By the JDCIL Editorial Team

The Supreme Court of India has recognized privacy as a fundamental right in India and an important aspect of personal freedom and autonomy. In order to provide an operative framework that lays down the privacy rights of Indian citizens, and the roles and responsibilities of companies that deal with data, the Indian government has been attempting to legislate a Personal Data Protection Bill. The Digital Personal Data Protection Bill (2022) (“DPDP”) is the latest in a series of Bills put forth by the government for public consultation.

In this report, the editorial team at JDCIL has sought to provide an in-depth analysis of the DPDP by analyzing its compatibility with India’s established privacy jurisprudence, the recommendations of the BN Srikrishna Committee Report and the Joint Parliamentary Committee. We conclude that while the value placed on privacy can vary depending on cultural, social, and political factors, it cannot be sacrificed at the altar of an amorphous state or public interest. Active efforts must be made to ensure that in a climate where data breaches are common and data has become more valuable than oil, appropriate legal safeguards are in place to ensure that the data privacy of India’s citizens is secure.




BACKGROUND 

The Digital Personal Data Protection Bill, 2022 (“DPDP”) is the fourth iteration of the Data Protection Bills series introduced in the Indian Parliament. Given India’s rampant growth in the field of technology in various segments such as finance, business, start-ups, medicine, and law, amongst a gamut of other fields, the significance of an enforceable data protection mechanism is more important than ever. Drafted to solidify and concretize the data protection framework within the Indian jurisdiction, the DPDP re-envisions India’s data protection framework by standing out from its previous iterations. Of the many ways in which the DPDP stands out from the Personal Data Protection Bill, 2019 (“2019 bill”), the most conspicuous one is how personal data is defined. Personal data is no longer defined through a detailed categorical matrix; it is one monolithic, all-encompassing category, with a particular focus on digitized personal data.

Concerning its territorial applicability, the DPDP has enforceability within India if the personal digital data is being processed within it and has extra-territorial applicability if such processing of digital personal data is connected with data principals in India.

At its very core, the DPDP draws heavily from Singapore’s Data Protection Act, 2012, unlike the previous drafts which primarily used the European Union’s General Data Protection Rules (“GDPR”) as the basis for formulating India’s Data Protection framework. The current draft is also a more concise, condensed and shorter document. Many critics argue that condensing the document gives the Central Government more discretion in decision-making wherever the law is ambiguous.

Data Fiduciaries also enjoy a certain degree of freedom, especially when it comes to the retention of the data principal’s data. The DPDP states that a data fiduciary must cease to retain, and must anonymize, the data it has processed once it reasonably believes that the purpose of retaining the data has been served and the data is no longer required for any legal or business purpose. It is noteworthy that “business purpose” is not defined and is left as a broad category. This will have its own positive and negative repercussions.

Additionally, the DPDP lays down the obligations of the data fiduciary to undertake tasks to ensure the completeness and accuracy of the data it collects and processes. The obligations of the data processors have also been included.

The rights of the data principals have been explicitly stated and include (a) the right to obtain any information required on the data being processed, (b) the right to the erasure of their data or any relevant corrections to the data to ensure its accuracy, and (c) the right to grievance redressal, to name a few. Children are also taken within the ambit of data principals, and consent to process their data must be taken from their legal guardian or parent.

The DPDP has included Significant Data Fiduciaries as another category of stakeholders relevant to the data protection framework. They may be notified to take actions based on the sensitivity of the data and the volume of data, any risk to India’s sovereignty, etc.

The DPDP also lays down the constitution of a Data Protection Board which would be an independent authority responsible for enforcing and penalizing any individual or legal entity that doesn’t work in compliance with the said provisions. The Board can also conduct hearings, examine relevant parties on oath, and summon parties as well. However, the Board is not authorized to take custody of any equipment. While in the 2019 Bill, the Central Government could also appoint the selection committee to the Data Protection Authority, under the DPDP, the Government can appoint the chief executive of the Board and frame the terms and conditions of the functioning of the Board.

The DPDP would have an overriding effect over all other laws that conflict with the provisions of the DPDP and may apply in addition to some of the existing sectoral laws and may supersede such laws in a few sectors such as medicine, finance, etc. which have or require data governance frameworks. Concerning penalties, the maximum cap is set at Rs. 500 Crores in each instance. While the previous 2019 Bill allowed for the flexibility of levying penalties on a case-by-case basis, the DPDP allows only for amendments to penalties by the Government and sets an upper limit or cap for the penalties.

The following report would look at the elements of the DPDP that run contrary to established principles in the right to privacy jurisprudence in India. The most important issue the report seeks to analyze is whether the 2022 DPDP will enhance or deplete the privacy rights of Indian citizens.

ANALYSIS

I. Scope and Application

The Information Technology Act, 2000 is the central legislation that regulates online transactions and affairs. It covers under its purview violations of privacy that constitute a digital offence under the Act. The Right to Privacy Bill, 2011 was the first attempt under the UPA Government to address data regulation; it was objected to by intelligence agencies owing to the premature architecture of the regulation proposed. Surveillance is addressed through Section 62 of the Information Technology Act, 2000 read with the Information Technology Rules, 2009; however, its application has been claimed to be open-ended, enabling the government to exercise its powers without any effective restriction. The element of transparency was emphasized by the court in People’s Union for Civil Liberties v. Union of India[1], wherein government surveillance was addressed for the first time. However, how data is processed, and the growing use of Internet services necessitating the protection of data through special legislation, was discussed by the Apex Court in Justice K. S. Puttaswamy (Retd.) & Anr. versus Union of India & Ors[2]. This led to the formation of the Committee led by Justice BN Srikrishna[3], which laid out a set of specific regulations for the protection of data through a draft data protection bill that was formulated in subsequent years.

The proposed DPDP, like its predecessors, applies to digital personal data and its processing. Herein, such data is collected

  1. online through a data principal, or
  2. offline and then digitalized.

Responsibility for the accuracy of such collected and processed data lies with the data fiduciary: compliance with the provisions set out under the proposed bill is the responsibility of the data fiduciary, and the compliance of the data principal is not relevant to its application.

The proposed law has extra-territorial application and hence will apply to personal data processed outside the country if the processing is done in connection with the activities of data principals located within the country. Furthermore, under the Act, processing of any personal data about the attributes and behaviour of a data principal is referred to as profiling, and the Act thus sets out the categories of data processing to which it will apply.

Unlike the earlier iterations of the legislation, the DPDP does not distinguish between types of data and applies to all sets of personal data. However, the provisions do not apply to

  1. non-automated processing of personal data and 
  2. offline personal data.

The obligation to give an itemized notice under the proposed law falls on the fiduciary if data is collected for the proposed processing, which solidifies the consent-based mechanism the earlier legislations intended.

The proposed law provides an exemption for circumstances where personal data is processed to enforce a legal right, to perform a judicial or quasi-judicial function, in the interest of preventing a contravention of law, and where the data principal is not within the territory of India. It is pertinent to mention that obligations under the proposed law can be exempted through a notification passed by the Central Government allowing an instrumentality of the state to derogate from them in the interest of the sovereignty and integrity of India, along with research purposes, without any procedural restriction. Furthermore, even certain data fiduciaries can be exempted from the application of Section 6, Section 9, Section 10, Section 11, and Section 12 by way of a notification by the Central Government, which confers a large degree of autonomy for such exemptions.

II. Deemed Consent

In the domain of data protection, “deemed consent” refers to a situation where an individual is considered to have given their consent to the collection, storage, and use of their personal data, even if they have not explicitly provided it. This can occur in several ways, such as when an individual has not taken steps to opt out of data collection, or when they have not exercised their right to object to the processing of their data.

Deemed consent is usually used in situations where the collection and use of personal data are considered to be in the individual’s best interest, such as in the case of medical research or fraud prevention. However, deemed consent must not be used as a way to bypass obtaining explicit consent from individuals, and other measures such as providing clear and specific information about data processing activities and providing individuals with an easy way to opt out should be implemented.

The provision on ‘deemed consent’ in the DPDP draws inspiration from Section 15 of the Personal Data Protection Act, 2012, Singapore. The DPDP provides additional criteria for deemed consent in cases concerning the broadly defined grounds of ‘public interest’ and ‘fair and reasonable’ purpose. The following are the infirmities with section 8 of the DPDP and its effects on data privacy:

  • The Personal Data Protection Bill, 2018 (“2018 bill”) made a distinction between sensitive personal data and non-sensitive personal data. For instance, under section 16 of the 2018 bill, employment was a basis for processing only non-sensitive personal data. The DPDP is couched in broader terms, wherein section 8(7) gives employers the authority to process sensitive information of the data principal without express consent. In the old Bill, details such as sexual orientation, sex life, transgender status, caste, religious affiliation etc. were covered under ‘sensitive personal data’. If employers can obtain broad-based consent to process such sensitive information of their employees, it may lead to unfettered workplace discrimination against gender, sexual, caste, and religious minorities.
  • The ‘public interest’ exception is couched in extremely broad terms and is incompatible with the grounds mentioned under section 8(8) of DPDP. It is unclear how the processing of information for ‘credit scoring’ is in furtherance of public interest. Credit scoring involves the collection of highly sensitive personal information including financial data and history. Collection of such data without the express consent of the principal constitutes a clear threat to their privacy. Moreover, non-disclosure of risks associated with this data, such as the fact that aggregation of such sensitive data makes the service providers targets for breaches of data security, is highly problematic.
  • It is unclear whether ‘deemed consent’ can be withdrawn by the data principal. If it can be withdrawn, then the entire purpose of certain grounds under section 8 of DPDP gets defeated. For instance, section 8(3) provides for deemed consent for the processing of data for compliance with any judgment or order issued under the law. It is odd to permit a data principal to withdraw her consent concerning the performance of legal obligations.

III. Section 18: Consent Requirements

Section 18, DPDP exempts data fiduciaries from consent requirements and other obligations under certain specified circumstances such as for the performance of judicial functions, enforcement of legal rights and claims etc. The primary shortcomings of the provision are as follows:

  • Section 18(1)(b), DPDP exempts courts or tribunals or other judicial authorities from complying with certain provisions of the bill for processing personal data for the performance of judicial/quasi-judicial functions. With globalization and the increase in the scale of commerce, more and more disputes are being referred to arbitration, a lot of which are carried out by foreign institutions. The limited applicability of this provision may hinder the speedy resolution of disputes in foreign institutional arbitrations.
  • Section 18(2)(a), DPDP empowers the Central Government to exempt instrumentalities of the state from the application of the provisions of the Bill. Such a provision confers excessive powers on the government which are capable of being misused. Since this would amount to an infringement of the Right to Privacy, which has been read under Article 21 of the Constitution of India, it should be clarified that such exemption would be subject to the four-pronged proportionality requirement laid down in the Puttaswamy judgment.
  • Instrumentalities of the state are exempt under S. 18 from the S. 9(6) requirement of erasing personal data after its purpose has been fulfilled. This allows the government to arbitrarily retain data for an indefinite period, which would amount to a violation of citizens’ privacy without any procedural safeguards.

IV. Compliance with BN Srikrishna Committee Report

The BN Srikrishna Committee report (“report”/“committee”) looked at the current regime for data protection in three other jurisdictions, namely the EU, the US and China. It observed that the data protection regime of each jurisdiction depends particularly on the function for which the data protection law exists and more generally reflects each jurisdiction’s understanding of the relationship between the citizen and the state. For example, China frames its law with the interests of the collective as the focus, based on the privilege of the collective over the individual. In Europe on the other hand, data protection norms are founded on the need to uphold individual dignity, and the state is viewed as having a responsibility to protect such individual interests. Thus, the data protection regime in India would need to be unique based on India’s understanding of its citizen-state relationship, and its motivations for a data protection law.

The right to privacy has been held as a fundamental right in the Puttaswamy Judgement, and the regulatory framework in India must therefore reflect the right to privacy in accordance with this judgment. In light of this, the committee report states that the framework needs to be such that it protects individual autonomy and privacy, which can be achieved through the rubric of a free and fair digital economy. Further, the twin objective of the bill must be to ensure the protection of personal data while facilitating the growth of the digital economy. The report thus went on to give recommendations to achieve a free and fair digital economy.

· Fiduciary relationship between individuals and the controller of data:

The report says that the relationship between the individual and the service provider must be viewed as a fiduciary relationship, in light of its aspiration to build a free and fair digital economy. Freedom refers to enhancing the autonomy of individuals over their personal data in deciding its processing (this would lead to an easier flow of personal data), while fairness refers to respecting the rights of the individual concerning her personal data, keeping in mind the existing inequality in bargaining power between individuals and entities that process such personal data (which needs to be mitigated). For this to be achieved, the person to whom the data relates is the data principal, that is, the focal actor in the digital economy. The person or persons who control the data are referred to as fiduciaries to emphasize that the relationship between the individual and the entities with whom the individual shares her personal data is based on a fundamental expectation of trust. Thus, controllers of data have a duty of care to deal with such data fairly and responsibly for purposes reasonably expected by the principals, making them data fiduciaries. Both the 2019 bill and the DPDP adopt this terminology, describing the stakeholders as data principal (the individual to whom the personal data relates) and data fiduciary (any person who alone or in conjunction with other persons determines the purpose and means of the processing of personal data) respectively.

· Obligations of fiduciaries:

To prevent abuse of power by fiduciaries, the report recommended that fiduciaries should have:

  1. the obligation to process data fairly and reasonably, and
  2. the obligation to give notice to the individual at the time of collecting data and at various points in the interim.

While the obligation to process data fairly and reasonably is not explicitly mentioned anywhere in the DPDP, it flows from the usage of the term data fiduciary, as explained above. Further, under the DPDP, the data principal must be provided with a notice on the basis of which she can consent to the processing of her data; however, the bill has reduced the information that the data fiduciary is required to provide in the notice. While previous versions of this bill required information such as the rights of the principal, the redressal mechanism, the retention period of information, etc. to be provided, the current bill only requires the personal data being collected and the purpose of processing the data to be disclosed. This may have been done to shorten and simplify the notice and make it more comprehensible for data principals; however, the notice becomes less comprehensive as a result. It may be possible to use other tools, such as infographics, to make a notice which is both comprehensive and comprehensible.

· Definition of personal data:

The committee noted that it is important to define what constitutes personal data, defining it to include data from which an individual may be identified or identifiable, either directly or indirectly. The committee also sought to distinguish personal data protection from the protection of sensitive personal data (data related to intimate matters, the processing of which could result in greater harm to the individual), and to provide additional protection for the processing of such data. While the DPDP adopts the definition of personal data, it does not include the concept of “sensitive personal data”. By ignoring this concept, the bill also does not include additional protections for such data.

· Consent-based processing:

The committee noted that informed or meaningful consent must be treated as a pre-condition for processing personal data. Further, for certain vulnerable groups, such as children, and for sensitive personal data, a data protection law must sufficiently protect their interests, taking into account their vulnerability and exposure to risks online.

In the DPDP, consent of the data principal is a precondition to the processing of data by the data fiduciary. The DPDP also imposes additional obligations for the processing of the personal data of children under section 10. Under this provision, the data fiduciary is obligated to obtain verifiable parental consent, not to undertake such processing of personal data as is likely to cause harm to a child, and not to undertake tracking or behavioural monitoring of children or targeted advertising directed at children. However, these protections are subject to the exception contained in sub-clause (4) of the provision itself, which states that the protections shall not apply to the processing of the personal data of a child for “such purposes, as may be prescribed”.

· Non-consensual processing:

The committee noted that it is not possible to obtain the consent of the individual in all circumstances, keeping in mind the balance that needs to be struck between the right to privacy and other legitimate state aims, and identified four grounds for processing data without consent: (i) where processing is relevant for the state to discharge its welfare functions, (ii) to comply with the law or with court orders in India, (iii) when necessitated by the requirement to act promptly (to save a life, for instance), and (iv) in employment contracts, in limited situations (such as where obtaining consent would require an unreasonable effort from the employer).

Similarly, the DPDP introduces the concept of deemed consent. The bill thus recognizes situations in which consent need not actually be given by the data principal; consent will be deemed to have been given. The provisions under the bill, however, give deemed consent a wider scope. Apart from the four grounds identified by the committee, consent is also deemed to be given in cases of public interest (such as prevention and detection of fraud, recovery of debt, credit scoring, etc.), and for any fair and reasonable purpose as may be prescribed. This allows the government to further prescribe situations in which consent would be waived. Therefore, under the Bill, the need for consent, and consequently the right to privacy and autonomy, is minimised in comparison to the Committee report.

· Rights of the data principal:

The report explains that the rights of the individual are based on the principles of autonomy, self-determination, transparency, and accountability to give individuals control over their data. These rights were categorized into:

  1. the right to access, confirm and correct data,
  2. the right to object to data processing, automated decision-making and direct marketing,
  3. the right to data portability, and
  4. the right to be forgotten.

Chapter III of the DPDP deals with the rights of the data principal. It includes the right to information about personal data, the right to correction and erasure of personal data, the right to grievance redressal, and the right to nominate. Thus, most of the rights prescribed in the report are recognized by the DPDP, and the additional right to nominate is also recognized. By the insertion of this right, the DPDP allows a data principal, in the event of death or incapacity, to nominate another individual to exercise all the rights of the data principal. It thus recognizes the right of an individual to have his personal data protected post-mortem. However, the right to be forgotten is not included. The right to portability, which could have allowed users to port or systematically transfer personal data from one data fiduciary to another, has also not been included, and this may interfere with the spirit of consumer welfare and competitiveness among data fiduciaries.

With the right to be forgotten not being included in the DPDP, the only way to erase personal data once it has been given to a data fiduciary is through the right of erasure, which only permits the erasing of personal data that is no longer necessary for the purpose for which it was processed, unless retention is necessary for a legal purpose. Under the right to be forgotten, by contrast, the data principal can additionally stop the processing (which includes storage) of data in case of withdrawal of consent, and where such processing was carried out contrary to law. Thus, the autonomy of the individual over his/her personal data is minimised in the DPDP.

The inclusion of duties of the data principal is not found in either the recommendations of the BN Srikrishna Committee report or in older versions of the Bill, and flows from the idea that every right has a corresponding duty. The inclusion of these duties may simplify litigation regarding digital personal data. However, it is unclear whether the duties are enforceable and how they will be enforced.

· Enforcement models:

The committee also recommended setting up a regulator, which would have the power to inquire into any violations of the data protection regime and take action against those responsible. The committee also recommended that the regulator may categorise certain fiduciaries as significant data fiduciaries based on their ability to cause greater harm to individuals and require them to undertake additional obligations.

Chapter 5 of the DPDP prescribes a compliance framework, provides for the formation of such an authority (data protection board) and gives it the powers to enquire into and ensure compliance with the provisions of the DPDP. The DPDP also recognizes the concept of having additional obligations for significant data fiduciaries but gives the power to notify certain fiduciaries as significant to the Central Government, rather than the regulatory authority under section 11(1). Thus, the DPDP allows the government (which may be a more involved stakeholder as a possible data fiduciary) to exercise the power rather than the relatively independent board. Furthermore, the selection and composition of the board shall be as may be prescribed, which means that it is left to the government to decide. This may result in a selection method or composition which does not allow the board to function as an independent authority.

V. Right to Privacy

The Supreme Court in Puttaswamy has held that the right to privacy is a fundamental right flowing from the right to life and personal liberty as well as other fundamental rights securing individual liberty in the Constitution. The sphere of privacy includes a right to protect one’s identity, and this recognises the fact that all information about a person is fundamentally her own, and she is free to communicate or retain it for herself.

This right to autonomy and self-determination in respect of one’s personal data would thus form the primary value that any data protection framework serves. However, the framework would need to carefully balance the requirements of privacy with other values and with the legitimate concerns of the State. Like other fundamental rights, privacy too can be restricted in well-defined circumstances. For such a restriction, three conditions need to be satisfied: first, there is a legitimate state interest in restricting the right; second, the restriction is necessary and proportionate to achieve the interest; and third, the restriction is by law.[4] According to the BN Srikrishna committee report, the framework of a free and fair digital economy could provide a useful reference point for achieving this balance.

The concept of deemed consent, under section 8 of DPDP is a restriction on the right to privacy, as the personal data of the data principal may be processed without consent. The DPDP sets out specific situations in which deemed consent operates, and also permits deemed consent for any fair and reasonable purpose, taking into consideration (a) whether the legitimate interests of the Data Fiduciary in processing for that purpose outweigh any adverse effect on the rights of the Data Principal; (b) any public interest in processing for that purpose; and (c) the reasonable expectations of the Data Principal having regard to the context of the processing. The third condition is automatically met by all such provisions as they form part of a bill, which if passed by the Parliament would form a part of “law”. What remains to be seen is if each provision promotes a legitimate state interest and if such provision is necessary or proportional to achieve the legitimate interest. In light of these requirements, several previous drafts of data protection bills have been struck down amidst contentions of them not safeguarding the right to privacy. Thus, it is also relevant to examine the differences in protections of privacy between the current bill and the previous draft.

The 2019 bill also lays down some exceptions to the obtaining of consent (sections 12-14) and permits the government to specify any other reasonable purpose through regulations. However, the old bill lays down more requirements for exceptions to obtaining consent and mandates that where the Authority specifies a reasonable purpose, it shall also lay down such safeguards as may be appropriate to ensure the protection of the rights of the data principal. Thus, the new bill makes it easier for the government to bypass the requirement of consent, and thereby permits the autonomy of individuals over their own data to be bypassed more easily. While the specific provisions for which deemed consent applies may serve other legitimate state aims and may be proportional to the achievement of those aims, the bill permits the government to create more situations in which deemed consent operates without any safeguard or guarantee that the provisions will be proportional to a legitimate state aim.

The 2019 bill provided an exemption from the provisions of the act for any agency of the Government for preventing incitement to the commission of a cognisable offence relating to (i) the sovereignty and integrity of India, (ii) the security of the State, (iii) friendly relations with foreign states, and (iv) public order, as well as for some other purposes. It also provided for the creation of a “sandbox”, wherein certain companies would be exempted from the provisions of the act for innovation in artificial intelligence, machine learning or any other emerging technology in the public interest. Thus, personal data would not be protected by the bill in these cases. The current bill re-introduces most of these provisions under section 18, DPDP (the only major difference being the removal of the sandbox provision). The exemption provided to the government again permits the government to infringe on privacy without any safeguards for ensuring proportionality with the state aim.

An independent regulating authority to ensure compliance with the provisions of the act is essential for the protection of privacy. Under the DPDP, however, the composition of the authority is left entirely to be prescribed by the government, whereas the old bill clearly prescribed the composition, not leaving it up to the executive wing of the government. Therefore, the possibility of the enforcement authority becoming nothing more than a puppet of the executive, which would affect the ability of the law to safeguard privacy, is much higher under the DPDP. Keeping all this in mind, it can be said that the bill delegates too much power to the government without proper guidelines. To avoid long and complex legislation, the wording in the DPDP is minimal, with the phrase “as may be prescribed” being used numerous times throughout the Bill. This gives the executive branch too much control in all areas of the Bill. Thus, the executive has the power to act capriciously and excessively, thereby infringing on the fundamental right to privacy.

VI. Recommendations of the Joint Parliamentary Committee

The Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 ("JPC") tabled its report in December 2021 after an extension. The report contained several recommendations along with a draft Data Protection Bill, 2021, which comprised certain amendments intended to provide a model framework for implementation. In this section, these recommendations and the proposed framework are juxtaposed with the current proposed law to understand how far they have been incorporated.

At the outset, the JPC report critiqued the use of the word "digital" before the phrase "privacy of individuals" as limiting the scope of data privacy as a whole. The report also emphasized that the exemptions granted in the interest and security of the State should be circumscribed, and that context should be provided for such derogations. As discussed hereinabove, these changes can be seen as only partially incorporated under Section 4, DPDP.

The 2019 bill addressed the manner in which data was to be retained by a fiduciary. The JPC found this provision fairly limited in how it dealt with the use of such data, and asked that the notion of a "period" covering such usage be introduced in place of a purely temporal limit on retention. The DPDP does not stipulate a comparable retention period; nor, however, does it clarify when processing must cease or data must be destroyed.

Section 12 of the 2021 Bill proposed by the JPC required the consent of data principals to be obtained before any processing, and this has been carried into the current proposed bill. However, the consent provision of the current bill remains vague: the nature of a consent manager and the renewal of consent are still not explicitly provided for.

As far as exemptions are concerned, the JPC report also favoured the autonomy of the central government: Section 35 of the 2021 Bill conferred a wide degree of autonomy in such derogations, and this has become a characteristic feature of the DPDP. However, the dissent notes to the proposed 2021 Bill raised further objections that apply equally to the DPDP: blanket exemptions without any limit on their duration were viewed as a significant flaw. Moreover, limiting the application of the law to digital personal data was criticized yet again, and this remains an applicative challenge, since the current proposed law has ignored this aspect.

RECOMMENDATIONS

  • It is necessary to bring back the distinction between "personal data" and "sensitive personal data" so that data fiduciaries such as employers are not able to process sensitive information on the basis of "deemed consent". This would bring the Indian data protection regime into conformity with international standards such as the GDPR, which provides for special categories of data under Article 9.

  • At present, the entire provision on deemed consent is extremely vague and unclear, especially since consent-based grounds for processing imply that such consent can be withdrawn, which could not have been the purpose of the provision. The "deemed consent" mechanism of Singapore's Personal Data Protection Act 2012 has likewise been widely criticized. Like the GDPR, the current Bill could instead provide non-consent-based grounds for processing data wherever necessary.

  • The provisions of the bill under which consent is deemed to have been given move far beyond the standards set out in Article 6 of the GDPR. The scope of public interest under section 8(8), DPDP must be narrowed and must not include matters such as credit scoring and recovery of debt, which have no nexus with the public interest. The DPDP can take guidance from the Australian Privacy Act 1988, which under Part IIIA deals extensively with credit reporting and the types of information financial institutions are permitted to receive.

  • Procedural safeguards such as overriding public interest and proportionality must be specified in section 18(2)(a), DPDP.

  • The exemption under section 18(1)(b), DPDP should also be extended to foreign courts and tribunals to ease the burden of compliance on parties opting for foreign jurisdictions for dispute resolution.

  • Section 18(4), DPDP must be struck down, and instrumentalities of the State too must be made subject to the requirement under section 9(6), DPDP. No clear reason is given as to why the State is exempt from this requirement; the exemption is arbitrary and violates Articles 14 and 21 of the Indian Constitution.

  • The GDPR, alongside conferring specific rights on data subjects, explicitly requires the data controller to facilitate the exercise of those rights through transparent information, communication and modalities. Including such a provision in the Indian framework would go a long way towards allowing data principals to exercise their rights effectively.

  • The GDPR also includes the right to be forgotten and the right to data portability, which, as explained previously, are conspicuously missing from the DPDP. The GDPR further gives the data subject the right to object to the processing of data by the data controller, and explicitly provides that the data subject shall have the right not to be subject to a decision based solely on automated processing (including profiling) which significantly affects him or her.

  • The provisions of the GDPR on the rights of data subjects are wordier and more complex than those of the DPDP. However, the GDPR succeeds in providing more safeguards for individuals' data, whereas the DPDP has sacrificed adequate and detailed safeguards for data principals in the interest of short and easily readable provisions. The Indian Bill would therefore benefit from widening the scope of the rights it protects by drawing on both the GDPR and the earlier versions of the bill.
