In 2017, a nine-judge bench of the Supreme Court said that the right to privacy is a fundamental right, protected under Articles 14 (Equality before law), 19 (Protection of certain rights regarding freedom of speech, etc), and 21 (Protection of life and personal liberty) of the Constitution. This verdict, also known as the Right to Privacy verdict, was passed in the landmark Justice Puttaswamy and Another vs Union of India case.
Subsequently, in 2018, the first draft of the Personal Data Protection Bill was prepared by an expert committee set up by the Ministry of Electronics and Information Technology (MeitY) and headed by Justice BN Srikrishna. The Bill, after some changes in the draft, was introduced in the Parliament in 2019 as Personal Data Protection Bill, 2019, and was referred to a Joint Parliamentary Committee (JPC) headed by Bharatiya Janata Party (BJP) MP Meenakshi Lekhi. Since some members of the JPC were then elevated as ministers, the draft was modified by a new team under chairperson PP Choudhury.
The Bill was then tabled in 2021 in the Parliament. It was deliberated and many recommendations were proposed. The MeitY subsequently withdrew the Bill this year, stating that a more comprehensive legal framework will be worked upon.
Now, the MeitY has released a fresh draft of the Digital Personal Data Protection Bill, 2022, and has invited public consultation on the provisions by December 17, 2022. The draft aims to “provide for the processing of digital personal data in a manner that recognises the right of individuals to protect their personal data, the need to process personal data for lawful purposes and for other incidental purposes,” according to an explanatory note released along with it. The Bill also proposes the constitution of a Data Protection Board of India to carry on the functions mentioned.
The explanatory note issued by the MeitY lists seven major principles of data economy on which the new draft is based:
1. The usage of personal data by organisations must be done in a lawful, fair, and transparent manner.
2. The use of personal data is limited to the purposes for which it was collected.
3. Data minimisation - only those aspects of personal data required for the specific purpose must be collected.
4. Reasonable effort must be made to ensure that the personal data collected is updated and accurate.
5. Personal data must not be stored in perpetuity. It must be stored for a limited duration as necessary for the purpose at hand, and not retained beyond that.
6. To prevent a personal data breach, reasonable safeguards must be taken to ensure that no unauthorised collection or processing of data occurs.
7. To ensure accountability, the person who decides the purpose and means of processing a certain kind of personal data must be held accountable for such processing.
The new Bill does away with data localisation as proposed in the previous iterations. Section 17 of the Bill states that personal data transfers outside India will take place only to countries notified by the Indian government after considering and assessing necessary factors. Earlier, all personal data was to be stored in India, and transferred as per a contract or intra-group scheme approved by the Data Protection Authority, after obtaining explicit consent from the Data Principal.
However, Section 18 lays down exceptions to this clause, wherein transfer of personal data beyond India is permissible under the following situations: to enforce any legal right or claim; in the interests of prevention, detection, investigation, or prosecution of any offence or contravention of any law; by any court, tribunal, or other body in India where it is necessary for the performance of judicial and quasi-judicial functions; and where personal data is outside of India and processed pursuant to a contract entered into with any person outside India by any person based in India. The Union government may also by notification exempt these provisions in the interest of national sovereignty, integrity, or security.
The Data Fiduciaries, or the authorities who determine the nature of the data to be collected, can now process personal data for lawful purposes. This raises the question of introducing ‘deemed consent’ from the Data Principal, or the individual to whom the data belongs or is related. This again gives wide powers to the state and authorities to process personal data without always having to obtain explicit consent.
As mentioned earlier, the new Bill gives vast powers to the Union government to retain data, and exempt personal data from the protection of the provisions of the Bill in specific circumstances. This has also been the case with the earlier iterations and has been critiqued widely since it may lead to the formation of a surveillance state and hamper the privacy of citizens.
The earlier versions of the Bill said parental consent must be obtained before processing children’s data. The new version tightens the wording and says ‘verifiable parental consent’. The parent here also includes the lawful guardian.
The present version of the Bill does not deal with non-personal data. The 2018 and 2019 versions also did not deal with such data, but the 2021 version did mention that non-personal data is also derived from personal data of various kinds, and hence, must be included in the ambit of this law.
While the 2022 Bill applies to all processing of personal data carried out in a digital mode, including both data collected online and offline data that might be digitised for usage, it completely excludes data processed manually. In earlier versions of the Bill, only manual data processed by ‘smaller entities’ was excluded. The Bill states that these four are excluded from the purview of the Bill: non-automated processing of personal data; offline personal data; personal data processed by an individual for any personal or domestic purpose; and personal data about an individual that is contained in a record that has been in existence for at least 100 years. This exclusion provides for a lag in the protection offered to data.
The Personal Data Protection Bill has also introduced the concept of a ‘Consent Manager’. According to the draft Bill, a Consent Manager can be an entity that acts on behalf of the Data Principal and is accountable to the Data Principal. “The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager,” the Bill states. It also elaborates that Consent Managers should be registered with the Data Protection Board of India established by the Union Government for the purposes of this Act.
The data protection authority is stated to be the Data Protection Board of India, which will apparently be responsible for determining non-compliance with the Act and imposing penalties, as well as performing functions assigned by the Union government. However, it is to be noted that the authority is not independent in nature, as it will be the Union government that will appoint a chairperson and list the terms and conditions of the body and its workers.
Another salient feature added to the ‘Rights and Duties of Data Principal’ of the Personal Data Protection Bill, 2022, based on the recommendation of the JPC, is the right to nominate any individual to exercise the rights of the Data Principal in the event of the Data Principal's death or incapacity. ‘Incapacity’ is defined as the inability to exercise rights due to unsoundness of mind or body.
This is one of the most important amendments that has been under discussion. Section 8(1)(j) has been amended to put a restriction on sharing personal information that is not of a larger public interest.
Section 8 deals with exemption from disclosure of information, and the particular clause in the previous draft states that personal information, even information that has no relationship to any public activity or interest, can be disclosed if the concerned authority (Central Public Information Officer (CPIO) or the State Public Information Officer (SPIO) or the appellate authority) finds that it satisfies the larger public interest.
However, with the amendment, the clause has been altered so as to exempt the disclosure of any personal information to any citizen. This means that there is a chance that the sought-out information might be denied, which might curb the scope of the Right to Information Act (RTI). This may become a concern, especially in situations where the personal finances or assets of individuals entangled in corruption allegations and the like come up. If this amendment is approved, it may drastically change the scope of the RTI Act, and deny personal information in crucial circumstances under a blanket restriction.
The draft of The Digital Personal Data Protection Bill, 2022, can be accessed here, and the explanatory note here. Public views, opinions, and criticism can be submitted here before December 17, 2022.
Seeking your views on draft Digital Personal Data Protection Bill, 2022.
Link below: https://t.co/8KfrwBnoF0
— Ashwini Vaishnaw (@AshwiniVaishnaw) November 18, 2022