Akshay Pathak and Neha Kumari are second-year law students at National Law Institute University, Bhopal.
INTRODUCTION
The Ministry of Electronics and Information Technology recently released the draft of ‘the Digital Personal Data Protection Bill’ (DPDP Bill 2022). The earlier version of the Data Protection Bill and its subsequent draft, as submitted by the Joint Parliamentary Committee (JPC), was withdrawn by the Ministry of Electronics and Information Technology (hereinafter MeitY) in August 2022. After a brief hiatus, the Government rolled out the present draft Bill with the intent of presenting a simple and easily comprehensible draft, both in terms of understanding and of future compliance. The DPDP comes with explanatory illustrations to aid in the interpretation of its clauses, with a disclaimer that such notes shall not form part of the proposed Bill.
The ‘Digital Nagriks’ (the Indian citizenry, as referred to in the draft Bill) are significant participants in digital innovation. To this end, the Bill has emphasized that “Data in general and Personal Data in specific are at the core of this fast-growing Digital Economy and Eco-system of digital products, services, and intermediation” and hence, a nuanced framework of rules needs to be enacted to facilitate a safe growth environment and regulate the responsible usage of data.
Even though the current draft appears to be a streamlined and improved version of the previous draft, which the MeitY released back in 2021, it still has a distinct set of problems, chiefly that the government is given a great deal of discretion. Additionally, issues with cross-border data localization and deemed consent also go against the aspirations endorsed by the draft. In this blog post, we outline the key differences between the EU’s data protection law and the present draft, along with the draft’s promising features, its problems, and potential suggestions for fixing them.
PROMISING FEATURES OF THE DRAFT BILL
The Bill encompasses several promising features which are expected to be instrumental in protecting and safeguarding personal data. For instance, the Bill uses the pronouns “her” and “she” to refer to individuals, which is a first-of-its-kind initiative in legislative drafting. In terms of structure, it has now been reduced from the earlier draft of over ninety clauses to thirty, upholding both brevity and understandability. From the perspective of data principals, it has also been improved by requiring the data fiduciary to notify the data principal in the event of a breach, as opposed to the previous draft Bill, wherein only notifying the data protection authority was necessary. The Bill also mandates that data fiduciaries must provide consent notices to data principals in English or any other language listed in the Eighth Schedule of the Constitution, at the request of the data principal. The drafters correctly considered the linguistic demographics of India, which in turn would help data principals understand the terms relating to the use of their personal data.
COMPARATIVE ANALYSIS
The General Data Protection Regulation (hereafter GDPR), since it came into effect in 2018, is regarded as a precedent in the field of data protection and regulation. In fact, several nations use the GDPR as a model while framing laws governing data protection in their respective jurisdictions. Even the Srikrishna Committee Report, which served as the basis for many of the draft data protection laws that MeitY made public in recent years, contained multiple references to the GDPR. But despite being cited several times in the Report, there remain significant differences between the GDPR and the DPDP, as elaborated below.
Categorization of data
The GDPR categorically classifies personal data and additionally recognizes special categories of data, namely data relating to racial or ethnic origin, political opinions, genetic data, biometric data, etc. The DPDP, on the other hand, classifies all types of data as personal data to be regulated, with no classification for sensitive or special data. Additionally, only personal data that exists in digital form is regulated in accordance with Clause 4 of the DPDP, which further curtails the ambit of the DPDP in comparison to the GDPR.
Processing of personal data and consent
According to Article 6 of the GDPR, the purposes and parameters for the processing of personal data must be explicit and detailed. The DPDP, on the other hand, fails to provide elaborate grounds for the processing of personal data: the phrase “lawful purposes” is slyly added by the government to give data fiduciaries more leeway to use personal data in any way they see fit, as long as it is not prohibited by law. Additionally, even though the definition of consent might appear similar in both pieces of legislation, the DPDP is vulnerable to abuse due to the concept of deemed consent, which refers to circumstances in which the data principal’s consent will be deemed to have been given and no further explicit notice will be required for the processing of personal data.
Data Security and Data Collection Limitations
The GDPR states that certain data can be gathered and stored provided the users remain entirely anonymous. Further, data fiduciaries are not allowed to keep data in a form that makes it possible to identify individual users, and data must be retained for as short a time as possible. In the DPDP, however, no such restrictions are placed on data fiduciaries for the collection of personal data, and the introduction of deemed consent only worsens the situation, as it completely ignores the fact that data principals frequently lack the necessary knowledge of what kind of personal data is necessary for a given service.
Data Protection Board
The GDPR, under Chapter 6, explicitly and distinctly lays down the rules and regulations for the appointment of the independent European Data Protection Board, which is responsible for the independent monitoring and regulation of personal data without the intervention of any third party. This is in line with the principle of checks and balances and enhances data security against the potential exploitation of personal data by the European Union. On the other hand, the Central Government of India, by enabling itself to appoint the ‘Chief Executive Officer’ of the ‘Data Protection Board’ and determine the ‘terms and conditions of her service’, completely violates the principles outlined in the GDPR.
WORRYING PROVISIONS AND SUGGESTIONS
Unlike the previous draft Bills, which were significantly inspired by the EU General Data Protection Regulation, this Bill is shorter and simpler. However, it comes with open-ended language that needs to be defined in order to avoid vagueness and, consequently, its misuse by the authorities.
For instance, the phrase “as may be prescribed” appears in the draft Bill a shocking eighteen times. This enables the executive to mould and play with the Bill as per its whims and fancies.
Therefore, to eliminate and prevent ambiguity and vagueness, the Bill must be drafted so as to precisely define its terms.
Furthermore, the word “grievance” has not been defined in the Bill. The Government should consider defining it along the lines of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, for clarity on the types of grievances that can be registered. In the absence of such a definition, data fiduciaries can interpret the term vaguely to shy away from their obligations.
The next question is whether the draft Bill has incorporated the recognized principles of data protection. The current draft does not refer explicitly to the principle of collection limitation. This enables a data fiduciary to collect any personal data to which a data principal has consented, and disregards the fact that data principals often do not have the requisite know-how of what kind of personal data is required for a particular service.
For instance, a photo editing app may process data related to location or contact information even though it does not require such data to perform its primary function of editing.
Therefore, data must be distinctly divided into categories such as personal data, biometric data, etc., and data fiduciaries should only be permitted to collect the information that is required for them to provide their services. Also, the maximum period for which data can be retained should be stated in the legislation.
The draft Bill also does not provide rules for the processing of “sensitive personal data”. Most data protection laws designate specific categories of personal data as “sensitive personal data” due to the higher risk of harm that can be caused by their unauthorized processing. Examples include biometric information, health information, genetic information, etc. Explicit consent is required before processing, and data protection impact assessments are mandated, giving such personal data a higher level of protection. By removing this distinction, the draft Bill eliminates these additional protections. It should incorporate a special clause for “sensitive personal data”, which must be addressed.
The draft Bill also introduces the concept of “deemed consent”, that is, the situations under which the consent of the data principal will be deemed to have been given and no notice will be required. It groups together those purposes of processing that are either exempt from consent-based processing or are considered ‘fair and reasonable purposes.’ However, it includes some vaguely worded grounds, such as “public interest”, which provide room for misuse and remove additional safeguards for the protection of the rights of ‘Digital Nagriks’. Therefore, it is necessary to outline the circumstances in which the public interest ground may be invoked, along with supporting examples.
Apart from this, the government has assumed wide powers by exempting “instrumentalities of the state” from the application of the draft Bill, without any checks and balances or any obligation on the state to meet the criteria of “legality, necessity, and proportionality” upheld in the Justice K. S. Puttaswamy judgment. Further, by enabling the Central Government to appoint the ‘Chief Executive Officer’ of the ‘Data Protection Board’ (DPB) and determine the ‘terms and conditions of her service’, the draft is likely to impair the DPB’s ability to hold the government accountable for data breaches. To ensure that it operates independently, a separate chapter must be added to the Bill laying down a clear, precise and impartial procedure for the selection of board members without any interference from the Central Government. The same can be adopted from the GDPR.
CONCLUSION
The Government must consider the public comments and make those comments available to everyone in order to secure the interests of all stakeholders. Further, for future frameworks, the Government can release a white paper highlighting its intent and its understanding of the issues. The DPDP Bill, in its current state, will act as a catalyst towards India becoming a surveillance state, and this needs to be avoided.