An Analysis of Draft Digital Personal Data Protection Bill 2022

/ Governance, Legislature
Draft PDP

The Union Government will again be going to introduce a revised personal data protection bill and for which it has released its draft. The draft bill comes up with many new provisions and changes in relation to the previous bills. On the one hand, these new changes brought new remedies and rights to the data principals, and on the other, it provided the data fiduciaries with the excessive right to process this data. Making these provisions to be not as straight forwards as they seem to be and have certain anomalies that have become controversial issues. This article deals in taking up important issues, providing analysis and suggestions for the same.

Introduction to the Draft Bill

The Personal Data Protection bill comes up with the objective of formulating better digital data protection mechanisms in India, which is necessary in order to control and manage the growing digital data processing by companies. The landmark judgement of Justice KS Puttaswammy v. UOI (2017)1 provides a broader obligation on the shoulder of the state to protect the privacy of individuals over the digital sphere, and the bill becomes thereby more necessary to ensure this protection of privacy. 

The bill was introduced with seven major principles. The principle is to create lawful, transparent processing of data by individuals. The collection of data should be only for the purpose. There has to be data minimisation and accuracy. Further, the storage should be only for perpetual storage. And the collector should be accountable for the processing. 

The bill defined “data” as “a means of representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means.” Taking a wider scope to cover the data holistically as any kind of information transmitted. Further, it provides personal data as the data with which an individual can be identified. 

Further, the bill provides the nomenclature of the person whose data is processed as “Data Principal” and the person who uses it for its purpose as “Data Fiduciary”. And the person who processes it as “Data Processor”. Processing is defined as the whole range of actions that can be taken with respect to personal data. Also, the bill provides that in the case of data of children, both children with their legal guardian as ‘data principals”.

The certain rights to the data principals are:- 

  1. Right to access basic information as specified in the 8th schedule of the Indian constitution.
  2. Right to give or withdraw consent for the purpose of data collection.
  3. Right to erase or correction of data
  4. Right of the nomination of up person who exercises the right on behalf of him/her after the death.

Further, the bill proposed to create a Data Protection Board, which is responsible for ensuring compliance with these provisions of the bill. Further, the board is also responsible for processing the complaint by the consumer. The bill also proposed to impose penalties on both data fiduciaries and data principals. On data fiduciary for data breaches or non-compliance with the provision add on data principle for false documents, information or frivolous complaints. 

Analysis of Problems and Suggestions

The bill contains several important yet controversial provisions. The article deals in taking up few important issues, providing analysis and suggestions for the same.

  • Unfiltered Classification

The draft bill does not equally treat the state and the non-state act. 

The draft bill proposes that the data fiduciary needs to obtain the consent of the data principles before processing the personal data. And it can be used only for the authorised purposes for which an individual has provided its consent. Also, before requesting consent, a notification must be issued. The notice would contain information about the personal data to be gathered and the processing aim. 

However, there is an exception to this rule that is the central government has the power to collect and process any information on the ground of national security, and it can utilise the retained data to create a 360-degree profile for surveillance. As per the Srikrishna Committee (2018) recommendation and the obligation such as fair and reasonable processing have to be applied.  (as laid in the case of PUCL v. UOI). 

Further, the bill says that consent shall be taken as deemed consent when the state and its instrumentalities process data in order to offer benefits and services (commercial services). This means the individuals’ consent is not required before their data is processed by state discoms, SBI, or other government health offices and businesses.  There has been a violation of article 14 as the state agency is treated differently from the private agency for the same commercial transaction without any reasonable nexus.

The Srikrishna Committee (2018) observed that this consent is immaterial as the data principals do not have any choice but to refuse consent if they need the benefit or service.9 However, there is a flaw in this rationale because this consent would be for both commercial and non-commercial functions of the state. It has to be left to the citizen to give consent.

  • Unaware Consent 

As reported by Business Insider, a 2017 Deloitte survey found that 91% of people accept legal terms and service conditions without reading them, amongst 2,000 people in U.S. Even amongst Ages 18 to 34, the percentage is significantly higher, agreeing to 97% of the terms before reading.10 (Looking at the census of education and awareness this number is even higher in India)

Though interestingly, it has to be noted that more than half of the users would uninstall the application or would not access any site if there is a governmental or explicit warning of privacy issues. This shows that though the people were concerned for their privacy, but they possessed little time to read the notices. And that is only what the bill is going to do. 

Also, these terms and conditions asking for permission and giving notices about the data usage are a kind of standard contract in which no negotiation or bargaining could be possible. In order to use or access, they need to give permissions. Thus, enhancing another page that would be skipped by everyone would not be per se solution. 

  • Awareness Body

Information Technology Act 2001  dates back to more than twenty years when the digital revolution is just at the onset of opening its wings, and though that old, people are not even still aware of their rights over their data and the protection against data piracy or online fraud. This is because of the less awareness about it. Thereby, it is suggested that these laws not to have become merely another piece of terms and conditions, and there has to be an actual application that is the public and the people be able to control their data. 

There needs to be an ad hoc body specially created for the purpose of awareness about it. And a flagship campaign that would introduce people to the digital world and make them aware of the value of personal data and how it can be missed. Succinctly, providing them with a reason as to why they need to protect the data and the knowledge on how to protect this data. This makes them actually provide consent, being aware of the ills and advantages and deciding rationally as to whether the consent has to be given or not. 

Further, it is suggested that the standardisation of consent contract should be minimised and greater flexibility need to be provided to the users. The data fiduciaries should be asked to make consent of the data as discretionary and not mandatory for all the data that are secondary to the purpose. Also, the bill proposed that the power to revoke consent is always available. It is suggested that this revocation of the consent process should be easy enough and clearly perceptible.

  • Right To Data Portability And The Right To Be Forgotten Not Provided

The right to data portability and the right to be forgotten are not covered by the draft Bill of 2021. The right to be forgotten originated from the Google Inc v AEPD and Mario Costeja González case1it was for the first time in this case that the Court of Justice of the European Union (CJEU) ruled that the search engine needed to consider the request of removal of data which no longer remains relevant for the motive for which it is taken up. Article 17 of the GDPR provides the right to erasure or forget. One can find that the draft bill has discussed and provided the right to erase the data. However, the scope was much narrower as compared to the GDPR and the other previous draft bill, it only handed this to the discretion of the data fiduciary that if the data becomes unreasonable, then they can erase it. And instead of this discretion of the data fiduciary, this needs to be treated as a right of the data principal. 

Similarly, Art. 20 of GDPR provides the right to data portability. This right provides you to get control over the data and, if feasible, can transmit the data to another controller. These rights are the acknowledgement of the wealth of private data, and providing this right means making the subject to be the owner of their data and the right to control this data. 

Even the General Data Protection Regulation (GDPR) of the European Union likewise acknowledged these rights as one of the most significant rights. These rights were also intended to be protected by the draft Bill of 2018 and 2019, which were both tabled in Parliament.

Author Paul De Hert and more, in their paper, showed how this right constitutes an incumbent part of the fundamental right of digital users. They showed right-to-data portability under two different approaches: the minimalist approach (the adieu scenario) and the empowering approach (the fusing scenario).

Even in 2019, the Joint Parliamentary Committee also suggested keeping these rights. These rights were also approved to be included by Srikrishna Committee (2018). According to the committee, a robust set of primary data rights is a crucial element of data protection legislation. And thus, it is opinionated that these rights need to be inculcated. 

  • Issue of Transparency

It has been observed that the bill talks about the transparent mechanism. It provides that the data principle is able to control and use the data according to their wishes. However, there are two questions that arose. 

First, the extent of the state to which it can use personal data on the grounds of national security. As stated earlier, the state can take a privacy for the purpose of national security. However, the term national security is much wider and can be misused as well. There would not be any transparency as to what action can hamper national security, in lieu of which this ground can be used. It needs to be noted that the state can exercise illegitimate use of this exception to exercise surveillance over the citizen. Further, it is also being questioned as would the individual can challenge it in a court of law, demanding to show why surveillance over his/her data becomes a subject of national security. 

Also, it has been questioned that under RTI can, and any individual seeks this information as to how many times they used it or who constitutes the “Significant Data Fiduciary” under the bill. Thus, there are certain questions still that still need to be debated and determined. These issues need to be dealt with and provides in a clear way. 

Second, transparency in allocation of data outside India. The bill provides that the central government can allocate the data outside the countries. Transfers will be subject to terms and conditions. However, it has been observed that the draft bill was silent about the arrangement amongst which the data was allowed to be transferred. Further, would the place of the transferor be under the total control of the government or not. Also, it needs to be analysed that though not control but would, the data principal able to know or monitor the data. It is suggested that the data needs to be located at a place under the control of the government, and the data principal needs to provide permission to monitor it.  

Other Suggestions

Apart from the above issues there are certain other issues that needs to be dealt. Here the article provides certain suggestion that if implemented would made the bill more convenient. 

There is a need for a mechanism to prevent the dissemination of false statements of fact. This is not only in line to curb the incitement of offences against the state but also in order to create a reliable online space where the information gathered and propagated could be trusted. And there is no mass exodus of the user from authentic to false information. Thereby it even prevents the proliferation of unreasonable anxiety amongst the people due to any false news or information, just as it was in times of COVID-19 spread due to false information.

There is Insufficient recourse for the data principal in case of a breach. No appellate mechanism is present in the draft bill, as there is in the previous bills. The implication of this is the exemption of data fiduciaries from obligations. The bill does not give a person any redress in cases when their legal rights are suppressed due to the processing of erroneous decisions. Such a remedy might need to be stipulated in the specific laws. 

Further, the bill also faces the challenge of the verification process as to how to process the children\’s consent through a guardian, as at first, to identify the children, there needs to be verifiable data, and that would clash with the anonymity. The bill needs to clarify the verification mechanism and explain how the age is going to be determined for the procession of data.

Appraisal of the Deterrence Mechanism

The data fiduciary has been obliged to take the utmost care of the personal data of the principles. Installing all care and reasonable means to avoid data theft or piracy. And in case there is a data leak, they are liable to pay a fine and penalty. This fine and penalty would work as a deterrence mechanism that though they are not committing any wrong, they would be charged for negligence and lack of proper handling of the valuable information. This would make the data fiduciary more responsible towards data protection.  

Conclusion

Data or Personal data is the central nucleus of a user. And the basic purpose of cyber offences is at first to break the walls of this personal data, and as soon as the personal data is leaked, there can be any offence such as cyber attacks, cyber harassment, data theft, spoofing, credit card fraud and much more. Thus, as safe as these walls of data protection, as strong as the cyber security of the nation.

References

  1. K.S. Puttaswamy and Anr. vs. Union of India (2017) 10 SCC 1
  2. The Draft Digital Personal Data Protection Bill, 2022, clause 3(12) Ministry of Electronics and Information Technology, November 18, 2022.
  3. ibid
  4. Indian Const. Sch. 8
  5. Justice B.N. Srikrishna Committee, ‘A Free and Fair Digital Economy Protecting Privacy, Empowering Indians’, Committee of Experts on digital protection bill, July 2018.
  6. PUCL v. UOI AIR 1997 SC 568
  7. Prs Analysis,  Draft Digital Personal Data Protection Bill, 2022, Ministry: Electronics and Information Technology, https://prsindia.org/billtrack/draft-the-digital-personal-data-protection-bill-2022
  8. Indian Const. Art. 14 
  9. Justice B.N. Srikrishna Committee, ‘A Free and Fair Digital Economy Protecting Privacy, Empowering Indians’, Committee of Experts on digital protection bill, July 2018.
  10. Deloitte survey, (2017) Global Mobile Consumer Survey: US edition, Pg12, reported by Business Insider India.
  11. Information Technology Act 2000,  No. 21, Acts of Parliament,2000(India)
  12. Google Inc v AEPD and Mario Costeja González C-131/12
  13. General Data Protection Regulation (GDPR), European Union. Art. 17
  14. General Data Protection Regulation (GDPR), European Union. Art. 20 
  15. Ibid 
  16. The Personal Data Protection Bill, 2018, Clause 26, Ministry of Electronics and Information Technology.
  17. The Personal Data Protection Bill, 2018, Clause 19, Ministry of Electronics and Information Technology.
  18. Paul De Hert, and other,The right to data portability in the GDPR: Towards user-centric interoperability of digital services,Computer Law & Security Review,Volume 34, Issue 2, 2018, Pages 193-203, ISSN 0267-3649,https://www.sciencedirect.com/science/article/pii/S0267364917303333 
  19. Justice B.N. Srikrishna Committee, ‘A Free and Fair Digital Economy Protecting Privacy, Empowering Indians’, Committee of Experts on digital protection bill, July 2018.
  20. Prs Analysis,  Draft Digital Personal Data Protection Bill, 2022, Ministry: Electronics and Information Technology, https://prsindia.org/billtrack/draft-the-digital-personal-data-protection-bill-2022
  21. Prs Analysis,  Draft Digital Personal Data Protection Bill, 2022, Ministry: Electronics and Information Technology, https://prsindia.org/billtrack/draft-the-digital-personal-data-protection-bill-2022

About Hardik Jain

Hardik is a second-year student of the BBA LLB. (Hons) program of Symbiosis Law School (Pune). Besides academics, he has worked at the office of Adv. Pradeep Rai, BSK Legal Solicitors and Advocates, and other legal offices and firms. Also, he is an independent writer, writing for more than two years for reputed blogs and journals.

View all posts by Hardik Jain

Hardik Jain

Hardik is a second-year student of the BBA LLB. (Hons) program of Symbiosis Law School (Pune). Besides academics, he has worked at the office of Adv. Pradeep Rai, BSK Legal Solicitors and Advocates, and other legal offices and firms. Also, he is an independent writer, writing for more than two years for reputed blogs and journals.

Related Posts

Subscribe to Our Newsletter

Stay at the top of policy developments in India and globally with our weekly picks of un-paywalled content from across the internet.

Want to Read Our Latest Edition Before You Commit?
Scroll to Top