The Digital Personal Data Protection Bill, 2022 (“2022 Bill”) was released by the Ministry of Electronics and Information Technology on November 18, 2022, with the stated intent of being concise, comprehensible, and simplified for the citizens. For these reasons, the 2022 Bill has made significant changes to the framework of the earlier Personal Data Protection Bill, 2019 (“2019 Bill”), which was withdrawn earlier this August during the Monsoon session of the Parliament.
We have prepared this detailed tracker to record the changes made in the 2022 Bill, and compared the differences in the key provisions of the 2022 Bill and the 2019 Bill. This tracker can be a helpful reference while analysing the two Bills, or even a quick guide to the changes brought out in the 2022 Bill.
This tracker has used the 2019 Bill as reference for the changes, as this was the last version of the Data Protection Bill which was introduced before the Parliament as a comprehensive legislation. We have analysed each clause and sub-clause of the 2022 Bill and compared it to the corresponding provisions of the 2019 Bill. We have provided the full text of the provisions (highlighting the differences) as well as a brief summary of changes under the 2022 Bill. Readers may use the 2022 Bill as the base, when looking for the changes made to specific provisions of the 2019 Bill.
As the public and expert analyses and opinions on the 2022 Bill are still being developed, we invite comments on any errors or omissions of corresponding provisions which may be present in this tracker.
On 26th May 2022, the Ministry of Electronics and Information Technology (MeitY), released the Draft National Data Governance Framework Policy (NDG Policy) for feedback and public comments. CCG submitted its comments on the NDG Policy, highlighting its feedback and key concerns with the proposed Data Governance Framework. The comments were authored by Joanne D’Cunha and Bilal Mohamed, and reviewed and edited by Jhalak M. Kakkar and Shashank Mohan.
The draft National Data Governance Framework Policy is a successor to the draft ‘India Data Accessibility and Use’ Policy, which was circulated in February 2022 for public comments and feedback. Among other objectives, the NDG policy aims to “enhance access, quality, and use of data to enable a data-led governance” and “catalyze AI and Data led research and start-up ecosystem”.
CCG’s comments to the MeitY are divided into five parts –
In Part I, of the comments we foreground our concerns by emphasising the need for comprehensive data protection legislation to safeguard citizens from potential privacy risks before implementing a policy around non-personal data governance.
In Part II, we focus on the NDG Policy’s objectives, scope, and key terminologies. We highlight that the NDG Policy lacks in sufficiently defining key terms and phrases such as non personal data, anonymisation, data usage rights, Open Data Portal, Chief Data Officers (CDOs), datasets ecosystem, and ownership of data. Having clear definitions will bring in much needed clarity and help stakeholders appreciate the objectives and implications of the policy. This also improves engagement from the stakeholders including the government in the policy consultation process. This also enhances engagement from the stakeholders, including the various government departments, in the policy consultation process. We also highlight that the policy does not illustrate how it will intersect and interact with other proposed data governance frameworks such as the Data Protection Bill 2021 and the Non Personal Data Governance Framework. We express our concerns around the NDG Policy’s objective of cataloguing datasets for increased processing and sharing of data matching with the aim to deploy AI more efficiently. It relies on creating a repository of data to further analytics, and AI and data led research. However, it does not take into consideration that increasing access to data might not be as beneficial if computational powers of the relevant technologies are inadequate. Therefore, it may be more useful if greater focus is placed on developing computing abilities as opposed to increasing the quantum of data used.
In Part III, we focus on the privacy risks, highlighting concerns around the development and formulation of anonymisation standards given the threat of re-identification from the linkage of different datasets. This, we argue, can pose significant risks to individual privacy, especially in the absence of a data protection legislation that can provide safeguards and recognise individual rights over personal data. In addition to individual privacy harms, we also point to the potential for collective harms from using aggregated data. To this end, we suggest the creation of frameworks that can keep up with the increased risks of reidentification posed by new and emerging technologies.
Part IV of our comments explores the institutional framework and regulatory structure of the proposed India Data Management Office. The proposed IDMO is responsible for framing, managing, reviewing, and revising the NDG Policy. Key concerns on the IDMO’s functioning pertain to the exclusion of technical experts and representatives of civil society and industry in the IDMO. There is also ambiguity on the technical expertise required for Chief Digital Officers of the Digital Management Units of government departments and ministries, and the implementation of the redressal mechanism. In this section, we also highlight the need for a framework within the Policy to define how user charges will be determined for data access. This is particularly relevant to ensure that access to datasets is not skewed and is available to all for the public good.
You can read our full submission to the ministry here.
The right to be forgotten empowers individuals to seek de-indexing, erasure, or deletion of their personal data. The right is significant because it enables an individual to “determine the development of their life in an autonomous way, without being perpetually or periodically stigmatised because of specific actions performed in the past”. However,the right to seek the erasure of information from the public domain conflicts with the right to freedom of expression and the right to access information. Thus, even jurisdictions that statutorily recognise the right to be forgotten enforce it in limited circumstances.
In 2014, the European Court of Justice (ECJ) recognised the right in Google Spain SL and Google Inc v Mario Costeja González where the court directed Google to de-index a newspaper article because it disclosed the financial history of the petitioner. De-indexing would remove the site from the search engine’s index (in this case, Google’s) but not from the source web page. The Court noted that in general the petitioner’s (i.e., the data subject’s) rights would override Google’s (i.e., the data controller’s) legitimate interest of prominently publishing the article, however a balance had to be struck depending on the nature of the information, particularly if the information was of interest to the public. In another judgment, Google LLC v CNIL the ECJ ruled that an obligation on a search engine to de-index a webpage for users in the EU did not extend to de-indexing the page in other jurisdictions. Subsequently, Article 17 of the General Data Protection Regulation of the European Union gave statutory recognition to the ‘right to be forgotten’. This Article empowers data subjects to seek the erasure of their personal data, if, among other things,there is no overriding legitimate cause (such as public interest) in the continued processing of their data.
In India, the right is yet to gain statutory recognition. Clause 20 of Data Protection Bill 2021 (‘DPB’), which has been recently scrutinised by a Joint Parliamentary Committee, recognises the right of data principals (i.e., individuals) to prevent the ‘continuing disclosure’ of personal data, if: (i) it has served the purpose for which it was collected or is no longer necessary for the said purpose; (ii) consent for such processing is withdrawn; or (iii) if the disclosure is contrary to any law. However, the right can only be enforced by an order of an Adjudication Officer appointed under the DPB. To get a favourable order, the data principal must demonstrate to the Officer that the interest in preventing the continued disclosure of their data overrides the right to freedom of speech and expression and the right to information of other citizens and the right of the data fiduciary to retain, use and process such data in accordance with provisions of DPB.
While the DPB is yet to be enacted into law, the Privacy High Court Tracker, launched by the Centre for Communication Governance as a part of its Privacy Law Library shows that High Courts across the country have begun to determine the contours of the right to be forgotten as applicable to Indians. Most notable is the Orissa High Court’s decision in Subhranshu Rout @ Gogul v the State of Odisha. This case did not involve a pleading seeking erasure of information. Instead, the discussion on the right to be forgotten arose when a person accused of sexually harassing a woman and uploading images of her on Facebook sought bail. In its judgment rejecting the bail application, the Court noted that while the Indian criminal justice system prescribes strong penal action against the alleged actions of the bail applicant, it did not provide any mechanism to delete the objectionable material from social media permanently. The Court found that allowing such offensive material to remain on social media was an affront to the victim’s privacy rights. The Court discussed the right to be forgotten extensively but did not order the removal of the objectionable material because of a lack of enabling legislation. At the same time, the Court permitted the victim to approach the Court separately, for the erasure of the offensive posts.
The Orissa High Court in Subhranshu Rout was presented with facts that did not require balancing the victim’s rights with the public interest. Unlike the Orissa High Court, the Delhi High Court, on at least two occasions, has passed interim orders enforcing the right to be forgotten against content that may have been in the public interest. The first was the case of Zulfiqar Ahman Khan v Quintillion Business Media. In Zulfiqar, the plaintiff had sought a permanent injunction against the defendant, which had published two articles documenting sexual harassment complaints against him as a part of the #MeToo campaign. After the defendants had agreed to take down the article during the pendency of the suit (without prejudice to their rights), the plaintiffs asked for an injunction against re-publication of the article by third parties. Again, this was not an application seeking erasure of information. Instead, it was a case of plaintiff seeking enforcement of injunction against re-publication of previously injuncted content. But in paragraph 9, the Court cited the right to be forgotten of the plaintiffs as one of the reasons to prevent re-publication of the article. However, the Court did not explain why the plaintiff’s right to privacy should be protected over the right to freedom of speech of the defendants and the right to information of the public at large.
The second case was an interim order in Jorawar Singh Mundy v Union of Indiawhere the petitioner sought the removal of a reported judgment from the public domain. In the judgment, the petitioner’s acquittal was upheld by the Delhi High Court. The petitioner’s grievance was that he faced a considerable disadvantage in seeking employment because the judgement showed up whenever anyone conducted a background verification on him. The Court directed Google to de-index the judgment and directed Indian Kanoon (the website where the judgement was posted) to block the judgement from being accessed via search engines. This interim order is subject to change based on the final decision of the Court, but this case is significant because in Jorawar, unlike the cases mentioned above,the petitioner expressly sought enforcement of his right to be forgotten which was granted by the Court.
However in a similar case, the Madras High Court in Karthik Theodre v Registrar General, Madras High Court, in its final decision dated 3 August 2021, adopted a different approach. The petitioner, therein, also sought destruction or erasure or redaction of personal information from a court decision (a judgment of acquittal) that was available in the public domain. While in its interim order, the Court found that a prima facie case was made out for redacting his name, the final judgment recorded that granting such a plea would lead to ‘utter confusion’ in the absence of a proper policy. The Court also observed that it would be more appropriate to await the enactment of data protection legislation which might provide an objective criterion to be followed while dealing with pleas of redaction of names of accused persons who were acquitted from criminal proceedings.
The Supreme Court has also considered the balance between the right to privacy and freedom of speech and expression in the context of judicial orders in R. Rajagopal v State of Tamil Nadu. In that case, the Court recognised that the right to privacy is implicit under Article 21. Still, it did not extend the protection to individuals from publications based on public records, including Court records. The Apex Court also noted that the exception to this rule must be carved out in cases involving a female victim of sexual assault who ‘should not be subjected to the indignity of [being identified by] her name.’ Considering the ease with which personal data can be accessed in the digital age, the scope of the exception may be expanded to include those cases where the publication of a judgment is unjust – as in the case of Jorawar Singh Mundy,where continued publication of the petitioner’s case did not contribute to public discourse but adversely affected his life. However, as the Madras High Court correctly points out, this should not be done in an ad-hoc manner without objective criteria, ideally provided by legislation or a policy formulated by courts themselves.
Nevertheless, until such criteria are enacted in the form of data protection legislation, which may take a while, the High Courts will continue to formulate the law on the right to be forgotten. The Madras High Court may have passed the buck to the legislature, but the Delhi High Court or the Kerala High Court where another case is pending, may not do so. But consistency across courts, especially in the context of judicial orders, is necessary.
Disclaimer – The author is part of the legal team representing Indian Kanoon in a case related to the right to be forgotten which is pending before the Kerala High Court
The Supreme Court of the US (SCOTUS) has carved out the right to privacy from various provisions of the US constitution, particularly the first, fourth, fifth, ninth and fourteenth amendments to the US constitution. The Court has included the right to privacy in varying contexts through an expansive interpretation of the constitutional provisions. For instance, the Court has read privacy rights into the first amendment for protecting private possession of obscene material from State intrusion; the fourth amendment for protecting privacy of the person and possessions from unreasonable State intrusion; and the fourteenth amendment which recognises an individual’s decisions about abortion and family planning as part of their right of liberty that encompasses aspects of privacy such as dignity and autonomy under the amendment’s due process clause.
The right to privacy is not expressly provided for in the US constitution. However, the Court identified an implicit right to privacy, for the very first time, in Griswold v. Connecticut(1965) in the context of the right to use contraceptives/ marital privacy. Since then, the Court has extended the scope to include, inter alia, reasonable expectation of privacy against State intrusion in Katz v. United States (1967), abortion rights of women in Roe v. Wade (1973), and right to sexual intimacy between consenting adults of the same-sex in Lawrence v. Texas (2003).
The US privacy framework consists of several privacy laws and regulations developed at both the federal and state level. As of now, the US privacy laws are primarily sector specific, instead of a single comprehensive federal data protection law like the European Union’s General Data Protection Regulation (GDPR) and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). However, there are certain states in the US like California that have enacted comprehensive privacy laws, comparable to the GDPR and PIPEDA. The California Consumer Privacy Act (CCPA) which came into effect on January 1, 2020 aims to protect consumers’ privacy across industry. It codifies certain rights and remedies for consumers, and obligations for entities/businesses. One of its main aims is to provide consumers more control over their data by obligating businesses to ensure transparency about how they collect, use, share and sell consumer data.
India is in the midst of establishing a robust data governance framework, which will impact the rights and liabilities of all key stakeholders – the government, private entities, and citizens at large. As a parliamentary committee debates its first personal data protection legislation (‘PDPB 2019’), proposals for the regulation of non-personal data and a data empowerment and protection architecture are already underway.
As data processing capabilities continue to evolve at a feverish pace, basic data protection regulations like the PDPB 2019 might not be sufficient to address new challenges. For example, big data analytics renders traditional notions of consent meaningless as users have no knowledge of how such algorithms behave and what determinations are made about them by such technology.
Creative data governance models, which are aimed at reversing the power dynamics in the larger data economy are the need of the hour. Recognising these challenges policymakers are driving the conversation on data governance in the right direction. However, they might be missing out on crucial experiments being run in other parts of the world.
As users of digital products and services increasingly lose control over data flows, various new models of data governance are being recommended for example, data trusts, data cooperatives, and data commons. Out of these, one of the most promising new models of data governance is – data trusts.
(For the purposes of this blog post, I’ll be using the phrase data processors as an umbrella term to cover data fiduciaries/controllers and data processors in the legal sense. The word users is meant to include all data principals/subjects.)
What are data trusts?
Though there are various definitions of data trusts, one which is helpful in understanding the concept is – ‘data trusts are intermediaries that aggregate user interests and represent them more effectively vis-à-vis data processors.’
To solve the information asymmetries and power imbalances between users and data processors, data trusts will act as facilitators of data flow between the two parties, but on the terms of the users. Data trusts will act in fiduciary duty and in the best interests of its members. They will have the requisite legal and technical knowledge to act on behalf of users. Instead of users making potentially ill-informed decisions over data processing, data trusts will make such decisions on their behalf, based on pre-decided factors like a bar on third-party sharing, and in their best interests. For example, data trusts to users can be what mutual fund managers are to potential investors in capital markets.
Currently, in a typical transaction in the data economy, if users wish to use a particular digital service, neither do they have the knowledge to understand the possible privacy risks nor the negotiation powers for change. Data trusts with a fiduciary responsibility towards users, specialised knowledge, and multiple members might be successful in tilting back the power dynamics in favour of users. Data trusts might be relevant from the perspective of both the protection and controlled sharing of personal as well as non-personal data.
(MeitY’s Non-Personal Data Governance Framework introduces the concept of data trustees and data trusts in India’s larger data governance and regulatory framework. But, this applies only to the governance of ‘non-personal data’ and not personal data, as being recommended here. CCG’s comments on MeitY’s Non-Personal Data Governance Framework, can be accessed – here)
Challenges with data trusts
Though creative solutions like data trusts seem promising in theory, they must be thoroughly tested and experimented with before wide-scale implementation. Firstly, such a new form of trusts, where the subject matter of the trust is data, is not envisaged by Indian law (see section 8 of the Indian Trusts Act, 1882, which provides for only property to be the subject matter of a trust). Current and even proposed regulatory structures don’t account for the regulation of institutions like data trusts (the non-personal data governance framework proposes data trusts, but only as data sharing institutions and not as data managers or data stewards, as being suggested here). Thus, data trusts will need to be codified into Indian law to be an operative model.
Secondly, data processors might not embrace the notion of data trusts, as it may result in loss of market power. Larger tech companies, who have existing stores of data on numerous users may not be sufficiently incentivised to engage with models of data trusts. Structures will need to be built in a way that data processors are incentivised to participate in such novel data governance models.
Thirdly, the business or operational models for data trusts will need to be aligned to their members i.e. users. Data trusts will require money to operate – for profit entities may not have the best interests of users in mind. Subscription based models, whether for profit or not, might fail as users are habitual to free services. Donation based models might need to be monitored closely for added transparency and accountability.
Lastly, other issues like creation of technical specifications for data sharing and security, contours of consent, and whether data trusts will help in data sharing with the government, will need to be accounted for.
Privacy centric data governance models
At this early stage of developing data governance frameworks suited to Indian needs, policymakers are at a crucial juncture of experimenting with different models. These models must be centred around the protection and preservation of privacy rights of Indians, both from private and public entities. Privacy must also be read in its expansive definition as provided by the Supreme Court in JusticeK.S. Puttaswamy vs. Union of India. The autonomy, choice, and control over informational privacy are crucial to the Supreme Court’s interpretation of privacy.
(CCG’s privacy law database that tracks privacy jurisprudence globally and currently contains information from India and Europe, can be accessed – here)
The Personal Data Protection Bill, 2019 (PDP Bill/ Bill) was introduced in the Lok Sabha on December 11, 2019 , and was immediately referred to a joint committee of the Parliament. The joint committee published a press communique on February 4, 2020 inviting comments on the Bill from the public.
The Bill is the successor to the Draft Personal Data Protection Bill 2018 (Draft Bill 2018), recommended by a government appointed expert committee chaired by Justice B.N. Srikrishna. In August 2018, shortly after the recommendations and publication of the draft Bill, the Ministry of Electronics and Information Technology (MeitY) invited comments on the Draft Bill 2018 from the public. (Our comments are available here.)
In this post we undertake a preliminary examination of:
The scope and applicability of the PDP Bill
The application of general data protection principles
The rights afforded to data subjects
The exemptions provided to the application of the law
In future posts in the series we will examine the Bill and look at the:
The restrictions on cross border transfer of personal data
The structure and functions of the regulatory authority
The enforcement mechanism and the penalties under the PDP Bill
Scope and Applicability
The Bill identifies four different categories of data. These are personal data, sensitive personal data, critical personal data and non-personal data
Personal data is defined as “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling”. (emphasis added)
The addition of inferred data in the definition realm of personal data is an interesting reflection of the way the conversation around data protection has evolved in the past few months, and requires further analysis.
Sensitive personal data is defined as data that may reveal, be related to or constitute a number of different categories of personal data, including financial data, health data, official identifiers, sex life, sexual orientation, genetic data, transgender status, intersex status, caste or tribe, and religious and political affiliations / beliefs. In addition, under clause 15 of the Bill the Central Government can notify other categories of personal data as sensitive personal data in consultation with the Data Protection Authority and the relevant sectoral regulator.
Similar to the 2018 Bill, the current bill does not define critical personal data and clause 33 provides the Central Government the power to notify what is included under critical personal data. However, in its report accompanying the 2018 Bill, the Srikrishna committee had referred to some examples of critical personal data that relate to critical state interest like Aadhaar number, genetic data, biometric data, health data, etc.
The Bill retains the terminology introduced in the 2018 Draft Bill, referring to data controllers as ‘data fiduciaries’ and data subjects ‘data principals’. The new terminology was introduced with the purpose of reflecting the fiduciary nature of the relationship between the data controllers and subjects. However, whether the use of the specific terminology has more impact on the protection and enforcement of the rights of the data subjects still needs to be seen.
Application of PDP Bill 2019
The Bill is applicable to (i) the processing of any personal data, which has been collected, disclosed, shared or otherwise processed in India; (ii) the processing of personal data by the Indian government, any Indian company, citizen, or person/ body of persons incorporated or created under Indian law; and (iii) the processing of personal data in relation to any individuals in India, by any persons outside of India.
The scope of the 2019 Bill, is largely similar in this context to that of the 2018 Draft Bill. However, one key difference is seen in relation to anonymised data. While the 2018 Draft Bill completely exempted anonymised data from its scope, the 2019 Bill does not apply to anonymised data, except under clause 91 which gives the government powers to mandate the use and processing of non-personal data or anonymised personal data under policies to promote the digital economy. There are a few concerns that arise in context of this change in treatment of anonymised personal data. First, there are concerns on the concept of anonymisation of personal data itself. While the Bill provides that the Data Protection Authority (DPA) will specify appropriate standards of irreversibility for the process of anonymisation, it is not clear that a truly irreversible form of anonymisation is possible at all. In this case, we need more clarity on what safeguards will be applicable for the use of anonymised personal data.
Second, is the Bill’s focus on the promotion of the digital economy. We have previously discussed some of the concerns regarding focus on the promotion of digital economy in a rights based legislation inour comments to the Draft Bill 2018.
These issues continue to be of concern, and are perhaps heightened with the introduction of a specific provision on the subject in the 2019 Bill (especially without adequate clarity on what services or policy making efforts in this direction, are to be informed by the use of anonymised personal data). Many of these issues are also still under discussion by thecommittee of experts set up to deliberate on data governance framework (non-personal data). The mandate of this committee includes the study of various issues relating to non-personal data, and to make specific suggestions for consideration of the central government on regulation of non-personal data.
The formation of the non-personal data committee was in pursuance of a recommendation by the Justice Srikrishna Committee to frame a legal framework for the protection of community data, where the community is identifiable. The mandate of the expert committee will overlap with the application of clause 91(2) of the Bill.
Data Fiduciaries, Social Media Intermediaries and Consent Managers
As discussed above the Bill categorises data controllers as data fiduciaries and significant data fiduciaries. Any person that determines the purpose and means of processing of personal data, (including the State, companies, juristic entities or individuals) is considered a data fiduciary. Some data fiduciaries may be notified as ‘significant data fiduciaries’, on the basis of factors such as the volume and sensitivity of personal data processed, the risks of harm etc. Significant data fiduciaries are held to higher standards of data protection. Under clauses 27-30, significant data fiduciaries are required to carry out data protection impact assessments, maintain accurate records, audit policy and the conduct of its processing of personal data and appoint a data protection officer.
Social Media Intermediaries
The Bill introduces a distinct category of intermediaries called social media intermediaries. Under clause 26(4) a social media intermediary is ‘an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services’. Intermediaries that primarily enable commercial or business-oriented transactions, provide access to the Internet, or provide storage services are not to be considered social media intermediaries.
Social media intermediaries may be notified to be significant data fiduciaries, if they have a minimum number of users, and their actions have or are likely to have a significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India.
Under clause 28 social media intermediaries that have been notified as a significant data fiduciaries will be required to provide for voluntary verification of users to be accompanied with a demonstrable and visible mark of verification.
The Bill also introduces the idea of a ‘consent manager’ i.e. a (third party) data fiduciary which provides for management of consent through an ‘accessible, transparent and interoperable platform’. The Bill does not contain any details on how consent management will be operationalised, and only states that these details will be specified by regulations under the Bill.
Data Protection Principles and Obligations of Data Fiduciaries
Consent and grounds for processing
The Bill recognises consent as well as a number of other grounds for the processing of personal data.
Clause 11 provides that personal data shall only be processed if consent is provided by the data principal at the commencement of processing. This provision, similar to the consent provision in the 2018 Draft Bill, draws from various principles including those under the Indian Contract Act, 1872 to inform the concept of valid consent under the PDP Bill. The clause requires that the consent should be free, informed, specific, clear and capable of being withdrawn.
Moreover, explicit consent is required for the processing of sensitive personal data. The current Bill appears to be silent on issues such as incremental consent which were highlighted in our comments in the context of the Draft Bill 2018.
The Bill provides for additional grounds for processing of personal data, consisting of very broad (and much criticised) provisions for the State to collect personal data without obtaining consent. In addition, personal data may be processed without consent if required in the context of employment of an individual, as well as a number of other ‘reasonable purposes’. Some of the reasonable purposes, which were listed in the Draft Bill 2018 as well, have also been a cause for concern given that they appear to serve mostly commercial purposes, without regard for the potential impact on the privacy of the data principal.
In a notable change from the Draft Bill 2018, the PDP Bill, appears to be silent on whether these other grounds for processing will be applicable in relation to sensitive personal data (with the exception of processing in the context of employment which is explicitly barred).
The Bill also incorporates a number of traditional data protection principles in the chapter outlining the obligations of data fiduciaries. Personal data can only be processed for a specific, clear and lawful purpose. Processing must be undertaken in a fair and reasonable manner and must ensure the privacy of the data principal – a clear mandatory requirement, as opposed to a ‘duty’ owed by the data fiduciary to the data principal in the Draft Bill 2018 (this change appears to be in line with recommendations made in multiple comments to the Draft Bill 2018 by various academics, including our own).
Purpose and collection limitation principles are mandated, along with a detailed description of the kind of notice to be provided to the data principal, either at the time of collection, or as soon as possible if the data is obtained from a third party. The data fiduciary is also required to ensure that data quality is maintained.
A few changes in the application of data protection principles, as compared to the Draft Bill 2018, can be seen in the data retention and accountability provisions.
On data retention, clause 9 of the Bill provides that personal data shall not be retained beyond the period ‘necessary’ for the purpose of data processing, and must be deleted after such processing, ostensibly a higher standard as compared to ‘reasonably necessary’ in the Draft Bill 2018. Personal data may only be retained for a longer period if explicit consent of the data principal is obtained, or if retention is required to comply with law. In the face of the many difficulties in ensuring meaningful consent in today’s digital world, this may not be a win for the data principal.
Clause 10 on accountability continues to provide that the data fiduciary will be responsible for compliance in relation to any processing undertaken by the data fiduciary or on its behalf. However, the data fiduciary is no longer required to demonstrate such compliance.
Rights of Data Principals
Chapter V of the PDP Bill 2019 outlines the Rights of Data Principals, including the rights to access, confirmation, correction, erasure, data portability and the right to be forgotten.
Right to Access and Confirmation
The PDP Bill 2019 makes some amendments to the right to confirmation and access, included in clause 17 of the bill. The right has been expanded in scope by the inclusion of sub-clause (3). Clause 17(3) requires data fiduciaries to provide data principals information about the identities of any other data fiduciaries with whom their personal data has been shared, along with details about the kind of data that has been shared.
This allows the data principal to exert greater control over their personal data and its use. The rights to confirmation and access are important rights that inform and enable a data principal to exercise other rights under the data protection law. As recognized in the Srikrishna Committee Report, these are ‘gateway rights’, which must be given a broad scope.
Right to Erasure
The right to correction (Clause 18) has been expanded to include the right to erasure. This allows data principals to request erasure of personal data which is not necessary for processing. While data fiduciaries may be allowed to refuse correction or erasure, they would be required to produce a justification in writing for doing so, and if there is a continued dispute, indicate alongside the personal data that such data is disputed.
The addition of a right to erasure, is an expansion of rights from the 2018 Bill. While the right to be forgotten only restricts or discontinues disclosure of personal data, the right to erasure goes a step ahead and empowers the data principal to demand complete removal of data from the system of the data fiduciary.
Many of the concerns expressed in the context of the Draft Bill 2018, in terms of the procedural conditions for the exercise of the rights of data principals, as well as the right to data portability specifically, continue to persist in the PDP Bill 2019.
Exceptions and Exemptions
While the PDP Bill ostensibly enables individuals to exercise their right to privacy against the State and the private sector, there are several exemptions available, which raise several concerns.
The Bill grants broad exceptions to the State. In some cases, it is in the context of specific obligations such as the requirement for individuals’ consent. In other cases, State action is almost entirely exempted from obligations under the law. Some of these exemptions from data protection obligations are available to the private sector as well, on grounds like journalistic purposes, research purposes and in the interests of innovation.
The most concerning of these provisions, are the exemptions granted to intelligence and law enforcement agencies under the Bill. The Draft Bill 2018, also provided exemptions to intelligence and law enforcement agencies, so far as the privacy invasive actions of these agencies were permitted under law, and met procedural standards, as well as legal standards of necessity and proportionality. We have previously discussed some of the concerns with this approach here.
The exemptions provided to these agencies under the PDP Bill, seem to exacerbate these issues.
Under the Bill, the Central Government can exempt an agency of the government from the application of this Act by passing an order with reasons recorded in writing if it is of the opinion that the exemption is necessary or expedient in the interest of sovereignty and integrity, security of the state, friendly relations with foreign states, public order; or for preventing incitement to the commission of any cognizable offence relating to the aforementioned grounds. Not only have the grounds on which government agencies can be exempted been worded in an expansive manner, the procedure of granting these exemptions also is bereft of any safeguards.
The executive functioning in India suffers from problems of opacity and unfettered discretion at times, which requires a robust system of checks and balances to avoid abuse. The Indian Telegraph Act, 1885 (Telegraph Act) and the Information Technology Act, 2000 (IT Act) enable government surveillance of communications made over telephones and the internet. For drawing comparison here, we primarily refer to the Telegraph Act as it allows the government to intercept phone calls on similar grounds as mentioned in clause 35 of the Bill by an order in writing. However, the Telegraph Act limits the use of this power to two scenarios – occurrence of a public emergency or in the interest of public safety. The government cannot intercept communications made over telephones in the absence of these two preconditions. The Supreme Court in People’s Union for Civil Liberties v. Union of India, (1997) introduced guidelines to check abuse of surveillance powers under the Telegraph Act which were later incorporated in Rule 419A of the Indian Telegraph Rules, 1951. A prominent safeguard included in Rule 419A requires that surveillance and monitoring orders be issued only after considering ‘other reasonable means’ for acquiring the required information. The court had further limited the scope of interpretation of ‘public emergency’ and ‘public safety’ to mean “the prevalence of a sudden condition or state of affairs affecting the people at large and calling for immediate action”, and “the state or condition of freedom from danger or risk at large” respectively. In spite of the introduction of these safeguards, the procedure of intercepting telephone communications under the Telegraph Act is criticised for lack of transparency and improper implementation. For instance, a 2014 report revealed that around 7500 – 9000 phone interception orders were issued by the Central Government every month. The application of procedural safeguards, in each case would have been physically impossible given the sheer numbers. Thus, legislative and judicial oversight becomes a necessity in such cases.
The constitutionality of India’s surveillance apparatus inclduing section 69 of the IT Act which allows for surveillance on broader grounds on the basis of necessity and expediency and not ‘public emergency’ and ‘public safety’, has been challenged before the Supreme Court and is currently pending. Clause 35 of the Bill also mentions necessity and expediency as prerequisites for the government to exercise its power to grant exemption, which appear to be vague and open-ended as they are not defined. The test of necessity, implies resorting to the least intrusive method of encroachment up on privacy to achieve the legitimate state aim. This test is typically one among several factors applied in deciding on whether a particular intrusion on a right is tenable or not, under human rights law. In his concurring opinion in Puttaswamy (I) J. Kaul had included ‘necessity’ in the proportionality test. (However, this test is not otherwise well developed in Indian jurisprudence). Expediency, on the other hand, is not a specific legal basis used for determining the validity of an intrusion on human rights. It has also not been referred to in Puttaswamy (I) as a basis of assessing a privacy violation. The use of the term ‘expediency’ in the Bill is deeply worrying as it seems to bring down the threshold for allowing surveillance which is a regressive step in the context of cases like PUCL and Puttaswamy (I). A valid law along with the principles of proportionality and necessity are essential to put in place an effective system of checks and balances on the powers of the executive to provide exemptions. It seems unlikely that the clause will pass the test of proportionality (sanction of law, legitimate aim, proportionate to the need of interference, and procedural guarantees against abuse) as laid down by the Supreme Court in Puttaswamy (I).
The Srikrishna Committee report had recommended that surveillance should not only be conducted under law (and not executive order), but also be subject to oversight, and transparency requirements. The Committee had argued that the tests of lawfulness, necessity and proportionality provided for under clauses 42 and 43 (of the Draft Bill 2018) were sufficient to meet the standards set out under the Puttaswamy judgment. Since the PDP Bill completely does away with all these safeguards and leaves the decision to executive discretion, the law is unconstitutional. After the Bill was introduced in the Lok Sabha, J. Srikrishna had criticised it for granting expansive exemptions in the absence of judicial oversight. He warned that the consequences could be disastrous from the point of view of safeguarding the right to privacy and could turn the country into an “Orwellian State”. He has also opined on the need for a separate legislation to govern the terms under which the government can resort to surveillance.
Clause 36 of the Bill deals with exemption of some provisions for certain processing of personal data. It combines four different clauses on exemption which were listed in the Draft Bill 2018 (clauses 43, 44, 46 and 47). These include processing of personal data in the interests of prevention, detection, investigation and prosecution of contraventions of law; for the purpose of legal proceedings; personal or domestic purposes; and journalistic purposes. The Draft Bill 2018 had detailed provisions on the need for a law passed by Parliament or the State Legislature which is necessary and proportionate, for processing of personal data in the interests of prevention, detection, investigation and prosecution of contraventions of law. Clause 36 of the Bill does not enumerate the need for a law to process personal data under these exemptions. We hadargued that these exemptions granted by the Draft Bill 2018 (clauses 43, 44, 46 and 47) were wide, vague and needed clarifications, but the exemptions under clause 36 of the Bill are even more ambiguous as they merely enlist the exemptions without any specificities or procedural safeguards in place.
In the Draft Bill 2018, the Authority could not give exemption from the obligation of fair and reasonable processing, measures of security safeguards and data protection impact assessment for research, archiving or statistical purposes As per the current Bill, the Authority can provide exemption from any of the provisions of the Act for research, archiving or statistical purposes.
The last addition to this chapter of exemptions is that of creating a sandbox for encouraging innovation. This newly added clause 40 is aimed at encouraging innovation in artificial intelligence, machine-learning or any other emerging technology in public interest. The details of what the sandbox entails other than exemption from some of the obligations of Chapter II might need further clarity. Additionally, to be considered an eligible applicant, a data fiduciary has to necessarily obtain certification of its privacy by design policy from the DPA, as mentioned in clause 40(4) read with clause 22.
Though well appreciated for its intent, this provision requires clarification on grounds of selection and details of what the sandbox might entail.
 At the time of introduction of the PDP Bill 2019, the Minister for Law and Justice of India, Mr. Ravi Shankar Prasad suggested that over 2000 inputs were received on the Draft Bill 2018, based on which changes have been made in the PDP Bill 2019. However, these comments and inputs have not been published by MeitY, and only a handful of comments have been published, by the stakeholders submitting these comments themselves.
Huawei finds support from Indian telcos in the 5G rollout as PayPal withdrew from Facebook’s Libra cryptocurrency project; Foreign Portfolio Investors moved MeitY against in the Data Protection Bill; the CJEU rules against Facebook in case relating to takedown of content globally; and Karnataka joins list of states considering implementing NRC to remove illegal immigrants – presenting this week’s most important developments in law, tech and national security.
[Sep 30] Why the imminent global economic slowdown is a growth opportunity for Indian IT services firms, Tech Circle report.
[Sep 30] Norms tightened for IT items procurement for schools, The Hindu report.
[Oct 1] Govt runs full throttle towards AI, but tech giants want to upskill bureaucrats first, Analytics India Magazine report.
[Oct 3] – presenting this week’s most important developments in law, tech and national security. MeitY launches smart-board for effective monitoring of the key programmes, The Economic Times report.
[Oct 3] “Use human not artificial intelligence…” to keep a tab on illegal constructions: Court to Mumbai civic body, NDTV report.
[Oct 3] India took 3 big productivity leaps: Nilekani, Livemint report.
[Oct 4] MeitY to push for more sops to lure electronic makers, The Economic Times report; Inc42 report.
[Oct 4] Core philosophy of Digital India embedded in Gandhian values: Ravi Shankar Prasad, Financial Express report.
[Oct 4] How can India leverage its data footprint? Experts weigh in at the India Economic Summit, Quartz report.
[Oct 4] Indians think jobs would be easy to find despite automation: WEF, Tech Circle report.
[Oct 4] Telangana govt adopts new framework to use drones for last-mile delivery, The Economic Times report.
[Oct 5] Want to see ‘Assembled in India’ on an iPhone: Ravi Shankar Prasad, The Economic Times report.
[Oct 6] Home market gets attractive for India’s IT giants, The Economic Times report.
[Oct 2] India
Govt requests maximum social media content takedowns in the world, Inc42 report;
Tech Circle report.
Facebook can be forced to delete defamatory content worldwide, top EU court
rules, Politico EU report.
[Oct 4] EU
ruling may spell trouble for Facebook in India, The Economic Times report.
[Oct 4] TikTok,
TikTok… the clock is ticking on the question whether ByteDance pays its content
creators, ET Tech report.
[Oct 6] Why
data localization triggers a heated debate, The Economic Times report.
Sensitive Indian govt data must be stored locally, Outlook report.
Protection and Privacy
[Sep 30] FPIs
move MeitY against data bill, seek exemption, ET markets report,
Financial Express report.
[Oct 1] United
States: CCPA exception approved by California legislature, Mondaq.com report.
[Oct 1] Privacy
is gone, what we need is regulation, says Infosys Kris Gopalakrishnana, News18 report.
Europe’s top court says active consent is needed for tracking cookies, Tech
[Oct 3] Turkey
fines Facebook $282,000 over data privacy breach, Deccan Herald report.
Singapore’s ‘fake news’ law to come into force Wednesday, but rights group
worry it could stifle free speech, The Japan Times report.
Minister says Singapore’s fake news law is about ‘enabling’ free speech, CNBC report.
[Oct 3] Hong
Kong protests: Authorities to announce face mask ban, BBC News report.
[Oct 3] ECHR:
Holocaust denial is not protected free speech, ASIL brief.
[Oct 4] FIR
against Mani Ratnam, Adoor and 47 others who wrote to Modi on communal
violence, The News Minute report;
Times Now report.
[Oct 5] UN asks
Malaysia to repeal laws curbing freedom of speech, The New Indian Express report.
[Oct 6] When
will our varsities get freedom of expression: PC, Deccan Herald report.
[Oct 6] UK
Government to make university students sign contracts limiting speech and
behavior, The Times report.
[Oct 7] FIR on
Adoor and others condemned, The Telegraph report.
[Sep 30] Plea
in SC seeking linking of social media accounts with Aadhaar to check fake news,
The Economic Times report.
[Oct 1] Why
another omnibus national ID card?, The Hindu Business Line report.
[Oct 2] ‘Kenyan
court process better than SC’s approach to Aadhaar challenge’: V Anand, who
testified against biometric project, LiveLaw report.
[Oct 3] Why
Aadhaar is a stumbling block in Modi govt’s flagship maternity scheme, The
Parliament panel to review Aadhaar authority functioning, data security, NDTV report.
This week, Delhi International Airport deployed facial recognition on a ‘trial basis’ for 3 months, landline communications were restored in Kashmir as the Government mulls over certification for online video streaming platforms like Netflix and PrimeVideo – presenting this week’s most important developments in law, tech and national security.
[Sep 3] PAN will be issued
automatically using Aadhaar for filing returns: CBDT, DD News report.
[Sep 3] BJD set to collect Aadhaar
numbers of its members in Odisha, Opposition parties slam move, News 18 report; The New Indian Express report; Financial Express report.
[Sep 5] Aadhaar is secure, says
ex-UIDAI chief, Times of India report.
[Sep 5] Passport-like Aadhaar centre
opened in Chennai: Online appointment booking starts, Livemint report.
[Sep 8] Plans to link Janani Suraksha
and Matra Vandan schemes with Aadhaar: CM Yogi Adityanath, Times of India report.
[Sep 5] Digital media bodies welcome
26% FDI cap, Times of India report.
[Sep 6] Automation ‘not threat’
to India’s IT industry, ET Tech report.
[Sep 6] Tech Mahindra to modernise
AT&T network systems, Tech Circle report.
Data Protection and Governance
[Sep 2] Health data comes under the
purview of Data Protection Bill: IAMAI, Inc42 report.
[Sep 2] Credit history should not be
viewed as sensitive data, say online lenders, Livemint report.
[Sep 3] MeitY may come up with policy
on regulation of non-personal data, Medianama report.
[Sep 3] MeitY to work on a white paper
to gain clarity on public data regulations, Inc42 report.
[Sep 6] Treating data as commons is
more beneficial, says UN report, Medianama report.
[Sep 9] Indian Government may allow
companies to sell non-personal data of its users, Inc42 report, The Economic Times report.
[Sep 9] Tech firms may be compelled to
share public data of its users, ET Tech report.
Data Privacy and Breaches
[Sep 2] Chinese face-swap app Zao faces
backlash over user data protection, KrAsia report; Medianama report.
[Sep 2] Study finds Big Data eliminates
confidentiality in court judgments, Swiss Info report.
[Sep 4] YouTube will pay $170 million
to settle claims it violated child privacy laws, CNBC report; FTC Press Release.
[Sep 4] Facebook will now let people
opt-out of its face recognition feature, Medianama report.
[Sep 4] Mental health websites in
Europe found sharing user data for ads, Tech Crunch report.
[Sep 5] A huge database of Facebook
users’ phone numbers found online, Tech Crunch report.
[Sep 5] Twitter has temporarily
disabled tweet to SMS feature, Medianama report.
[Sep 6] Fake apps a trap to track your
device and crucial data, ET Tech report.
[Sep 6] 419 million Facebook users
phone numbers leaked online, ET Tech report; Medianama report.
[Sep 9] Community social media
platform, LocalCircles, highlights data misuse worries, The Economic Times report.
[Sep 7] Freedom of expression is not
absolute: PCI Chairman, The Hindu report.
[Sep 7] Chennai: Another IAS officer
resign over ‘freedom of expression’, Deccan Chronicle report.
[Sep 8] Justice Deepak Gupta: Law on
sedition needs to be toned down if not abolished, The Wire report.
Online Content Regulation
[Sep 3] Government plans certification
for Netflix, Amazon Prime, Other OTT Platforms, Inc42 report.
[Sep 4] Why Justice for Rights went to
court, asking for online content to be regulated, Medianama report.
[Sep 4] Youtube claims new hate speech
policy working, removals up 5x, Medianama report.
[Sep 6] MeitY may relax norms on
content monitoring for social media firms, ET Tech report; Inc42 report; Entrackr report.
[Sep 4] Offline retailers accuse Amazon
and Flipkart of deep discounting, predatory pricing and undercutting, Medianama
report; Entrackr report.
[Sep 6] Companies rely on digital
certification startups to foolproof customer identity, ET Tech report.
Digital Payments and FinTech
[Sep 3] A sweeping reset is in the
works to bring India in line with fintech’s rise, The Economic Times report.
[Sep 3] Insurance and lending companies
in agro sector should use drones to reduce credit an insurance risks: DEA’s
report on fintech, Medianama report.
MeitY sought views on ‘non-personal data’; India and France announce joint research consortium on AI and digital partnership after NSA-level talks; Section 144 CrPC imposed in areas of Assam anticipating unrest after the publication of the NRC list as the MHA holds a high-level security meet on Kashmir; and the tussle between MeitY and the Niti Aayog for control over the Rs. 7000 cr AI project continues – presenting this week’s most important developments at the intersection of law and tech.
[Aug 27] Aadhaar integration can weed
out fake voters: UIDAI’s Ajay Bhushan Pandey, Business Standard report.
[Aug 27] Government to intensify
Aadhaar enrolment in J&K after Oct 31: Report, Medianama report; Times Now report; The Quint report
[Aug 27] Interview: Why I filed a case
to link Aadhaar and Social Media Accounts, The Quint report.
[Aug 27] Aadhaar database cannot be
hacked even after a billion attempts: Ravi shankar Prasad, Money Control report.
[Aug 27] Most dangerous situation:
Justice Srikrishna on EC-Aadhaar linking, The Quint report.
[Aug 28] Aadhaar ads to women’s
problems in India. Here’s why. The Wire report.
[Aug 28] What Centre will tell Supreme
Court on Aadhaar and social media account linkage, The Hindustan Time report.
[Aug 28] All residents of an MP village
have the same date of birth on their Aadhaar, Business Standard report.
[Aug 29] Blood banks advised to ask for
donors’ Aadhaar cards, Times of India report.
[Aug 29] Aadhaar continues to evolve
and grow as India issues biometric seafarers’ ID, Biometric Update report.
[Aug 31] Aadhaar mandatory for farmers
to avail crop loan in Odisha, Odisha Sun Times report.
[Sep 1] NRIs to get Aadhaar sans
180-day wait in 3 months, The Hindu report.
[Sep 1] Aadhaar-liquor link to check
bottle littering? Deccan Herald report.
[Sep 1] Linking Aadhaar with social
media can lead to insidious profiling of people, says Apar Gupta, Times of
[Aug 27] NASSCOM-DSCI on National
Health Stack: separate regulatory body for health, siloed registries, usage of
single ID, Medianama report.
[Aug 27] Govt looks to develop
electronics component manufacturing base in India: MeitY Secretary, YourStory report; Money Control report.
[Aug 30] India is encouraging foreign
firms to shift biz from China: report, Medianama report; Reuters report.
[Aug 30] Wipro, Google to speed up
digital shift of enterprises, ET Telecom report.
[Aug 30] Government committed to reach
public via technology, Times of India report.
The ECI sought a legal mandate to link Aadhaar with Voter IDs; Facebook approached the Supreme Court over PILs demanding Aadhaar linkage with social media accounts; MEITY invited ‘select stakeholders’ for private consultations over the data protection bill; and a new panel to review defence procurement practices in India was constituted by the Defense Minister Rajnath Singh, who also hinted at dropping India’s no first use policy – presenting this week’s most important developments in law and tech.
[Aug 19] EC seeks statutory baking to collect voters’ Aadhaar
numbers, The Times of India report.
[Aug 19] Facebook approaches SC over Aadhaar linkage pleas, The
Deccan Herald report; Firstpost report.
[Aug 20] Aadhaar to ensure farmers, not middlemen, get benefits,
The Economic Times report.
[Aug 21] SC cautions govt on linking Aadhaar with social media, ET
[Aug 21] Election Commission writes to law ministry, seeks legal
powers to collect Aadhaar numbers for cleaning up voters’ list, Firstpost report.
[Aug 22] Aadhaar may be used to verify SECC beneficiaries, The
Economic Times report.
[Aug 23] Centre to put QR code on fishermen’s Aadhaar cards to
secure sea route: Amit Shah, The Times of India report.
[Aug 24] Aadhaar-social media linking: 10 things to know about the
ongoing issue, India Today report.
[Aug 24] Govt to allow Aadhaar-based KYC for domestic retail
investors; amendments to PMLA to be issues, Firstpost report.
[Aug 25] Linking Aadhaar with electoral rolls will create Delhi,
Mumbai Analyticas: Justice Srikrishna, The Week report.
[Aug 19] Indian companies at a disadvantage in tenders, says
Commerce ministry, Money Control report; The Times of India report.
[Aug 21] India’s IT Industry turns to flexi staffing to keep its
bench from idling, ET Tech report.
[Aug 22] Indian IT Firms step up patent filings as they look to
monetize their IP, ET Tech report.
[Aug 26] Time to revisit FTAs to fire up electronics: Ravi Shankar
Prasad, ET Rise report.
[Aug 21] Government hopes for an Ecommerce GeM, ET Tech report.
[Aug 23] Technology reforming India’s retail businesses, ET Tech report.
[Aug 22] RBI to allow e-mandates on card payments from September
1, Medianama report.
[Aug 22] Digital payment execs met Finance Ministry officials to
discuss demerits of removing MDR: report, Medianama report.
[Aug 18] US lawmakers to visit Switzerland to discuss Facebook’s
Libra, Cointelegraph report.