IFF's consultation response on the draft Digital Personal Data Protection Bill, 2022

tl;dr

Read our response to the public consultation on the draft Digital Personal Data Protection Bill, 2022. The submissions have to be made through this link and the last date for submission is December 17, 2022.

Issues with the consultation process

Before we get into the response, it is important to highlight certain issues with the consultation process for the draft Digital Personal Data Protection Bill, 2022 (DPDPB, 2022). The consultation process requires interested participants to register on the MyGov website in order to be able to provide comments. This is a significant hurdle as many individuals may not want to register on a government portal for this exercise. Further, the feedback can only be given for specific chapters or clauses in the DPDPB, 2022 and each specific response has a character limit of 2500 characters. This significantly restricts the ability to provide in-depth feedback on the provisions of the Bill as well as feedback which may not be specific to a particular clause.

Our public writing on the DPDPB, 2022

Our staff wrote extensively on the issues with the DPDPB, 2022 in esteemed newspapers and online portals. One of the biggest issues with the DPDPB, 2022 was that it sacrificed sufficient privacy protections at the altar of brevity, a concern highlighted by our Executive Director Apar Gupta in his op-ed titled, “Digital Data Protection Bill uses brevity and vagueness to empower government, undermine privacy”, in the Indian Express. IFF’s Policy Director Prateek Waghre pointed out how the DPDPB, 2022 fails to provide primacy to user interests through his op-ed titled, “Failing Digital Nagriks”, in the Financial Express. IFF’s Policy Counsel Anushka Jain and IFF’s Associate Litigation Counsel Krishnesh Bapat pointed out the specific issues in the DPDPB, 2022 that result in the expansion of the surveillance powers of the State through their op-ed in the Hindu titled, “A Bill protecting state surveillance”. In Bar & Bench, IFF’s Litigation Counsel Tanmay Singh and Associate Policy Counsel Tejasi Panjiar wrote about the DPDPB, 2022 being an unfortunate departure from the ethos of the Puttaswamy judgement through their op-ed titled, “The Data Protection Bill, 2022 fails Indians substantively and procedurally”.

Our response

Our detailed response has been submitted to the Ministry of Electronics & Information Technology through the MyGov.in portal and can be accessed here. Our major concerns are:

A. Notice

Under clause 6(1), the data fiduciary is only required to notify the data principal about the nature of personal data sought to be collected and the purpose of processing of personal data. However, it does not require data fiduciaries to inform principals about the third-parties with whom their data will be shared, the duration for which their data will be stored and if their data will be transferred to other countries.

In the absence of such notice requirements, the data principal will not receive information which will allow them to make an informed decision about the processing of their personal data. For example, the California Consumer Privacy Act, 2018 requires businesses to inform the consumers from whom data is being collected whether their data will be sold or shared further at or before the point of collection.

B. Deemed consent

The DPDPB, 2022 allows the data fiduciary to “deem” or assume consent of the data principal if the processing is considered necessary as per certain situations which Clause 8 lays down. Here, essentially the DPDPB, 2022 allows for non-consensual processing of personal data. It is essential that consent is the foundational framework upon which any data protection regulation in the country is built and any derogation from it needs to be tailored narrowly.

For example, the Singapore Personal Data Protection Act, 2012 has a similarly named section on deemed consent where consent can be deemed only if the individual voluntarily provides the personal data to the organisation for that purpose and it is reasonable that the individual would voluntarily provide the data. Thus, only Clause 8(1), which pertains to a situation similar to the Singaporean legislation, can be said to be a situation where consent may be reasonably deemed.

However, the situations contained in Clause 8 where non-consensual processing will be carried out, such as for the breakdown of public order, for purposes related to employment, and in public interest, allow for wide and vague interpretations. This could result in excessive processing of the personal data collected due to the absence of specific and informed consent of the data principal. Further, since the processing will take place without consent, it restricts the data principal from withdrawing the consent at will.

C. Duties of data principal

Clause 16 of the DPDPB, 2022 introduces certain duties of the data principal for the first time, which raises serious concerns, especially because under Schedule 1 of the DPDPB, 2022 non-compliance with this clause can lead to a financial penalty of 10,000 INR being imposed on the data principal. Duties imposed include that the data principal shall not register a false or frivolous grievance or complaint with a Data Fiduciary or the Board and shall, under no circumstances, furnish any false particulars or suppress any material information or impersonate another person.

Here, it becomes essential to highlight that the decision to categorise a complaint as “frivolous” lies with the Data Protection Board which may classify a complaint as frivolous even if the data principal did not intend it to be so. Here, granting the power to impose penalties also overlaps with existing inherent powers of civil courts which the Data Protection Board will also enjoy. Such excessive powers may end up being misused.

Additionally, it is not an uncommon practice for people to protect their private information by obfuscating personally identifiable information when setting up online accounts for many services including accounts on social media services and email services. Clubbing such actions with actions which may be illegal such as impersonation and fraud can result in individuals no longer being able to enjoy the internet without excessive and unreasonable restrictions.

D. Transfer of personal data outside India

The DPDPB, 2022 has removed the data localisation requirements that were contained in previous versions of the data protection legislation proposed by the Union Government. However, while this is a positive step, the clause is ambiguously phrased and appears to propose an allowlist approach wherein the Union Government will notify certain jurisdictions outside India to which personal data collected in India may be transferred. This notification will be done based on certain factors which the Union Government may deem necessary, and which are currently unspecified.

Here, the failure to specify the factors which the Union Government will assess to include jurisdictions in the allowlist is a cause of concern. In the absence of clear and reasonable standards, any such notification may be done on the basis of criteria that do not adequately protect the right to privacy of Indian data principals and can be influenced by other considerations/negotiations. For example, Articles 44 to 50 of the General Data Protection Regulation permit transfer of personal data of EU data principals only to such countries which provide an adequate level of protection to such data.

E. Exemptions

Clause 18(2)(a) of the DPDPB, 2022 allows the Union Government to exempt any government “instrumentality” (GI) from its application for certain interests. This would give all data collection & processing activities of these GIs complete immunity from any protections that the DPDPB puts in place.

Interests stated in the provision for which exemption may be exercised are excessively vague & thus open to misuse through overbroad application, resulting in a large number of GIs being granted exemption from the application of law. Further, the exemption granted itself, i.e., all activities of the exempted agency will be outside the purview of the law, is also overbroad.

Granting such blanket exemptions directly violates the Supreme Court’s decision in K.S. Puttaswamy v Union of India [2017], wherein the Court held that any state invasion into citizen privacy must satisfy the thresholds of legality, necessity, proportionality, & procedural safeguards to prevent misuse. By granting blanket exemptions, the Union Government is preempting any review, judicial or otherwise, of the actions of the GIs, which could result in gross violations of citizen privacy by the state.

The existing surveillance architecture in India has been the focus of criticism by human rights & privacy activists for decades. The criticism stems from a failure to meaningfully & narrowly define the grounds under which surveillance may be conducted, which is also a failure of the exemption granted within Clause 18(2)(a). Further, the provisions concentrate all surveillance powers with the executive branch & do not have safeguards such as judicial review of surveillance orders in place. The data protection law was expected to institute much awaited safeguards on this architecture but exemptions granted under 18(2)(a) instead widened government surveillance powers.

We worry that Clause 18(3) may be used to exempt some private actors even if they process personal data which can be considered sensitive, thereby limiting the effectiveness of the law. Clause 18(4) exempts the “State or any instrumentality of the State” from the mandate to comply with data deletion requirements under the law. As a result, any data collected by the State may be retained by them in perpetuity, in direct violation of the internationally recognised best principle of storage limitation, which states that data should only be retained as long as is necessary to fulfil the purpose for which it was collected.

F. Data Protection Board of India

Under this provision, the Union Government has been empowered to prescribe the strength and composition of the Data Protection Board, the process of selection, terms and conditions of appointment and service, and removal of its Chairperson and other Members at a later stage. Further, the Union Government has also been empowered to appoint the Chief Executive of the Board. However, unlike in previous versions, no criteria have been specified for the appointment or for who will make the appointment.

The vesting of these powers with the Union Government calls into question the independence of the Board. Since the Board is tasked with determining non-compliance with the provisions of the law by data fiduciaries and data processors including state data fiduciaries and state data processors, it is essential that they provide primacy to data principals and their interests while deciding matters brought before them. However, an executive-appointed Chief Executive may not be able to exercise effective oversight over the executive itself. Therefore, it is essential that the Board is independent of executive control. This was also held by the Supreme Court of India in Madras Bar Association vs Union of India (2020) wherein they stated that, “Dispensation of justice by the Tribunals can be effective only when they function independent of any executive control: this renders them credible and generates public confidence”.

G. Financial Penalty

Clause 25, in consonance with Schedule 1, imposes financial penalties if the Data Protection Board decides that the non-compliance that has taken place is significant. One of the non-compliances listed in Schedule 1 is with Clause 16 of the DPDPB, 2022 which relates to duties of the data principal. It is a cause of concern that not only have duties been imposed on the data principal, but that they may also be penalised for non-compliance.

These provisions go against the ethos of a data protection legislation which aims to provide protection to the rights of individuals who want to regulate the manner in which their data may be processed. Further, the imposition of a penalty may also result in data principals being apprehensive about raising grievances as they may be concerned about being penalised if the Data Protection Board fails to find merit in their grievance.

Our recommendations

Our primary recommendation is that the DPDPB, 2022 should be recalled. Our recommendation flows from the myriad shortcomings of the DPDPB, 2022, which include the abject vagueness of the draft due to various important provisions being left for executive rule-making without legislative guidance at a later stage, consent being “deemed” in certain situations allowing for non-consensual processing of data, expanded exemptions being provided to state and private data fiduciaries, and the lack of independence of the Data Protection Board, among others.

Though the DPB, 2021 was not without its shortcomings, the consultation process should resume from a version of DPB, 2021, which was the outcome of institutional processes, and should also account for specific civil society feedback received over the years. Here, it is essential that clear reasoning is provided for any further changes made to the bill as a result of the responses received in this consultation, as was done through the Joint Parliamentary Committee Report in December, 2021.

We would like to thank the following members of the NLSIU, Bengaluru Law and Technology Society (‘L-Tech’) Student Research Panel for providing assistance with research: Abhishek Jasuja, Barath Arjun BK, Chetan R, Chiranth S, Chytanya S Agarwal, Kanav Khanna, Kasvi Thakkar, Nidhi Agarwal, Niveditha K Prasad, Parth Kantak, Priyansh Dixit, Sarthak Virdi, Sarthak Wadhwa, Sukarm Sharma, Shikhar Sharma (Convenor, L-Tech), Siddharth Johar (Joint Convenor, L-Tech).

Important documents

  1. Our response on the DPDPB, 2022 along with a covering letter sent to MeitY dated December 23, 2022 (link)
  2. IFF's first read of the draft Digital Personal Data Protection Bill, 2022 dated November 18, 2022 (link)
  3. IFF Members' and Donors' Briefing Call | Draft DPDP Bill, 2022: Whom Does It Protect? dated November 25, 2022 (link)

Note: This post was updated on December 23, 2022.