The 2019 Personal Data Protection Bill was shaped by a decade of work. Having withdrawn that Bill amidst a welter of concerns raised, the IT Minister had the unenviable task of going back to the drawing board. Does the recently unveiled 2022 Digital Personal Data Protection Bill do a better job of balancing competing priorities?
The Prime Minister wisely sought a fresh, simple and easily comprehensible Bill. The earlier JPC-version was unwieldy, cumbersome and strayed into adjacent areas. The new, concise Bill achieves the simplicity mandate by omitting areas such as non-personal and physical data. It sensibly steers clear of a detailed categorisation of personal data or types of harm and does not explicitly list social media as a separate category. Instead, it relies on a simple, straightforward definition of personal data with a crisper explanation of harm.
Technical and organisational measures/security safeguards, provisions for hardware certification, regulatory sandbox and fairness of algorithms have rightly been discarded. A calibrated, practical approach of allowing data to be moved to a yet-to-be-named whitelist of countries has replaced ‘hard data localisation’. This gives the government valuable negotiating space in bilateral dealings. However, additional, more rigorous sectoral stipulations — for example, the RBI mandating payments data localisation — remain permissible.
But has the new Bill skimped too much on detail? The phrase “as may be prescribed” occurs at 18 places covering Data Protection Board (DPB), form and manner of personal data breach notifications, registration and functions of consent manager, parental consent for processing of personal data of children, additional obligations for Significant Data Fiduciaries, etc.
The lack of elaboration of the role and composition of the DPB, and the terms and qualifications of the chairman and members has raised questions regarding the scope, independence and autonomy of the Board especially since the power of appointment vests with the government.
Does this approach leave too much latitude to government in rule-making and constitute an unsustainable delegation of legislative powers to the executive? Can unpredictable erosion of data privacy or needlessly stringent restrictions ensue later with attendant uncertainty for users, businesses, investors and innovators? More legislative guidance for rule-making is needed in the Act itself.
The 2022 Bill does not explicitly limit data collection or purpose. But the Explanatory Note indicates an intention to largely retain the earlier rigour. The caveat that the Note is not a part of the Bill makes it unclear what weight can be attached to it in inferring intent. Hence the uncertainty about what might follow by way of rules. The advocates of less onerous restrictions can derive comfort from the Bill, while the champions of privacy can draw comfort from the elaboration in the Explanatory Note. That battle could shift to the rule-making stage.
Excessive reliance on user consent is out of sync with reality and puts a disproportionate burden on the user to protect her data. Under this Bill, consent cannot override data protection stipulations. Consent can be given directly or through consent aggregators accountable to Data Principals, increasing accountability. However, providing a user the choice of any language for consent is onerous. Any language supported by the platform is more apt.
Data fiduciaries need some flexibility in defining business purpose when obtaining consent. Significantly, the term “business purpose” is used but not defined in the 2022 Bill. This approach affords requisite latitude to digital platforms without compromising data protection only if some restrictions are imposed on transfer of data without consent. The deemed consent provision affords desirable latitude to service providers, going beyond the more limited right to process data without consent in the 2019 Bill. However, the lack of transparency regarding usage and the absence of a withdrawal provision are a concern.
Data of minors
Minors being defined as individuals below 18 years of age for all online activity is not appropriate. It is unclear whether the prescribed obligations for handling data of minors apply only when they disclose that they are children. Thankfully, the Bill does not require data fiduciaries to undertake KYC to determine if a user is a child — that would have compromised rather than protected her data.
Obtaining verifiable parental consent prior to processing children’s personal data could pose challenges and undermine the privacy of both, while ignoring the fact that many parents may need guidance from children on according consent. Age-grading content/apps is more in tune with today’s reality.
Balancing the concerns of the government security establishment and those of zealous guardians of privacy is never easy. Numerous concerns expressed regarding wide-ranging and almost unlimited powers assigned to the government in the 2019 Bill have not resulted in any roll-back. If anything, the new draft is even more expansive in this regard.
It empowers the Central Government to exempt any instrumentality of the State from compliance. Ideally this ought to have been context-specific rather than institution-linked and been subject to the Supreme Court prescribed safeguards of necessity, proportionality, and legality. Further, the State and its instrumentalities have been exempted from the requirement of erasing data after processing and when the purpose has been fulfilled.
The new Bill is a commendable attempt to simplify the law. By titling it the ‘Digital Data Protection Law’ and by conspicuously avoiding use of the word ‘privacy’, it conveys that this is merely a law governing how intermediaries deal with digital personal data. Privacy continues to rest on the Supreme Court’s ruling that it is a Fundamental Right. The broad exemptions given to the government may well conflict with that ruling, at least in part.
In its quest for simplicity, the Bill may have left too much room for speculation on the ultimate shape and form of the regulatory structure. Having to wait for the rules to figure this out may not be desirable. Instead, a few further elaborations of certain key provisions in the law itself would help.
The writer is the Chairman of the Centre for The Digital Future and a former IT and Telecom Secretary