Concerns with India’s new Personal Data Protection Bill

In News

The Digital Personal Data Protection Bill, 2022 (DPDP Bill, 2022)  has now been made open for public comment.

About  DPDP Bill, 2022

• It applies to all processing of personal data that is carried out digitally. This would include both personal data collected online and personal data collected offline but is digitised for processing. 
• It aims to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes and for matters connected therewith or incidental thereto.

Drawbacks 

• The right to data portability: It allows the data principal to receive in a structured format all the personal data they had provided to the data fiduciary and data that the data fiduciary generated on the data principal while processing for provisioning of its services. 
  • This empowered data principals by allowing them to choose between different platforms and enhanced competition between data fiduciaries to increase consumer welfare.
    • The DPDP Bill, 2022 does not provide for this right
• The right to be forgotten: It allows the data principal to ask the data fiduciary to stop the continuing disclosure of their personal data. 
  • This has to be balanced with the right to freedom of speech and expression and the right to information for all other individuals. 
    • The DPDP Bill, 2022 subsumes this right under the right to erasure. 
• Personal data processing of children:    the DPDP Bill, 2022 carries forward the approach of its previous iterations, with regard to the personal data processing of children
  • A major issue that remains is that the age of digital consent, which is the age at which an individual can consent to their personal data being processed, continues to be 18. This means that parental/guardian consent would be required to process the personal data of children and adolescents below the age of 18 years.
    • Such restrictions are in violation of India’s obligations under the Convention on the Rights of the Child.
• Data localisation requirements:. The PDP Bill, 2019 provided for a three-tiered categorisation based on which personal data could be moved across borders. 
  • The DPDP Bill, 2022 allows for cross-border data flow to “countries and territories” notified by the Central government. 
    • However, the draft legislation fails to provide any guidance or criteria for the consideration of the Union government while making this notification. 
•  Design of the regulatory framework: In comparison to the regulatory framework conceptualised under the previous iterations of the draft law, where the proposed regulator, the Data Protection Authority, was enshrined with significant powers of regulation-making, enforcement and adjudication, the current draft considerably reduces the scope of the proposed Data Protection Board of India (DPB). 
•  State-based processing of personal data: the current Bill provides considerable exemptions to the state’s processing of personal data. 
  • an exemption from most data protection obligations is provided if the processing is undertaken “in the interests of prevention, detection, investigation of any offence or any other contravention of any law” 
  • This may be in violation of the “necessity and proportionality” test laid down by the Supreme Court in Puttaswamy vs Union of India. 
• Nature of Penalties: the quantum of penalties that can be imposed, with the cap being placed at ?500 crores, are of a much higher magnitude than provided for under the PDP Bill, 2019. 

• the DPDP Bill, 2022 does not allow them to seek compensation from data fiduciaries for the harm they have suffered due to unlawful processing. 

Suggestions and Conclusions 

• Union Minister of State for Electronics and IT has said the new draft puts India in a position where the entire digital economy can be viewed through the prism of “trust and protection”, and will help the government “move towards more data-led governance where we can create analytical models to figure out where the gaps are and then plug them”.
• The Centre should fix the gaps in the new draft quickly and ensure that citizens get a strong data protection law at the earliest. It is also critical to bring a balance between the individual, the companies which hold and process our data, and the State.
  • “People must engage with this process.