In the digital age, our lives can increasingly be reduced to various data points such as what we post on social media, food we order, cabs we take, purchases we make, our bank accounts, our mobile numbers, people we match with on dating profiles etc. These data points, when collated, can create a comprehensive profile of an individual. Thus, it is essential that access and use of our information is regulated to ensure that the information we provide is not misused.
The Supreme Court of India, while stating that informational privacy is an important facet of the right to privacy under the fundamental right to life, emphasised that the Union Government should examine and put into place a robust regime for data protection.
Yesterday, there were reports that a draft of the data protection law which has been approved by the Union Cabinet will be presented before the Parliament in the upcoming Monsoon session. Reports suggested that the draft version approved by the Cabinet closely replicates the draft Digital Personal Data Protection Bill, 2022 (DPDPB, 2022). The DPDPB, 2022 has already been discussed at length. However, it is essential to continue the conversation around the proposal to ensure that awareness of its issues increases.
Legislative history and timeline
1. Previous versions of a Draft Privacy Bill have been coordinated through the Ministry of Personnel, Public Grievances, and Pensions since 2011. Drafts of that bill dealt both with data protection and surveillance reform till 2014; however this did not proceed further.
2. An Expert Committee on Privacy headed by Justice A.P. Shah under the erstwhile Planning Commission presented a report on October 12, 2012 which serves as an influential document on international & national privacy standards.
3. The Expert Committee on Data Protection chaired by Justice BN Srikrishna was constituted by the Ministry for Electronics and Information Technology (“MeitY”) on July 31, 2017. The Committee released its 176 page Report to the MeitY and proposed the Personal Data Protection Bill, 2018 on July 27, 2018.
4. As soon as the Personal Data Protection Bill, 2019 (PDPB, 2019) was introduced in the Parliament on December 11, 2019, it was sent to a Joint Parliamentary Committee (JPC) with members from both the Houses for its review and suggestions.
5. After nearly two years and several extensions, the Joint Committee on the Personal Data Protection Bill, 2019 brought out its report on December 16, 2021. The Report also contained a new version of the law titled, “The Data Protection Bill, 2021” (DPB, 2021).
6. However, the DPB, 2021 was withdrawn by the Minister for Communications and Information Technology, Ashwini Vaishnaw on August 3, 2022. The Ministry of Electronics & Information Technology (MeitY) released the DPDPB, 2022 on November 18, 2022 for public consultation.
7. On July 5, 2023, news reports stated that the Union Cabinet has approved a draft of the data protection law, which will be presented before the Parliament in the upcoming Monsoon session. Reports suggested that the draft version approved by the Cabinet closely replicates the draft Digital Personal Data Protection Bill, 2022 (DPDPB, 2022). Some likely changes include a blacklist of countries to which transfer of Indian data will be prohibited, and lower penalties for data breaches.
Key issues with the DPDPB, 2022
The DPDPB, 2022 failed to adequately address data protection concerns and instead put in place a regime to facilitate the data processing activities of state and private actors. It failed to include the extensive comments and feedback that had been received and collated from various stakeholders through the years as part of the consultation process for the Data Protection Bill, 2021. Instead, the notice accompanying the DPDPB, 2022 stated that comments received on the proposal will not be disclosed publicly.
In response to a Right to Information request filed by Internet Freedom Foundation seeking a copy of the submissions received as part of the consultation process, MeitY states that the submissions will not be disclosed as they are being held in a fiduciary capacity to enable stakeholders to make submissions freely. This marred the entire consultation process and lowered public confidence in the draft’s development. References to there being over 20,000 responses by unnamed government officials mean little after such opacity surrounding the process and nature of responses. Further, the consultation process requires interested participants to register on the MyGov website in order to be able to provide comments, which is a significant hurdle.
The DPDPB, 2022 was an excessively stripped down version which worsened substantially on specific fronts. This includes:
1. Objective: The DPDPB, 2022 placed the need for data processing on par with recognising individual privacy rights.
2. Consent: The DPDPB, 2022 allowed the Data Fiduciary to “deem” or assume consent of the Data Principal if the processing is considered necessary as per certain situations such as for the breakdown of public order, for purposes related to employment, and in public interest.
3. Rights and duties of data principals: For the first time in the history of the data protection legislation in India, duties such as not registering a false or frivolous grievance or complaint were imposed on the Data Principal, the violation of which could result in penalties (of up to Rs 10,000).
4. Wide exemptions for the government and no surveillance reform: The Union government retained the power to exempt any government instrumentality (GI) from the application of the DPDPB, 2022. The DPDPB, 2022, like its predecessors, failed to include any provisions which would enable the reform of the surveillance architecture in India.
5. Independence of regulatory authority: The independence of the Data Protection Board under the DPDPB was questionable. The Union government was empowered to prescribe the strength and composition of the Data Protection Board, the process of selection, terms and conditions of appointment and service, removal of its chairperson and other members at a later stage as well as appointing the chief executive of the Board.
6. Depth and comprehensiveness: The DPDPB, 2022 left various provisions to executive rule-making “as may be prescribed” at a later stage in the absence of legislative guidance and scrutiny.
Our primary recommendation for the DPDPB, 2022 was that it should be withdrawn. However, we also provided specific recommendations for several provisions in line with the response that we submitted as part of the consultation process for the DPDPB, 2022. Some of our recommendations were:
1. The preamble of the DPDPB, 2022 must be suitably amended to state, in no uncertain terms, that the overriding objective of the Bill is protection of data and informational privacy, from private as well as state actors. Doing so would ensure that data protection regimes in India remain focused on the data principal and provide us, the citizens of India, with control over our own data. The preamble must also be suitably amended such that the reference to the individual rights of natural persons falls in line with the Supreme Court’s right to privacy judgement and the model privacy principles recommended by the Justice A.P. Shah Committee Report.
2. The deemed consent clause of the DPDPB, 2022 must be amended to place strict notice requirements on data fiduciaries which mandate them to disclose all relevant information about the collection, storage, processing, and retention of their personal data.
3. While certain exceptions are necessary in order to facilitate a functional data protection regime, these exceptions, if not worded clearly, could lead to more harm. Therefore, any exception should be worded clearly, limited in purpose, necessary and proportionate to the aim, and accompanied by sufficient procedural safeguards.
4. The DPDPB, 2022 should be amended to remove all duties and penalties which may be imposed on data principals.
5. Any exemptions sought by government agencies should be granted only if they fulfil the standards of legality, necessity, and proportionality. It is essential that government collection and processing of citizen data is regulated to prevent misuse. Further, there is a need for a specific chapter pertaining to surveillance reform to be included in the DPDPB, 2022. A procedure must also be put in place for such agencies to seek permission from a judicial authority – preferably by special benches or tribunals comprising High Court judges. Additionally, an appropriate oversight and accountability structure should be created as part of the DPB by adding within it an office for surveillance reform. Judicial permission that may be granted for emergency surveillance and communications interception must be required to follow the necessity and proportionality principles. To administer such judicial orders, the DPB must determine compliance and enforcement mechanisms.
We hope that the upcoming draft version of the data protection legislation recognises the issues we have stated above and inculcates the recommendations we have made.
An earlier version of this post appeared on the Internet Freedom Foundation’s website.
Anushka Jain is Policy Counsel and Prateek Waghre is Policy Director at the Internet Freedom Foundation.