The draft Digital Personal Data Protection Bill, 2022, released on Friday, is a mix of hits and misses, with more misses than hits, and would need multiple iterations before becoming practical, according to experts.
A large majority of digital rights activists said that the Bill did not seem to work towards protecting people but instead ensured that the government retained all power without any checks or balances, an issue that they said has been raised since the first draft of the Bill was released in 2018.
“Some of the problem areas (in the revised Bill) have existed since the first draft came out, but there is no improvement,” Namrata Maheshwari, Asia Pacific Policy Counsel at not-for-profit digital rights organisation Access Now, told The Hindu. “In fact, I think those issues have been aggravated. For example, the extent of exemptions and discretionary powers that the government has…,” she added.
She pointed out that the government has been given the power to exempt not only government agencies but any entity that is collecting user data, from having to comply with the provisions of this bill when it is signed into law.
Technology Lawyer Mishi Choudhary said the Bill should be called “As May Be Prescribed By Govt Bill” as a lot is left to the Rules. “Rules that the Executive in India has a track record of exploiting to expand its powers… There is no right for compensation to individuals in case of a data breach. They have no right to data portability.”
“The Data Protection Board is toothless as most power is given to the Executive to prescribe through Rules,” she said.
“People must engage with this process and tell the government now that they need people protection in a simple way where they are not exploited or targeted by business or Govt. for their data and they have a simple grievance redressal mechanism.”
Ms. Maheshwari also noted that throughout the Act, there had been use of open-ended language such as “as necessary” or “as may be prescribed”. “The problem is the scope of things on which the government will have rule-making power such as grievance redressal system or the functioning of the data protection board of India,” she said.
Kazim Rizvi, founder, The Dialogue, a tech policy think tank, said that narrowing the scope of the data protection regime to personal data protection is a welcome move, as it resonates with the concerns of various stakeholders. “Getting the genesis of the data protection regime straight by concentrating only on personal data, now non-personal data could be used to unlock social and economic value to benefit citizens, businesses, and communities in India with appropriate safeguards in place,” he said, adding that relaxing data localisation provisions to notify countries to which data can flow could aid India in unlocking the comparative advantage of accessing innovative technological solutions from across the globe, which in turn helps domestic companies.
“In addition, the free flow of data will help startups access cost-effective technology and storage solutions, as our research shows. Moreover, allowing data transfers will also ensure that India is not isolated from the global value chain, helping businesses stay resilient in production and supply chain management and fostering overseas collaboration,” Mr. Rizvi said.
Ms. Maheshwari also said that another issue is the independence of the data protection authority, which is now being called the Data Protection Board of India. “Here the central government retains the power to appoint the chairperson and the power to prescribe the guidelines and rules related to the appointment, terms and conditions and even functioning of the body. One of the most basic elements of an independent data protection authority across the world is that it has to be independent but that is not the case here.”
She added that a key difference between the two bills is that the new one does away with the category of sensitive data. The point of creating that categorisation is that data fiduciaries have to follow certain greater obligations and duties because they’re dealing with information that is more sensitive. “I think removal of this categorisation is problematic because then it puts all kinds of data in the same basket.”
Expressing hope that this time the Bill will be enacted, Prasanth Sugathan, legal director, SFLC.IN, said the Bill is a mix of hits and misses. “The bill does not consider the harm that could be caused to a data principal by surveillance. The explanatory note gives a detailed list of principles that the bill has tried to incorporate. However, this is not legally binding.”
Likewise, Manish Sehgal, partner, Deloitte India, added that the Bill’s exemptions for central and State agencies, along with the exclusion of personal data stored and/or processed in non-digital (original/handwritten/paper) format, may be a gap in protecting personal data and ensuring privacy in entirety.
“As per the draft Bill, Data Principals are responsible to provide verifiably authentic personal data while exercising their rights. It’s interesting to note that the bill has also proposed a penalty of ₹10,000/- for non-compliance of duties expected of a Data Principal, which isn’t a common trend. However, this is likely to promote authenticity in data principal requests and limit non-legitimate requests,” Mr. Sehgal said.
Abhishek Malhotra, managing partner, TMT Law Practice, said, “The draft Bill has watered down the objective of a data privacy and protection framework. It appears to give a simpler framework for people to be able to adopt it seamlessly. Unfortunately, however, the scope and applicability provisions have also been curtailed and limited to where collection is online or digitised and where Indians are targeted for profiling.”
He added that the qualified title, adding “Digital” to the Bill, does not add any value to the nature of the legislation but just seems to be one shot amongst a slew of “digital India” policies and legislations that the government intends to roll out.
“One welcome aspect is that along with rights of the data principals prescribed within the Bill, there is explicit mention of the duties that the Digital Nagrik will have to adhere to. This is likely to bring in welcome reinforcements to the onerous obligations of the data fiduciaries,” he said.
Amit Jaju, senior managing director at Ankura Consulting Group (India), added that the Bill was far from final and would need multiple iterations before becoming practical. “However, this time it is much more simplified, the non-personal data is kept out of the ambit and the focus is more on financial penalties than a criminal conviction. Not bringing data localisation under a requirement will make it difficult to detect and investigate non-compliance and breaches. This is the single biggest gap in the latest draft and is in contradiction to other regulatory requirements such as from the RBI and Cert-In.”