The Ministry of Electronics and Information Technology (MeitY) released a new data protection bill on November 18, 2022. This is the fourth iteration of a data protection bill in India after the Puttaswamy judgment in 2017. We appreciate the efforts of MeitY in drafting a clear and accessible Digital Personal Data Protection Bill, 2022 (‘DPDP Bill’). However, the proposed framework does not provide comprehensive protection of privacy rights and redressal of harms for data principals. In many instances, the DPDP Bill dilutes or misses out on safeguards and protections that were present in earlier versions of the Bill.
Our submission to MeitY, as part of the public consultation on the DPDP Bill, highlights the following five fundamental concerns with the DPDP Bill: (i) Fails to safeguard the privacy of data principals, (ii) Absence of key data protection principles, (iii) Excessive reliance on delegated legislation, (iv) Lack of independence and regulatory powers for the Data Protection Board of India (‘DPBI’), and (v) Imposition of onerous burdens on data principals.
1. Fails to safeguard the privacy of data principals: We would like to highlight that the DPDP Bill does not place the right to privacy of the data principal at the centre of its objectives. The Supreme Court in Puttaswamy has explicitly recognized the right to privacy of individuals. Consequently, a data protection law should be rights-centric and drafted with the intention of protecting privacy and empowering individuals to meaningfully exercise this right. Instead, by focusing on removing barriers from data processing activities, the Bill dilutes the rights of data principals, limits the understanding of harm, and eases obligations of data fiduciaries. For example, the preamble focuses on processing data in a manner that recognises the right to data protection alongside the need to lawfully process data. This is a significant departure from previous iterations of the Bill. To clarify its intent, the Bill should go further and explicitly state that (i) the right to privacy is a fundamental right in India and (ii) it seeks to protect the informational privacy of individuals.
2. Absence of key data protection principles: Universally recognised data protection principles such as collection limitation, purpose limitation, and openness are not adequately reflected in the framework of the DPDP Bill. To ensure a privacy-focused data protection regulation, it is crucial for the Bill to be grounded in strong principles that enshrine the rights of individuals. The A.P. Shah Committee in 2012 examined numerous international privacy practices and principles and recommended the incorporation of national privacy principles in any privacy legislation. These principles have been further referred to by the Supreme Court in Puttaswamy. The explanatory note accompanying the Bill features a few of these principles, but it is important for all of them to be included within the data protection legislation itself. We thus recommend that core data protection principles be incorporated in the text of the Bill.
3. Excessive reliance on delegated legislation: Delegating rule-making power to the government is necessary to provide flexibility, accommodate future circumstances, and prevent laws from becoming obsolete. However, the DPDP Bill does so without providing the government any legislative guidance or criteria for the framing of such delegated legislation. Having guidelines set out precisely in the text of the Bill will help not only data principals but also the government in exercising its rule-making power. This ties in with the government’s goal of ensuring comprehensibility of the law for citizens as expressed in the explanatory note released alongside the Bill. Therefore, the DPDP Bill must articulate foundational principles, safeguards, and criteria to guide the framing of delegated legislation within the text of the Bill.
4. Lack of independence and regulatory powers for the DPBI: The DPDP Bill envisions the Data Protection Board of India (‘DPBI’) as only a quasi-judicial body. This is a departure from the previous versions of the Bill where a regulatory authority was envisaged. Data protection is a technical subject that necessitates the establishment of an expert regulator composed of individuals with the necessary expertise and regulatory capacity to exercise various regulatory powers. To ensure effective data protection, it may be crucial for the DPBI to have regulatory powers, especially for subject areas such as determining the grounds for non-consensual processing of personal data.
The DPBI’s functions are further diminished by its lack of independence. The government will determine many aspects of its operation and functioning such as the appointment and removal of its members. As a result, the DPBI may not be well positioned to take decisions which are independent of government considerations.
We recommend that the Bill establish a board with independent regulatory and adjudicatory powers. Such a body will be well positioned to serve the best interests of data principals.
5. Imposition of onerous burdens on data principals: Many provisions of the DPDP Bill discourage and disincentivise data principals from exercising their rights. For instance, data principals are burdened with unforeseen consequences while exercising their basic right to withdraw consent for processing data. Many data principals who would otherwise have exercised this choice will now refrain from doing so, due to the uncertainty about what the ‘consequences’ of such withdrawal could entail.
Additionally, before proceeding with their grievances against data fiduciaries, data principals have to jump through several hoops. They have to ensure that they are fulfilling several duties or risk paying a hefty penalty. The DPBI may at various stages dismiss complaints due to insufficient grounds or demerits. Even when a data principal is successful in establishing a valid claim, the DPBI cannot impose penalties on a data fiduciary without establishing that the non-compliance is ‘significant’ in nature. The Bill does not provide the DPBI with powers to provide any compensation to data principals. Thus, a data protection regulation whose enforcement mechanism disadvantages data principals in these ways will not be able to effectively fulfil its objectives. Additionally, the Bill specifically imposes duties and penalties on data principals, which will only further hinder them from exercising their rights. We recommend that (i) duties of data principals be removed from the Bill, (ii) the DPBI should be able to impose penalties for even non-significant non-compliance, and (iii) the DPBI should be empowered to provide sufficient compensation to data principals.
*(Due to character limits on the innovateindia.mygov.in website, we were able to provide only part submissions to MeitY. For our complete comments on the Digital Personal Data Protection Bill, 2022, please click here – https://bit.ly/3WBdzXg)