The Ministry of Electronics and Information Technology (MeitY) has published a draft version of the Digital Personal Data Protection Bill, 2022 (hereinafter the Bill) for public comments to be submitted by January 2, 2023. The current draft is the fourth version of the personal data protection bill, and it comes more than five years after the Puttaswamy decision asked the government to frame a “robust regime for data protection” that balances “individual interests and legitimate concerns of the state”. The Court also declared that privacy is a fundamental right under Article 21, and that any impingement on the right needed to be through a law with a procedure that is just, fair, and reasonable. IT for Change's critique is rooted in these principles. The key areas of our submission are outlined below:
- The Bill has diluted the constitutional basis of personal data protection. The normative moorings of the 2019 version in the fundamental right to privacy and accountability of data fiduciaries for unauthorized and harmful processing are missing in the current Bill.
- The chapter on Data Fiduciaries lacks rigor in laying out the obligations of data fiduciaries to ensure lawfulness, fairness and transparency of personal data processing – principles that are foundational to robust personal data protection legislation. By reducing storage limitation to the obligation of data fiduciaries to remove identifiers from personal data sets (after the initial business or legal purpose of data processing is met), the Bill fails to preserve the rights of data principals from the reuse of anonymized personal data.
- The introduction of the concept of ‘Deemed consent’ as a basis for processing personal data gives state agencies sweeping powers to process personal data without any necessity and proportionality safeguards.
- The Bill has an extremely limited conceptualization of the rights of the data principal. The right of data access (as outlined in Section 12) does not mandate an obligation on the data fiduciary to provide the information sought in a clear and concise manner that is comprehensible to a reasonable person. Section 13(2)(d) provides a qualified right to erasure that does not guarantee the right to be forgotten. The critical right of data portability has been omitted as has been the right to raise objections to non-consensual processing on the basis of public interest/legitimate interest grounds. These gaps result in a failure to safeguard the full spectrum of rights for data principals.
- The Bill enables the Central Government to notify countries where personal data can be transferred by data fiduciaries, leaving the question of the terms and conditions of such transfer and the criteria that must guide the selection of countries unspecified. First, the restrictions on cross-border data transfers of Sensitive Personal Data in the 2019 version have been done away with, opening up a Pandora’s Box of risks to privacy. Second, there are no clear criteria for determining the selection of countries to which personal data may be transferred.
- The Data Protection Board of India in the Bill (Board) has only been created in name. All its powers, composition, and management have been left to rule-making by the Central Government, which defeats the purpose of the Bill. Instead of being a full-fledged regulator, the Board has been relegated to the role of a post-facto quasi-adjudicatory body, with the mandate to determine non-compliance with this law, impose penalties, and perform any other activity that the Central Government may assign.
Read our full submission here.