- The Digital Personal Data Protection Bill, 2022 once again grants the government broad power to exempt any of its agencies from compliance with provisions of the Bill
- This power has previously been criticised because it could be misused for surveillance, among other things, and it puts the interests of the state ahead of the right to privacy of individuals
- The 2022 Bill also allows the government to retain data for an unlimited period of time
The Digital Personal Data Protection (DPDP) Bill, 2022 announced on November 18 once again allows the government to exempt any of its agencies from any or all provisions of the Bill. Under Section 18(2) of the Bill, the central government can issue a notification to exempt any “instrumentality of the state” from the provisions of the Bill “in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these.”
This power is similar to the one in the 2019 version of the PDP Bill. It gives the government way more leeway than the introductory 2018 PDP Bill and removes even the few safeguards that the 2021 version introduced (a full comparison between the previous versions can be found below).
“Acknowledging national and public interest is at times greater than the interest of an individual, a clear grounds-based description of exemptions has been incorporated in the Bill.” — MeitY’s explanatory note
Additionally, Section 18(4) allows the government and its agencies to retain personal data for an unlimited period of time regardless of whether the purpose for which data was collected has been served.
The Ministry of Electronics and Information Technology (MeitY) has invited feedback from the public on the draft Bill by December 17, 2022. The feedback may be submitted on the MyGov website.
What are the other grounds for exemptions under the DPDP Bill, 2022?
Exemptions for a class of data fiduciaries (maybe smaller companies, possibly others): The central government, under Section 18(3), has the power to exempt certain data fiduciaries or a class of data fiduciaries, based on the volume and nature of personal data they process, from certain provisions of the Bill. Specifically, these fiduciaries will be exempt from:
- Section 6 (issuing notice before consent)
- Sub-sections 2 (ensuring accuracy of personal data) and 6 (deleting personal data after purpose is served) of section 9
- Section 10 (obligations when processing personal data of children)
- Section 11 (obligations of Significant Data Fiduciaries)
- Section 12 (data principal’s right to information about personal data)
Exemptions for certain use cases: Section 18(1) exempts entities from provisions of Chapter 2 (obligations of data fiduciaries) except sub-section 4 (provision related to securing data) of section 9, Chapter 3 (rights and duties of data principals), and Section 17 (transfer of personal data outside India) of this Act when:
- Law enforcement purposes: “Personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law.”
- Legal right or claim: “The processing of personal data is necessary for enforcing any legal right or claim.”
- Judicial purposes: “The processing of personal data by any court or tribunal or any other body in India is necessary for the performance of any judicial or quasi-judicial function.”
- Personal data of those outside India: “Personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India.”
Exemption for research and statistical purposes: Under Section 18(2), the central government can exempt entities from the provisions of the Act when the processing of personal data is “necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with standards specified by the [Data Protection] Board.”
Penalties for offences by the government
Unlike previous iterations of the Bill (see below), the 2022 version does not contain explicit penalties for offences committed by government entities. Thus, government agencies are subject to the same penalties as other data fiduciaries, unless these agencies are exempted by way of notification.
How the powers of the government under the Bill have evolved over the years?
What the 2018 Bill said:
- Can process personal data to carry out welfare and other functions of the State: The Bill allowed the government to process personal data without consent for “any function of Parliament or any State Legislature” and for any function authorised by the law such as to provide welfare services and benefits and for “the issuance of any certification, license or permit for any action or activity of the data principal by the State.” Sensitive personal data could also be processed without consent if it’s “strictly necessary” for the same purposes mentioned above.
- Exempted government from the Bill for security reasons only if necessary and if there is an explicit law: The Bill allowed the government and law enforcement agencies to process personal data in the interests of the security of the State only if it was “authorised pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to, such interests being achieved.” Additionally, this was allowed only if the data belongs to a person who is “a victim, witness, or any person with information about the relevant offence or contravention” and if compliance with the Bill would “be prejudicial to the prevention, detection, investigation or prosecution of any offence or other contravention of law.”
- Data is subject to purpose limitation: Personal data processed for reasons laid out above should “not be retained once the purpose of prevention, detection, investigation or prosecution of any offence or other contravention of law is complete except where such personal data is necessary for the maintenance of any record or database which constitutes a proportionate measure to prevent, detect or investigate or prosecute any offence or class of offences in future,” the 2018 Bill stated.
- Power to direct DPA on policy matters: Under clause 98, the central government had the power to issue directions to the DPA if it was necessary “in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order” and the DPA was bound by such directions if it was policy-related. While the DPA could express its concerns to the government with regard to the direction received, the central government had the final say on whether “a question is one of policy or not.”
What the 2019 Bill said:
- More power to exempt government agencies: Clause 35 of the 2019 Bill diluted the earlier provisions by giving the central government the power to issue an order, after recording reasons in writing, that grants an exemption to any agency of the government from any or all provisions of the Bill if the centre was satisfied that it is “necessary or expedient”:
- in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order; or
- for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order.
- Exempted agency subject to certain rules: The order exempting any agency will specify the “procedure, safeguards and oversight mechanism to be followed by the agency.”
- Power to direct DPA on policy matters: The 2019 Bill retained the provisions from the 2018 Bill with regard to the central government’s power to direct DPA on policy matters.
What the 2021 Bill said:
- Power to exempt government agencies based on a defined procedure: The 2021 version attempted to re-introduce some safeguards, stating that the central government will have the authority to exempt any agency of the government from the provisions of the act, subject to a “just, fair, reasonable and proportionate” procedure. The Committee made this change reasoning that it is concerned about “the possible misuse of the provisions when a situation arises whereby the privacy rights of the individual, as provided under this Act, have to be subsumed for the protection of the larger interests of the State.” The Committee also noted that it aims to “strike a balance between Article 19 of the Constitution, Puttaswamy judgment and individual rights with respect to privacy.”
- Power to direct the DPA in all matters: The 2021 Bill allows the central government to direct the DPA in all matters, regardless of whether they are policy-related, as long as the government thinks it is “necessary in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order.” The Committee argued that the DPA should be bound by the directions of the central government “under all cases and not just on questions of policy.”
- Establishing a procedure to protect data: The Committee was concerned about “the capacity of Government departments to protect the large volume of data that they collect” and noted that since the Government will be a significant data fiduciary, “it will have to establish Standard Operating Procedures in the Ministries and Departments etc. to protect the huge amount of data that is collected.” This, however, is a recommendation in the report and not the 2021 Bill itself.
What the 2022 Bill says: The government can exempt any instrumentality of the state on grounds similar to the 2019 version, except it doesn’t even have to be “necessary or expedient.” There is no explicit clause saying the government can direct the Data Protection Board on matters of policy, but effectively the government has the power to do so because it is tasked with framing rules for the Board.
How the penalty for offences by government bodies has changed over the years?
What the 2018 Bill said:
- Head of the department will be held liable: The Bill held the head of the department or authority that committed the offence liable unless the person can prove that the offence was committed “without her knowledge or that she had exercised all due diligence to prevent the commission of such offence.”
- The responsible officer will also be held liable: If it is proved that the offence has been committed with “the consent or connivance of, or is attributable to any neglect on the part of, any officer, other than the head of the department or authority, such officer shall also be deemed to be guilty of the offence and shall be liable.”
What the 2019 Bill said:
- Head of the department and any other responsible officer will be held liable: Same as 2018 version.
- CrPC applicability: The 2019 Bill added that “the provisions of the Code of Criminal Procedure, 1973 relating to public servants continued to apply.”
What the 2021 Bill said:
- Particular “government data fiduciary” to be liable: Particular “government data fiduciaries” will be held liable for offences under the provisions of the act, instead of departments or authorities or bodies of the state. This is because the government argued before the Committee that the State is a sovereign entity and should not be “directly indicated as responsible for any offence.”
- The relevant person will be held liable: The head of the concerned body must conduct an in-house enquiry, and the person deemed responsible for the offence will be punished unless they can prove they exercised all due diligence to prevent the commission of the offence. This change was made because the Committee felt that holding the head of the department responsible may “impede the decision-making process in the department” and “create multiple hurdles in the everyday functioning of the department.”
- Any other responsible officer will also be liable: As with the previous versions, any other responsible officer will also be held liable.
What the 2022 Bill says: No penalties carved out for government offences specifically. Government entities that aren’t exempt will be subject to the same penalties as other Data Fiduciaries.
Stakeholders’ views on government access to data and penalties
Misuse of power: Various stakeholders speaking at a MediaNama event expressed concerns about unhindered government access to data because it can be misused, for example, to exempt law enforcement agencies who might use data to crack down on protestors.
Adequacy with EU: The insufficient safeguards against government access to data might make it harder for India to achieve adequacy with the EU, stakeholders opined.
Enables surveillance: Despite the narrowing of the provision in the 2021 Bill, stakeholders speaking at a MediaNama event complained that the Bill enables surveillance by providing very broad standards for exempting government agencies from its purview and opined that it might get struck down in a court of law.
“So in a situation where the government thinks that, for example, for national security, it is expedient to carry out mass surveillance through facial recognition technology, it can use the Clause 35 exemption, I’m pretty sure it’s going to use the Clause 35 exemption to exempt authorities such as probably the Delhi Police or the NCRP, which is going to carry out a facial recognition surveillance.” — Anushka Jain, Associate Counsel at the Internet Freedom Foundation
Bill puts the State’s interests before citizens: “So this is a Personal Data Protection Bill that is flowing out of the right to privacy judgment, but in the long title, it says interest in the security of the state. So the data protection law is seeking to, you know, protect state security over individual privacy and state security is one of its primary objectives,” Anushka Jain said, responding to a question on whether the bill enables the use of National Intelligence Grid (NATGRID) or Pegasus spyware.
The Head of the department should not be tasked with conducting an enquiry into offences: At a MediaNama event, stakeholders criticised this clause because it allows the head of the department to conduct an inquiry into their own department’s wrongdoing. One stakeholder held that there should not be different treatment for a government fiduciary and a private fiduciary in case of an offence.
Note (21 November, 4 pm): This post was updated with more clarity on some of the newer provisions and comparisons to the 2022 Bill in the “How the powers of the government under the Bill have evolved over the years?” and “How the penalty for offences by government bodies has changed over the years?” sections.
Note (23 November 11:30 am): This post was updated with more background on the powers the government had under the 2019 Bill.
Note (24 November, 10:00 am): Clarified that any class of data fiduciaries can be exempt by the central government and that smaller data fiduciaries are just an example.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.