The Ministry of Electronics and Information Technology (“MEITY”) has released a draft of the Digital Personal Data Protection Bill, 2022 (“The Bill”) for public consultations along with an explanatory note for each provision and the underlying principles that guide the drafting[1]. The public consultations are open till December 17, 2022[2].
While previous versions of the proposed general data protection legislation (“Previous Drafts”) drew heavily upon European Union’s GDPR[3] and were dense, voluminous documents, the Bill draws inspiration from Singapore’s Personal Data Protection Act, 2012 (“PDPA”)[4], and is a condensed, concise document.
While the Bill, taken as a whole, represents a more forgiving framework for compliance, and proposes several welcome improvements (such as the deletion of Non Personal Data), it also puts forward several concepts which have far reaching consequences.
Further to our earlier analyses of the Previous Drafts[5], notably the most recent on the Joint Parliamentary Committee Report on the Personal Data Protection Bill, 2019[6], the following is our summary of some key concepts in the Bill.
Application and Extent
The Bill seeks to regulate processing of ‘digital personal data’, i.e. personal data which is either collected online, or which, where collected offline, is digitised[7].
It excludes processing through manual means or by individuals for ‘personal or domestic purposes’. The Bill also seeks to exclude personal data “contained in a record that has been in existence for at least 100 years”.[8]
While the quoted language has origins in the PDPA, it may stand to be tightened somewhat. For instance, while a revenue or court record in India may well be more than a century old, entries on it may be recent and worthy of protection.
As with the Previous Drafts, apart from processing in India, the Bill also seeks to regulate processing of data outside India in connection with profiling[9] of, or offering goods or services to, Data Principals in India[10]. The latter criterion is broader now, with the offering no longer required to be ‘systematic’, which may limit the ability to rely on ‘targeting’ criteria, or on the intent to offer goods or services in India, to limit the application of the Bill. Re-introduction of this requirement may help align the Bill with global standards like the GDPR.
Personal Data
In a significant deviation from both the existing data privacy legislation in India and the Previous Drafts, all ‘personal data’, i.e. data about an individual who is identifiable by, or in relation to such data, is defined as a monolithic category[11].
Defining ‘sensitive’ subsets of key personal data such as biometric and healthcare data, which require greater protection, allows for graded consent mechanisms and penalties. While the intent to create a simple compliance regime is laudable, the current approach may lead to the unintended consequence of ‘treating unequals equally’, and of having to balance a higher compliance burden for less important data against the protection of truly sensitive data.
Similarly, clear exclusions for the processing of anonymised information[12], and potentially, ‘bright line’ standards for such anonymisation, are no longer part of the Bill. The re-introduction of a clear exclusion of information which has been de-identified or anonymised to a particular standard may improve the ease of doing business, thereby accomplishing the objective of the Bill. It will augur well for key sectors such as healthcare, where such data can help develop novel digital healthcare services, AI and potentially, even treatment methodologies.
Processing
While the Bill retains the term Data Fiduciary[13] as proposed by the Sri Krishna Committee[14] in letter, much of the spirit, and the obligations it included, have been done away with. Data Fiduciaries can now process personal data in accordance with the Bill for any purpose not expressly forbidden by law, provided the processing is either actually consented to, or deemed to be consented to[15].
This is a significant departure from the Previous Drafts[16] (and to some degree, even current law), which require that processing be done only for the specific, clear, and lawful purposes for which data was collected and reasonable incidental purposes, in a fair and reasonable manner, ensuring privacy of the Data Principal[17].
Re-introducing key obligations like fair and reasonable processing and ensuring the privacy of the Data Principal, with carve-outs if necessary, can help align the Bill more closely with the principles of data minimisation and purpose limitation set out by the Supreme Court in its Puttaswamy[18] judgment.
Notice and Consent
The Bill mandates obtaining consent for processing after providing a notice in clear and plain language, “describing” the type of personal data sought to be collected and an “itemised”[19] list of the purposes of processing.[20] This is in stark contrast to the Earlier Bill and the GDPR, which prescribe a granular consent regime[21] at least for sensitive personal data.
Even more worryingly, where personal data is already being processed under consent obtained prior to the commencement of the Bill, fresh notice in the manner described above has to be obtained as soon as it is reasonably practicable.[22]
These notice requirements run the risk of doing too much and too little at the same time. While the re-consenting obligation risks inundating Data Principals with thousands of notices (a phenomenon which was also seen with the GDPR), the ability to provide an ‘itemised’ list of purposes means that entities can continue to collect ‘all or nothing’ bundled consents, thereby limiting the utility of these ‘fresh’ consents to Data Principals.
Data Principals are given an option of requiring that notice be provided in any of the 22 languages specified in the Eighth Schedule of the Constitution of India[23]. The complexities associated with translating authoritative versions of dynamic documents into all these languages may outweigh benefits to Data Principals, particularly where the underlying application or service is only available in a few of them.
Curiously, there appears to be no clear obligation to publish a privacy policy (as opposed to a collection notice) although this requirement continues to be prescribed for intermediaries under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
The Bill[24], like Previous Drafts, requires that consent should be freely provided, specific, informed, and unambiguous (through a clear affirmative action), for processing of data for the purpose specified in the notice[25]. However, the absence of a “granular” consent requirement, along with the absence of language around purposes of processing, takes the Bill further away from the purpose limitation principle in Puttaswamy.
Withdrawal of Consent
The Bill provides Data Principals with a right to withdraw consent for processing of data as easily as the consent was given.[26] However, such withdrawal would not affect the lawfulness of processing done prior to the withdrawal.[27] Upon withdrawal, the Data Fiduciary is required to cease processing of such personal data “within a reasonable time”, unless such processing is authorised under law.[28] The consequences of such withdrawal would be borne by the Data Principal.[29]
Curiously, while a safeguard restricts entities from collecting ‘bundled’ consents for purposes not necessary for the provision of services, this protection only seems to operate in case of concluded contracts.[30]
Deemed Consent
While Previous Drafts sought to dilute the absolute and onerous requirement for consent through a “reasonable purpose” exception[31], the Bill relies instead on a concept of ‘deemed consent’,[32] which finds mention in the PDPA[33]. Unlike that legislation, however, protections such as revocation[34] and the restriction of this consent to narrowly defined purposes[35] are absent.
Deemed consent is assumed[36] where a Data Principal voluntarily provides personal data to the Data Fiduciary and it is “reasonably expected that such data would be provided”. Instead, a more limited exception allowing usage of this data only as “reasonably expected for the purpose it was voluntarily submitted” may be better aligned with the Puttaswamy principles.
Unlike the Previous Drafts, the Bill does not prescribe any mechanism for enactment of regulations or rules for processing on the basis of deemed consent, which may result in the abuse of this provision, especially in light of the ability of Data Fiduciaries to obtain broad-based consent.
Under the Previous Drafts, employment was a basis for processing only non-sensitive data, and only where consent of the Data Principal was not appropriate or would involve disproportionate effort[37]. The Bill instead proposes far broader language which, while having the benefit of being convenient for employers[38], may provide little protection to Data Principals.
Curiously, several “reasonable purpose” exceptions have been included as deemed consents, and yet subjected to an additional qualifier of public interest,[39] thereby creating a dual filter that is not only unnecessary, but also perhaps fundamentally incompatible with some of the listed items, such as credit scoring[40].
An important exception for search engines has been narrowed[41] from Previous Drafts to limit it only to processing publicly available personal data.[42]
An exception provided under Previous Drafts[43] for journalistic purposes has not found its way into the deemed consent provisions.
Part II of our analysis on the Bill is published separately.
[2] Notice issued by MEITY, available here
[3] The European Union General Data Protection Regulation (“GDPR”)
[5] See our analysis of the 2018 Bill here, and its comparisons with the GDPR here. See our analysis of the 2019 Bill (“Earlier Bill”) here
[6] See our analysis of the JPC report here
[7] Clause 4(1), Bill
[8] Clause 4(3), Bill
[9] Now defined only for this section as “any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a Data Principal”.
[10] Clause 4(2), Bill
[11] Clause 2(13), Bill
[12] Clause 2(B), Earlier Bill
[13] Clause 2(5), Bill
[14] The Group of Experts on Privacy, chaired by Justice AP Shah, postulated the need for this in their report titled ‘Report of the Group of Experts on Privacy’ dated October 16, 2012, available here
[15] Clause 5, Bill
[16] Clause 4, Earlier Bill
[17] Clause 5 and 6, Earlier Bill
[18] Justice KS Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (“Puttaswamy”).
[19] Defined to mean a list of individual items, Clause 6(2), Bill
[20] Clause 6(1), Bill
[21] Clause 7, Earlier Bill
[22] Clause 6(2), Bill
[23] Clause 6(3), Bill
[24] Clause 7, Bill
[25] Clause 7(1), Bill
[26] Clause 7(4), Bill
[27] Ibid.
[28] Clause 7(5), Bill
[29] Clause 7(4), Bill
[30] Clause 7(8), Bill
[31] Clause 14(2), Earlier Bill
[32] Clause 8, Bill
[33] Section 15, PDPA
[34] Section 16, PDPA
[35] Section 15, PDPA
[36] Clause 8, Bill
[37] Clause 13(2), Earlier Bill
[38] Clause 8(7), Bill
[39] Clause 8(8), Bill
[40] Clause 8(8)(d), Bill
[41] Clause 14(2)(h), Earlier Bill
[42] Clause 8(8)(e), Bill
[43] Clause 36(e), Earlier Bill