Read our brief on the draft Digital Personal Data Protection Bill, 2022 which was released for public consultation on November 18, 2022. In our brief, we take a look at the proposal’s legislative history and summarise its top issues. Further, we analyse if it passes the Supreme Court’s Puttaswamy thresholds (Spoiler Alert: It doesn't) for state invasion into people’s privacy. We compare the 2022 version with its predecessors in India and also with data protection legislations in other countries. Finally, we have done a detailed analysis of the specific issues with the proposal and provided recommendations to resolve them.
Why should you care?
In the digital age, our lives can increasingly be reduced to various data points such as what we post on social media, food we order, cabs we take, purchases we make, our bank accounts, our mobile numbers, people we match with on dating profiles etc. These data points, when collated, can create a comprehensive profile of an individual. Thus, it is essential that access and use of our information is regulated to ensure that the information we provide is not misused. The Supreme Court of India, while stating that informational privacy is an important facet of the right to privacy under the fundamental right to life, emphasised that the Union Government should examine and put into place a robust regime for data protection.
We know that the DPDPB, 2022 has already been discussed at length. However, it is essential to continue conversation around the proposal to ensure that awareness of its issues increases. Further, on January 31, 2023, the Solicitor General stated before the Supreme Court of India that “a Data Protection Bill, after administrative compliances, is to be introduced before the Parliament in the second half of the Budget Session, 2023”. Thus, this proposal could become law within the next few months. Our brief includes fresh analysis that we have conducted to ensure that our community is able to meaningfully engage with the proposal.
Legislative history and timeline
Previous versions of a Draft Privacy Bill have been coordinated through the Ministry of Personnel, Public Grievances, and Pensions since 2011. Drafts of that bill dealt both with data protection and surveillance reform till 2014; however this did not proceed further. An Expert Committee on Privacy headed by Justice A.P. Shah under the erstwhile Planning Commission presented a report on October 12, 2012 which serves as an influential document on international & national privacy standards. The Expert Committee on Data Protection chaired by Justice BN Srikrishna was constituted by the Ministry for Electronics and Information Technology (“MeitY”) on July 31, 2017. The Committee released its 176 page Report to the MeitY and proposed the Personal Data Protection Bill, 2018 on July 27, 2018. As soon as the Personal Data Protection Bill, 2019 (“PDPB, 2019”) was introduced in the Parliament on December 11, 2019, it was sent to a Joint Parliamentary Committee (“JPC”) with members from both the Houses for its review and suggestions. After nearly two years and several extensions, the Joint Committee on the Personal Data Protection Bill, 2019 brought out its report on December 16, 2021. The Report also contained a new version of the law titled, “The Data Protection Bill, 2021” (“DBP, 2021”). However, the DPB, 2021 was withdrawn by the Minister for Communications and Information Technology, Ashwini Vaishnaw on August 3, 2022. The Ministry of Electronics & Information Technology (MeitY) released the DPDPB, 2022 on November 18, 2022 for public consultation.
Our issues with the DPDPB, 2022
As we have said earlier, we believe that the DPDPB, 2022 fails to adequately address data protection concerns and instead puts in place a regime to facilitate the data processing activities of state and private actors. It is disappointing that this new bill fails to include the extensive comments and feedback that had been received and collated from various stakeholders through the years as part of the consultation process for the DPB, 2021. Instead, the notice accompanying the DPDPB, 2022 states that comments received on the proposal will not be disclosed publicly. This mars the entire consultation process and lowers public confidence in the development of this proposal.
While individual provisions have been discussed at length in the brief, we believe it is also essential to take a step back and assess the whether ultimately the DPDPB, 2022 will protect the informational privacy of Indian citizens. We believe that the draft Digital Personal Data Protection Bill, 2022 (DPDPB, 2022) fails to address these concerns adequately.
In this brief, we have compared the DPDPB, 2022 to the DPB, 2021 in order to highlight the worsening of the proposal as compared to previous iterations in India. While the DPB, 2021 was not a perfect version of the data protection legislation that India needs, it had developed over the years with extensive feedback and participation from civil society and other stakeholders. On the contrary, the DPDPB, 2022 is an excessively stripped down version which worsens substantially on specific fronts such as notice requirements, exemptions provided to government & private actors, and the powers & independence of the Data Protection Board.
We have also compared the DPDPB, 2022 to data protection legislations of other jurisdictions. Through this we aim to highlight where the DPDPB, 2022 stands in terms of protecting the rights of Indian citizens compared to other countries. Provisions such as duties of data principal do not find place in any other legislation that we have examined. (Please refer to our in-depth analysis and comparison of the data protection legislations of foreign jurisdictions here)
Our primary recommendation is that the DPDPB, 2022 should be withdrawn. However we have also provided specific recommendations for several provisions in line with the response that we have submitted as part of the consultation process for the DPDPB, 2022. Some of our recommendations are:
- The preamble of the DPDPB, 2022 must be suitably amended to state, in no uncertain terms, that the overriding objective of the Bill is protection of data and informational privacy, from private as well as state actors. Doing so would ensure that data protection regimes in India remain focused on the data principal and provide us, the citizens of India, with control over our own data. The preamble must also be suitably amended such that the reference to the individual rights of natural persons falls in line with the Supreme Court’s right to privacy judgement and the model privacy principles recommended by the Justice A.P. Shah Committee Report.
- Clause 6 must be amended to place strict notice requirements on data fiduciaries which mandate them to disclose all relevant information about the collection, storage, processing, and retention of their personal data.
- While certain exceptions are necessary in order to facilitate a functional data protection regime, these exceptions can, if not worded clearly, could lead to more harm. Therefore, any exception should be worded clearly, limited in purpose, necessary and proportionate to the aim, and accompanied by sufficient procedural safeguards.
- The DPDPB, 2022 should be amended to remove all duties and penalties which may be imposed on data principals.
- Any exemptions sought by government agencies should be granted only if they fulfil the standards of legality, necessity, and proportionality. It is essential that government collection and processing of citizen data is regulated to prevent misuse. Further, there is a need for a specific chapter pertaining to surveillance reform to be included in the DPDPB, 2022. A procedure must also be put in place for such agencies to seek permission from a judicial authority - preferably by special benches or tribunals comprising of High Court judges. Additionally, an appropriate oversight and accountability structure should be created as part of the DPB by adding within it an office for surveillance reform. Judicial permission that may be granted for emergency surveillance and communications interception must be required to follow the necessity and proportionality principles. To administer such judicial orders, the DPB must determine compliance and enforcement mechanisms.
We would like to thank the following members of the NLSIU, Bengaluru Law and Technology Society (‘L-Tech’) Student Research Panel for providing assistance with research: Abhishek Jasuja, Barath Arjun BK, Chetan R, Chiranth S, Chytanya S Agarwal, Kanav Khanna, Kasvi Thakkar, Nidhi Agarwal, Niveditha K Prasad, Parth Kantak, Priyansh Dixit, Sarthak Virdi, Sarthak Wadhwa, Sukarm Sharma, Shikhar Sharma (Convenor, L-Tech), Siddharth Johar (Joint Convenor, L-Tech).
- A Public Brief of the Digital Personal Data Protection Bill, 2022 dated February 16, 2023 (link)
- The Digital Personal Data Protection Bill, 2022 does not satisfy the Supreme Court’s Puttaswamy principles dated December 16, 2022 (link)
- IFF's consultation response on the draft Digital Personal Data Protection Bill, 2022 dated December 16, 2022 (link)
- IFF's first read of the draft Digital Personal Data Protection Bill, 2022 dated November 18, 2022 (link)
- IFF Members' and Donors' Briefing Call | Draft DPDP Bill, 2022: Whom Does It Protect? dated November 25, 2022 (link)