PART A: HIGHLIGHTS OF THE BILL
Context
Personal data is information that relates to an identified or identifiable individual. Businesses as well as government entities process personal data for delivery of goods and services. Processing of personal data allows understanding preferences of individuals, which may be useful for customisation, targeted advertising, and developing recommendations. Processing of personal data may also aid law enforcement. Unchecked processing may have adverse implications for the privacy of individuals, which has been recognised as a fundamental right.[1] It may subject individuals to harm such as financial loss, loss of reputation, and profiling.
Currently, India does not have a standalone law on data protection. Use of personal data is regulated under the Information Technology (IT) Act, 2000.[2],[3] In 2017, the central government constituted a Committee of Experts on Data Protection, chaired by Justice B. N. Srikrishna, to examine issues relating to data protection in the country. The Committee submitted its report in July 2018.[4] Based on the recommendations of the Committee, the Personal Data Protection Bill, 2019 was introduced in Lok Sabha in December 2019.[5] The Bill was referred to a Joint Parliamentary Committee, which submitted its report in December 2021.[2] In August 2022, the Bill was withdrawn from Parliament. In November 2022, a Draft Bill was released for public consultation.[6] In August 2023, the Digital Personal Data Protection Bill, 2023 was introduced in Parliament.[7]
Key Features
PART B: KEY ISSUES AND ANALYSIS
Exemptions to the State may have adverse implications for privacy
Personal data processing by the State has been given several exemptions under the Bill. As per Article 12 of the Constitution, the State includes: (i) central government, (ii) state government, (iii) local bodies, and (iv) authorities and companies set up by the government. There may be certain issues with such exemptions.
The Bill may enable unchecked data processing by the State, which may violate the right to privacy
The Supreme Court (2017) has held that any infringement of the right to privacy should be proportionate to the need for such interference.[1] Exemptions for the State may lead to data collection, processing, and retention beyond what is necessary. This may not be proportionate, and may violate the fundamental right to privacy.
The Bill empowers the central government to exempt processing by government agencies from any or all provisions, in the interest of aims such as the security of the state and maintenance of public order. None of the rights of data principals and obligations of data fiduciaries (except data security) will apply in certain cases such as processing for prevention, investigation, and prosecution of offences. The Bill does not require government agencies to delete personal data, after the purpose for processing has been met. Using the above exemptions, on the ground of national security, a government agency may collect data about citizens to create a 360-degree profile for surveillance. It may utilise data retained by various government agencies for this purpose. This raises the question whether these exemptions will meet the proportionality test.
For interception of communication on grounds such as national security, the Supreme Court (1996) had mandated various safeguards including: (i) establishing necessity, (ii) purpose limitation, and (iii) storage limitation.[8],[9] These are similar to the obligations of data fiduciaries under the Bill, the application of which has been exempted. The Srikrishna Committee (2018) had recommended that in case of processing on grounds such as national security and prevention and prosecution of offences, obligations other than fair and reasonable processing and security safeguards should not apply.[4] It observed that obligations such as storage limitation and purpose specification, if applicable, would be implemented through a separate law. India does not have any such legal framework.
In the United Kingdom, the data protection law enacted in 2018, provides similar exemptions for national security and defence.[10] However, actions such as bulk processing of personal datasets by government agencies for intelligence and law enforcement activities are regulated under the Investigatory Powers Act, 2016.[11] A warrant for such action is issued by the Secretary of State (i.e., Home Minister), which requires prior approval by a Judicial Commissioner. Necessity and proportionality for such actions must be established. Data retention beyond the period of warrant is restricted. This law also provides for parliamentary oversight.
Whether overriding consent for purposes such as benefit, subsidy, license, and certificates is appropriate
The Bill overrides consent of an individual where the State processes personal data for provision of benefit, service, license, permit, or certificate. It specifically allows use of data processed for one of these purposes for another. It also allows use of personal data already available with the State for any of these purposes. Hence, it removes purpose limitation, which is one of the key principles for protection of privacy. Purpose limitation means data should be collected for specific purposes, and should be used only for that purpose.[4] The question is whether such exemptions are appropriate.
Since data taken for various purposes could be combined, this could allow profiling of citizens. On the other hand, if consent were required, individuals would have the autonomy and control over collection and sharing of their personal data.
The Bill does not regulate harm arising from processing of personal data
The Bill does not regulate risks of harms arising out of processing of personal data. The Srikrishna Committee (2018) had observed that harm is a possible consequence of personal data processing.[4] Harm may include material losses such as financial loss and loss of access to benefits or services.[4] It may also include identity theft, loss of reputation, discrimination, and unreasonable surveillance and profiling.[4] It had recommended that harms should be regulated under a data protection law.[4]
The Personal Data Protection Bill, 2019 had defined harm to include: (i) mental injury, (ii) identity theft, (iii) financial loss, (iv) reputational loss, (v) discriminatory treatment, and (vi) observation or surveillance not reasonably expected by the data principal.[12] The 2019 Bill required data fiduciaries to take measures to prevent, minimise, and mitigate risks of harm.[13] These included undertaking evaluation of these risks in impact assessments and audits.[13] It also granted the data principal the right to seek compensation from the data fiduciary or data processor, where the data principal has suffered harm.[14] The Joint Parliamentary Committee, examining the 2019 Bill, had recommended retaining the provisions regarding harm arising from processing of personal data.[2] The General Data Protection Regulation (GDPR) of the European Union also regulates risks of harm and provides for compensation to the data principal in the event of harm.[15]
Right to data portability and the right to be forgotten not provided
The Bill does not provide for the right to data portability and the right to be forgotten. The 2018 Draft Bill and the 2019 Bill introduced in Parliament provided for these rights.[16],[17] The Joint Parliamentary Committee, examining the 2019 Bill, recommended retaining these rights.[2] GDPR also recognises these rights.[18] The Srikrishna Committee (2018) observed that a strong set of rights of data principals is an essential component of a data protection law.[4] These rights are based on principles of autonomy, transparency, and accountability to give individuals control over their data.[4]
Right to data portability: The right to data portability allows data principals to obtain and transfer their data from a data fiduciary for their own use, in a structured, commonly used, and machine-readable format. It gives the data principal greater control over their data. It may facilitate the migration of data from one data fiduciary to another. One possible concern has been that it may reveal trade secrets of the data fiduciary.[4] The Srikrishna Committee (2018) had recommended that to the extent it is possible to provide the information without revealing such trade secrets, the right must be guaranteed.[4] The Joint Parliamentary Committee had observed that trade secrets cannot be a ground to deny the right to data portability, and it may only be denied on the ground of technical feasibility.[2]
Right to be forgotten: The right to be forgotten refers to the right of individuals to limit the disclosure of their personal data on the internet.[4] The Srikrishna Committee (2018) observed that the right to be forgotten is an idea that attempts to instil the limitations of memory into an otherwise limitless digital sphere.[4] However, the Committee also highlighted that this right may need to be balanced with competing rights and interests. Exercise of this right may interfere with someone else's right to free speech and expression and the right to receive information.[1] Its applicability may be decided on factors such as the sensitivity of the personal data to be restricted, the relevance of the personal data to the public, and the role of the data principal in public life.[1]
Adequacy of protection in case of cross-border transfer of data
The Bill provides that the central government may restrict the transfer of personal data to certain countries through a notification. This implies that transfer of personal data to all other countries is permitted without any explicit restrictions. The question is whether this mechanism will provide adequate protection.
The aim of regulating the transfer of personal data outside India is to safeguard the privacy of Indian citizens.[2] In the absence of robust data protection laws in another country, data stored there may be more vulnerable to breaches or unauthorised sharing with foreign governments as well as private entities. The 2019 Bill required that for certain categories of data, transfer to a country should be allowed only if it provides an adequate level of protection.[19] The 2022 Draft Bill took a different approach, with the central government notifying countries where any personal data may be transferred.[20] Both these mechanisms require a case-by-case evaluation of the standards in every country to which data may be transferred. The mechanism to restrict countries selectively does not require such exhaustive evaluation.
Shorter appointment term may impact independence of the Board
The Bill provides that the Data Protection Board of India will function as an independent body. Members will be appointed for two years and will be eligible for re-appointment. A short term with the scope for re-appointment may affect independent functioning of the Board.
Key functions of the Board are monitoring compliance, carrying out investigations, and adjudging penalties. In the case of Tribunals, the Supreme Court (2019) had observed that a short term along with provisions for re-appointment increases the influence and control of the Executive.[21] Regulatory authorities with an adjudicatory role, such as the Central Electricity Regulatory Commission and the Competition Commission of India, have a term of five years under their respective Acts.[22],[23] In the case of TRAI, the term of appointment is three years.[24] The term of appointment to SEBI is five years, specified through Rules.[25]
Additional provisions for children
Additional obligations apply to processing data of children. We discuss issues with these provisions below.
Definition of child different from other jurisdictions
While it is an accepted principle that the processing of a child's data should be subject to greater protection, there are differences in how jurisdictions define a child for the purpose of giving consent to the processing of personal data. Under the Bill, a child has been defined as a person below 18 years of age. In the USA and the UK, persons above the age of 13 can give consent for the processing of personal data.[26],[27] GDPR of the European Union sets this age at 16; member countries may lower it to 13.[28] The Srikrishna Committee (2018) had recommended that while determining the age of consent for children, certain factors should be considered. These include: (i) a minimum age of 13 and a maximum age of 18, and (ii) a single threshold for ensuring practical implementation.[4] It also observed that 18 years may be too high from the perspective of the full autonomous development of a child.[4] However, to be consistent with the existing legal framework, the age of consent should be 18 years.[4] Under the Indian Contract Act, 1872, the minimum age to sign a contract is 18.[29]
Taking verifiable parental consent may require verification of everyone’s age on digital platforms
The Bill requires all data fiduciaries to obtain verifiable consent from the legal guardian before processing the personal data of a child. To comply with this provision, every data fiduciary will have to verify the age of everyone signing up for its services. This will be needed to determine whether the person is a child, and thereby whether consent must be obtained from their legal guardian. This may help avoid instances of children giving false declarations. However, this may reduce anonymity in the digital sphere.
Lack of clarity on what constitutes detrimental to well-being of a child
The Bill provides that a data fiduciary will not undertake any processing which has a detrimental effect on the well-being of a child. The Bill has not defined detrimental effect. It has also not provided any guidance for determining such an effect.
Exemption from notice for consent may not be appropriate
The Bill empowers the central government to notify certain data fiduciaries or classes of data fiduciaries including startups from certain obligations. This must be done with due regard to volume and nature of personal data. One of the obligations which may be exempted is notice for consent. The requirement to seek free and informed consent will continue to apply in case of these entities. However, if there is no obligation to provide notice regarding nature of data collected and purpose of processing, it may be argued that a data principal will not be able to provide informed consent.
Drafting issue
Clause 27(1)(e) refers to sub-section (2) of Clause 36; however, Clause 36 does not have any sub-sections.
Key differences between various drafts of the Data Protection Law
Table 1: Comparison of various drafts of the Data Protection Law
Drafts compared (columns): (i) The Draft Personal Data Protection Bill, 2018; (ii) The Personal Data Protection Bill, 2019; (iii) Recommendations of the Joint Parliamentary Committee; (iv) The Digital Personal Data Protection Bill, 2023.
Aspects compared (rows): Scope and Applicability; Reporting of data breaches; Exemptions from provisions of the Bill for the security of the state, public order, prevention of offences etc.; Right to Data Portability and Right to be Forgotten; Harm from processing of personal data; Regulator; Transfer of personal data outside India.
Sources: The Draft Personal Data Protection Bill, 2018; The Personal Data Protection Bill, 2019 and the Digital Personal Data Protection Bill, 2023 as introduced in Lok Sabha; Report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019; PRS.
[1]. Justice K.S. Puttaswamy (Retd) vs. Union of India, W.P. (Civil) No 494 of 2012, Supreme Court of India, August 24, 2017.
[4]. ‘A Free and Fair Digital Economy Protecting Privacy, Empowering Indians’, Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, July 2018.
[6]. The Draft Digital Personal Data Protection Bill, 2022, Ministry of Electronics and Information Technology, November 18, 2022.
[7]. The Digital Personal Data Protection Bill, 2023, as introduced in Lok Sabha.
[8]. Rule 419A, The Indian Telegraph Rules, 1951 issued under Section 7 (2) of the Indian Telegraph Act, 1885.