State surveillance, reduced obligations, and eight other issues with the 2022 Data Protection Bill: IFF

“The DPDPB, 2022 contains around 30 clauses, shrunk considerably from previous drafts of data protection proposals which contained 90+ clauses. As per the explanatory memorandum this is to achieve simplicity in drafting, however [this] has made the present version bereft of first principles at several places,” the Internet Freedom Foundation (IFF) remarked in its first read of the draft Digital Personal Data Protection (DPDP) Bill, 2022 [Bill, summary, guide], which was released for public consultation on November 18.

“The existing legal vacuum on data protection portends an Orwellian state and is clearly an infringement of the fundamental right to privacy. The shortcomings of the DPDPB, 2022 are an opportunity for stakeholders participating in the public consultation process to push for the foundational principles that were laid down by the Supreme Court in the Right to Privacy decision in 2017.” – IFF

The IT Ministry has invited feedback from the public on the Bill by December 17, 2022. The feedback may be submitted on the MyGov website.

FREE READ of the day by MediaNama: Click here to sign-up for our free-read of the day newsletter delivered daily before 9 AM in your inbox.

What are IFF’s top concerns?

1. Enables State surveillance: The DPDP Bill, 2022, like its predecessors allows the central government to exempt any of its entities from the Bill on grounds like the security of State and public order. “This would give the notified government instrumentalities immunity from the application of the law, which could result in immense violations of citizen privacy. This is because these standards are excessively vague and broad, therefore open to misinterpretation and misuse. If the law is not applied to government instrumentalities, data collection and processing in the absence of any data protection standards could result in mass surveillance. Any exemption sought by government agencies should be granted only if they fulfil the standards of legality, necessity, and proportionality. It is essential that government collection and processing of citizen data is regulated to prevent misuse of use,” IFF noted.
2. Deemed consent grounds too wide: “Clauses 8(6), (7), & (8) state that consent of a Data Principal for data processing will be deemed in certain situations including for the maintenance of public order, purposes related to employment, and in public interest respectively. These categories allow for wide and vague interpretations of when a Data Principal has been deemed to have consented thereby allowing for excessive processing of personal data collected in the absence of specific and informed consent,” IFF stated.
3. Data Protection Board is not independent: The Bill proposes the establishment of a Data Protection Board to ensure compliance with the Act. “The strength and composition of the Board, the process of selection, the terms and conditions of appointment and service, and the removal of its Chairperson and other Members shall be such as may be prescribed by the Union Government at a later stage. Further Clause 19(3), the Chief Executive of the Board will be appointed by the Union Government. These provisions continue the disappointments of previous iterations as the Data Protection Board (DPB) still does not have the independence needed to sufficiently protect the interests of Data Principals,” IFF noted. “Since the DPB will oversee compliance to the provisions of the legislation by the private sector as well as government agencies, it is pertinent that the board be fundamentally independent from the executive’s control,” IFF added.
4. Reduced obligations under notice: When seeking consent, data fiduciaries must present a notice to users describing what data is collected and for what purposes. “Unlike previous iterations of the bill, it does not require data fiduciaries to inform principals about the third-parties with whom their data will be shared, the duration for which their data will be stored and if their data will be transferred to other countries. Thus, data fiduciaries can continue to obtain consent of principals by providing limited information and then using their personal data in a manner principals might not have anticipated,” IFF explained.
5. Users are subject to duties and penalties: “Under Clause 16, duties imposed on the Data Principal include complying with the provisions of all applicable laws, not registering a false or frivolous grievance or complaint with a Data Fiduciary or the Data Protection Board, not furnishing any false particulars or suppress any material information or impersonate another person, and furnishing only such information as is verifiably authentic. Non-compliance with this Clause carries a penalty of upto 10,000 INR which may be imposed on the Data Principal. These are worrying developments since a legislation that is supposed to protect the rights of individuals is now imposing penalties on them,” IFF remarked.
6. “As may be prescribed”: “The DPDPB, 2022 mentions the phrase ‘as may be prescribed’ 18 times. This is symbolic of the vague and unchecked powers that the Union Government has retained for itself to frame rules at a later stage in the absence of legislative guidance,” IFF noted.
7. The arbitrary power of government to exempt certain fiduciaries: IFF complained that Clause 18(3) allows the central government to exempt certain fiduciaries or classes of fiduciaries from certain provisions of the Bill on unknown grounds.
8. No clarity on which countries can data be transferred to: While the DPDP Bill removes the data localisation requirement present in the previous Bills and allows data fiduciaries to transfer personal data to such countries as the Union Government may pressure, the Bill “does not prescribe any standards/criteria based on which the Union Government should decide which countries to allow data transfers to. This enables the arbitrary exercise of power where countries may be selected or not selected based on considerations other than the protection of personal data of Indians,” IFF noted. “This is in contrast with Articles 44 to 50 of the General Data Protection Regime which permits the transfer of personal data of Europeans only to such countries which provide a minimum level of protection to such data,” IFF added.
9. No public disclosure of consultation submission: IFF also stated its concern that the government had decided not to publicly disclose the feedback it received from the public consultation. “This will weaken public trust in the development of the DPDPB, 2022 as it hampers the principles of transparency and accountability in the consultation process.”
10. A white paper would have helped: “While we appreciate that a draft bill has been put out for public consultation, we would have preferred if the Ministry had made available, through a white paper, the issues it considered while developing the “comprehensive legal framework”, of which the DPDPB, 2022 will be a crucial part,” IFF opined.

Some positive changes in the Bill

1. Data breach notification to users: “A significant issue with previous iterations of the bill was that they did not require data fiduciaries to notify data principals in the event of a breach. Thus, users whose data has been breached, would not have even known that their data has been compromised. Clause 9(3) of DPDPB, 2022 addresses this concern by mandating fiduciaries to notify the Board and Data Principals whenever there is a breach, irrespective of its nature. Clause 20(3) then empowers the Board to issue directions to Data Fiduciary to adopt urgent measures to remedy personal data breach or mitigate any harm caused to Data Principals,” IFF noted. “While this is welcome, there would be an overlap between the role of the Board and the Computer Emergency Response Team, which is supposed to respond to data breaches currently,” IFF added.
2. Processing of children’s data: “Another positive in the bill is that significant hurdles have been imposed in the processing of childrens’ personal data. Clause 10(3) prohibits them from undertaking tracking or behavioural monitoring of children or targeted advertising directed at children,” IFF observed.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Also Read

• A Complete Guide To India’s Digital Personal Data Protection Bill, 2022
• Summary: India’s Digital Personal Data Protection Bill, 2022
• Twelve Major Concerns With India’s Data Protection Bill, 2022