Key recommendations:
- Include scope of complaint to ensure feasibility of grievance in the redressal mechanism
- Include a compensation mechanism for aggrieved data users
- Bring definitions and safeguards for sensitive personal data back in the Bill
“If you were considering what are our priorities, keep in mind [regarding the framing of the Digital Personal Data Protection Bill, 2022 – DPDP Bill] that when you lose your basic principles, you will end up in a surveillance state. It can’t be from the other way, you have to start from the basics,” said Lalit Panda, Resident Fellow at Vidhi for Legal Policy.
Speaking at MediaNama’s ‘Reworking the Data Protection Bill’ event, Panda and fellow discussant Sreenidhi Srinivasan, lawyer at Ikigai Law, talked about the lack of purpose and collection limitation, storage limitation, transparency and the possible consequences of the revised provisions on consent. Many stakeholders joined the open house discussion to talk about the obligations of companies in light of consent managers and implied consent.
The Ministry of Electronics and Information Technology (MeitY) is seeking chapter-wise public feedback on the draft law until December 17th, 2022. The submissions will be held in a “fiduciary capacity” and will not be publicly disclosed.
DPDP Bill dilutes Notice provisions
Notice does not ensure Right to Information: While discussing the provisions on Notice and the Rights of Individuals, Panda pointed out that notice should not be confused with the right to information. While the Data Fiduciary proactively gives a Notice when collecting data, the Data Principal has to go out of their way to exercise their right to information after learning that an entity might have their data. Further, the Data Principal will also have to go through a procedure to get information using this right.
In previous versions, provisions about transparency required proactive disclosure of data being processed. Notices also had to include information on safeguards. However, the DPDP Bill with its introduction of deemed consent makes data processing very opaque, while removing discussion of privacy safeguards.
Deemed consent throws notice out the window: Panda said that reasonable expectations as grounds for implied consent were a standard of privacy that was dismissed by Justice Rohinton Nariman in the privacy case heard by a nine-judge bench. As this provision is now made part of the statute, authorities no longer need to issue a notice to the Data Principal.
“They can’t come together because if you bring in notice into reasonable expectation there is no dividing line,” said Panda.
Does the DPDP Bill move closer to a surveillance state?
Stakeholders talked about how the processing of publicly available personal data impacts the government’s social media monitoring service or similar surveillance-related activities. While the previous versions of the Bill talked about processing of publicly available data as a possible reasonable purpose, they mandated safeguards for this purpose.
The latest DPDP Bill is modelled after the Singapore data protection law that allows for “free open, you know, processing of publicly available data,” said Panda. It may be mentioned that Singapore has an extremely sophisticated surveillance framework. Graham Greenleaf, a person who studied data privacy law, likened Singapore’s law to cheese that has more holes and considered it a “deviation from the requirement of finality as per the OECD principles.”
Can an employer process any data? The Bill also appears to allow employers to process any data of the employee as long as they can prove it is being done for the purpose of employment. Stakeholders worried about the power asymmetry in an employer-employee relationship that hinders “freely given” consent.
Here, Srinivasan pointed out the Bill also “kind of deems that in [an] employment context, consent can never be meaningfully free.” The provision lists certain purposes such as “prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, recruitment, termination of employment, provision of any service or benefit sought by an employee, verification of attendance and assessment of performance” where consent is not required. She agreed that the purposes are a lot more open-ended in the latest Bill as against its previous versions.
Confusion due to lack of purpose limitation: Under the GDPR, collection limitation ensures that an organization is fined for collecting excessive data about employees, such as religious or political beliefs, that cannot be justified under legitimate interest. In earlier versions, employment was made a ground separate from consent because consent cannot be sought freely in this situation. There were safeguards that ensured such requests for consent were inappropriate. In Europe, employers use ‘legitimate interests’ as a ground to process data in such situations, but even there they have to meet the balancing requirement to assess harms.
Bill impacts the balance of right to free speech and erasure
Media publication may be subject to erasure: Previous versions of the Bill included both the right to erasure and the right to be forgotten. The right to erasure, which is kept in the latest Bill, allows deletion from storage; the right to be forgotten covered publication, balanced against free speech. However, the DPDP Bill makes it illegal for a media publication to continue disclosing data that somebody wants erased. Previously, the Data Principal would have had to file a complaint to the Data Protection Authority. This means that even a researcher putting out personal data in the public interest will have to remove it. Similarly, this provision will allow for censorship of news articles as well.
The only exemption mentioned for erasure is retention for a legal purpose. However, the Bill does not define “legal purpose.” The older versions contained an explicit exemption for journalists, like many other data protection laws across the world.
“Business purpose” creating more confusion than clarity: According to Srinivasan, the Bill requires companies to prove that consent is obtained appropriately. In case an individual makes a request for deletion, the company must hold on to that audit trail that proves consent in a meaningful, valid manner.
“So that’s sort of the reason I think, why legal or business purposes is included, but I don’t know what the contours of that business purpose might be,” said Srinivasan.
Another confusion was that while the part on retention mentioned “legal and business purpose,” the part on the Right to Erasure only mentioned legal purpose as an exemption. The Singapore law that used the same phrasing for data retention also ring-fenced business purpose to some extent. Yet the DPDP Bill not only fails to define the term, it also presents business purpose as a “use of retention.” Panda questioned why the Bill talks about separate grounds for processing data and then other grounds for retaining the same data.
Grievance redressal framed with a business mindset
Scope of grievance removed from Bill: Yakub, a stakeholder from a law firm, talked about how the 2019 version of the Bill introduced a particular scope of complaint that specified contravention of the Bill. Stakeholders discussed how this could confuse people on whether they violated the law for not dealing with a grievance.
Stakeholders demand compensation for users: Currently, the Bill only includes “duties” of users that state a data user cannot file “false, frivolous grievances, or complaints.” Doing so will lead to a fine which in fact discourages a person from filing a complaint. Previous versions called for a compensation mechanism but those have been removed from the current DPDP Bill.
“So now there’s no reason for you to actually go and file a complaint because it’s very likely that there’s a good possibility that it will be deemed as a false or frivolous grievance so it’s like this active act of ensuring the data principles don’t complain if anything,” said Tejaswitha, from the Centre for Communication Governance (CCG).
Still another stakeholder warned against a compensation mechanism, stating that it would lead to more frivolous complaints.
Seemingly arbitrary exemptions for Data Fiduciaries: As per Section 18(3), the central government can exempt certain data fiduciaries, or classes of data fiduciaries, from certain provisions on Notice, data retention, processing of children’s data and even other obligations, having regard to the “volume and nature of personal data processed.”
While earlier exemptions catered to early-stage start-ups, the current Bill does not suggest any such theme. Some stakeholders even questioned why this provision was included in exemptions when it could have been included under the chapter on Obligations of Data Fiduciaries.
User duties conflict with basic rights
What is a ‘false particular’? Section 16(3) of the DPDP Bill states that a data user has a duty not to lie or give false information or misinformation anywhere. This raises questions about pseudonyms, especially in the case of the internet. Panda used the example of a person using a name that does not reflect their own to start a Twitter account.
“Strictly speaking it is not a false particular because there is no obligation to be true. Is a pseudonym false, or is it just a pseudonym? I don’t know whether it’s a question that can come up, but it’s a little bit of a stretch to say that this removes the anonymity entirely,” said Panda.
According to Srinivasan, false particulars likely refer to use of a false email id or someone else’s email ID while signing up for a platform. An alias was never true or false in the first instance, she said.
User duties do away with anonymity in privacy: Referring to Clause 16(4), Asif from Article 21 Trust argued that the duty to provide “verifiably authentic” information “kills the anonymity in privacy.” Stating that the Bill will be read with the Telecommunication Bill, he said anonymity, which has already been recognised by Supreme Court judgements, including the Puttaswamy judgement, as a part of privacy, will be done away with.
Implied consent applies to sensitive personal data: Although deemed consent has been introduced from earlier laws like Canada’s PIPEDA law, the original text barred the use of such consent for sensitive personal data. Previous versions of the Bill also barred implied consent for employment, and used sensitivity as a criterion for determining penalties and significant data fiduciaries.
Experts warned that this would impact user rights especially considering certain provisions in the latest Bill still reflect this sort of ghost element of categories of data, where they say nature and type of data will determine what will be exempt.
Stakeholders demanded a reintroduction of sensitive personal data, stressing that the entire purpose of the Bill is to protect privacy and personal data especially sensitive data. Doing so also affects data classification for companies and the proportional security measures.
Ambiguity in the framing and functioning of Significant Data Fiduciaries
Significant Data Fiduciaries require sensitivity definition: Regarding classification of significant data fiduciaries, the Bill says it will be contingent upon volume of data and sensitivity of the data. This creates further confusion as “sensitivity” has not been defined in the Bill.
Data Fiduciaries should have more responsibilities than Data Processors: Stakeholders called for a higher level of obligations on data fiduciaries, while data processors’ obligations should be primarily with respect to the data fiduciaries. One person reasoned that data processors have no visibility on what’s being done at the data fiduciary’s end even if they have the same obligations.
The GDPR and previous versions of the Bill said data processors must only have obligations to comply with the contract with the data fiduciary and to have security safeguards. The latest Bill does away with the latter, putting the onus on the data fiduciary and their contract with the data processor.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.