The Union Ministry of Electronics and Information Technology (MeitY) recently released the draft Digital Personal Data Protection (DPDP) Bill, and sought inputs from the public about it. The feedback can be submitted here.
This bill seeks to replace the previous Personal Data Protection Bill (PDP Bill), which was withdrawn in August 2022. However, experts have expressed several concerns in connection with the bill.
So could the bill, if passed, mean the sarkar will have more power over your personal data? And how will it impact the RTI Act?
Also, will it be better now for all data principals to "lawyer up", or at least familiarise themselves with all applicable laws, in a bid to ward off penalties?
“Data Principal” is defined in the bill as the individual to whom the personal data relates (where such an individual is a child, it includes the child’s parents or lawful guardian). For example, users on a social media platform who share their data with the platform are data principals.
Essentially, the DPDP bill is quite different from the PDP bill. Here's how much:
HOW DOES THE NEW BILL AFFECT CROSS-BORDER DATA FLOW?
Cross border data flow essentially entails the flow of personal data from one jurisdiction to another. For instance, when a user submits their data to an internet portal, it may be stored in one place and processed in another. This transfer of data across countries for storage and/or processing is referred to as cross border data flow.
Explaining the difference in the mechanism for cross border data flow in the DPDP bill versus how it was proposed in the PDP bill, Tech Policy expert Trishee Goyal told The Quint:
"The DPDP Bill, 2022 does away with the PDP's three tiered classification and restrictions on transferring of cross border data flows, even as it still allows cross border transfer of personal data only to the jurisdictions notified by the central government."
What does this mean?
"Unlike the PDP Bill, the DPDP Bill fails to provide any legislative guidance on criteria which the notified jurisdictions should satisfy." - Tech Policy expert Trishee Goyal
But, why does it matter?
"This lack of guidance is problematic for a number of reasons," Goyal further explained, adding:
"First, it suffers from excessive delegation. Second, absence of criteria could create apprehension in the minds of data principals on whether the jurisdictions where their personal data is being transferred adhere to sufficient data protection safeguards. This is especially so because the DPDP Bill allows cross border transfer of sensitive personal data without the explicit consent of the data principals. Third, for the data fiduciaries, it creates confusion on what the govt considers desirable jurisdictions where personal data transfers may be allowed in the future."
WHAT ABOUT OTHER POWERS OF THE CENTRAL GOVERNMENT?
A reading of the bill suggests a significant amplification of the Central Government’s 'rule-making' powers, even when it comes at the cost of reducing the scope of the Data Protection Board.
About 14 clauses in the DPDP Bill provide the Central Government with the power to make rules. This, as pointed out by Trishee Goyal in an article for The Hindu, allows the government to become one of the largest data fiduciaries in the country. But what is a 'data fiduciary'?
“Data Fiduciary” has been defined in the bill as any person who alone, or in conjunction with other persons, determines the purpose and means of processing of personal data.
Apar Gupta, founder of Internet Freedom Foundation, notes (in an article for The Indian Express) that the phrase “as may be prescribed” has been used in 18 instances in the text of the new Bill.
For instance, the strength and composition of the Data Protection Board, the process of selection and removal of the Chairperson and other members “are all, as may be prescribed.” The Central Government will also appoint, and determine the terms and conditions of appointment of, the Chief Executive of the Data Protection Board.
“It is reasonable to ask at this juncture: Will any such board be able to exercise any oversight and issue fines on any government authority?” - Apar Gupta
However, as per PTI, IT Minister Ashwini Vaishnaw has said that the architecture of the new body will ensure its autonomy.
“Who appoints SEBI and board of RBI…Government appoints. Are these bodies not independent…independence and autonomy come from law…” - IT Minister Ashwini Vaishnaw
DOES THE BILL PASS SUPREME COURT'S THREE-PART TEST?
Goyal and Gupta also talk, in their pieces, about the Bill being potentially violative of the Supreme Court’s landmark judgment in Puttaswamy vs Union of India.
Noting that Puttaswamy’s three-part test includes words such as “necessary”, “reasonable” and, “proportional”, Apar Gupta also adds that the majority opinion said that the data protection law should have, “due regard to what has been set out in this judgment”.
“However, it seems the judgment and such legal standards have largely been ignored,” Gupta writes.
This is because the Bill permits exemption to the government from most data protection obligations if the processing is carried out “in the interests of prevention, detection, investigation of any offence or any other contravention of any law”.
Besides, as noted by Goyal, a complete exemption can be granted when personal data is being processed “in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognizable offence relating to any of these”.
“This is a lower standard than the one prescribed under the privacy judgment,” Gupta adds.
The Union government can also notify a similar exemption to certain data fiduciaries on grounds of “volume and nature of personal data” being processed. This is irrespective of purpose.
DUTIES ON DATA PRINCIPALS
The DPDP bill also does not allow data principals to seek compensation from data fiduciaries in cases of unlawful processing. But, it does place duties on data principals, which could lead to penalties. This, according to Goyal, is “a very unusual move and perhaps the only one of its kind among data protection legislations.”
For instance, a penalty can now be imposed on a data principal for registering “a false or frivolous grievance or complaint with a Data Fiduciary or the Board.” What a Data Fiduciary may consider a frivolous grievance or complaint is unknown at the moment, but this duty (under Clause 16 (2)) can have a chilling effect on users.
They are also mandated (under 16 (1)) to comply with provisions of all applicable laws while exercising their rights under this Act. How all data principals are expected to know and remember all the applicable laws remains unclear, as well.
IMPACT ON RTI ACT
Experts have, further, observed that Clause 30 of the Bill weakens the Right to Information Act.
Clause 30(2) proposes an amendment to Section 8(j) of the RTI Act.
Section 8(j) presently exempts disclosure of “information which relates to personal information” which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual. But this is unless the Central Public Information Officer (or a similar appropriate authority) is satisfied that the larger public interest justifies the disclosure. The provision to this section further states that “the information, which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.”
However, the DPDP Bill proposes to amend this section to omit all words, except “information which relates to personal information.”
What this essentially means is, if the amendment is approved, personal information will be completely exempt from disclosure. This is even if the relevant authority would have otherwise found that disclosure to be consequential to larger public interest.
Former Central Information Commissioner Shailesh Gandhi told LiveLaw:
“This will make RTI Right to Denial of Information. Most information relates to a person and thus could be denied…This is the biggest step to weaken RTI and its potential to curb corruption and wrongdoing…”
VAGUENESS OF LANGUAGE, VAST SURVEILLANCE: OTHER CONCERNS WITH THE BILL
“...the simplicity of the drafting choices of the Digital Data Protection Bill, 2022 comes at the price of individual privacy,” Gupta writes in his article.
This is because while the bill appears to be written with brevity and in plain English, it is riddled with vagueness.
According to Gupta, “Vagueness animates several proposed clauses that create vast regulatory power for the central government. They will determine significant policy choices that are usually first prescribed, but presently absent in legislative guidance.”
This means that when the bill does not specify and limit the scope of the central government, and leaves a lot for "as may be prescribed", it paves the way for unprecedented control of personal data by the State. It also reduces the checks on data fiduciaries and threatens the privacy of the data principal.
Further, Gupta laments that clause 16 of the Bill which mandates users to furnish “verifiably authentic” information, coupled with the authentication requirements under Telecommunications Bill, 2022 can lead to “the creation of a vast surveillance apparatus.” This is because a user refusing to supply such “verifiably authentic” information faces penalties and denial of service.
(With inputs from The Hindu, The Indian Express, LiveLaw and PTI.)