A fourth draft of the long-awaited personal data Bill, now called the Digital Personal Data Protection Bill, 2022, has been released for public comment. This has some positive suggestions and it plugs some loopholes, making it an improvement on prior iterations. But it continues to suffer from broad provisions enabling mass surveillance. It introduces the concept of fining data-owners (“data principals”) for some offences, and imposes unrealistically high penalties upon data processors and fiduciaries. It has only about one-third the clauses of the prior versions, with the promise of a follow-up drafting of rules to more closely define the legal landscape. This makes it hard to critique since many of the key details are effectively missing.
The basic concept of a Data Protection Board to ensure compliance with the Bill is sound. But such a board would have to be a statutory institution independent of government interference. The composition of the board, selection process, terms of appointment, and removal of its chairperson and other members shall be “prescribed by the Union Government at a later stage” and the chief executive is to be a Central appointee. This doesn’t promise independence, which is crucial to the credible functioning of this proposed body.
The new draft addresses some significant prior lacunae. For example, it requires data fiduciaries to notify data principals in cases of breach. Fiduciaries must notify the board and principals whenever there is a breach, irrespective of its nature. The board may issue directions to adopt urgent measures to remedy breaches or mitigate harm. The role of the board vis-a-vis the Computer Emergency Response Team (CERT-In) will need to be defined to ensure coordination, given an overlap in function.
The Bill does drop the clauses that would have required fiduciaries to notify principals about any third parties with whom data may be shared, the duration of storage, and the possibility of cross-border transfers. Fiduciaries may thus obtain consent for data collection while providing only limited information.
The Bill also addresses the processing of the personal data of minors. It prohibits the tracking or behavioural monitoring of minors, or targeted advertising directed at them. However, the Union government is permitted to exempt fiduciaries from these requirements without specifying criteria or standards required for such exemptions.
An insistence on localisation has been removed and replaced with a “whitelist” provision listing nations to which fiduciaries can transfer personal data. Unfortunately, the selection of permitted nations is left to the discretion of the Centre rather than being defined in terms of data protection standards. This could make selection arbitrary. Adopting the EU principle, which permits transfers only to nations with minimum standards of protection, would have been more desirable.
Data principals could be fined up to Rs 10,000 for furnishing false particulars or suppressing any material information. This is worrying, given the lack of data literacy and the fact that this legislation is supposed to protect principals. It could result in coercive data collection. Fiduciaries could be penalised up to Rs 500 crore for offences and this may be unrealistically high.
As in previous drafts, this continues to have wide-ranging, broad, and vague exemptions, which enable any government arm or entity designated by the government to collect personal data for practically any purpose. Effectively the law does not apply to the government, and this could enable mass surveillance. From first principles, any exemption sought by government agencies should be granted only if it fulfils standards of legality, necessity, and proportionality, and this draft disappoints on all those counts.