
Version 3 - Digital Personal Data Protection Bill 2022

  • Nov 21, 2022


On 18 November 2022, the Ministry of Electronics and Information Technology (MeITy) shared a draft of the Digital Personal Data Protection Bill 2022 (DPDP22) and sought comments from the public by 17th Dec 2022. The proposed bill is dramatically different from its two earlier avatars: the Personal Data Protection Bill 2019 and the draft Data Protection Act 2021.

Indians in general are not too concerned about privacy. You may find a person returning from the hospital discussing the patient's health issues with an unknown cab driver, and the best part is that the cab driver will advise him on what medicine should be given.





However, the subject of privacy was first discussed in detail during the Privy Council meetings and during the drafting of the Constitution of India. Europe has been at the forefront of privacy and personal data protection and has brought in several regulations, including Safe Haven, the General Data Protection Regulation (GDPR) and Privacy Shield. After the GDPR came into force, most nations of the world followed in the footsteps of Europe. Some went in different directions while still creating an appropriate legal structure for protecting privacy and personal data in cyberspace. In the recent past (2012), the Justice AP Shah Committee made several recommendations on personal data protection. The Supreme Court of India, in the case of Justice K. S. Puttaswamy (Retd.) and Anr. vs Union of India, ruled that privacy is an inherent part of personal freedom and is covered under Article 21 of the Constitution as a fundamental right of every person within the territorial control of India. The Supreme Court also directed the government to come out with a law to protect the privacy of individuals, especially in the Internet environment, and to establish appropriate procedures to protect their fundamental rights. The government constituted the Justice Srikrishna Committee, which proposed the Personal Data Protection Bill 2018. However, the government did not approve the bill prepared by the Justice Srikrishna Committee and on 11th December 2019 placed the Personal Data Protection Bill 2019 before Parliament. At the outset itself, the government conceded that the bill required deeper examination by a specially constituted 40-member Joint Parliamentary Committee. In 2021 the Joint Parliamentary Committee came out with the draft Data Protection Act 2021, which looked at the issue from an entirely different direction and encompassed a much wider subject. It became a real challenge to enhance the scope of the bill from personal data protection to complete data protection.
Therefore, the government decided to withdraw the Personal Data Protection Bill 2019 and did not table the draft Data Protection Act 2021 proposed by the Joint Parliamentary Committee. The MeITy has now come out with the draft Digital Personal Data Protection Bill 2022 (DPDP22) and asked the public to offer comments by 15th December 2022.




The DPDP22 is a far shorter bill with crisp and simple language. It has just 30 sections and can be understood by the common man. The number of definitions has been reduced dramatically, and even the existing definitions have been pruned and modified. The focus of the DPDP22 is on compliance rather than on penalties and punishments. There is no section related to criminal offences, and all crime-related activities have been deleted from the definitions and the concerned sections. The draft bill proposes to create a Data Protection Board of India instead of a Data Protection Authority of India. The complete bill is barebones and provides the basic legal infrastructure for the protection of personal data in the digital space. Most of the dirty work is left for the executive to define and frame through rules and to implement. This has made the law flexible and dynamic enough to meet the ever-changing scenarios and environment of cyberspace.


This is a path-breaking law that uses the words ‘she’ and ‘her’ when referring to any natural person, instead of ‘he’ and ‘him/his’, to emphasise women's empowerment. The proposed bill suggests that interaction with the data principal, especially the notice, should be in a language she understands. The languages proposed are English and the Indian languages from the 8th Schedule of the Constitution. The complete chapter on the employer-employee relationship has been deleted, and the concerns of employers have been addressed adequately. At present there is no proposal to have any ‘sensitive personal data’, but the term does appear in the context of making a data fiduciary a significant data fiduciary. The bill also deleted the ‘rights of deletion’, which is a major deviation from the laws on the rights of an individual in the rest of the world, especially the GDPR. Earlier versions had the rights of deletion, though implemented in a complicated manner, but now these rights have been totally removed. The proposed bill gives some examples to help in understanding the respective sections, which is a good practice. Children's rights related to personal data are now conferred upon the parents and legal guardians. The powers of NGOs and other organisations have been removed.





The DPDP22 has introduced a very interesting feature whereby any dispute can be transferred to an Alternate Dispute Resolution (ADR) mechanism such as mediation. The proposed law also brings in the concept of a “voluntary undertaking”. Through these two approaches, the focus will shift from penalties and fines towards compliance. Once the Board agrees to the voluntary undertaking, all proceedings against the data fiduciary or data processor shall stop. It is presumed that if a data fiduciary or data processor fails to comply with its voluntary undertaking there will be heavy penalties; however, this is not mentioned anywhere in the proposed law. The penalties have been made very steep (see Table below) and could be as high as rupees 250 crores (more than 30 million US dollars), but this applies only where a data fiduciary or a data processor has failed to institute appropriate (cyber) security measures. The penalty here is limited to rupees 5 crore per instance. There is no provision for any ‘compensation’ to the data principal, hence practically all the money will be made by the government. Previous versions had clearly mentioned that the penalty would go to the Consolidated Fund of India while compensation would be paid to the affected data principal. Now only the penalty is mentioned; technically, the government can dole out compensation in an ad hoc manner. Otherwise, the data principal may need to file a separate plaint in a civil court under the law of tort.



The draft bill is based on seven principles:

  • Digital personal data should be collected in a fair and transparent manner and only for a lawful purpose.

  • Only the digital personal data necessary to provide the services or functionality shall be collected.

  • The data so collected should be the bare minimum.

  • The personal data shall always be accurate and updated.

  • The purpose of the data shall be limited by time, usage and the law for the time being in force.

  • Reasonable safeguards should be put in place by the data principal and the data processor to prevent any digital personal data breach.

  • The data fiduciary shall be accountable for any loss of personal data.




The bill has removed two important features from the previous versions.

  • There is no sensitive personal data now; everything is digital personal data.

  • The right of deletion has been completely removed; the right to erasure, as it was there earlier, continues to exist. The data principal's right to nominate has been incorporated, as suggested by the Joint Parliamentary Committee.

Some of the significant changes in the definitions are:

  • In the definition of “automated”, the words ‘any equipment’ have been replaced by ‘any digital process’, which implies that the law will now apply to processes rather than devices; hence personal data created by Artificial Intelligence and the metaverse will be covered.

  • For consent, the emphasis has shifted to such consent being given freely, specifically and in an informed manner, through an affirmative action by the data principal, with a reasonable understanding of what the processing will lead to. This is a significant change at the concept level.

  • All features related to criminality have been removed from the definition of harm. This is in line with the concept that criminal aspects have been kept out of the proposed bill.

  • The definition of personal data has been simplified dramatically.

  • The term public interest has been newly defined. Unlike in previous bills, the scope of ‘cognizable offence’ is limited to cases where the sovereignty or integrity of the nation, the security of the state, friendly relations with foreign states, or the maintenance of public order is involved. This implies that the police will not have unlimited powers under the head of ‘cognizable offence’, but only in respect of cognizable offences of the kinds mentioned above.

  • Though significant data fiduciary has not been defined and has been left to the executive to define through rules, any organisation or data fiduciary declared a significant data fiduciary will be required to appoint a data protection officer and an independent data auditor, and to undertake periodic data protection impact assessments and audits.




Unlike previous versions of the personal data protection or data protection bills, there is a proposal to introduce “duties of data principal”, under which she needs to comply with the provisions of the laws of India and must not register any false grievances or use any unfair means. The data principal will be required to furnish verifiable, authentic information while exercising her rights of correction or erasure.


The “Grounds for Processing of Personal Data Without Consent” chapter is now cleverly worded under the new concept of ‘Deemed Consent’. The advantage of this wording is that the restrictions mentioned under the obligations and principles of Digital Personal Data Processing continue to apply even where explicit consent is not taken. Also, relevant personal data of an employee held by the employer for a specific purpose (for example, biometrics for attendance) is treated as ‘deemed consent’.





The exemption chapter has become muddier and does not mention any procedure that can be adopted in case of such exemptions. There is no procedure under the law for the agencies that are primarily blamed for breaching the fundamental right of privacy.

It has been proposed to create a Data Protection Board of India, which will be totally controlled by the Central Government of the day. The Board will have the power to review its own decisions; however, no new appellate authority has been created. To appeal against an order of the Board, a person can approach the High Court and, by implication, the Supreme Court through a Special Leave Petition (SLP).


The proposed Digital Data Protection Bill 2022 has been made shorter and crisper because of one major change in the approach to framing the law. Most of the dirty work has been left to the executive, which is to create the appropriate provisions of law through rules. Normally rules are administrative law and are subordinate to the main enactment. However, in this case the rules are made part of the act through clever wording in section 3. Technically, this means that whichever rule is issued by the executive through Gazette notification will be part of the enactment as if passed by the legislature. This single major change in the drafting of the law has its own positives and negatives. It transfers power over a major part of the law to the executive, but for the courts the rules will be considered as if passed by the legislature. The advantage of such wording is that the law becomes very flexible and can meet the challenges of the ever-changing scenario of the technology revolution. The government can respond quickly without going back to the legislature for every small change. However, the disadvantage is that power corrupts, and absolute power corrupts absolutely. There are checks and balances built in: rules are required to be placed before Parliament for 30 days, and members of parliament can raise objections to cancel or modify them. This procedure has been in force since independence, but it has been observed that it is very rare for any rule or regulation to be challenged just because it has been placed before Parliament. Therefore, such a dramatic change in law drafting can make the law nimble, but it places a huge responsibility on the members of parliament (who are many times bound by party whips) to raise objections in the interest of the public.


Utopian?? May be.....







Table 1: Penalties for various non-compliance




***END***



