In striking a balance between the citizens’ rights over data and the entities’ duties with regards to data usage and processing, the bill has tried to address issues pertaining to data protection, compliance, right to erasure, cross-border flow, as well as strengthened penal provisions to enforce the rules.
As the knowledge economy takes over the world, data has become the new oil. Data is increasingly being viewed as a resource to be held and controlled in the era of Industrial Revolution 4.0, and the entity that exercises this control over data is likely to enjoy immense geopolitical and economic dominance in time to come.
Against this backdrop, countries around the globe have reworked their data protection legislations. In a similar vein, the Ministry of Electronics and Information Technology (MEITY) released the revamped Draft Digital Personal Data Protection Bill on Friday, and has invited public comments on the same until December 17. Here we look at what the new bill has to offer, how it differs from its previous versions, and what key loopholes remain unaddressed:
The government withdrew the Draft Personal Data Protection Bill of 2019 in August this year, after it drew immense criticism from stakeholders. The bill was drafted by the Justice B.N Srikrishna committee in 2019 and was presented in the Lok Sabha in 2019. Amid heavy protests, the bill was referred to a Joint Parliamentary Committee (JPC) for scrutiny, and with the COVID19 pandemic disrupting proceedings, the JPC presented a revised draft only in December 2021.
Citing “extensive changes” in the revised draft, the government withdrew the 2019 bill. It had primarily been critiqued for its stringent data localisation norms for storage and processing, with tech stakeholders highlighting the excessive compliance burdens it placed on them. It also drew flak for falling short on protecting the right to privacy for data principals (users), recognised under Article 21 of the Constitution after the K.S Puttaswamy judgment.
In fact, the recent 2022 version of the bill is the fourth iteration of India’s data protection legislation. One significant difference this time is that the bill only covers under its ambit “personal data” of citizens, unlike the previous drafts.
While introducing the bill, the MEITY said in a statement, “The Digital Personal Data Protection Bill is a legislation that frames out the rights and duties of the citizen (Digital Nagrik) on one hand and the obligations to use collected data lawfully of the Data Fiduciary on the other hand.” In attempting to strike a balance between the citizens’ rights over data and the private/government entities’ duties with regards to data usage and processing, the bill has addressed issues pertaining to data protection, compliance, right to erasure, cross-border flow, as well as strengthened penal provisions to enforce the rules.
First and foremost, the bill provides for the establishment of a Data Protection Board by the central government, as well as mandates businesses (data fiduciaries) of a “significant size” to appoint Data Protection Officers and independent data auditors to ensure compliance with the law. In this regard, it also holds companies responsible for not storing user data that no longer serves a business purpose, with special safeguards with respect to personal data of minors.
To strengthen data protection mechanisms, the bill also provides for the right to erasure or “to be forgotten” wherein the data principal shall have the right to have their personal data corrected or even deleted.
Third, in a significant turnaround, the 2022 draft bill lists out provisions for cross-border flow of data by relaxing the data localisation rules of the 2019 draft. To this end, the storage and transfer of data will now be permissible in “trusted” jurisdictions, which would be defined by the government from time to time.
Further, in dealing with data, the central government shall have the power to exempt any or all of its agencies from adhering to provisions of the Bill in the interest of “sovereignty and integrity of India, security of the state, friendly relations with foreign states, and maintenance of public order or preventing incitement to any cognisable offense.” Likewise, the government shall also hold the power to exclude certain enterprises from Bill’s restrictions based on the volume of users and personal data handling.
Finally, the draft has proposed a graded penalty system for data fiduciaries that will process the personal data of data owners, ranging from Rs 50 crores to Rs 500 crores for data breaches. Additionally, it also provides for fines of Rs 10,000 for consumers who submit false documents or raise bogus complaints.
The new bill, MEITY asserts, has been brought about keeping in line with global best practices. Besides the fact that the new bill has a significantly lesser number of clauses — 30, as compared to 90 in the 2019 bill, it covers only personal data that is stored digitally and in essence, excludes all manually processed data.
Further, the Data Protection Board will now be appointed by the central government instead of the proposed Data Protection Authority, which was recognised as a statutory body under the 2019 Bill.
Third, the new bill significantly relaxes the data localisation norms recommended by the Srikrishna committee in the 2019 bill. In fact, India has fervently pressed for locally storing and processing data over the years, with the Draft E-Commerce Policy mandating data localisation for companies such as Flipkart, Amazon etc. and the Reserve Bank of India mandating storage of users’ payment data within the country. In fact, Prime Minister Narendra Modi cited poor data localisation framework as one of the key reasons for walking out of the Regional Comprehensive Economic Partnership (RCEP) deal in 2019.
The new bill has revised penalties upwards from Rs 4 crores to Rs 50 crores and eliminated the possibility of any criminal convictions in case of violations.
Besides, the new draft also hit the headlines for being the first ever legislation to use the pronouns 'she' and 'her' to refer to all individuals, as against the use of ‘he’, ‘him’ and ‘his.’
Experts have highlighted that the revised bill grants overarching powers to the central government for appointment of data protection officials. This has been pointed out as a serious threat to the independence of the Board, due to inadequate checks and balances. However, Minister of State for Electronics and IT Rajeev Chandrasekhar defended the Board, and told Indian Express that “It carries the same rank as a civil court and its decisions will be appealable to a High Court. This…is enough of an incentive or disincentive for the board to work transparently. Simply saying that it would be appointed by a third party will not guarantee its adequate performance.”
The union government also enjoys blanket powers in granting exemptions to agencies under it, which has been construed as a threat to the right to privacy of citizens. Clauses such as “public order” and “national security” can be ambiguously deployed and misused to deny consent-based data collection and processing. The government has in turn tried to justify these powers and said that “national and public interest is at times greater than the interest of an individual.”
Moreover, analysts have argued that relaxing data localisation requirements will make it difficult to detect and investigate non-compliance and breaches in a foreign jurisdiction, making Indian citizens' data vulnerable.
Furthermore, the penalties introduced for companies are not based on the size of the firm. As opposed to a penalty of 4% of the annual turnover envisioned in the 2019 draft, the firms will now be liable to a maximum penalty of Rs 500 crore. In the absence of any criminal proceedings, this may put a price on citizens’ privacy, where data breaches can be bought and sold by giant firms.
Countries such as China and the European Union are known to have strict data protection laws. The EU’s landmark General Data Protection Regulation (GDPR) recognises the users’ right to privacy and right to protection of personal data as a fundamental right of citizens.
Furthermore, the rules under the law apply equally to both private and government entities. Some have even described the law as “stringent,” but it has served as the benchmark for data protection regulations across the world.
Likewise, China’s Personal Information Protection Law (PIPL) is regarded as a parallel of the EU’s law and grants users an express right to access, store, correct, and delete personal data collected by businesses.
Cross border flow of data is also strictly regulated wherein transferring any “important” data for storage or processing outside the country requires a thorough assessment and approval from the Cyberspace Administration of China (CAC).
It also imposes strict penalties to ensure compliance ranging from 5% annual turnover of firms found violating procedures as fine, to suspension of operations until they “demonstrate compliance.”