The Indian government introduced the Digital Personal Data Protection (DPDP) Bill, 2023 in Parliament on August 3, 2023. The country badly needs a data protection law that protects citizens’ right to privacy rather than giving companies and the government a free pass to collect and process personal data however they wish. But the Bill, as it stands, raises several concerns that should be addressed before it is passed:
1. The government’s broad powers to exempt itself, demand information from companies, and retain data for an unlimited period can result in mass surveillance: The DPDP Bill allows the government to issue a notification exempting any of its agencies from the Bill on grounds such as the security of the State, maintenance of public order, etc. In other words, any exempted government agency can collect and process the personal data of citizens for any purpose it wants, without following any of the safeguards prescribed in the DPDP Bill. Additionally, Section 36 allows the government to demand personal data from private companies “for purposes of this Act,” a phrase that is not elaborated anywhere. These two provisions, combined with the fact that the government can retain personal data for an unlimited period regardless of whether the purpose for which it was collected has been served, give the government carte blanche to carry out mass surveillance. Furthermore, there is an automatic exemption for processing personal data for the prevention, investigation, etc., of crime, with no need for the government to issue any notification at all.
2. Free pass for scraping of publicly shared personal data: Clause 3(c)(ii) of the Bill states that it shall not apply to personal data that is made publicly available by the user. As an example, the Bill illustrates that if an individual, while blogging her views, has publicly made available her personal data on social media, then processing of that data will not come under the purview of the data protection law. This allows companies to process publicly available personal data without any consent and without adhering to any other provisions of the Bill. For example, AI services like OpenAI’s ChatGPT and Google Bard will be able to scrape publicly available personal data from the internet to train their models. It also opens the possibility of facial recognition tools using publicly available profile photos to train their systems.
3. Definition of child as someone under the age of 18 creates access issues for children and a compliance burden for companies: The DPDP Bill imposes additional obligations on companies processing the data of children, defined as anyone under the age of 18. Importantly, it requires such companies to obtain “verifiable consent” from parents before processing children’s data. This not only takes away agency from teenagers by restricting their ability to access websites without parental consent, but also puts companies in a tough spot: they will have to carry out some form of age verification (which itself requires collecting personal data such as government-issued IDs) of all their users to ensure they are not collecting personal data of any child without parental consent. The Bill allows some companies to be exempt, or to have a lower age threshold, if they process children’s data in a way that is “verifiably safe.” But it is not clear what meets this criterion, and it creates two different standards for companies processing children’s data. A seventeen-year-old and an eight-year-old should not be treated the same, and the Bill should adopt a graded approach.
4. The government’s power to block content goes beyond the already controversial Section 69A of the IT Act: Under Section 37, the government can block access to websites or content on the advice of the Data Protection Board in case of repeated offences by the entity or in the “interests of the general public.” This broad phrasing goes beyond the already controversial powers of the government to block content under Section 69A of the Information Technology Act, 2000. Additionally, the power of the Data Protection Board to advise on blocking “content” is problematic, given that the Board is entrusted with issues related to data protection, while “content” is a broader ambit that other regulations such as the IT Act already deal with.
5. The “as may be prescribed” Bill: The phrase “as may be prescribed” appears at least 26 times in the 20-page Bill, leaving a great deal to delegated legislation. This allows the government to notify rules later on to clarify these provisions. Such rules do not go through the same parliamentary rigour as the Bill itself, and as a result they can be overbroad and go beyond the scope of the parent legislation, as is being argued about the IT Rules, 2021, which were issued under the IT Act, 2000.
6. Weakens the RTI Act by giving the government more reasons to deny information: The DPDP Bill amends the RTI Act, 2005 to state that the government is not obliged to disclose information that relates to personal information. Earlier, this exemption could be overridden in cases of larger public interest. By making this amendment, the Bill weakens the RTI Act, as the government has one more broad ground on which to deny requested information. “A new era of corruption will be introduced as personal data like assets and liabilities, education qualifications of corrupt officials, won’t be sought under RTI Act,” MP Adhir Chowdhury pointed out in Parliament.
7. No consent is required for sharing data with others: When obtaining consent, a company does not have to disclose whom the data will be shared with or for what purposes.
8. The notice informs users very little about what happens with their personal data: The notice to be shown to users when obtaining consent is only required to state what personal data will be collected and for what purpose. Previous iterations of the Bill required companies to also state how long they will store the data, whether they will share it with third parties, where the data was collected from, details of any cross-border transfer of the data, etc. Additionally, companies are no longer required to publish privacy policies on their sites, as previous iterations of the Bill required.
9. No clarity on what safeguards companies have to implement to protect against data breaches: The DPDP Bill requires companies to take “reasonable security safeguards” to prevent personal data breaches, and failure to do so can attract the highest band of penalty, up to Rs 250 crores. But there is no clarity on what measures should be taken or what constitutes “reasonable” safeguards.
10. No compensation for victims of personal data breaches: While the Data Protection Board can impose a penalty of up to Rs 250 crores on an entity for a personal data breach, none of this goes to the user, who is the victim of the breach. Additionally, the Bill removes Section 43A of the IT Act, 2000, which provided for such compensation.
11. The Data Protection Board will be a puppet of the government: The Chairperson and Members of the Data Protection Board will be appointed by the Central Government on terms specified by the government, raising questions about the Board’s independence. For instance, if the Board has to investigate misuse of personal data by the government, there will be a conflict of interest, because the government is essentially judge, jury, and executioner of its own non-compliance.
12. Penalties for users for failing to fulfil duties: The DPDP Bill allows the Data Protection Board to levy a penalty of up to ₹10,000 if a user fails to perform the duties listed in the Bill. One such duty, for example, is that users should not register false or frivolous grievances or complaints with a Data Fiduciary or the Data Protection Board. This provision could deter users from filing complaints in the first place for fear of a fine. A bill that is about protecting the right to privacy of users should not be levying any penalties on users.
13. Exemptions for the use of personal data for debt recovery need safeguards: The Bill grants some exemptions for personal data processed for debt recovery. For example, if a person takes a loan from a bank and defaults on their monthly instalment, the bank may process the individual’s personal data to ascertain their financial information, assets and liabilities. Without any safeguards, this can be problematic, as we frequently see instances of fake loan apps engaging in unethical recovery practices by accessing borrowers’ contact lists and photo libraries and blackmailing them using this personal data.
14. No safeguards for sensitive and critical personal data: Certain types of data, such as health, biometric or financial personal data, merit stricter conditions for processing and storage. Earlier iterations of the Bill treated sensitive and critical personal data as subsets of personal data that were subject to additional safeguards. No such classifications exist in this Bill.
15. Does not apply to anonymised data: The law will not apply to anonymised personal data. This could be a problem because anonymised data can not only be deanonymised but can also be layered on top of personal data to draw inferences about individuals.