The renewed draft of the Digital Personal Data Protection Bill, 2023, to be tabled in the ongoing monsoon session of the Parliament, is now out. The Bill, which establishes a legal framework for processing digital personal data while protecting an individual’s right to privacy, has gone through multiple iterations since 2018 with the Parliamentary Committee on Information Technology, data privacy advocates, and the general public, raising various concerns regarding the amount of power it gives the government, among other issues. The Parliamentary Committee has now approved a report saying that it endorses the proposed legislation “without any reservations or ambiguity”. Several Opposition MPs walked out of the committee’s meeting on Wednesday, July 26, objecting to the report and alleging that it was shared with them only a day before the meeting.
Among the MPs who walked out of the meeting in protest are Communist Party of India (Marxist) MP John Brittas, Congress MP Karti P Chidambaram, and Trinamool Congress MPs Jawhar Sircar and Mohua Moitra. John Brittas has also moved a dissent note against the report, which was endorsed by Karti Chidambaram. Here are some of the contentions in the latest version of India’s proposed personal data protection law which the Opposition MPs are unhappy with. You can read what the previous versions said here and here.
One of the main concerns Brittas raised is that like its previous iterations, the current version of the Bill too makes exceptions for government entities to process the personal data of individuals in certain instances. The Bill includes a provision for taking ‘deemed consent’ from the person to whom the data is related for providing subsidies, benefits, services, certificates, licenses, and permits by the government, for compliance with any judgment or order issued under existing laws, for responding to a medical emergency involving a threat to life, for providing health services during a threat to public health, for providing services during a disaster or breakdown of public order, and in the context of employees to prevent corporate espionage, maintain confidentiality etc.
Objecting to this, Brittas in his dissent note said, “The question is whether these exemptions will meet the proportionality test as set out by Supreme Court in the Puttaswamy judgement. Will it not lead to a violation of the fundamental right to privacy? The committee, unfortunately, has taken a very soft stance on this matter.”
The Bill itself has been necessitated by the 2017 landmark Supreme Court judgement more widely known as the Puttaswamy judgement on the right to privacy, which laid down various conditions for the government to impinge on the right to privacy, including the requirement of proportionality. If the state decides to encroach into a citizen’s privacy, it is required to show a legitimate aim and to furnish proof that there is no other equally effective way to achieve this aim with less infringement on the person’s privacy and that the infringement is proportional to the gains coming out of it.
Brittas’s dissent note mentioned th,at Section 18(3) of the draft Bill empowers the Union government to exempt any entity or agency from the legislation. T,he Section says that the Union government may exempt certain entities including startups from provisions of the Bill such as issuing notice to the person whose data is being processed by them, the requirement to ensure that the data processed by them is complete, accurate, and consistent, the provision to erase a person’s data when they withdraw their consent or when the processing for the specified purpose is completed, certain obligations related to the processing of children’s data including taking parental consent and avoiding behavioural monitoring or targeted advertising, as well as individuals’ right to access information about their personal data.
Moreover, und,er Section 18(5), the Union government also has the power to exempt any entity from any provision of the Bill for any period of time, until five years since the law comes into effect.
Brittas further questioned certain new additions to the Bill, stating that the new version leaves a lot of power with the executive to frame rules on important matters related to citizens’ data security, with the phrase “as may be prescribed” appearing 18 times in the 24-page Bill under 30 clauses.
The dissent note further pointed out that the Bill excludes personal data collected in non-digital formats, and anonymised personal data and non-personal data from its ambit, despite recommendations to include them by the Joint Parliamentary Committee.
While earlier versions of the Bill only excluded manual data processed by ‘smaller entities’, the draft Bill released for public opinion in 2022 excluded these from its purview. This also includes the non-automated processing of personal data, offline personal data, personal data processed by an individual for any personal or domestic purpose, and personal data about an individual that is contained in a record that has been in existence for at least 100 years.
The Digital Personal Data Protection Bill, 2023 applies to personal data collected in digital form or collected in non-digital form and later digitised, within the territory of India. It also applies to digital personal data outside the territory of India, “if such processing is in connection with any activity related to the offering of goods or services” to persons in India. It does not apply to personal data processed by an individual for any personal or domestic purpose.
The new version of the Bill does not provide for the right to data portability (a person’s right to obtain and reuse their personal data, and allow its migration from one entity to another for their own purposes) and the right to be forgotten (the right of an individual to erase or limit access to content related to them online) — both of which are recognised by the European Union’s data protection law, the General Data Protection Regulation (GDPR). Brittas noted that the Joint Parliamentary Committee that examined the 2019 version of the Bill had recommended retaining these rights.
Whi,le Section 13(3) of the new Bill does recognise the right to the erasure of personal data, the government is exempt from this provision und,er Section 18(4). The government is also exempt from the provision of erasing personal data once an individual withdraws their consent or when the processing for the specified purpose is completed [provided und,er Section 9(7)].
The new draft Bill does not distinguish between sensitive and critical personal data, a classification recommended by the Justice Srikrishna Committee that drafted an earlier version of the legislation in 2018, which was also included in the Personal Data Protection Bill, 2019, and the Joint Parliamentary Committee’s recommendations. Sensitive personal data includes financial data, health data, biometric data, genetic data, data pertaining to one’s sex life, sexual orientation, caste, tribe, religious and political affiliations, whether a person is transgender or intersex, etc. Critical data is data that cannot be sent outside India, and this was left to be identified by the government from time to time.
The dissent note also contests the proposed Data Protection Board of India, instead of an independent Data Protection Authority as mentioned in previous versions. Brittas said that giving power to the Union government to appoint the Board’s members means it is at risk of becoming a “puppet” with little independence.
As per the latest version of the Bill, the Board will consist of a chairperson and other members appointed by the Union government, which can also remove them under certain conditions. These members will have knowledge or experience of data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation, etc., and at least one among them must be a legal expert.
The Board will have the same powers as a civil court under the Code of Civil Procedure, 1908, with respect to summoning and enforcing the attendance of persons, examining them on oath, inspecting any data or documents, etc. It has the power to inquire into complaints of breaches and impose financial penalties.
Brittas pointed out that the Joint Parliamentary Committee Report on the 2019 version of the Bill had recommended that a selection committee shall nominate the members of the Data Protection Authority, which should include the Attorney General of India, independent experts from fields such as data protection, information technology, or cyber laws, and Directors of an Indian Institute of Technology (IIT) and an Indian Institute of Management (IIM). “None of this has been touched upon in the 2022 draft,” he noted.
While earlier drafts of the Bill and the Joint Parliamentary Committee’s recommendations provided for an Appellate Tribunal, the latest draft has no such provision, Brittas further noted. The Data Protection Board of India can impose a penalty against a data fiduciary (any person, company, or the government who stores or processes personal data) for a breach of personal data, but it doesn’t have the power to provide compensation to the aggrieved parties, he said.
The dissent note said that the new draft law no longer requires local storage of data, and unlike previous versions, it does not ask businesses to store certain sensitive and critical data exclusively in India or to mirror a copy of it on Indian servers. It points out that while some businesses can only transfer data to countries notified by the Indian government, how and why the government would pick these countries remains unclear. “Without the assessment criteria being defined in the Bill, it could depend more on geopolitics than privacy safeguards,” the note said.
The new version of the Bill says that a data fiduciary – any entity that collects or processes the data of an individual — may transfer personal data for processing to any country or territory outside India unless restricted by the Union government. However, exemptions exist for “legitimate purposes” such as cases where the processing of personal data is necessary for enforcing any legal right or claim, or when the processing is to find information about a person from whom a claim is due against a debt owed by her.
Any existing laws that provide for a higher degree of restrictions on the transfer of personal data outside India will also still apply.
The dissent note also said that the Bill must make it mandatory for entities using personal data to inform the individuals concerned if the data will be shared with any third party along with the party’s details in advance. It also said that apart from financial penalties, there should also be penal provisions to ensure criminal liability of big corporates that deliberately misuse personal data. As per the Bill, the penalties for various breaches range from Rs 10,000 to Rs 250 crore.
Brittas also contested the claim in the parliamentary panels’ report that the legislation would help combat cybercrime and strengthen India’s defense capabilities, saying they were entirely unrelated to the Bill. He objected to the congratulatory tone of the report towards the Ministry of Electronics and Information Technology and the use of several “pompous” words.