Draft Digital Personal Data Protection Bill 2022

Why in news?

The fourth draft of the Digital Personal Data Protection Bill, 2022 (DPDP Bill, 2022) - data protection law - has now been made open for public comments.

Justice Srikrishna Committee was set up by the Ministry of Electronics and Information Technology (MeitY) with the mandate of setting out a data protection law for India.

What is the history?

• Based on the recommendations of the Justice Srikrishna Committee, the Digital Personal Data Protection Bill was formulated in 2018 and 2019.
• In 2021, the Data Protection Bill, 2021 that incorporated the recommendations of the Joint Parliamentary Committee on the PDP Bill, 2019 (JPC) was introduced.
• However, citing the “extensive changes” that the JPC had made to the 2019 Bill, the government withdrew the PDP Bill.
• The current legal framework for privacy enshrined in the IT Rules, 2011 is wholly inadequate to combat various harms to data principals.
• This is especially inadequate since the right to informational privacy has been upheld as a fundamental right by the Supreme Court in the K.S. Puttaswamy vs Union of India (2017) case.

What is the scope of the present formulation of the Bill?

The users of the digital devices are called the ‘data principals’ while the companies are called the ‘data fiduciaries’.

• The DPDP Bill, 2022 applies to all processing of personal data that is carried out digitally. This would include both
  1. Personal data collected online and
  2. Personal data collected offline but is digitised for processing.
• By being inapplicable to data processed manually, this provides for a lower degree of protection as the earlier drafts only excluded data processed manually specifically by “small entities” and not generally.
• Also, the Bill covers processing of personal data which is collected by data fiduciaries within the territory of India and which is processed to offer goods and services within India.
• Thus, it excluded data processing by Indian data fiduciaries that collect and process personal data outside India, of users who are not located in India.
• This would impact statutory protections available for clients of Indian start-ups operating overseas, thereby impacting their competitiveness.
• This position further seems to be emphasised with the DPDP Bill, 2022 exempting application of most of its protections to personal data processing of non-residents of India by data fiduciaries in India.

How well does the DPDP Bill 2022 protect the data principals?

• The bulwark of most data protection legislations consists of allowing maximum control to the data principal over their personal data.
• This happens by mandating a comprehensive notice to the data principal on different aspects of data processing based on which the data principal can provide explicit consent to such processing.
• While limited circumstances for non-consent based processing of personal data exists, it still gives the data principal the right to access, correct, delete, etc their data.
• The data fiduciary is placed, inter alia, with the obligation of data minimisation, which is to collect only such personal data as is required to
  1. Fulfil the purpose of processing (collection limitation);
  2. Process it only for the purposes stated and no more (purpose limitation) and
  3. Retain it in its servers only for so long as is required to fulfil the stated purpose (storage limitation).
• The current draft removes explicit reference to certain data protection principles such as collection limitation.
• This would allow a data fiduciary to collect any personal data consented to by the data principal.
• Making collection solely contingent on consent, ignores the fact that data principals often do not have the requisite know-how of what kind of personal data is relevant for a particular purpose.
• Also it does away with the concept of “sensitive personal data”, which includes biometric data, health data, genetic data etc.
• By doing away with this distinction, the DPDP Bill, 2022 does away with these additional protections.
• Additionally, the Bill also reduces the information that a data fiduciary is required to provide to the data principal.
• The previous drafts required considerable information in terms of the rights of the users, grievance redressal mechanism, source and retention period of information collected, etc., to be provided for the user.
• But, the new draft reduces the scope of this information to the personal data sought to be collected and the purpose of processing the data.
• Moreover, the DPDP Bill, 2022 seems to suppose that a notice is only to be provided to take consent of the data principal. This is a limited understanding of the purpose of notice.
• As such, limiting notice to only consent based personal data processing would limit the scope for the exercise of these rights.
• Deemed consent - The DPDP Bill, 2022 also introduces the concept of “deemed consent”.
• In effect, it bundles purposes of processing which were
  1. Exempt from consent based processing or
  2. Considered “reasonable purposes” for which personal data processing could be undertaken under the ground of “deemed consent”.
• However, there exist some concerns around this due to the vaguely worded grounds for processing such as “public interest” and the removal of additional safeguards for protection of data principals’ interests.

What does the PDP Bill 2022 say about the post mortem privacy?

• It recognises the right to post mortem privacy which was missing from the PDP Bill, 2019 but had been recommended by the Joint Parliamentary Committee on the PDP Bill, 2019 (JPC).
• The right to post mortem privacy would allow the data principal to nominate another individual in case of death or incapacity.

Reference

1. The Hindu | A first look at the new data protection Bill
2. PRS | The Personal Data Protection Bill, 2019