India on November 18 released the Digital Personal Data Protection Bill, 2022 [PDF, summary, guide], the fourth iteration of its draft data protection law. The simplified 24-page Bill has already received a barrage of criticism for removing or diluting many of the previously proposed provisions that provided better safeguards to privacy and introducing new ones that will do more harm.
The DPDPB has shrunk previous drafts of data protection proposals from 90+ to 30 clauses. As per the explanatory memorandum this is to achieve simplicity in drafting, however has made the present version bereft of first principles at several places (eg. Clause 17). 2/n
— Internet Freedom Foundation (IFF) (@internetfreedom) November 18, 2022
While claiming to be shorter and using simpler language than the previous draft bill, it actually deletes entire data protection rights that the earlier draft proposed. It uses weaker, pro-corporate language around consent. And even wider carve-outs for govt agencies, LEAs.
— Raman Chima (@tame_wildcard) November 18, 2022
What are the key issues with the Bill?
1. The “as may be prescribed” Bill: Many provisions in the Bill contain the phrase “as may be prescribed” or its equivalent. Privacy activists have criticised this because it essentially gives the central government the power to issue Rules and directions later on to flesh out these provisions. “For the 30 clauses, we have noticed the phrase, ‘as may be prescribed’ mentioned 18 times, often without any legislative guidance. This creates vague, unguided power for the Union Government to frame rules,” the Internet Freedom Foundation (IFF) noted.
The Bill should be called the “As May Be Prescribed By Govt Bill”. We have seen what the Executive in India does through Rules, and this cleverly gives all powers to be legislated through subordinate legislation, not the actual act. #DataProtectionBill
— Mishi Choudhary (@MishiChoudhary) November 18, 2022
2. Issues around deemed consent: The Bill introduces “deemed consent” as a ground for processing personal data in addition to explicit consent. Deemed consent has been criticised because the criteria for what constitutes deemed consent are broad and vague, allowing the processing of personal data without consent for a variety of reasons.
Clauses 8(6), (7), & (8) state that consent of a Data Principal will be “deemed” in certain situations including for the maintenance of public order, purposes related to employment & in public interest, opening the door to wide & vague interpretation. 6/n
— Internet Freedom Foundation (IFF) (@internetfreedom) November 18, 2022
5) One ground confuses implied consent with reasonable expectations instead of requiring implied voluntariness.
6) Various reasonable purposes required to be prescribed with safeguards now directly made into grounds. Most significantly: publicly available data.
— Lalit Panda (@somesortofpanda) November 18, 2022
Clarifying no.5:
The sub-clause talks of voluntary provision and attached legality to reasonable expectations of provision. It should refer to implied consent for *purpose of usage*. The illustration does not change the effect of the provision’s language.
— Lalit Panda (@somesortofpanda) November 18, 2022
Deemed Consent in the new data protection bill is exactly like voluntary Aadhaar, except it becomes mandatory
— Srinivas Kodali (@digitaldutta) November 18, 2022
3. A weak Data Protection Board: The 2022 Bill replaces the Data Protection Authority with a body called the Data Protection Board of India, whose members will be appointed by the central government. The rules the Board and its members must follow will largely be dictated by the central government, raising questions about its independence and effectiveness.
“There is a considerable dilution of the regulatory body, now a proposed Data Protection Board. It lacks autonomy and independence, and will be created and appointed on conditions, ‘as may be prescribed’. Can such a board reasonably enforce compliance from public authorities?” – IFF
Imagine an "independent regulator" whose governing body's composition is completely decided by the Govt. Appointments of the chair & members solely by the Govt. The Govt can even directly appoint the DPB's chief exec, managing day-to-day affairs. + change service rules anytime
— Raman Chima (@tame_wildcard) November 18, 2022
“… I fear it may just become another body where the government obliges its cronies with post-retirement appointments and posts”: @salmanwaris on the data protection board
— Deepsekhar Choudhury (@deepsekharc) November 18, 2022
4. Government and law enforcement can exempt themselves even more easily than before:
- Like previous versions, the 2022 Bill also allows the government to exempt any of its entities from certain or all provisions of the Bill on grounds such as national security, public order, etc.
- The Bill also does away with the 2021 provision which required the government to follow a “just, fair, reasonable and proportionate” procedure before granting an exemption, and the 2018 provision which required any exemption to be “authorised by law.”
- Additionally, the government is allowed to retain personal data for an unlimited amount of time.
- Furthermore, there is an automatic exemption for processing of personal data for the prevention, investigation, etc, of crime, without the need for the government to issue any notification.
“The bill does not consider the harm that could be caused to a data principal by surveillance.” — Prasanth Sugathan, Legal Director, SFLC.IN
"End result is that govt agencies could collect personal information without being subject to standard privacy obligations like obtaining an individual’s consent, or providing individuals with rights to access, correct, or delete their data, among others," Singh of @ikigailaw
— Deepsekhar Choudhury (@deepsekharc) November 18, 2022
5. Companies don’t have to inform users much about what they do with personal data:
- The notice to be shown to users is only required to state what personal data will be collected and for what purpose, unlike previous Bills, which required companies to state how long they will store the data and whether they will share it with third parties.
- Additionally, notice is only required to be shown to users when obtaining consent, not deemed consent.
- Fiduciaries are also not required to publish privacy policies on their site as required by previous Bills.
6. Why are there penalties on users: The 2022 Bill allows the Data Protection Board to levy a penalty of up to ₹10,000 if a user fails to perform their duties as listed in the Bill. “It defies reason how penalties are now being placed on users […] This is disturbingly similar to the penalties proposed under the Telecom Bill for supplying incorrect information by subscribers,” IFF noted.
7. Which countries can personal data be transferred to: The Bill does away with the restrictions on the transfer of sensitive and critical personal data, and even with those categorisations. Instead, all personal data can be transferred outside India to countries or territories approved by the government. But which countries will be approved, and on what basis, remains unclear.
8. Government can exempt a class of fiduciaries, but which: One of the provisions allows the government to notify a class of data fiduciaries, based on the volume and nature of personal data they process, that will be exempted from certain provisions of the Bill. While this appears to be a provision that could be used to classify small data fiduciaries and exempt them from onerous obligations, there is nothing in the Bill to ensure that. “Clause 18(3) creates arbitrary power for Government to exempt data fiduciaries (not only small entities). How? Who? Why? Silence,” IFF tweeted.
9. No safeguards for sensitive and critical personal data: The earlier Bill had sensitive and critical personal data as subsets of personal data that were subject to more safeguards. This Bill does away with such classifications. “This could be a problem as the harm that could be posed by breach of sensitive personal data is much higher,” Prasanth Sugathan, Legal Director, SFLC.IN remarked.
10. Core principles listed in the explanatory note have not been reflected in the actual Bill: The explanatory note released by the IT Ministry claims that the DPDP Bill, 2022 is based on principles of purpose limitation, data minimisation, storage limitation, etc; but these principles are not really reflected in the actual Bill. “The explanatory note gives a detailed list of principles that the bill has tried to incorporate. However, this is not legally binding,” Sugathan points out.
Flagging concerns in the new Data Protection Bill here:
1) It further removes explicit mention of purpose specification and limitation. These are core obligations. Worth repeating that *grounds* of processing are not the same as *purposes*!
2) Safeguards for sensitive PD removed!
— Lalit Panda (@somesortofpanda) November 18, 2022
11. Violations of “voluntary undertakings” merely attract fines: The Bill allows the Data Protection Board to accept voluntary undertakings from entities that are being investigated for misconduct. However, a violation of such an undertaking merely attracts a fine, which critics have called pointless.
[For context, the US's Federal Trade Commission regularly uses consent decrees to push oversight & long term accountability on firms, incl tech cos. But the FTC can go ahead and seek wide remedies and enforcement actions if such consent decrees are breached. Not just fines.]
— Raman Chima (@tame_wildcard) November 18, 2022
12. Age of consent still at 18: When processing personal data of users under the age of 18, data fiduciaries are required to obtain “verifiable” consent from the parents. The 18-year-old threshold has been criticised for being too high, and not in line with international standards. Numerous stakeholders have raised concerns about how this threshold can be detrimental to children, rather than protecting them. You can read more about these concerns here, here, here, and here.
Note (1 December, 2:25 PM): Updated to correct that Rules may be framed only by the Centre, not the Board.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.