
First Remarks on the Indian Digital Personal Data Protection Bill 2022

Background

In Puttaswamy v. UOI, the Supreme Court, while ruling on the validity of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, held that the right to privacy is a fundamental right guaranteed under the Indian Constitution and that this right may not be violated save with a just, fair and reasonable justification that passes the proportionality test (legitimate goal, rational connection, necessity and not disproportionate). In the same case, the Supreme Court underlined the need for a framework for the protection of personal data.

A committee of experts was established under the chairpersonship of Justice B. N. Srikrishna, which presented the first draft, titled the “Personal Data Protection Bill”, on 27 July 2018. A heavily modified version of this draft was tabled in the Lok Sabha in 2019 (“2019 Bill”)[1] and was criticized for the wide powers and exemptions afforded to the Central Government and for being too onerous on data processors. The 2019 Bill was referred to the Joint Parliamentary Committee, which released a report in December 2021 proposing more than 80 amendments to the 2019 Bill.

On 3 August 2022, the MeitY withdrew the 2019 Bill, stating that a “comprehensive legal framework” was being worked on and would be presented as a new bill.

Here are our first remarks on the 2022 Bill:

Shorter and easier to comprehend

The 2022 Bill[2] has been shortened from over 90 clauses to around 30 and is noticeably easier to comprehend than the earlier versions. The drafters have explained that the bill has been drafted in plain and simple language so that “even a person with basic understanding of law is able to understand its provisions”. Illustrations and contextual definitions have been incorporated to further clarify the provisions.

Blanket exemptions to the Central Government carried on from previous drafts

Clause 18(2) of the 2022 Bill allows the Central Government to exempt any “instrumentality of the State” from the application of the 2022 Bill in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, the maintenance of public order or the prevention of incitement to certain crimes. In doing so, it carries forward the much-criticized provision of the previous iterations of the Bill, undermining effective respect for citizens’ right to privacy. As expounded in Puttaswamy v. UOI, the inclusion of a proportionality test could help restrain ungrounded infringements of privacy and surveillance.

The Data Protection Board of India is under the control of the Central Government

Pursuant to Clause 19 of the 2022 Bill, the Central Government shall establish a Data Protection Board of India, tasked with determining non-compliance and imposing penalties. Significantly, the Board shall have no authority to decide upon issues connected to the proposed Act. Furthermore, the Board’s composition and functioning shall be under the supervision of the Central Government.

Duties and penalties applicable to data principals

Clause 16 of the 2022 Bill imposes duties on data principals, such as the duty not to register false or frivolous grievances or complaints, not to provide any false information, not to suppress any material information, not to impersonate another person and to give only verifiably authentic information. Furthermore, the schedule to the 2022 Bill prescribes a penalty of up to INR 10,000 (approximately 120 euros) for each instance of non-compliance. A provision that imposes duties and penalties on the very subjects whose rights the legislators intend to safeguard finds no precedent in data protection laws passed outside India.

Scope of deemed consent is expansive in nature

Personal data may be legitimately processed on the basis of the deemed consent of the data principal. Clause 8(7) and (8) provide that the data principal shall be deemed to have given consent to the processing of personal data “for the purposes related to employment, including prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, recruitment, termination of employment, provision of any service or benefit sought by a Data Principal who is an employee, verification of attendance and assessment of performance” and “in public interest, including for prevention and detection of fraud; mergers, acquisitions, any other similar combinations or corporate restructuring transactions in accordance with the provisions of applicable laws; network and information security; credit scoring; operation of search engines for processing of publicly available personal data; and recovery of debt”. There is a risk that this vague list of instances in which consent shall be deemed to have been given may lead to unrestrained processing without any real permission from the data principal.

Fewer disclosures to the data principals

For the processing of personal data, a data fiduciary is required to disclose its privacy policy to the data principal and obtain his or her consent to the terms of that policy. Contrary to its previous iterations, the 2022 Bill does not require data fiduciaries to inform data principals of the duration for which their personal data may be stored, whether the data will be transferred out of India, or whether the data collected will be shared with third parties. In other jurisdictions, such information is provided to data principals to enable them to give informed consent to the processing of their data.

No requirement of data localization

With regard to the transfer of personal data outside India, the 2022 Bill has done away with the obligation on data fiduciaries to maintain a mirrored copy in India, which was present in the previous iterations of the Bill. However, according to Clause 17 of the bill, a transfer outside India may be made only to countries notified by the Central Government, in accordance with such terms and conditions as may be specified from time to time. Notably, a standard for deciding which countries shall be eligible is missing, and we will have to await further information from the Central Government on whether a uniform test will be applied.

Financial Penalties

The 2022 Bill imposes heavy penalties on data fiduciaries and data processors for non-compliance, including a penalty of up to INR 250 crores (approximately 30 million euros) for each failure to take reasonable security safeguards to prevent a personal data breach, and a penalty of up to INR 200 crores (approximately 23 million euros) for each failure to notify the Data Protection Board of India and the affected data principals in the event of a personal data breach, or for the non-fulfillment of the additional obligations in relation to the processing of the personal data of children.

However, the 2022 Bill does not provide for compensation to the affected data principals in the event of a breach by the data fiduciary or processor.

Conclusion

The Central Government has been grappling with the subject of personal data protection for almost five years, and the absence of a framework has let breaches of the right to privacy, recognized as a fundamental right by the Supreme Court since 2017, go unchecked. The 2022 Bill is an opportunity to fill the void, and the government should make sure it discharges this responsibility by taking into account the needs of all stakeholders and, above all, by ensuring real protection of its citizens’ right to privacy.

Luca Antony, Eptalex Associate