Amendments introduced in the Digital Personal Data Protection Bill, 2023 and its impact on the present regulations

Authors: Rashna Jehani, Tanvi Shah & Manan Bhoota

Introduction

The Digital Personal Data Protection Bill, 2023 (‘DPDP Bill 2023’) is a global standard—contemporary, future-ready, yet simple and easy to understand. Until now, data protection law in India was not well established and emanated mainly from the Information Technology Act, 2000 and the contributions of the Bureau of Indian Standards on data privacy, which do not seem to be enough to protect personal data from the ever-growing thirst of data fiduciaries.

The DPDP Bill 2023 was introduced in Parliament on 3 August 2023 and was passed in the Lok Sabha on 7 August 2023. It can be considered a revision of the Digital Personal Data Protection Bill, 2022. The bill moots the creation of the Data Protection Board of India and provides protection to the Centre, the Board and its members for “action taken in good faith”. It lays down the obligations of entities handling and processing data as well as the rights of individuals.

Its focus on capturing consumer rights to data protection as fundamental rights and introducing light and easy-to-comply obligations for data fiduciaries indicates a step towards balancing data protection and fostering innovation.

The DPDP Bill 2023 embodies the right of individuals to protect their data and the need to process personal data for lawful purposes. It clarifies and simplifies the rights and obligations of data principals and data fiduciaries/data processors within an overarching framework for consent, privacy, security, and grievance redressal. The DPDP Bill 2023 will set explicit norms for accountability and responsible data handling.

Upon the passage of the bill, there will likely be a 12-18 month ‘bedding in’ period given for compliance. Even so, this law will fundamentally change how businesses collect and use personal data in India.

Highlights of the Amendments:

The development comes exactly a year after the government withdrew the DPDP Bill’s predecessor, the Personal Data Protection Bill, on August 3, 2022, citing compliance-related concerns.

Following the withdrawal, the DPDP Bill 2022 was released for consultation. The government has made several changes in the 2023 version of the bill based on the responses received during the consultation.

Here are a few of the amendments proposed in the DPDP Bill, 2023:

1. No more “deemed consent”

Consent given by the data principal was one of the contentious issues addressed in the 2023 version of the bill. While the 2022 version of the bill included a section (section 7) on deemed consent, the current version seemingly does away with it.

In the 2022 version, consent was deemed to have been given in a situation where someone voluntarily provides their personal data and it is reasonably expected that they would do so (like at a restaurant); for the performance of any function under any law; for compliance with a judgment or order and so on.

However, the revised draft instead outlines certain “legitimate uses”, such as the processing of personal data that the data principal has voluntarily shared without indicating that they do not consent to its use.

A data fiduciary may also process the data when the State permits it, and when the data principal has consented to the processing of personal data by the State and such data is available in any database maintained by the State.

However, this kind of processing ought to be in accordance with the policy issued by the Central Government or any other law in force. Any act of the State in the interest of national security, or to fulfil any obligation under any law in force, may also be construed as a legitimate use. This has broadened the scope within which processing of personal data may be undertaken without consent.

The DPDP Bill 2023 also mandates that consent for the collection of personal data must meet specific criteria, including being specific, informed, unconditional, unambiguous, and limited to the extent necessary for the specified purpose. Further, the bill provides that even where consent is obtained for a specified purpose, the consent will only be valid where the processing of personal data is necessary for such a specified purpose.

Implications: This provision has significant implications for businesses, as they will now be required to obtain consent only for the specific purposes for which the data is being collected, and the processing must be necessary for those purposes.

This clause will cause businesses to rethink how they treat user data. From the current approach of ‘more data is good’, businesses will need to see themselves as fiduciaries for data, and be mindful about how much they collect, what they use it for, and how (and for how long) they keep data.

Big tech companies in India will note the conspicuous absence of any specific acknowledgement in the law that anonymised or de-identified data would remain outside the scope of the bill. The handling of de-identified personal user data represents a clear gap that the DPDP Bill does not address.

2. Blocking powers to the Central Government

In a curious development, the new version of the DPDP Bill may give blocking powers to the Central Government, the proposed data protection regulator. The Central Government under Section 37 may issue directions for blocking access to any content hosted on a “computer resource”, “in the interests of the general public, for reasons to be recorded in writing” and upon being satisfied that the same is necessary or expedient.

This may make it more difficult for platforms to navigate the Indian techno-legal ecosystem, where concerns have already been raised regarding the existing blocking powers under IT (Blocking) Rules 2008, IT Act 2000 and so on.

A problematic provision is the clause added to the bill for blocking a computer resource, which could be used for blocking websites and applications.

3. Black list vs. White list

Another major change included in the DPDP Bill 2023 is regarding the countries where data will be allowed to be transferred from India. In the earlier version, the bill had said that it will “notify countries or territories outside India to which a data fiduciary may transfer personal data”, or in other words a “white list” approach.

In contrast, in the new bill, it is expected that the Union government may, by notification, restrict the transfer of personal data by platforms to a particular country, or in other words, a “black list approach”.

The provision of a negative list approach for the cross-border transfer of personal data, instead of a white list, represents a significant shift in strategy. Under this approach, the Indian government will have the ability to regulate and limit the transfer of personal data across borders based on specific criteria that it sets.

Implication: The DPDP Bill will not override any law that provides for a higher degree of protection for, or restriction on, the transfer of personal data by an entity. The approach adopted by the Indian government in determining the criteria for the negative list, and in maintaining harmony between sectoral laws and the bill, will be crucial.

4. Data Protection Board and Appellate tribunal

The DPDP Bill 2023 proposes a tiered grievance redressal mechanism: individuals will have the option to approach the Data Protection Board of India only after they have exhausted the grievance redressal process provided by the entity. The Data Protection Board of India would be a body corporate having perpetual succession and a common seal, and may by the said name sue or be sued.

Unlike under the 2022 Bill, the Board will not have the powers accorded to a Civil Court under the Code of Civil Procedure, 1908 with respect to any decree or order passed by it; the Appellate Tribunal will have those powers instead.

As compared to the 2022 Bill, the Data Protection Board of India has been given a wider scope of powers, including directing mitigation and imposing relevant penalties on defaulters under the bill for data breaches, breaches of obligations by data fiduciaries, complaints made by data principals, and the registration of ‘consent managers’.

Instead of the High Court, as provided in the 2022 Bill, appeals would now lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which may be established as the appellate body over the Data Protection Board. An order passed by the Appellate Tribunal under the DPDP Bill will have the same effect as a decree of a civil court. The TDSAT will deal with user appeals coming from the Data Protection Board. The government expects about 90% of grievances to be resolved at the levels below the TDSAT, and hence does not expect the tribunal’s capacity to be burdened. Provisions have also been made in the new bill for a speedy appeal process, directing the Appellate Tribunal to dispose of appeals within a period of 6 months.

5. Call for information

Unlike the previous draft, under the 2023 version the Union government may be empowered to call for information from the Data Protection Board or any data fiduciary for the “purposes of the Act”. The previous draft did not have any such provision.

The Union cabinet approved the bill last month with several changes, including a clause which allows the government to direct any government agency, intermediary or platform to block or ban any information in the interest of the general public, after giving an opportunity of being heard to the ‘data fiduciary’, i.e. the company that is in possession of a person’s data and is processing it.

“Every intermediary who receives a direction issued under sub-section (1) shall be bound to comply with the same,” the bill states.

The provisions on the Centre’s powers “to direct any intermediary to furnish such information lack proportionate safeguards in terms of the circumstances under which such a direction or blocking of access is issued.” The bill also does not provide tech intermediaries with any review mechanism or appeal process.

The bill “lacks adequate legal provisions to add checks and balances to the government’s ability to direct retention and access of personal user data.”

6. Penalty

The DPDP Bill 2023 envisages penalties of up to ₹250 crore per instance in the case of a data breach, lower than the ₹500 crore penalty that was proposed in the earlier draft issued in November last year.

The penalty will depend on the number of instances, and hence the amount can be multiplied by the number of instances.

Section 37 will further enable the government to block a company, or impose financial penalties, in case of violations. “If any fiduciary does not stop violating the rules after two instances or being penalized twice, the government can ban or block the platform. This is critical for the protection of the users and to control large companies with deep pockets,” the official added.

Further, the data fiduciaries “will have to make stronger agreements with their partners or contractors because, in case of breach of data between a fiduciary and a data principal, the liability will lie with the fiduciary.”

7. Centre will decide which companies will be deemed as “significant data fiduciaries” (Section 9)

The Centre will decide which companies will be deemed “significant data fiduciaries” based on multiple factors, such as the entity’s “risk to the rights of the data principal (users)”, “potential impact on the sovereignty and integrity of India”, “risk to electoral democracy”, “security of the State”, and more.

The significant data fiduciary will be determined by the impact that entity has on user data, rather than the scale of the entity.

The open-ended determining factor for classifying an entity as a significant data fiduciary has been removed; however, there is less clarity regarding the threshold, and clauses have been added under which the government may prescribe more obligations in future.

Section 10 of the bill mandates a significant data fiduciary to have a local office and a data protection officer (DPO), making the privacy provisions much stronger.

8. Semi-Automated and Mechanical Digital Data Processing

It is observed that the bill’s scope has been expanded to include semi-automated and mechanical digital data processing.

9. Lower age of children to 15 years

The new bill, in a significant departure from the previous version of the draft released on 18 November 2022, introduces a provision that grants the government the authority to set a lower age for children for the purposes of the bill, which is currently set at 18 years. This would allow the definition of a child to be changed from those below 18 years to those below 15 years. This lowering of the age would be applicable only to those processing activities of businesses which are deemed verifiably safe by the Indian government.

A certain class of data fiduciaries, or specific functions, can be exempted from the additional obligations of processing children’s data, while the provisions are also extended to persons with disabilities who may or may not be a ‘child’.

10. Deletion of Section 43A of the Information Technology Act, 2000

Another issue with the bill is the deletion of Section 43A of the Information Technology Act, 2000 without offering a substitute for it, as the bill does not provide for compensation to be granted to data principals whose privacy has been violated and who have suffered a loss.

However, users would still be able to seek compensation through the regular legal procedure, by filing a case against the fiduciary.

11. Regressive Amendments to RTI Act

The amendments proposed to the RTI Act, 2005 (‘RTI Act’) through the DPDP Bill will severely restrict the scope of the RTI Act and adversely impact the ability of people to access information.

The DPDP Bill proposes the following amendment to the RTI Act: “44 (3) In section 8 of the Right to Information Act, 2005, in sub-section (1), for clause (j), the following clause shall be substituted, namely: — “(j) information which relates to personal information;””

The proposed amendment to section 8(1)(j) of the RTI Act therefore seeks to exempt all personal information. It does away with the exceptions carved out within the section on the basis of which personal information could previously have been disclosed. Currently, in order to deny personal information, at least one of the following grounds has to be proven: the information sought has no relationship to any public activity; or the information sought has no relationship to any public interest; or the information sought would cause an unwarranted invasion of privacy and the PIO/appellate authority is satisfied that there is no larger public interest that justifies disclosure. The proposed blanket exemption is especially problematic since it does not limit the exemption from disclosure to sensitive personal information only.

Further, the proposal to amend the RTI Act through the Data Protection Bill appears to have been drafted based on an incorrect understanding of the RTI law. The draft Bill errs in interpreting the proviso to section 8(1), which states that “information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person” as being only applicable to section 8(1)(j) and not to the whole of section 8(1).

A perusal of the original gazette notification of the RTI Act shows that by virtue of its placement and indentation, it is applicable to all of section 8(1) and not merely section 8(1)(j). There are several judicial pronouncements to this effect.

It is well established that access to granular information, including personal information, is critical to empower people to undertake collective monitoring and ensure they are able to access their rights and entitlements. This principle is well recognised and has been adopted in various welfare programs and schemes.

The proposed Bill will potentially place impediments and restrictions on such public disclosures.

The amendments proposed to the Right to Information Act, 2005 through the Data Protection Bill will fundamentally weaken the RTI Act.

Neither the recognition of the Right to Privacy, nor the enactment of a data protection law, requires any amendment to the existing RTI law. Therefore, there should be no amendments to the RTI Act.

Dangers in the Digital Personal Data Protection Bill

1. Excessive powers vested in Central government

Given that the government is the biggest data repository, an effective data protection law must not give wide discretionary powers to the government.

The DPDP Bill, 2023, however, empowers the government to draft rules and notifications on a vast range of issues (S. 40). The Union government can exempt any government or even private sector entity from the application of provisions of the law by merely issuing a notification, potentially resulting in immense violations of citizens’ privacy (S. 17(2) and 17(3)).

With the executive vastly empowered to draft rules and notifications on a range of issues, India might end up with a law that takes away the right to seek personal information.

2. Lack of independence of the Data Protection Board

It is concerning to note the lack of autonomy of the Data Protection Board, the principal authority under the DPDP Bill 2023 for enforcing compliance with the provisions of the legislation. Section 19 of the bill vests wide powers in the Central Government, including appointing the Chairperson and members and deciding the strength of the Board.

This lack of independence of the oversight mechanism is extremely worrying, and it is imperative that such a board function without the interference of the Central Government in order to protect the rights of the people.

3. Exclusionary and outside the reach of millions of Indians

The proposal that the Board will be ‘digital by design’, including in the receipt of complaints, the pronouncement of decisions and other functions, will make it exclusionary and outside the reach of millions of Indians.

Feel free to reach out and discuss. Send your opinions and comments to rashna@jehanilegal.com
