DIGITAL PERSONAL DATA PROTECTION BILL, 2022- EXAMINED ON THE ANVIL OF FUNDAMENTAL RIGHT TO PRIVACY
Ojaitra Arora*1, Dr. Arvind Kumar Singh*2, Devansh Tripathi*3
*1,2,3 Amity University, Lucknow, India.
DOI: https://www.doi.org/10.56726/IRJMETS36246
ABSTRACT
With the global expansion of technology-driven companies, data privacy is an essential issue that must be addressed. Nations, throughout the globe, have enacted legislation to protect the rights of data principals (individuals to whom personal data belongs) and the liabilities of data fiduciaries (institutions that decide the methods and grounds of data processing and control storage). The General Data Protection Regulation (GDPR) of the European Union is the dominating framework with extensive measures to protect data privacy. It has affected the development of data privacy laws in over 100 countries in order to protect the interests of their consumers. In 2017, the landmark K.S. Puttaswamy judgement recognised privacy as a Fundamental Right in India and emphasised on the need for data privacy in this digital era. This has accelerated the creation of much needed data privacy regulations in India. In 2017, the Ministry of Electronics and Information Technology formed an expert committee led by Justice BN Srikrishna, to deliberate on a data protection framework for India. While being influenced by the GDPR, India has eventually established its own route to data protection through the Digital Personal Data Protection Bill of 2022. Though it still has certain gaps, when fully implemented, it would bring India up to speed with other nations’ data privacy legislations. This article will test the PDPB’s provisions on the anvil of the Right to Privacy to determine if they pass constitutional muster.
Keywords: Data Privacy, K.S. Puttaswamy, Excessive Legislative Delegation, Deemed Consent, Cross-Border Data Transfer
I. INTRODUCTION
Personal Data Protection Bills: Features and Evolution
The human loss and tragedy of the COVID-19 pandemic made for a highly uncertain economy. This pandemic was a global challenge that required a global response. The Digital Economy in India has witnessed monumental growth over the years yet, until now, setting up a competent legislative framework to address data privacy issues has been patchy throughout. Though the Information Technology Act, 2000 (the ‘IT Act, 2000’), along with Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 functioned as a temporary means to ensure some degree of data privacy, much more was required.
The government then, had to appoint an expert committee which was headed by the former Supreme Court judge Justice B.N. Srikrishna who took up the responsibility to draft a Personal Data Protection Bill that would “ensure growth of the digital economy while keeping personal data of citizens secure and protected”. [1] The Justice BN Srikrishna Committee submitted its report along with the Draft Personal Data Protection Bill, 2018. The Bill proposed different rights to data principals viz. seeking access to data which is stored with the data fiduciary, seeking correction, the right to be notified on the nature and purpose of data processing, etc. and called for the creation of a National Level Data Protection Authority.
After receiving various stakeholder inputs, the Draft Personal Data Protection Bill, 2018 was amended to become The Personal Data Protection Bill, 2019 and was tabled in the Parliament. The 2019 Bill expanded the scope of personal data and also provided the right to remove personal data, which is no longer required to be processed by data fiduciaries for the intended purposes, to data principals. This bill also provided for the change in the composition of the selection committee responsible for appointing the chairperson and members of the Data Protection Authority of India.
The bill was forwarded to a Joint Parliamentary Committee for further consideration and input from the stakeholders. The Joint Parliamentary Committee had submitted its report with 81 modifications to the 2019 bill. The Committee’s Report included a draft bill titled the ‘Data Protection Bill, 2021’ (the title was amended to exclude the term “Personal”). The Committee made the following main recommendations:
Non-Personal data should also be included in the scope of the Data Privacy Bill since it is difficult to discern between personal and non-personal data.
The data fiduciary must immediately notify, without any discretion, the Data Protection Authority about any data breach within 72 hours of becoming aware of the concerned breach.
The Central Government has been given the authority to exclude specific agencies from the bill’s obligations in the interests of India’s Sovereignty and Integrity, State Security, Friendly Relations with the Foreign States or Public Order and to avoid Cognizable Offences pertaining to any of these. The measures adopted by these Agencies must be just, fair and reasonable.
The Constitution of the Selection Committee, which is set up for the purpose of appointment of the Chairperson and members of the Data Protection Authority of India, should be amended to include the Attorney General of India, an Independent Expert of Data Protection and Directors of any IITs and IIMs.
The provision of wider powers vested upon the government in the amended version of the bill was heavily criticized even by the members of the Joint Parliamentary Committee itself.
The data privacy bill was withdrawn due to opposition from various factions of society and the need for further deliberations. One major reason cited was the bill’s detrimental impact on start-ups owing to increased regulatory compliance.
Also, numerous tech firms have spoken out against the data localisation clause in the data privacy bill. Data Localisation bound the companies to compulsorily keep a copy of critical personal data within India. It also barred companies from exporting sensitive personal data.
Data Localisation (storing of data on a physical device within a country) provides Countries more control over data and security against identity thefts, data breaches, etc. It provides additional authority to the countries. It also enhances accountability and enforcement of the State Laws against tech giants. The importance of Data Localisation in India was also emphasized in the Joint Parliamentary Committee Report. However, technology giants oppose the same since it would result in additional expenditure owing to the establishment of localised data collection centres. Data localisation may raise service costs and service efficiency.
The Digital Personal Data Protection Bill, 2022
The Government has recently released the Digital Personal Data Protection Bill, 2022 (the DPDP Bill). This, hopefully, will lay the foundation stone for a strong data protection law in the world’s largest democracy and will put an end to a series of extensions provided to the JPC. The number of clauses in the Bill has been reduced to 30. Unlike its predecessors, the new Bill excludes personal data stored in physical format. Furthermore, the Bill doesn’t classify personal data into sensitive and critical personal data (The Personal Data Protection Bill, 2019 had this classification and had more restrictions surrounding the same). [2]
The new Bill endows the government with wider powers. The Bill consists of various provisions for the issuance of subordinate legislation. Only with the corresponding subordinate legislations to be enacted under the Bill, will the Bill be given a larger sense and practical impact.
II. EXPLANATION OF TERMS LIKE DATA PRINCIPAL, DATA FIDUCIARY, DEEMED CONSENT, ETC.
A Data Principal is an individual to whom the personal data being processed relates. Notably, if such private individual is a 'child' (viz. under the age of eighteen years), the term 'Data Principal' includes the child’s parents or legal guardian(s).
A 'Data Fiduciary' is an institution that is not currently recognized or discussed under the extant Indian law. Under the DPDP Bill, the concept of a 'Data Fiduciary' refers to a person - including a natural person (such as any individual) as well as an artificial or juristic person (such as a corporation, firm or any other entity) - who individually or collectively (with other individuals) 'determines the purpose and means of processing' of personal data of Data Principals.
The Bill states that Data Fiduciaries may process an individual's personal data, only for lawful purposes; with the consent (or 'deemed' consent) of such individual; and in accordance with the DPDP Bill and other applicable laws. It expressly states that 'consent' (in relation to a Data Principal) implies consent which is given freely; is explicit and is informed. Such consent must be absolute and unambiguous. The Bill also provides for the notion of 'deemed consent' in certain cases (where consent of a Data Principal is deemed 'necessary').
III. DIGITAL PERSONAL DATA PROTECTION BILL, 2022 (MAJOR FEATURES)
Scope of the Bill
The DPDP Bill applies to and covers any 'digital personal data' processed within India. In the DPDP Bill, the term ‘data’ is defined as the ‘representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means’; whereas the term ‘personal data’ is defined as ‘any data about an individual who is identifiable by or in relation to such data’. [3] Under the DPDP Bill, the term ‘digital personal data’ refers to data gathered offline and later digitized as well as data collected online by a ‘Data Principal’.
It is important to note that the Bill’s territorial scope is not limited to India but applies to digital personal data processed outside India, if such processing is performed for the purpose of:
Profiling or processing personal data specifically to ‘analyse or predict aspects concerning the behaviour, attributes or interests’ of an individual in India;
Offering goods or services to individuals in India. [4]
Nevertheless, the DPDP Bill removes from its scope the personal data which is processed ‘offline’. It also clearly excludes from its purview, the data processed for any personal or domestic purpose by an individual; personal data stored in a record that has been in existence for at least 100 years; and/or the 'non-automated processing' (or manual processing) of personal data.
Consent vs. Deemed Consent
To seek consent, it is required that Data Fiduciaries must send a notice to relevant Data Principals inter alia outlining what data is intended to be gathered. Furthermore, in accordance with such notice, an explicit request must be made to the relevant person to seek their consent. The Data Fiduciaries are preliminarily obligated to appoint a Data Protection Officer and a Consent Manager for this purpose.
Fundamentally, a Data Principal can not only provide consent, but also withdraw consent supplied to a Data Fiduciary through the Consent Manager. To that end, a Consent Manager is required to offer a Data Principal with a transparent platform for ‘giving, managing, reviewing or withdrawing’ his/her consent. Data Fiduciaries are held accountable for ensuring that the personal data of Data Principals is no longer processed if the respective Data Principal’s consent is withdrawn.
However, the DPDP Bill also includes a provision for ‘deemed consent’ in certain circumstances. This includes situations in which a Data Principal is reasonably expected to voluntarily provide his/her personal data to a Data Fiduciary (for any lawful function such as availing any beneficial services, or obtaining a license, certificate, permit etc.); where such data is required for compliance with judicial orders, employment purposes; public interest; and other fair and reasonable purposes. Surprisingly, the DPDP Bill does not clearly allow for the assessment, management, or revocation of the Data Principal’s deemed consent.
Right to correction and erasure vs the right to be forgotten
In its current version, the Bill has diluted the data principal's Right to be Forgotten. While provision 13 of Chapter 3 of the Bill grants a data principal the Right to Correction and Erasure of personal data, it restricts their ability to exercise that right. The Bill does not specify how a data principal should approach a data fiduciary for erasure of their data. Furthermore, the Bill stipulates that upon receiving such a request from a data principal, the data fiduciary must remove any data that is no longer required for the purpose for which it was processed unless such retention is required for legal reasons.
The completion of such erasure is contingent on the fact that the data is no longer required for the purpose for which it was collected, which means that the data principal must waive their right to any service/good that would require the data fiduciary to retain such data, in order to claim such a right. Furthermore, it is specified in Section 16 of the Bill that the Data Principal should only provide information that is provably genuine while exercising the right to correction or erasure under the Bill.
Voluntary undertaking
The Bill includes the concept of voluntary undertaking, which can be required to submit by any person who is a party to any issue (before the Data Protection Board) concerning compliance with the provisions of the Bill to undergo or abstain from undergoing a specific action within a specified timeframe.
While it might be assumed that 'voluntary undertakings' could aid in the Board's rapid disposal of disputes (and could possibly protect the accused from severe fines under the Bill), the inclusion of this notion raises several concerns such as -
The clause does not provide any objective boundaries on what would constitute as an acceptable voluntary undertaking, leaving opportunity for uncertainty on what the Board may consider when approving such voluntary undertakings. The terms of the Bill further show that the proceedings (before the Board) would be barred upon the adoption of the undertaking. As a result, it is critical that the proposed legislation stipulates a set of objective criteria that must be included in a voluntary undertaking in order for it to qualify as an acceptable activity.
The clause allows for the voluntary undertaking to be considered and then accepted "at any stage" of the action. Accepting a voluntary undertaking from an accused party (which would result in a stay of proceedings) at a preliminary stage in the proceedings could mean that the Board would give relief to the accused in situations where the accused could have faced a higher degree of financial penalty if the proceedings had been completed before the Board. The practical application of the clause may raise concerns about the fairness of the mechanism for awarding relief to an accused party (by a voluntary undertaking) without assessing the precise violation of the intended legislation's provisions. It may be argued that voluntary undertakings are presented (and brought up for consideration by the Board) only after the proceedings in a specific issue have concluded.
Finally, the provision requires that the undertaking be publicised (by the party which has assented to provide a voluntary undertaking). It does not, however, specify the particular manner and channel via which the undertaking will be publicised. The government should guarantee that a copy of the voluntary undertaking (as approved by the Board) is published to the Board's online platform, alongside the order in the relevant proceedings, so that members of the public may easily access it.
Compliance Framework
The DPDP Bill calls for the establishment of a regulatory body known as the ‘Data Protection Board of India’ (DPB). As per the Bill, the Board’s primary function is to evaluate non-compliance with provisions of this Act and impose penalties in accordance with the provisions of this Act. The Bill further stipulates that the composition, strength, incidental qualifications, selection procedure, terms of appointment, dismissal of chairperson and other members shall be specified later (i.e. potentially under the Rules which will be published once the Bill is passed in the parliament). [5] Moreover, the Bill states that the Board’s Chief Executive would be appointed by the Central Government and the government would also determine the terms and conditions of service. The Board’s powers are equivalent to that of a Civil Court and it has exclusive original jurisdiction to hear disputes under the proposed legislation; that the Board has been given significant powers to impose fines to the tune of INR 500 crore and so on.
Transfer of personal data outside India
In Chapter 4 of the DPDP Bill, the Central Government is required to notify the countries or territories outside India to which a Data Fiduciary may possibly transfer personal data. The clause further specifies that the Government will later notify the terms and conditions under which such transfer would be permitted. The DPDP Bill fails to define a boundary along with factors that may be considered for notifying countries.
IV. THE BILL AND THE GROWTH OF PRIVACY REGULATION
The Digital Personal Data Protection Bill, 2022 follows a historical line of privacy jurisprudence in India that has been impacted by both global developments and the country’s own constitutional jurisprudence. Despite the fact that the Right to Privacy is not explicitly mentioned by the Constitution, the Indian courts have held that it exists under the Right to Life guaranteed under Article 21 of the Indian Constitution.
The Supreme Court in K.S. Puttaswamy vs. Union of India [6] ruled that the right to privacy is a basic fundamental right that flows from the Right to Life and Personal Liberty as well as other constitutional rights securing the individual liberty of a person. Additionally, individual dignity was also recognized as a foundation for the right. Privacy itself is believed to have 2 facets - a negative aspect that includes the Right to be let Alone and a positive aspect that includes the Right to Self-Development. [7] The right to safeguard one's identity is included in the realm of privacy. This right acknowledges the fact that all information about a person is essentially their own, and they are free to transmit or retain it for themselves. [8] Thus, the core and essence of informational privacy is the right to autonomy and self-determination over one’s personal data. Without a doubt, this must be the core purpose of any data protection system.
Thus, privacy, like other fundamental rights, too can be limited under specific circumstances. The following three conditions need to be satisfied for such a limitation -
There must be a legitimate state interest in restricting the right.
The restriction must be necessary, reasonable and proportionate to achieve the interest.
The restriction must be legal. [9]
As it is above established from Puttaswamy, two aspects are critical - first, any data protection framework must serve the core value of privacy; second, such a framework must not disregard other values, particularly collective values. The normative framework of a free and fair digital economy might provide a valuable reference point for balancing these values in a specific scenario. To determine whether in a specific case, a right to privacy exists, and would prevail over any legitimate interests of the state would depend on the Court’s evaluation on how the demands of a free and fair digital economy may be effectively preserved. It can happen by finding the restriction justified, or alternatively, completely upholding the right or by applying one or the other partially. The virtues of freedom and fairness constitute the normative context for this exercise. After all, freedom and fairness are the foundations of our constitutional system, the raison d'être of our independence movement.
Now, the most important element that is inextricably linked with the Right to Privacy is the notion of Data Protection. Since a person's physical presence and existence are now sabotaged by his presence on the Internet, Social Media, and E-space, data protection has become equally necessary and critical. The technology and law are not independent from each other and this slope will surely witness an active increase in future. According to a Study, the advance time of law will undoubtedly be based completely on Artificial Intelligence (AI), which would bring more new obstacles and hurdles in the way of Right to Privacy and Data Protection in India and also throughout the World. Technology can encroach our privacy and induce missteps in our life, for example, investigating authorities, for the purpose of law, can resurrect all our deleted chats, messages, and recordings from saved backup, which is known as ‘Digital Footprint’ of any time, and it is regarded as the exact copy of the individual on the servers.
V. PROBLEMS WITH CONSENT AS A CORNERSTONE OF DATA PROTECTION
While the Bill generally requires that personal data be processed only with the data principal's clear and unequivocal consent, S. 8 states that under some instances, such consent may be "deemed."
This clause is based on S. 15 of Personal Data Protection Act of Singapore, which acknowledges that there may be instances when data processing is reasonably necessary without express consent. However, the PDPB goes much farther, allowing for deemed consent in S. 8(8) on the basis of a broadly defined ground of "public interest." The term "public interest" has been defined under S. 2(18) as including Indian sovereignty, state security, public order, and so on. Nevertheless, Section 8(8) allows for deemed consent in credit scoring situations, which is totally incompatible with even the most liberal notion of public interest. Credit scoring entails gathering extremely sensitive personal information such as financial data and history. The collection of such data without the principal's express consent poses an obvious threat to their privacy. Puttaswamy has explicitly said that a legislation encroaching on the right to privacy must be ‘narrow tailored’ i.e., formulated restrictively in order to accomplish its stated objective. The object of the Bill being to enact a data protection regime which balances the importance of consent and larger public interest, needlessly broadening the ambit of public interest to include unrelated grounds is uncalled for. [10]
The Supreme Court in the case of Puttaswamy also emphasised the importance of the principle of non-discrimination of data protection, which states that data collecting and processing must not discriminate on the basis of race, ethnicity, religion, or other similar factors. Unlike its predecessor, the new Bill does not distinguish between non-sensitive and sensitive personal data. For example, under Section 16 of the previous Bill, Employment was a criterion for processing only non-sensitive personal data. The revised Bill is written in broader terms, wherein S. 8(7) authorises employers to process sensitive data of the data principal without the data principal's express consent. Details such as caste, transgender status, sexual orientation, sex life, religious affiliation, and so on were classified under 'sensitive personal data' in the previous Bill. Employers who can obtain versatile consent from their employees to process such sensitive information, might engage in unfettered workplace discrimination against caste, gender, sexual, and religious minorities.
VI. THE AMPLIFIED POWER OF THE STATE AND THE DILUTION OF PRIVACY
Section 18(2)(a) enables the Central Government to exclude state instrumentalities from the Bill's provisions. It should be noted that this is a blanket exemption with no procedural safeguards. Maneka Gandhi proposed that a transgression of Article 21 must follow a ‘fair, just, and reasonable’ procedure. [11] Puttaswamy further added the criteria of proportionality. The proportionality test, which has been formalised by decisions such as Anuradha Bhasin vs. Union of India [12], has four prongs -
a) the law infringing on privacy must have a legitimate goal
b) it must have a rational nexus with the said goal
c) there must not be a less restrictive but equally effective alternative, and
d) it must not have a disproportionate impact on the right-holder. [13]
The government can exempt state instrumentalities under Section 18(2)(a) on grounds similar to those enumerated in Article 19(2), which is clearly a far lower threshold than the proportionality review. Additionally, this provision breaches the above-mentioned prongs '(b),' '(c),' and '(d)' of the proportionality test. It is not repudiated that there may be a mandatory and compelling state interest in granting the government an exemption in the interests of national security. Yet, a blanket exemption from all clauses of the Bill is excessive. The state is already entitled to handle data principal's personal data without their explicit consent in advancement of public interest under S. 8. This provision should be adequate to allow the state to oppose illegal activities without having a large procedural burden, i.e., it is a lesser restrictive but nonetheless effective tool. Exonerating the state from general duties bears no rational nexus to the object of preventing public disorder or maintaining national security under S. 9, which includes taking rational precautions against data breaches, or S. 10, which provides for the protection of children in relation to data processing. It is an excessive measure, which extends governmental authority at the price of personal privacy.
As per S. 18(4), instrumentalities of state are also excluded from the necessity of purpose limitation, i.e., deleting personal data once its need has been met. This too, lacks any procedural safeguards and authorizes the government to arbitrarily hold on to data for an indefinite time period. This is a simple violation of the right to be forgotten (“RTBF”) of the data principal. While the jurisprudential acknowledgement of RTBF as a discrete right is murky, judgements such as Vasunathan v. Registrar General [14] (delivered well before Puttaswamy) have admitted the significance of the same. The importance of the autonomy of the data principal is the basis of this right. In Puttaswamy, Justice Kaul explained - “People change and an individual should be able to determine the path of his life and not be stuck only on a path of which he/she treaded initially. An individual should have the capacity to change his/her beliefs and evolve as a person. Individuals should not live in fear that the views they expressed will forever be associated with them and thus refrain from expressing themselves.” [15] Thus, it reiterates that as far as practicable, an individual should be able to control the use of their data to protect their dignity and liberty.
Undoubtedly, there should be exceptions to this entitlement in light of third parties' legitimate interests. This could include interests based on some other fundamental rights (such as the use of data for journalistic purposes) or the government's interests in defending the state's security. Certainly, all types of third-party users might have legitimate interests in using such data, but this must be decided case by case. In Google Spain Case [16], the European Court of Justice outlined numerous aspects that the court may evaluate when balancing RTBF with the legitimate interests of third parties. Giving the government an arbitrary and blanket exemption is not permitted. The bill has established a distinction between the government and private entities that lacks an intelligible differentia and a rational nexus to the bill's claimed objective. This is a clear breach of both Article 14 and the proportionality test. While it has been frequently stated that regulations governing data retention must be expressly justified, no clear explanation has been provided as to why the state is exempt from the storage limitation requirement. According to Clause 20 of the Bill's Explanatory Note, “a clear grounds-based description of exemptions has been incorporated in the Bill”. Yet, such ‘clear grounds-based descriptions’ are totally absent in S. 18(4). [17] It is difficult to ascertain if this provision seeks to fulfil a legitimate state goal or a required purpose. In absence of a legitimate goal, it is hard to determine whether the proportionality standards have been met. Even in Puttaswamy-II, the court invalidated a rule that permitted the UIDAI to keep specific transaction data for five years. The bench highlighted the provision's excessive character and acknowledged that it harmed citizens’ RTBF.
VII. CRITICISMS OF THE BILL
In terms of the handling of children's personal data, the DPDP Bill, 2022 follows the approach of earlier editions. One important concern is that the age of digital consent, or the age at which a person can consent to the processing of their personal data, remains at 18. This implies that processing personal data of children and adolescents under the age of 18 would require the approval of the parent or guardian. In practice, this means that parental permission would be necessary every time they want to use the internet. This is problematic for three reasons. Firstly, the high barrier of 18 years ignores growing ability since it fails to recognise that a toddler's consent differs from that of a teenager. Second, it would result in uneven access to the internet, and lastly, needing parental approval would impede child's independent growth since parents may not want their children exposed to opposing perspectives. These limitations violate India's obligations under the Convention on the Rights of the Child.
One of the most notable differences between the DPDP Bill, 2022 and the previous bills, has been in the context of cross-border data transfers. The 2019 Bill established a three-tiered classification system for moving personal data across borders. Nevertheless, the draft bill fails to give any guidelines or criteria for the Central Government to consider when issuing this notification. The criteria are left to the Union Government itself to be identified under its rulemaking authority.
The Union Government has the rule-making power in about 14 of the 22 provisions of the DPDP Bill. This is problematic for a number of reasons. First, the state forms one of the country's largest data fiduciaries. It handles the personal information of millions in order to provide services and privileges, for law enforcement, grant permits, licences, and official IDs. As a result, it is critical that the institution developing the regulations be independent of the government in order to ensure fair protection of data principals' interests. The delegation of these powers to the Union government, which would itself be subject to these regulations, poses a conflict of interest. Similarly, it can adopt regulations on data breach requirements, data protection impact assessments, data audits, and information that can be sought from a data fiduciary, all of which the government will be subject to in its capacity as a data fiduciary. Moreover, the DPDP Bill, 2022 lacks proper legislative direction for developing these regulations. This raises the issue of excessive legislative delegation.
In the manner it conceptualises penalties, the DPDP Bill, 2022 departs from the 2019 Bill. Firstly, the penalties that can be levied, with a threshold of 500 crore, are substantially larger in scale than those set for in the 2019 Bill. Secondly, unlike the Bill of 2019, the DPDP Bill of 2022 does not introduce any new offences. Subsequently, in a potentially disempowering step, the DPDP Bill, 2022 does not allow data principals to seek compensation from data fiduciaries for losses suffered as a result of illegal processing. Fourth, in an unprecedented and maybe unique step among data protection legislations, the DPDP Bill, 2022 imposes duties on data principals. If they fail to comply, they may face fines of up to Rs. 10,000. Some of these duties include exercising rights in accordance with "the provisions of all applicable laws" and not filing "false or frivolous" complaints with the DPB or the data fiduciary. [18] Provisions like these may hamper data principals from utilizing their rights for fear of penalties.
VIII. RECOMMENDATIONS
The concerns, issues and criticisms raised above, point to the need for a more modest and realistic approach to data protection and the harms caused by the abuse of personal data. Since the legislation views privacy as an end and the proposed structure is all-encompassing, preventive and highly controlled, in doing so, it considerably improves the state's ability to control enterprises that gather data and provides the state with more tools for monitoring. The efficacy of preserving privacy through this legislative framework has apparent constraints. Instead, the framework should precisely and carefully focus on issues which could be addressed meaningfully by legislation.
Although there are several legislations and constitutional provisions in India that govern the Right to Privacy and Data Protection, there is no single enacted law that deals with the protection of the right to privacy, making its implementation and guarantee inadequate in comparison to other International Countries.
The bill does not effectively safeguard users from specific injuries or damages that may occur. The emphasis should be on preventing injury to people and society as a result of a breach of data privacy, such as discrimination on grounds protected by the constitution, identity theft and manipulation, fraud, financial theft, and risks to the nation’s sovereignty and integrity. This emphasis on injury avoidance must also be used to reframe and redraft the laws on injuries and damage. Responsibilities for enterprises that do not process data intensely or handle sensitive personal data should be decreased in proportion to the dangers posed by their activities. One such elimination might be the removal of the requirement that firms manually process data in order to qualify for the exemptions.
The DPB and the Government should make decisions in a highly collaborative manner. Because of the bill's cross-sectoral application, this is far more crucial in this situation than for other regulators. The intersection of data breach-related regulations with recent orders given by the Indian Computer Emergency Response Team (CERT-In), the intersection of data localisation requirements with sectoral laws, missing definitions of terminology like “digital” and “offline” to determine application, and so on will need to be straightened out. A road plan for deployment would also have provided more clarity to the industry, allowing it to ramp up preparations.
IX. CONCLUSION
The Digital Personal Data Protection Bill, 2022 is a long-awaited and much-needed piece of legislation that aims to replace India's present obsolete, legacy and inadequate data protection regime. While it claims to create a consent-based system for personal data processing, the government has effectively given itself a blank check to disregard the bill's safeguards. The vast powers granted to the government, along with the elimination of the distinction between sensitive and non-sensitive data, may result in unfair targeting of gender, sexual, and religious minorities. The bill is replete with capricious measures that violate the Puttaswamy decision. If the government is serious about meeting international data protection requirements, the shortcomings outlined above must be addressed.
The suggested legal framework for preserving people's privacy must be adjusted to the reality of the Indian economy and regulatory landscape. It is critical to have a practical approach to data protection. The measure greatly strengthens the state without effectively preserving privacy by defining privacy as an aim rather than a means to defend other essential social purposes that are particular to India's political economy. A realistic evaluation of the costs and advantages of data security for India is required to design a more accurate and realistic regulatory framework.
Nevertheless, the Bill is a gravely flawed yet ambitious attempt that beckons a new era in the data protection space in India. The government appears to have made a sincere effort to clarify the law. A clear, balanced, and forward-thinking law will undoubtedly help the sector expand its boundaries. This can be a stimulus for the robust expansion of start-ups and unicorns in India, unleashing the digital economy, and freeing them from the burden of cumbersome compliances. With a comparatively simpler process for cross-border data transmission, the proposed bill seeks to widen floodgates for increased international investment. It has the potential to create jobs, raise user understanding about their privacy, and hold data fiduciaries and processors accountable.
X. REFERENCES
[1] Ministry of Electronics and Information Technology (MEITY), https://www.meity.gov.in/white-paperdata-protection-framework-india-public-comments-invited (last visited Mar. 25, 2022)
[2] Medianama, https://www.medianama.com/2022/12/223-genesis-evolution-india-data-protectionregime-views/ (last visited Mar. 25, 2022)
[3] The Digital Personal Data Protection Bill, 2022, S2, 2022 (India)
[4] Id. at S4
[5] Mondaq, https://www.mondaq.com/india/data-protection/1267190/analysis-of-the-digital-personaldata-protection-bill-2022 (last visited Mar. 26, 2022)
[6] Justice K.S. Puttaswamy vs. Union of India, AIR 2017 SC 4161
[7] Aditya Verma, Right to Privacy, CIC REPORT (Mar 23, 2022, 9:29 PM), https://cic.gov.in/sites/default/files/Right%20to%20Privacy%20and%20RTI%20by%20Aditya%20 Verma%20%20%281%29%20%281%29.pdf
[8] Ibid.
[9] Wordpress, https://indconlawphil.wordpress.com/2023/01/02/guest-post-the-personal-dataprotection-bill-and-the-right-to-privacy/ (last visited Mar. 26, 2022)
[10] Wordpress, https://indconlawphil.wordpress.com/2023/01/02/guest-post-the-personal-dataprotection-bill-and-the-right-to-privacy/ (last visited Mar. 26, 2022)
[11] Anuradha Bhasin vs. Union of India, AIR 2020 SC 1308
[12] The Wire, https://thewire.in/rights/data-protection-bill-arbitrary-provisions-right-to-privacy (last visited Mar. 26, 2022)
[13] Vasunathan v. Registrar General, 2017 SCC OnLine Kar 424
[14] Wordpress, https://indconlawphil.wordpress.com/2023/01/02/guest-post-the-personal-dataprotection-bill-and-the-right-to-privacy/ (last visited Mar. 26, 2022)
[15] Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos and Mario Costeja González, C131/12
[16] The Digital Personal Data Protection Bill, 2022, S18, 2022 (India)
[17] Id. at S16