Tony Verghese, Partner, JSA
The Digital Personal Data Protection Bill, 2022 (DPDP Bill) released by the Government of India seeks to protect the rights of individuals, with a major emphasis on the right to privacy and constitutional fundamental rights. One of the significant changes that we can observe from the previous version of the bill is the processing of digital personal data, whether collected offline (and thereafter digitalised) or online, in a manner that does not infringe upon the rights of individuals to secure their data and with individuals having the right to exercise their fundamental rights with regard to personal data protection.
Another significant change is the removal of the categorisation of personal data. In the erstwhile bill, there were three specific categorisations – personal data, sensitive personal data and critical personal data. However, under the DPDP Bill, personal data has an overall reference, without any specific categorisation. This raises a huge concern on sensitive personal data and the manner in which they could be used, which was a highlight under the existing laws as well as the previous version of the bill. The safeguards that existed specifically for sensitive personal data may not be the same as proposed under the DPDP Bill.
Further, the inclusion of deemed consent in processing personal data, which is in addition to the express consent, provides the processing of data without an express consent. While this is a good move, considering that there was vagueness that existed on deemed consent, there is indeed still some level of ambiguity in the way deemed consent is determined as per the DPDP Bill, which can be a subject matter of interpretation, unless and until the rules provide more clarity.
An important element under the DPDP Bill is the obligation of the data fiduciary to disclose the purpose of the collection of personal data to the provider of the information and the rights of such individuals to withdraw consent provided to the data fiduciary. The cross-border transfer of personal data with the relaxation of specific requirements of data localisation will now be permitted under the DPDP Bill, with the government having an option to notify the specific list of jurisdictions where the data can be transferred.
The DPDP Bill has also proposed the creation of a Data Protection Board (DPB), which will be constituted to enforce the proposed law. Grievances could be raised with the DPB for any non-compliances and the board has the authority to levy penalties and fines. The penalties proposed are also significant, ranging from Rs 500 million up to Rs 5,000 million; however, not capped unlike what was prescribed under the erstwhile bill, which was related to the turnover of the entity in question. Apart from data fiduciaries, even the data principles could be fined for any false documentation, while providing digital personal data or even for filing any frivolous complaints. The fine that may be levied by the DPB is up to Rs 10,000.
While the erstwhile data privacy bill had been modelled around the General Data Protection Regulation, the DPDP Bill seems to have also taken into consideration several elements from the Puttaswamy judgement, the Srikrishna Committee report as well as the provisions of the erstwhile data privacy bill. However, with the reduced number of sections and the same dependent on the rules to be separately issued at the government’s discretion, there is indeed a concern on the issue of compliance by government agencies, which could be exempted due to various reasons, including security concerns. There could also be significant policing of data fiduciaries by the government, given this high level of discretion. Further, the constitution of the DPB is not statutory in nature and is subject to the discretion of the government, which has the authority to make appointments, which indeed raises a huge concern on the independence of the DPB.
From the context of sectoral compliances, there are a few conflicts with regard to the proposed DPDP Bill. For
example, the telecom sector does have restrictions on the transfer of subscriber data, which is an inherent condition under the licences and regulations that are currently prevailing. With the proposed cross-border transfer of data being relaxed under the DPDP Bill, there have been concerns raised in the telecom sector on the transfer of personal data, which includes subscriber data that could be critical to the business of the said companies, including concerns around the risk of sensitive personal data. Some of the large telecom service providers have indeed opposed this move by raising concerns around this issue and it remains to be seen if the government would consider the telecom sector’s concerns, including concerns raised by other sectors, while relooking into the DPDP Bill.
However, the hope is that India will implement the privacy law at the earliest, to align itself with global standards of privacy and enforcement.
