is processed outside India, if such processing is for profiling a data principal in India or for offering goods or services to such a data principal.
Consent and deemed consent: Digital personal data processing must be for a lawful purpose with the consent or deemed consent of the data principal. The penalty for violation of consent or deemed consent requirements can be up to Rs 500 million.
Obligations of data fiduciary: The underlying principle is that the data fiduciary shall be primarily responsible for compliance with DPDB, notwithstanding any contract to the contrary, or any action on part of the data principal. Penalty for non-compliance could be up to Rs 2,500 million.
Significant data fiduciaries: Central government may notify any data fiduciary or class thereof as Significant Data Fiduciary (SDF). While determining them, the government will assess factors such as volume and sensitivity of personal data processed, risk of harm to the data principal, the potential impact on sovereignty and integrity of India and state security, risk to electoral democracy, public order, and other matrices as it may deem necessary. The earlier versions contained more details on the criteria and sought to include certain social media intermediaries within the ambit of SDFs, and now, this has been left open-ended. The penalty for non-compliance with SDF-specific obligations could be up to Rs 1,500 million.
Rights and duties of data principals: DPDB has limited the scope of data principals' rights in relation to their personal data, and seeks to impose certain duties on them. One of these duties requires data principals to comply with the provisions of all applicable laws. This is ambiguous, as it can be interpreted to mean that any breach of any applicable law could negate the data principal's rights. Further, the data principal shall not falsely or frivolously register grievances with the data fiduciary, or complain to the Data Protection Board of India (DPBI). It appears that the flexibility to determine whether a grievance or complaint is false or frivolous is left to the data fiduciary and DPBI, respectively.
Furthermore, the data principal shall be obligated to furnish true and material information while applying for any document, service, unique identifier, proof of identity, or proof of address; and all information furnished for the exercise of the right to correction or erasure must be verifiably authentic. The penalty on data principals for breach of their duties could be up to Rs 10,000.
Cross-border data transfer: DPDB states that the Central government, after an assessment of such factors as it may deem necessary, may notify jurisdictions to which personal data can be transferred, on such terms and conditions as may be specified. This indicates that the central government will have a free hand to determine jurisdictions (either as adequate or inadequate) and come up with conditions for data transfers.
Exemptions: DPDB contemplates sweeping exemptions from substantial provisions for the state and for certain kinds of processing. In addition to this, DPDB states that retention and storage limitations shall not apply to the state or its instrumentalities, which means that they can retain personal data as long as they deem fit. Further, the Central government is vested with the power to take into account the volume and nature of data processed and then exempt certain data fiduciaries from complying with requirements around notice, data accuracy, retention limitation, and access plus confirmation rights.
Owing to the far-reaching powers vested with the Central government, there is increased scepticism that the purport and intent of DPDB, when it applies to the state, can be significantly diluted through exemption notifications.
Data Protection Board of India (DPBI): DPBI will be established for the purposes of determining non-compliance with DPDB, imposing penalties, issuing directions, and performing such other functions as the Central government may prescribe. DPBI's functions are intended to be digital by design, and it will act as an independent regulator. DPBI will be vested with the power to conduct inquiries, summon witnesses, inspect evidence, conduct proceedings relating to complaints, and impose penalties.
One of the major concerns flagged by rights activists is that the differentiation between 'sensitive personal information' and 'personal information' has been dropped in the new bill. In the Personal Data Protection Bill, 2019, sensitive personal data referred to personal data in relation to — financial, health, sexual orientation, biometrics, transgender status, religious or political beliefs, and affiliation. Dropping the special status accorded to sensitive personal data becomes acute since, under the current Bill, "deemed consent" is allowed to be inferred for just about any legitimate purpose, without any notice or consent. Technically, this means that something as sensitive as biometric information, gathered by private or public entities for services rendered by an application using facial recognition technology, can be collected without even asking the data principal for their explicit permission. In a single stroke, the Bill thus gives equal convenience to both the state instrumentality and the private sector to collect data under the presumption of deemed consent, reported Times of India.
In addition to this, legal analysts have found that the new bill differs from the previous bill (2019) mainly in five critical areas:
Bloomberg has commented that in a reprieve for global companies including Alphabet Inc.'s Google, Amazon.com Inc., and Meta Platforms Inc.'s Facebook, the proposed bill will allow the government to "notify such countries or territories outside India to which a data fiduciary may transfer personal data." As noted in the table, an earlier version of the bill had sought to severely restrict transfer, processing, and storage of data overseas.
In this context, it may be mentioned that in recent years, China has introduced a number of major data protection laws, including the Personal Information Protection Law (PIPL) (effective from November 1, 2021) and the Data Security Law (DSL) (effective from September 1, 2021), together with a series of implementation regulations and administrative rules. In particular, the PIPL establishes a new comprehensive regulatory framework for personal information protection in China, requiring consent as its principal basis for data collection and handling, introducing provisions with extraterritorial effect, restricting cross-border data transfers and imposing significant revenue-based fines for non-compliant conduct.
It is argued that the PIPL is similar to the EU's General Data Protection Regulation (GDPR) in that it gives Chinese consumers the right to access, correct and delete their personal data gathered by businesses. It also applies to offshore data processors that deliver goods and services to, or analyze, individuals in China. The law includes stringent penalties: fines can be as much as RMB 50 million or up to 5 per cent of a company's turnover from the previous financial year. Reports indicate that administrative penalties related to violation of information collection rules, imposed by the People's Bank of China, the China Banking Regulatory Commission and the State Administration of Foreign Exchange, totalled 119 in 2021 alone, with the total amount of fines reaching RMB 46.5 million.
The protection of personal data is a fundamental right of citizens. Since 2017, the Union Government has been dithering on this vital issue. The 2022 Bill, the fourth in a series of initiatives during the last five years, seems a watered-down version of the previous bill. It is alleged that it focuses on protecting the government's and global IT firms' interests ― as opposed to protecting the rights of the data subjects. Policymakers may refer to various acts framed by technologically more advanced countries to protect the privacy of their citizens from data sharks. For example, the General Data Protection Regulation (GDPR), 2016, of the European Union (EU), regulates the export of personal data outside the EU.
In addition to digital data, manually processed data and non-personal data should also be protected.
Views expressed are personal