Anshumaan Jaiswal is a third-year law student at Dr. Ram Manohar Lohiya National Law University, Lucknow.
The Digital Personal Data Protection Bill, 2022 (hereinafter The DPDP Bill, 2022) was released by the Ministry of Electronics and Information Technology on November 18, 2022 after the Personal Data Protection Bill, 2019 was scrapped by the Union Government in August 2022. This is the fourth iteration of a Personal Data Protection law in the nation post the landmark judgement in K.S. Puttaswamy v. Union of India, which necessitated formulation of a data protection regime as it brought informational privacy within the ambit of right to privacy, a fundamental right under Article 21.
Considering that India has still not had a data protection act, as all previous iterations of the law were either scrapped or referred to joint parliamentary committees and were never made into acts, this is a monumental occasion, as a fluid yet strict data protection law is the need of the hour in India. This piece aims to provide a clear and comprehensive analysis of the provisions contained within the DPDP Bill, 2022, highlighting its strengths and welcome changes as well as the lacunae within.
At first sight, the DPDP Bill appears to be a concise and crisp law contained in just twenty-four pages, thus standing strong on the front of brevity. The language used by the bill is also not complex and is not laden with technical jargon; considering that the bill is aimed at protecting the informational privacy of data principals, a vast majority of whom are common citizens, this is a commendable step.
WHERE DOES THE BILL FALTER?
Deemed Consent – A Misnomer
Section 8 introduces the concept of ‘deemed’ consent for the first time in the Indian data protection regime. This section states that a data principal’s consent would be deemed for processing of their personal data in certain situations, which are enumerated from clause (1) to clause (8). These include situations where the data principal voluntarily gives their personal data, and processing for purposes including fulfilment of a function of law, public interest, and the provision of healthcare.
This concept of deemed consent at first appears inherently problematic: why would the consent of the data principal be diluted so as to be considered ‘deemed’ when it is accorded a status of importance under Section 7? Moreover, there would exist possibilities where data fiduciaries would try to misuse this provision. But on a deeper study, if parallels are drawn between Section 8 and the General Data Protection Regulation (GDPR), the concept of deemed consent is very akin to the principle of legitimate interests laid down in Section 6(1)(f) of GDPR. Legitimate interest is the most flexible of the GDPR’s lawful bases for processing personal data and applies whenever a company uses personal information in a way that the data subject would expect. ‘Interests’ can refer to almost anything in this context, including a company’s or another party’s commercial interests or broader societal benefits. This similarity can very well be understood from the illustration appended to Section 8(1), where the information furnished by a data principal to a restaurateur would be used by him to confirm a reservation, a purpose which the data principal would have expected.
Therefore, a re-writing of this provision is necessary to dispel the confusion caused by the use of the term ‘deemed’ consent, which in actuality is a globally accepted practice and principle.
Exemptions Under The Bill
Certain exemptions were provided for the government under Section 35 of the Personal Data Protection Bill, 2019, and Section 18 of the DPDP Bill, 2022 carries forward these wide and undefined exemptions. Section 18 of the bill empowers the Union Government to exempt state instrumentalities from provisions of the Bill, for processing of personal data “in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these”. These standards of public order and interests of sovereignty and integrity, amongst others, are very widely worded exemptions with no concrete definition attached to them either under the Bill or under any other law in force. These vague and broad exemptions raise possibilities of unfettered mass surveillance of personal data of citizens of the nation.
In the K.S. Puttaswamy judgement, the Supreme Court provided the trifecta of legality, necessity and proportionality. Thus any exemption, in order not to violate the informational privacy of citizens, should be based on these three grounds rather than on vague grounds such as public order or interests of state.
Creation Of A Data Protection Board
Section 19 of the Bill envisages formation of a Data Protection Board of India (hereinafter DPB), which is to function as the primary grievance redressal authority for all violations under the bill. The issues with the formation of a DPB are two-fold in nature:
Firstly, the formation, composition, selection process, terms and conditions of appointment of members of the Board as well as appointment and removal of the Chairperson of the Board shall all be matters determined by the Union Government. As a result, the independence of the Board from the executive is compromised and in disputes where the government is the perpetrator of the wrong, the Board would in all probability be skewed in its judgement. For an effective DPB, its independence from the executive must be made a necessity to ensure that no biases exist in the grievance redressal process.
Secondly, the DPDP Bill is a specialised legislation on a niche and technical area and therefore, the provisions for the formation of a DPB should be detailed and thorough in nature. The bill itself does not lay down any powers and functions of the Board, nor does it lay down the qualifications and responsibilities of its chairperson and members; it is clearly devoid of any details as to the Board’s constitution and working. This is extremely poor on the part of the drafters, as all these details are stated to be as prescribed by the Union Government at a later stage. Inspiration could have been drawn from niche legislations like the SEBI Act and the Competition Act, which laid down clear and expansive provisions as to the powers and functioning of the respective regulatory authorities.
Allowist Approach On Data Localisation
Section 17 of the Bill propagates an allowist approach towards data localisation. Data localisation is a concept which ensures that personal data of data principals within the country cannot be transferred outside the country by data fiduciaries, or that at least a copy of such personal data must in all circumstances remain within the country. This provision provides an exception to data localisation, i.e., data may be shared by data fiduciaries with nations which the Union Government may prescribe. This is an allowist approach, as no threshold or guidelines as to what the selection criteria should be based upon are provided for. Moreover, the Section provides no information as to whether these selected nations shall have minimal data protection regimes in place, as enunciated by the GDPR regulation, which allows transfer of data into only those European countries with at least some minimal amount of data protection regime in place. This is a serious issue, as too much discretion is being bestowed upon the Union Government.
Too Much Left For Delegated Legislation?
One of the major concerns with the bill raised by civil society is the use of the phrase ‘as may be prescribed’ as many as eighteen times in the bill. For the sake of brevity and a concise legislation, the drafters have left a lot to be legislated by the executive, including important elements like exemptions (Section 18), exceptions to data localisation (Section 17), exceptions to processing of personal data by children (Section 10), strength, composition and functioning of the DPB (Section 19) and many more. It is imperative to raise questions as to the presence of requisite safeguards against abuse of executive discretion in law making, and even though laying is mandated by Section 26, it remains to be seen whether this rule-making exercise by the executive would be detrimental to the data privacy of citizens or not.
CONCLUSION
The DPDP Bill, 2022 is sought to be placed before the Parliament in the Budget Session of 2023 for passing. The bill was open for public consultation till 17th of December, and the government has plenty of time on hand to mend the provisions of the bill wherever necessary. Re-writing of certain provisions is necessary to clarify their meaning, and specific and explicit safeguards need to be put in place to control the delegated legislation.
The bill in itself is a comprehensive and momentous exercise, as a principle-based legislation was what was needed for regulating technology and data, both dynamic in their nature. It maintains the delicate balance between too much and not too much detailing, as the former would make it redundant in a very short span of time. In my opinion, if the bill is corrected in the right areas, it can prove to be one of the pioneers in data protection regimes for countries around the globe.