One of the standout features of the draft data protection bill is the use of ‘she/her’ to refer to the individual instead of the conventional ‘he’. Having read many legislative documents, I see this as a pleasant change, reflecting an open mindset in the Government and respect for diversity.
In 2014, the Modi Government made its intentions clear that India needs to move into the digital economy. Universal access to banking, an affordable mobile phone for every citizen, increasingly digitised transactions and an aspirational Ayushman Bharat covering almost half of the Indian population are some of the key steps the government has taken towards its “Digital India” goal. As part of these initiatives, individuals’ information moves between the public and private domains. In addition, Aadhaar, election cards, ration cards and passports are avenues through which public institutions collect personal information and digitise it. Social media and networks such as Google, Facebook and Twitter not only collect personal information but also capture individual choices, preferences, pictures and even their connections. Healthcare institutions collect large volumes of sensitive personal information.
All this information is like currency that can be used or misused. The Digital Personal Data Protection Bill, 2022 (DPDP, 2022) aims to prevent misuse without impeding the legitimate use of the personal information of Indian citizens. It is important that the legislation does not add another layer of bureaucracy and controls that impedes the legitimate use of data. The Ministry of Electronics & Information Technology (MeitY) has done a fine job of creating a balanced draft and is inviting inputs from all stakeholders. Every informed citizen, civil society organisation and policy researcher must contribute to creating a robust law that aligns with India’s growth aspirations and serves its purpose for years to come.
The current draft has tried to address the issue of data localisation, which was a mandatory requirement in the earlier version released in 2019. Some (friendly) countries will be exempted from the localisation requirement, and the list of these countries will be decided by the central government. What is unclear is the criteria for deciding the exemption list and how the list will be monitored and amended over time. For example, Russia is a friendly country but ranks high in data breaches. A country on the exemption list today might not be there next year; what will happen to the data already parked outside India during the exemption period? By the same logic, can an Indian company store personal data in another friendly country but not in India? According to a NordVPN report, the largest share of the stolen data traded on cybercrime markets belongs to Indians, around 600,000 of them, and includes financial information and passwords. It becomes difficult to fix accountability on a data fiduciary or processor that sits outside the purview of Indian law enforcement authorities.
The draft Bill outlines the obligations of the data fiduciary (the entity entrusted with the data) towards the data principal (the owner of the data). The data fiduciary will have deemed consent (Section 8) when the data principal provides personal information in order to obtain a service. Such information may include the name, mobile number and even the credit card number (e.g., for a hotel or restaurant booking and the payment for it). The data principal has no say in how the information is used after the service has been provided, and no option to withdraw the consent.
Hospitals and healthcare electronic devices collect a great deal of personal data, including sensitive health information. Will this too be covered by deemed consent? Since the draft has removed the category of “sensitive personal information”, such data will potentially fall in the same category as the information a restaurant collects when booking a table.
The Data Protection Board of India has been made very powerful, with limited recourse for the data principal. Both decision-making and enforcement have been entrusted to the Board, with a potential risk of misuse. Section 21(13) states that “every person shall be bound by the orders of the Board. Every order made by the Board shall be enforced by it as if it was a decree made by the civil court”. Since the functioning of the Board and the decisions it takes will have limited accessibility under the RTI Act (the draft seeks an amendment to the RTI Act, 2005), decision making will be non-transparent. The Bill also provides complete immunity to the Chairperson, members and employees of the Board against legal action. In short, the proposed Bill makes the Board completely invincible, and the objectivity of its decisions can be questioned.
Non-compliance penalties, capped at Rs 500 crore, are stringent and will work as an effective deterrent. However, the criteria the Board will use to determine a penalty are very subjective. For example, under Section 25(2)(g) the Board will consider ‘the likely impact of the imposition of the financial penalty on the person’. This needs clarity. On the flip side, an amount of Rs 500 crore, or even less, will be too heavy for the MSME sector and start-ups.
If the violating entity is not located in India, it will be difficult to enforce the Board’s decisions. If the data fiduciary is unable to pay the penalty, the recourse available to the Board has not been defined. The Bill does not entitle the data principal to any compensation. However, if the Board decides that a complaint is frivolous (Section 16) and not supported by verifiable documents, the data principal can be fined Rs 10,000. The data fiduciary will have access to legal resources that the data principal may not. Hence, the current framework does not encourage data principals to come forward and report misuse.
Overall, the Bill is a good effort to balance data protection and ease of doing business as India becomes a globally integrated economy. However, in the process of simplification, critical pieces of data protection have been left out. Efforts should be made to make the Bill robust, clear and actionable, even at the cost of some simplicity and some delay.
Rakesh K Chitkara has led the public policy practice for major US corporations including Abbott Lab, General Electric, Dow Chemical and Monsanto.