This post is authored by Tejaswita Kharel*
In order to ease the enforcement process for data protection laws, various jurisdictions such as Singapore and Australia have incorporated voluntary undertaking provisions. Such a provision encourages organisations to self regulate and adopt accountable practices. It is also believed that the incorporation of such a provision in data protection compliance frameworks will help build a collaborative relationship between data protection boards and data fiduciaries.
India has recently also taken a step in this direction. Clause 24 of the Digital Personal Data Protection Bill, 2022 [“Bill”] provides that the Data Protection Board [“Board”] may accept voluntary undertaking at any stage and that the acceptance of such undertaking by the Board would constitute a bar to proceedings.
However, while voluntary undertaking provisions may work elsewhere, Clause 24 should be removed from the Bill for the following reasons:
1] Excessive Scope of Voluntary Undertaking Provision
The voluntary undertaking regime in Singapore clearly provides that the request to invoke a voluntary undertaking process must be made “soon after the [breach] incident is known”. But the voluntary undertaking provision in the Bill states that the undertaking can be given at “any stage” including before a breach has even taken place. This will allow data fiduciaries to delay their compliance with the provisions of the Bill and postpone the implementation of important provisions of the Bill.
For example Clause 9(4) of the Bill provides that “Every Data Fiduciary and Data Processor shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach.” A fiduciary could offer a voluntary undertaking stating that it will comply with this clause after a period of six months, during which time multiple breaches can occur. The scope of the voluntary undertaking clause in the Bill is thus massive and is likely to give too much leeway to data fiduciaries to circumvent the law and violate the rights of the Data Principals.
2] Lack of Regulatory Standards for Voluntary Undertaking
Additionally, there is no set standard for what a voluntary undertaking offer is supposed to contain. While Clause 24 states that a voluntary undertaking may include “undertaking to take specified action within a specified time, an undertaking to refrain from taking specified action, and an undertaking to publicise the voluntary undertaking”, the requirements are not specific enough to ensure that fiduciaries will adequately comply with the provisions of the Bill. Data fiduciaries have no requirement to provide for an in-depth remediation plan unlike in Singapore.
3] Excessive Discretion of the Board
Clause 24 merely says that the Board “may” accept voluntary undertakings. While it is clear that the Board has the discretion to decide whether it is appropriate to accept an undertaking or not, it is necessary to have standards for acceptance or rejection of such undertakings in order to reduce possibilities of arbitrariness and misuse of the voluntary undertaking regime.
Hence, while it is important to ensure that the compliance burden on data fiduciaries is not too heavy in order to achieve effective implementation of the Bill, the current voluntary undertaking provision acts as a loophole which will allow fiduciaries to circumvent formal proceedings and exempt themselves from liability under the Bill.
The voluntary undertaking provision in the Bill should be removed. It provides too much leeway to fiduciaries to submit voluntary undertakings that will exempt them from application of key provisions of the Bill. Moreover, it fails to constrain the Board from accepting such offers.
In addition, several clauses of the Bill adequately provide for flexibility in case of non-compliance. Clause 25(2) ensures that data fiduciaries are not penalised excessively and Clause 21(11) ensures that they are not punished for non-significant non-compliance.
The benefit of a voluntary undertaking system is that data fiduciaries will aid the Board in understanding the technological difficulties and processes involved in the regulation of data protection. However, this understanding is something that can be achieved through regular and active discussions with stakeholders. This is the direction that countries like the United Kingdom are also moving towards.
*Tejaswita is a Research Analyst at the Centre for Communication Governance.