The Ministry of Electronics and Information Technology (MeitY) recently released the draft of the Digital Personal Data Protection (DPDP) Bill 2022 by inviting public comments and consultations on the provisions of the updated bill. The draft bill aims to delineate the provision of personal data protection in the country in line with the increasing relevance of digital processes and tools in everyday life. From private companies (domestic and international) to state and Union governments, the use of digital technologies is increasingly becoming the mainstay of interaction with the public.
The availability of digital devices, primarily smartphones at low rates and the government’s push to take the internet to every nook and corner of the country, has effectively created a situation where access to online services has overtaken access to any other form of service or goods. Moreover, when digital service providers are no longer limited to domestic entities only, the need for regulation of private businesses and governments’ engagement with citizens and their data is becoming more important. The draft DPDP Bill aims to fill the gap between existing legislation and the need for regulation of entities dealing with large amounts of personal data of individuals.
The Bill comes on the back of an earlier draft of the data protection bill, Personal Data Protection Bill, 2019, which the government withdrew from the Lok Sabha in August 2022. This had been under review by the joint committee of the parliament which called for more than 80 amendments and at least a dozen recommendations. We take a look at the key provisions of the new bill, its relevance for India’s digital economy, and what it means for individuals and those using the personal data of individuals.
Provisions of the 2022 Bill
The draft bill changes the contours of citizen engagement with a data fiduciary. A data fiduciary is any entity that asks for, stores, and uses personal data in digital format. The Bill is based on seven core principles of personal data protection:
• Lawful and transparent usage of personal data
• Usage only for the purpose collected
• Data minimisation
• Data accuracy in collection
• Fixed duration of storing data
• Reasonable safeguards to protect stored data
• Accountability in data processing.
The Bill aims to extend the fundamental right of privacy to citizens in the digital realm, ensuring that any personal data extracted by data fiduciaries from an individual, referred to as the data principal, is collected, stored, processed, and used in a manner that is legal, done with explicit consent of data owner, and has adequate protections.
It clarifies the need for individuals to know items of personal data collected and the purpose it will be used for, apart from the scope for further processing and usage. The Bill also gives individuals the right to withdraw consent from a data fiduciary. According to the Bill, personal data includes potentially sensitive information such as phone numbers, addresses, religious beliefs, political opinions, financial records etc.
Companies are known to use the data of individuals collected during routine browsing and online usage for purposes other than originally intended. There have been instances where the original collector of data has sold it to third parties without explicit or implicit consent of the owner. Moreover, weak data protection measures by data fiduciaries have left channels open where individuals are at risk of exploitation by cyber criminals if the data is stolen or leaked. The Bill addresses these concerns by providing for rules and regulations to data fiduciaries in the maintenance and storage of data and codifies the responsibilities and liabilities of the data fiduciaries to hold them accountable.
Existing Provisions for Personal Data Protection
According to a report published in July 2022 by the Internet and Mobile Association of India (IAMAI), India has around 69.2 crore active internet users – 35.1 crore from rural India and 34.1 crore from urban India – with a projected increase in internet users to 90 crore by 2025. The expanding scope and scale of internet usage and digital transactions call for better regulation and protective measures with user interests at the forefront. Existing laws and regulations in India lack the required framework to deal with the massive scale of online transactions and data storage by different agencies, a large number of which are based outside the country. Low digital literacy levels coupled with the exponential rise in instances of cyber crime has made users vulnerable to targeted abuse and misuse of their personal data.
Existing laws regulating the online framework of the country include the Information Technology (IT) Act 2008, with certain provisions relating to personal data privacy and protection. The IT Act primarily deals with information security, not data protection. It regulates limited aspects of personal data use on IT networks within India and lacks a comprehensive framework of rules or regulations needed to protect personal data processing or transfers. Other laws that include provisions to protect individual citizens from cyber crime include the Indian Penal Code, 1860 (dealing only with cyber crime). Sectoral regulators overseeing activities of private entities include the Reserve Bank of India (RBI), Insurance and Regulatory Development Authority of India, Pension Fund Regulatory and Development Authority (PFRDA), and Securities and Exchange Board of India (SEBI), amongst other sector-specific regulations
Barring sector-specific regulators and some IT firms, other major digital platforms such as social media giants Facebook, Twitter, and Instagram, and e-commerce platforms such as Amazon and Flipkart, which store and use personal data of citizens ranging from names, phone numbers, and email IDs to financial details largely remain out of reach of the law.
Government agencies are also increasingly becoming giant storehouses of personal data with the increasing use of e-governance and digitisation of transactions. There is an obvious need for adequate regulation to ensure the protection of citizens’ sensitive data.
New and Old Provisions for Sensitive Data
The 2022 bill leaves it in the hands of the central government to formulate detailed provisions of the law, earmark ‘Significant Data Fiduciaries’ – entities dealing with high volume of personal data, exempt private entities from application of the bill purportedly for the benefit of domestic startups and exemption of government agencies on grounds of national security.
It imposes heavy penalties on businesses that undergo data breaches or fail to notify users in event of breaches. Data fiduciaries failing to take “reasonable security safeguards” to prevent personal data breaches may be fined as high as Rs 250 crores.
While the draft digital personal data protection bill intends to provide measures to safeguard citizens against misuse of their personal data, experts caution that the bill has introduced significant dilutions in regulatory provisions especially when it comes to central government’s powers. The bill opens doors for the executive to decide which private entities and government bodies will be exempt from the regulatory provisions.
The bill adds an additional layer of protection for minors, requiring consent from the parents or the guardian to access the data. It also opens doors for post-mortem privacy allowing data principals to nominate another individual to manage their data in case of death or incapacity.
Cautionary Note: Inadequate Protections?
In an environment where e-governance and digitisation of government-citizen interface is becoming the norm rather than the exemption, government entities are emerging as data fiduciaries in their own right, storing and using large amounts of personal data of individuals. With the central government acting as both the data fiduciary and the enforcer of law, there will be limited scope for transparency in personal data protection.
The previous draft provided for setting up the Data Protection Authority with a wider remit, and oversight over cross-border data flows and data audits, issuing codes of practice, research and awareness building, among other things. The current bill, on the other hand, provisions setting up a Data Protection Board as the regulator. The board’s role will be limited to enforcement and penalties, with other aspects of implementing the law left entirely up to the central government and not the specialised regulator. Moreover, the central government will have much more control over appointing members to the board, unlike the 2019 bill which set the stage for an independent regulatory body.
The bill addresses another key stakeholder concern relating to cross-border storage and transfer of data. The provisions of the previous draft which called for domestic storage of all data of Indians were considered too stringent, especially for smaller firms. The bill no longer mandates local storage of data but also does not allow the free flow of information outside the country. Provisions and limitations imposed on moving data out of the country are regulated by the central government and businesses can only transfer data to countries notified by the Indian government. According to experts, the proposed law’s data localisation provisions are now more in line with Europe’s General Data Protection Regulation (GDPR), one of the most notable data protection laws in the world. Demand for a more lenient framework in data localisation has been a key point of contention.
Need to Address Loopholes in the New Bill
In the past few years, India has witnessed several data breaches, ranging from minor incidents to mass leakages. In 2021, in the case of one of the minor breaches, COVID-19 Tests Results of 1,500 Indians were leaked online whereas during the 2018 Aadhaar data breach, records of more than 110 crore Indian citizens were compromised as criminals allegedly sold access to data at the rate of 500 rupees for 10 minutes. In a 2019 JustDial Data Breach, data of 10 Crore users was compromised whereas credit card details of 10 lakh people were put for sale during the 2021 Domino’s India data breach.
The above instances clearly point towards the need for a comprehensive personal data protection bill that holds data fiduciaries accountable for collecting and maintaining sensitive personal data. While the proposed law addresses the current gaps in legislation, some provisions of the law that leave more power in the hands of the executive are questionable given the government’s own role as a major data fiduciary. Wider public consultation should help address the loopholes and help build a robust framework of personal data protection in the country with individual concerns and fundamental right to privacy as the pivot of personal data protection laws.