Read our consultation response on the draft Digital Personal Data Protection Bill, 2022

The response is organised by clause/sub-clause of the draft Bill; each response was subject to the consultation form's 2500 character limit.

Preliminary Chapter: As a whole

Our primary recommendation is that the DPDPB, 2022 should be recalled. Our recommendation flows from the myriad shortcomings of the DPDPB, 2022, which include the abject vagueness of the draft due to various important provisions being left for executive rule-making at a later stage without legislative guidance, consent being "deemed" in certain situations allowing for non-consensual processing of data, expanded exemptions being provided to state and private data fiduciaries, and the lack of independence of the Data Protection Board, among others. Though the DPB, 2021 was not without its shortcomings, the consultation process should resume from a version of the DPB, 2021, which was the outcome of institutional processes and also accounted for specific civil society feedback received over the years. Here, it is essential that clear reasoning is provided for any further changes made to the bill as a result of the responses received in this consultation, as was done through the Joint Parliamentary Committee Report in December, 2021.

4. Application of the Act

It is unclear why the scope of the DPDPB, 2022 has been restricted to "digital personal data". This clause raises concerns over the processing and protection of personal data which does not fall under the scope of the DPDPB, 2022. Such restriction goes against the decision of the Supreme Court of India in K.S. Puttaswamy v Union of India (2017), wherein the Court held that "Informational privacy is a facet of the right to privacy". The Court also emphasised the need to put in place a "robust regime for data protection". However, by restricting the scope, the DPDPB, 2022 fails to deliver.

5. Grounds for processing digital personal data

The DPDPB, 2022 fails to provide an exhaustive list of grounds which would constitute lawful purposes for processing of digital personal data. Instead, it states that "lawful purpose" means any purpose which is not expressly forbidden by law. However, this standard may result in misuse. The increasing use of technology in governance in India is being carried out in the absence of any regulating legal frameworks. Thus, it is essential that the DPDPB, 2022 provides first principles which would kickstart the regulation of these heretofore unregulated sectors. For example, the General Data Protection Regulation of the European Union, under Art. 6, clearly lays down six specific grounds on the basis of which processing of data may be categorised as "lawful".

6(1). Notice

Under clause 6(1), the data fiduciary is only required to notify the data principal about the nature of personal data sought to be collected and the purpose of processing of personal data. However, it does not require data fiduciaries to inform principals about the third parties with whom their data will be shared, the duration for which their data will be stored, and whether their data will be transferred to other countries. In the absence of such notice requirements, the data principal will not receive information which will allow them to make an informed decision about the processing of their personal data. For example, the California Consumer Privacy Act, 2018 requires businesses to inform the consumers from whom data is being collected whether their data will be sold or shared further, at or before the point of collection.

8. Deemed consent

The DPDPB, 2022 allows the data fiduciary to "deem" or assume consent of the data principal if the processing is considered necessary as per certain situations which Clause 8 lays down. Here, essentially, the DPDPB, 2022 allows for non-consensual processing of personal data. It is essential that consent is the foundational framework upon which any data protection regulation in the country is built, and any derogation from it needs to be tailored narrowly. For example, the Singapore Personal Data Protection Act, 2012 has a similarly named section on deemed consent, where consent can be deemed only if the individual voluntarily provides the personal data to the organisation for that purpose and it is reasonable that the individual would voluntarily provide the data. Thus, only Clause 8(1), which pertains to a situation similar to the Singaporean legislation, can be said to be a situation where consent may be reasonably deemed. However, the other situations contained in Clause 8 where non-consensual processing will be carried out, such as for the breakdown of public order, for purposes related to employment, and in the public interest, allow for wide and vague interpretations. This could result in excessive processing of the personal data collected due to the absence of specific and informed consent of the data principal. Further, since the processing will take place without consent, it restricts the data principal from withdrawing consent at will.

9(5). General obligations of Data Fiduciary

A significant issue with previous iterations of the DPDPB, 2022 was that they did not require data fiduciaries to notify data principals in the event of a breach. Thus, users whose data had been breached would not even have known that their data had been compromised. Clause 9(5) of the DPDPB, 2022 addresses this concern by mandating fiduciaries to notify the Board and Data Principals whenever there is a breach, irrespective of its nature. This is a welcome step.

10(4). Additional obligations in relation to processing of personal data of children

While sub-clauses (1) and (3) of Clause 10 put in place specific obligations which have to be adhered to while processing children's data, Clause 10(4) allows the Union Government to exempt data fiduciaries from the application of Clauses 10(1) and 10(3) for certain purposes. Here, the exempted purposes have not been specified and will be prescribed by the Union Government at a later stage. As a result, while the DPDPB, 2022 provides additional protections to children's data, they are weakened at the outset by the ability of the Union Government to create exceptions at a later stage, which can include companies/organisations that may process significant volumes of children's data. This also showcases the vague and unchecked rule-making powers that the Government has retained for itself in the absence of legislative guidance, as it is unlikely that these exceptions will be put to parliamentary scrutiny when they are eventually prescribed.

11(1). Additional obligations of Significant Data Fiduciary

The Union Government has retained the right to notify any Data Fiduciary or class of Data Fiduciaries as a "Significant Data Fiduciary" on the basis of an assessment of relevant factors which have been listed in the Clause. The list of factors includes undefined terms such as "potential impact on the sovereignty and integrity of India", "risk to electoral democracy", "security of the State", and "public order". Additionally, the Union Government has also retained the power to include any other factors that it thinks are relevant and necessary at a later stage. As a result, any data fiduciary may be classified as significant and may have to comply with additional obligations. These additional obligations may be excessively burdensome for certain data fiduciaries and may result in them being unfairly pushed out of the market.

Chapter 3: Chapter as a whole

The inclusion of the rights to information about personal data, to correction and erasure of personal data, of grievance redressal, and to nominate is a positive step towards protecting the interests of the data principal. However, the right to data portability, which was present in the Data Protection Bill, 2021, has been removed from the DPDPB, 2022. The right to data portability allows data principals to reuse their data for their own purposes and thus provides them with increased control over it. It is unclear why this right has been removed.

12(3). Right to information about personal data

Sub-clause 3 of Clause 12 provides data principals with the right to obtain information about third-party sharing of their data from data fiduciaries. Under the sub-clause, data fiduciaries are required to provide data principals with information about the identities of all the data fiduciaries with whom the personal data has been shared, along with the categories of personal data so shared. However, the sub-clause does not require data fiduciaries to share information about the purpose for which data has been shared and the processing activities undertaken by the third party, even though similar disclosures have been mandated for the primary data fiduciary. It is a cause of concern that the rights of data principals have been weakened against third parties. It is essential that data principals are provided with identical rights against all data fiduciaries and data processors who gain access to their data, irrespective of whether they are the data fiduciary with whom the data principal initially shared their personal data or a third party which has obtained the personal data from another data fiduciary.

16. Duties of data principal

The DPDPB, 2022 introduces certain duties of the data principal for the first time, which raises serious concerns, especially because under Schedule 1 of the DPDPB, 2022 non-compliance with this clause can lead to a financial penalty of 10,000 INR being imposed on the data principal. Duties imposed include that the data principal shall not register a false or frivolous grievance or complaint with a Data Fiduciary or the Board and shall, under no circumstances, furnish any false particulars, suppress any material information, or impersonate another person. Here, it becomes essential to highlight that the decision to categorise a complaint as "frivolous" lies with the Data Protection Board, which may classify a complaint as frivolous even if the data principal did not intend it to be so. Here, granting the power to impose penalties also overlaps with the existing inherent powers of civil courts which the Data Protection Board will also enjoy. Such excessive powers may end up being misused. Additionally, it is not an uncommon practice for people to protect their private information by obfuscating personally identifiable information when setting up online accounts for many services, including accounts on social media services and email services. Clubbing such actions with actions which may be illegal, such as impersonation and fraud, can result in individuals no longer being able to enjoy the internet without excessive and unreasonable restrictions.

17. Transfer of personal data outside India

The DPDPB, 2022 has removed the data localisation requirements that were contained in previous versions of the data protection legislation proposed by the Union Government. However, while this is a positive step, the clause is ambiguously phrased and appears to propose an allowlist approach wherein the Union Government will notify certain jurisdictions outside India to which personal data collected in India may be transferred. This notification will be done based on certain factors which the Union Government may deem necessary, and which are currently unspecified. Here, the failure to specify the factors which the Union Government will assess to include jurisdictions in the allowlist is a cause of concern. In the absence of clear and reasonable standards, any such notification may be done on the basis of criteria that do not adequately protect the right to privacy of Indian data principals and can be influenced by other considerations/negotiations. For example, Articles 44 to 50 of the General Data Protection Regulation permit transfer of personal data of EU data principals only to such countries which provide an adequate level of protection to such data.

18. Exemptions

Clause 18(2)(a) of the DPDPB, 2022 allows the Union Government to exempt any government "instrumentality" (GI) from its application for certain interests. This would give all data collection and processing activities of these GIs complete immunity from any protections that the DPDPB puts in place. The interests stated in the provision for which the exemption may be exercised are excessively vague and thus open to misuse through overbroad application, resulting in a large number of GIs being granted exemption from the application of the law. Further, the exemption granted itself, i.e., that all activities of the exempted agency will be outside the purview of the law, is also overbroad. Granting such blanket exemptions directly violates the Supreme Court's decision in K.S. Puttaswamy v Union of India (2017), wherein the Court held that any state invasion into citizen privacy must satisfy the thresholds of legality, necessity, proportionality, and procedural safeguards to prevent misuse. By granting blanket exemptions, the Union Government is preempting any review, judicial or otherwise, of the actions of the GIs, which could result in gross violations of citizen privacy by the state. The existing surveillance architecture in India has been the focus of criticism by human rights and privacy activists for decades. The criticism stems from a failure to meaningfully and narrowly define the grounds under which surveillance may be conducted, which is also a failure of the exemption granted within Clause 18(2)(a). Further, the provisions concentrate all surveillance powers with the executive branch and do not have safeguards such as judicial review of surveillance orders in place. The data protection law was expected to institute much-awaited safeguards on this architecture, but the exemptions granted under 18(2)(a) instead widen government surveillance powers.

We worry that Clause 18(3) may be used to exempt some private actors even if they process personal data which can be considered sensitive, thereby limiting the effectiveness of the law. Clause 18(4) exempts the "State or any instrumentality of the State" from the mandate to comply with data deletion requirements under the law. As a result, any data collected by the State may be retained by it in perpetuity, in direct violation of the internationally recognised principle of storage limitation, which states that data should only be retained as long as is necessary to fulfil the purpose for which it was collected.

19. Data Protection Board of India

Under this provision, the Union Government has been empowered to prescribe, at a later stage, the strength and composition of the Data Protection Board, the process of selection, the terms and conditions of appointment and service, and the removal of its Chairperson and other Members. Further, the Union Government has also been empowered to appoint the Chief Executive of the Board. However, unlike previous versions, no criteria have been specified for the appointment or for who will make the appointment. The vesting of these powers with the Union Government calls into question the independence of the Board. Since the Board is tasked with determining non-compliance with the provisions of the law by data fiduciaries and data processors, including state data fiduciaries and state data processors, it is essential that it gives primacy to data principals and their interests while deciding matters brought before it. However, an executive-appointed Chief Executive may not be able to exercise effective oversight over the executive itself. Therefore, it is essential that the Board is independent of executive control. This was also held by the Supreme Court of India in Madras Bar Association vs Union of India (2020), wherein it stated that, "Dispensation of justice by the Tribunals can be effective only when they function independent of any executive control: this renders them credible and generates public confidence".

22. Review and Appeal

Under Clause 22(3), the DPDPB, 2022 restricts the jurisdiction of civil courts and provides exclusive jurisdiction to the Data Protection Board over all disputes arising out of the provisions of the Bill, thereby creating a specialised tribunal. The creation of a specialised tribunal raises concerns because it undermines the stature of the judiciary and offers more control to the executive. Additionally, India's historical experience with tribunals has been disappointing. For example, due to the high pendency of cases, it takes close to two years before an appeal placed before the Central Information Commission can be heard.

25. Financial Penalty

Clause 25, in consonance with Schedule 1, imposes financial penalties if the Data Protection Board decides that the non-compliance that has taken place is significant. One of the non-compliances listed in Schedule 1 is with Clause 16 of the DPDPB, 2022, which relates to the duties of the data principal. It is a cause of concern that not only have duties been imposed on the data principal, but that they may also be penalised for non-compliance. These provisions go against the ethos of a data protection legislation, which aims to protect the rights of individuals who want to regulate the manner in which their data may be processed. Further, the imposition of a penalty may also result in data principals being apprehensive about raising grievances, as they may be concerned about being penalised if the Data Protection Board fails to find merit in their grievance.

30. Amendments

Clause 30(1)(a) aims to omit Section 43A of the IT Act. Section 43A provides damages to affected users in case of a data breach. By taking away the provision to award damages to affected persons, and by introducing Clause 25, which contemplates monetary fines even on the data principal, no direct relief will be provided to the directly affected persons, the individuals who have suffered the loss of their personal and sensitive data. We must note that, on one hand, the Bill makes a positive alteration by introducing provisions mandating that the data principal be notified in case of a breach of their personal data. On the other hand, however, the State makes no provision for compensating the data principal in the case of any such occurrence, marking an injudicious deviation from the earlier iterations of the Bill.

Clause 30(2)(a) of the DPDPB, 2022 states that Clause (j) of sub-section (1) of section 8 of the Right to Information Act, 2005 shall be amended to remove the public interest exception to disclosure of personal information under the RTI Act. Here, concerns arise that such an amendment would irrevocably weaken the RTI Act and its aim to promote transparency in governance. It is unclear why this amendment has been included in the DPDPB, 2022, since the RTI Act itself protected against overbroad disclosures of personal information and only allowed sharing of personal information when there was a legitimate public interest, thereby balancing the need for institutional transparency against the right to privacy of the individuals who constitute the institution. The blanket exemption from sharing personal information will be a significant setback for transparency efforts in the country. Clause 30(2)(b) omits the proviso to Section 8(1)(j) of the RTI Act. The proviso states that information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person. This was another exemption that was introduced in the RTI Act to ensure that information is not withheld arbitrarily or without sufficient grounds. However, omitting the proviso weakens the RTI Act, because the grounds on which information can and cannot be denied to the Parliament or a State Legislature are well defined and have been in existence for a long time.

This is a companion discussion topic for the original entry at https://internetfreedom.in/read-our-consultation-response/