CCG comments on the DPDP Bill 2022: 5 points to note

Recommendations:

• Take a graded approach for parental consent while keeping children’s best interests in mind.
• Clarify the rationale for allowing data processing through deemed consent.
• Allow for notice to be a mandatory obligation for all data processing under deemed consent barring where it would be “absolutely impossible.”
• Any processing of personal data based on deemed consent should follow the test of necessity and proportionality.
• The entire provision on duties, i.e. Clause 16, should be deleted.
• Bring back data portability and the right against direct marketing.
• Create a Selection Committee to ensure the independence of the DPBI.

For better or worse, the public reaction to the revised Digital Personal Data Protection (DPDP) Bill 2022 has been lukewarm at best. Thankfully, entities heartily invested in ensuring people’s right to privacy continue to analyse, criticise and advise improvements to such Bills. After IFF and SFLC, MediaNama now looks at the National Law University’s Centre For Communication Governance’s (CCG) comments on and suggestions for the DPDP Bill.

A few tweaks to fix the obligations of companies

Bring back core privacy principles: Another suggestion was to incorporate other universally recognised data protection principles like the core privacy principles developed by the Organisation for Economic Co-operation and Development (OECD). This means the inclusion of purpose limitation, storage limitation, and accountability within the general obligations of all data fiduciaries.

“The addition of these principles would ensure fair and lawful data processing after consent is provided,” said the report.

CCG also suggested that the provisions for Data Fiduciaries to have appropriate technical and organisational measures be made “privacy friendly”, incorporating privacy by design and default policy requirements along with procedural guidelines.

Bring back additional details in notice: Clause 6 of the DPDP Bill significantly dilutes provisions for the Notice meant to be sent to a Data Principal. CCG recommended the notice should specify additional details for the user “based on data retention, updated notifications, [and] information regarding sharing of personal data with any third party.” They suggested that a specific notice on top of the general notice should be given to the Data Principals to ensure their ‘informed’ consent.

And speaking of consent…

Clearly define parameters for Consent: As per experts, consent under Clause 7 should be clearly defined as articulated in previous iterations of the Bill. The report said, “Reliance solely on consent to allow data processing could be insufficient due to information asymmetry in favour of the data fiduciary. “

Deemed consent should be based on specific safeguards: The provisions on grounds for deemed consent should specify how it will function in practice. For example, which obligations of the Data Fiduciary apply in deemed consent situations and how? The previous versions of the Bill had provisions that said the obligation of notice would be exempt from non-consensual data processing.

FREE READ of the day by MediaNama: Click here to sign-up for our free-read of the day newsletter delivered daily before 9 AM in your inbox.

Think of the children, not for the children

Best interests first: CCG pointed out that the principle ensuring any processing of children’s data is done in the best interests of the child has been mandated by the United Nations Convention on Child Rights. Despite India adopting this convention, the principle is missing from the Bill. As such, any decisions regarding children should be bound by it. Further, the Bill should provide for instances where data fiduciaries can allow self-verification of the child’s age for services that have no risk of harm.

Graded approach to parental consent: CCG recommended a graded approach to parental consent that is needed for a child to access internet services. Such an approach will call for parental consent depending on the potential risk associated with the services and allow children to exercise agency and autonomy while ensuring their protection.

“The objective of the law should be to balance the right of the child to access the internet with their data protection interests. So, we recommend that the mechanism for verifying parental consent should ensure that it follows the principles of collection limitation and purpose limitation,” said CCG.

Strengthen user rights

User duties dilute user rights: User duties mentioned in Clause 16 place the onus on the Data Principal to provide correct information to the Data Fiduciary. CCG suggested doing away with these duties since imposing penalties on users for not abiding by these duties “disincentivises Data Principals” from seeking redressal or invoking their rights.

Wider application of Data Principal’s rights: CCG advised the Bill should ensure that the right to erasure includes seeking discontinuation of processing of data by withdrawing consent for its collection, use or disclosure.

“This should be based on certain safeguards whereby an independent authority established under the Bill would balance the implementation of this right with the right to freedom of speech and expression and the right to information,” said CCG.

Further, it suggested that the DPDP Bill bring back data portability and the right against direct marketing to ensure a Data Principal’s autonomy over their personal data.

Ensure the independence of the DPBI

The DPDP Bill replaces the Data Protection Board of India (DPBI) with the Data Protection Authority from the older versions. However, unlike previous versions, the DPBI is no longer a regulator and has not been designed as a quasi-judicial body which could have significant implications for safeguarding user rights, said the CCG. As such, it suggested that a Selection Committee with adequate judicial representation appoint members to ensure the independence of the DPBI.

“The DPBI is envisaged to be digital by design, whereby most functions will be carried out digitally… the ‘digital by design’ framework must be optional and not mandatory, so as to account for the digital access gap,” said the report.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Also Read:

• State Surveillance, Reduced Obligations, And Eight Other Issues With The 2022 Data Protection Bill: IFF
• Graded Approach To Children’s Data, Nine Other Expectations From The DPDP Bill 2022: SFLC
• How The Data Protection Bill Restricts Children’s Access To The Internet #NAMA
• Data Protection Bill 2022 Focuses On Enabling Govt Access To Data And Surveillance, Not Citizens’ Privacy #NAMA