By Rimjhim Sharma* and Yash Bhatnagar**
Introduction
The Ministry of Electronics and Information Technology (MeitY) released the new draft of the Data Protection bill (Digital Data Protection Bill, 2022) on 18th November 2022 after retracting the earlier versions, namely the 2019 bill and the one submitted in the form of a report by the Joint Parliamentary Committee in 2021. This is another step in the government’s effort to roll out a simple, comprehensible, and inclusive data protection regime for the country. It also focuses on creating a safer environment to regulate the responsible usage of data. This piece traces the bill’s procedural history in relation to its predecessors and analyses the fundamental changes it brings to the table while exploring the challenges it may face in its implementation.
Procedural History of the Bill
2017: The Supreme Court, through the landmark Puttaswamy judgment, upheld the Right to Privacy as a fundamental right enshrined in the Constitution of India.
2019: The government came up with the first draft of the Personal Data Protection Bill, 2019, which addressed the rights of data fiduciaries and principals, concepts like data localization, and procedures for safeguarding personal data.
2021: Joint Parliamentary Committee (JPC) gave recommendations on the bill in the format of another Data Protection Bill, 2021 which also talked about bringing non-personal data in its ambit.
Both bills were criticised for their ambiguity, verbosity and incoherence with general data protection norms. They were hence taken back by the government in the middle of the year 2022 and are now re-introduced in the form of a new draft bill.
Key Highlights of the Bill
While changes were expected from this new draft, some key highlights of the bill, which can be a game changer in the realm of the Indian Data Protection regime, are as follows:
Gender Neutral: The DPB draft presents itself as the first Indian Legislation to use gender-neutral terms to address any person. It interprets the pronouns “she” and “her” for people irrespective of their gender, a welcome change in the history of Indian Legislation, which aims to be as inclusive and citizen-friendly as possible.
Consent: Clause 7 of the bill specifies that ‘Consent’ here means an indication by the data principal signifying an agreement for their data to be processed for a specified purpose and that such consent should be free, specific, informed, and unambiguous. This solidifies the government’s stance of consent being the primary indicator by the principals to data fiduciaries on the usage of their personal data.
Deemed Consent: ‘Deemed Consent’ is one of the interesting concepts introduced in the bill. It applies to scenarios where consent is not expressly needed. According to the draft, this means consent is ‘deemed to be taken’ when data principals are reasonably expected to provide such information or for the performance of a function under any law.
These include services that benefit data principals, such as issuance of a certificate, license, etc. Sub-clause 8 (a) of this section mentions prevention and detection of fraud, the inclusion of which was a long-held request from experts and stakeholders.
Cross–Border Transfer: Clause 17 of the bill elucidates that the government can assess and specify where a data fiduciary may transfer the data. This will ease the work of big tech companies set up abroad as they could then move the user data in and across the country without any legislative hassle.
Usage of Children’s Data: Children’s data in the draft is defined as data of a person below the age of 18 years. It mandates data fiduciaries to obtain parental consent to process children’s data. Fiduciaries are also prohibited from employing targeted advertising to children. This simplifies the provisions of child’s data and online practices protection demanded by civil societies and think tanks across the country.
Setting up of Data Protection Board: The draft also empowers the central government, through a notification, to set up a Data Protection Board, which exercises powers of the Civil Procedure Code, 1908, to resolve disputes arising from data breaches and misuse of personal data and to pass decrees upon them. This is another innovative step to foster fast-track judgments in such cases.
Penalties: Providing an arc to Section 43 of the Information Technology Act, 2000, the data fiduciaries can now face fines up to INR 250 Crores for failure to ensure “reasonable security safeguards” and up to 200 Crores for failure to report personal data breaches. While this quantum should be scrutinized according to the circumstances of such violations and the level of security failure, putting up an excessive amount of penalty sends out a message that personal and sensitive data is a matter of importance, and the government is ensuring its sanctity by putting such enormous penalties.
Major Issues around the Bill
Although the bill uses simpler language to address the concerns around data rights of principals and fiduciaries, there are some serious concerns and challenges that the bill poses:
- Issues around deemed consent
Deemed consent as a concept seems rational and novel when it elucidates a specific case where consent is implied, but it is framed in a broad and vague manner. The bill in its 8th clause talks about the same as “Consent of a Data Principal for data processing will be deemed in some instances viz. the maintenance of public order and in public interest respectively”. The terms ‘maintenance of public order’ and ‘in public interest’ are wide and can infringe on the sensitive data of the principals as mentioned in Rule of Information Technology (SPDI) Rules, 2011.
- Data Protection Board: Limitless Scope?
The power to appoint board members in chapter 5 of the bill has been vested by the government in itself. Prateek Waghre of Internet Freedom Foundation said this questions the independence of the Board and that their ability to appoint the chief of the board is a self-proclaimed power of the Indian Government. The dispute redressal mechanism, while being a novel step for resolving matters related to data breaches, is also not explored to its full extent, and there is no definition or procedure on how the members of the board who will adjudicate such matters will be chosen and who they will be. Considering that major data breaches happen in private companies or in public-private joint ventures, there is a chance of such appointed members having vested interests in the proceedings, which goes against the principles of natural justice.
- High Penalties: Pro-corporate, less inclusive
By setting penalties of up to almost 500 crores for breaches of data and security practices, the government gives out a message of strong accountability and compliance, but does not take into consideration data and security breaches in small MSMEs or fiduciaries which are not financially well-backed. While the provision will be up for negotiation on a case-to-case basis, in its entirety it is more corporate-friendly rather than being inclusive of all sorts of data fiduciaries.
What Lies Ahead?
It is for the stakeholders to see how the various concerns stemming from the Data Protection Board’s powers of independent regulation and the exemptions granted to government agencies from adhering to the Bill’s principles pan out in the near future vis-a-vis compliance with the new proposed data protection regime.
In the current times, where multiple instances of overarching State interference in institutions are a conspicuous presence, the Government must resolve to clear this air of doubt and strengthen the new data regime for India’s continued stronghold in the international sphere.
The Bill has garnered much criticism and pushback from Big Tech pertaining to the provisions of mandatory Data Localisation, and further questions have been raised as to its need in the first place. With repeated and prolonged delays, the new Bill has a tinge of a protectionist flavour which might hinder the values of a globalised marketplace.
The most prominent challenge that has come to the fore is to strike the right balance between opportunities from ‘Free Data’ and the Right to Privacy as recognised by the Puttaswamy Judgement 2017. A word of caution is to push for data localisation with care and proper scientific classifications. What is required of the policymakers now, in this regard, is to fine-tune the open-ended definitions to add more clarity for better compliance.
*Rimjhim Sharma is a 5th year law student at Dr. Ram Manohar Lohiya National Law University, Lucknow. She is also a member of Kautilya Society, RMLNLU Chapter.
**Yash Bhatnagar is a 3rd year law student at Dr. Ram Manohar Lohiya National Law University, Lucknow. He is also a member of Kautilya Society, RMLNLU Chapter.
