Response to the Digital Personal Data Protection Bill, 2022
To, 16 Nov 2022
Shri Ashwini Vaishnav,
Hon’ble Union Minister for Communications, IT & Railways,
Government of India
SUB: Our Comments on the draft Digital Personal Data Protection (DPDP) Bill, 2022
Dear Shri Vaishnav ji,
Greetings from DeepStrat, a New Delhi-based think tank and strategic consultancy.
At the outset, we would like to commend the government and the Ministry of Electronics and Information Technology (MEITy) for the release of the draft Digital Personal Data Protection (DPDP) Bill, 2022.
The Bill covers many key issues and is an important legislation that will have a major impact for India and its citizens and their fundamental rights. We find that the Ministry has broken new ground on several aspects and delivered a simplified law that is not only easy to understand, but also attempts to navigate competing interests.
In our comments we have kept three broad principles in mind:
- The adherence to Constitutional framework and principles
- The principles as laid down in the Puttaswamy Vs Union of India judgment
- The need for enhancing innovation and business without conflicting with points 1 and 2
Our comments are in broadly two sections. Part One is a summary of our recommendations. Part Two is the clause-by-clause recommendation along with detailed explanatory notes and empirical evidence.
We would be grateful if you could acknowledge our comments and we hope will also give serious consideration to them while drafting the final Bill for presentation to Parliament.
With warm regards,
Yours sincerely,
Yashovardhan Azad, IPS (Retd)
Chairman
DeepStrat | StratDeep Private Limited
PART ONE
SUMMARY OF OUR RECOMMENDATIONS
Section I – NOTICE AND CONSENT FRAMEWORK
-
- Clause 7 – Consent, we recommend:
- A consent manager framework along the lines of Data Empowerment and Protection Architecture may be adopted
- Alternatively, another framework for consent manager should be suggested in the text of the Bill
- Clause 8 – Deemed Consent, we recommend:
- Clear definitions of criteria for deemed consent should be specified
- Adequate safeguards for protection of data privacy should be prescribed
- A legitimate interest exception clause should be incorporated
- Clause 7 – Consent, we recommend:
Section II – RIGHTS AND OBLIGATIONS
-
- Clause 10 – Additional obligations in relation to processing of personal data of children, we recommend:
-
- Age limit of consent should be reviewed
- Graded approach towards obligations for processing children’s data should be adopted
- The definition of harm under the 2019 Bill, as approved by the Joint Parliamentary Committee should be adopted
- The criteria for exceptions should be clearly defined in the Bill
2. Clause 12 – Right to information about personal data, we recommend:
-
- Timelines should be prescribed for providing information to the Data Principals3.Cause 13 – Right to correction and erasure of personal data, we recommend:
-
- The right to be forgotten should be included in the Bill
- Alternatively, reasons should be supplied for removal of the right to be forgotten, as envisaged in the earlier iterations4.Clause 14 – Right of grievance redressal, we recommend:
-
- Necessary timelines for grievance redressal need to be prescribed in the Bil
Section III: CROSS BORDER DATA TRANSFERS AND TRUSTED GEOGRAPHIES1.Clause 17 – Transfer of personal data outside India, we recommend:
- Necessary timelines for grievance redressal need to be prescribed in the Bil
-
- Clarification on the phrases used in the clause is required
- The reciprocal obligations of cross-border data sharing agreements should be considered
- EU’s Adequacy Framework or Singapore’s standard of protection may be studied
- Other tools to facilitate cross-border transfers of data should be considered, such as:
- Adoption of an Accountability Framework
- Internal company transfers through standard contractual processes
- To ensure greater predictability for businesses, the Act and Rules should come hand in hand
Section IV: EXEMPTIONS AND STATE SURVEILLANCE
1 Clause 18 – Exemptions, we recommend:
-
- The phrase “any instrumentality of the State” needs to be circumscribed
- The provision should clearly prescribe the limits or boundaries of surveillance
- The grounds for identification of Data Fiduciaries, to whom certain provisions will not apply, should be mentioned
- The exemptions should reflect the principles of legitimacy, proportionality and legality as laid down by the Supreme Court
- We recommend a surveillance oversight mechanism that has two levels:
- Level 1 This will cover cases related to terrorism and public safety where the proposed legal sanction and oversight mechanisms can be post-facto, but within 72 hours of the sanction
- Level 2 This will cover all other cases that can attract state surveillance, where legal sanction must be obtained before carrying out surveillance, followed by the oversight mechanisms detailed below
- We recommend the following oversight principles:
- Parliamentary Oversight
- Judicial Authorisation
- Legality
- Legitimate goal
- Proportionality
- Procedural guarantees
- Internal Oversight
- Administrative and Technical safeguards
Section V: COMPLIANCE FRAMEWORK
-
- Clause 19. Data Protection Board of India, we recommend:
-
- The composition of the Board and the qualification of its Members should be specified.
- The mode of appointment and removal of Members needs to be laid down
- The terms “Digital by Design” and “Digital Office” should be explained to establish their consistency with the provisions of the Civil Procedure Code
- Zonal or State level bodies should be created to make the DPB more functional and for compliance with Schedule VII of the Constitution2.Clause 20 Functions of the Board, we recommend:
-
- The DPB should have a clearly defined mandate3.Clause 23. Alternate Dispute Resolution, we recommend:
-
- The clause should specify that mediation will be carried out in accordance with the procedure laid down in the Arbitration and Conciliation Act, 1996
- The term “other processes” for achieving ADR needs a clear definition4.Clause 29. Consistency with other laws, we recommend:
-
- The clause should specify how the Data Protection Board will harmonize its functions with other regulatory authorities5.Clause 25 – Financial Penalties we recommend:
-
- Consultations undertaken before finalizing financial penalties should be released to guide the Law Enforcement on adoption of a uniform approach for imposing penalties
- A provision for seeking compensation should be made available to the Data Principal
- Separate penalties should be provided for government offences
- Financial autonomy of the DPB can be ensured through
-
-
- Corpus funding
- Authorization to use fines collected for specified purposes
Section VI: AMENDMENTS1.Clause 30 – Amendments, we recommend:
-
-
-
- Amendment to S. 43 A IT Act, 2000 should be omitted and provision for compensation should exist in both legislations
- Amendment to S. 8(1)(j) and proviso of the RTI Act, 2005 should be omitted and disclosure of information should be continued to be allowed under the section in its existing form2. A sunset clause should be added to the Bill to have time and function based review of the provisions of the Bill by a parliamentary committee
-
PART TWO
CLAUSE-BY-CLAUSE COMMENTS ON THE DPDP BILL, 2022
Section I- NOTICE AND CONSENT FRAMEWORK
Clause 7 – Consent
Recommendations
-
-
- A consent manager framework along the lines Data Empowerment and Protection Architecture may be adopted
- Alternatively, another framework for consent manager should be suggested in the text of the Bill
-
Comments
Clause 7 of the draft Digital Data Protection Bill delves into the principal of Consent in detail. In sub clause 6 it notes that the Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager. It further defines the Consent Manager as a Data Fiduciary which enables a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform. Such an entity is accountable to the Data Principal and every Consent Manager shall be registered with the Board in such a manner and subject to such technical, operational, financial and other conditions as may be prescribed.
Since this entity will be at the very core of managing consent for the Data Principle, it may be prudent not to leave the technical standards for a later set of rules. In November 2020, the NITI Aayog, in partnership with iSPIRIT had released a draft document for discussion on the Data Empowerment and Protection Architecture (DEPA) with the object to further the notion that individuals should have control over how their personal data is used and shared. The DEPA is designed around the idea that agency over data could empower Indians with opportunities to improve their lives.
It draws on the Account Aggregator (AA) framework that had been put together by the RBI in consultation with other financial sector regulators in 2016. The AA framework has recently been nudged into becoming the preferred choice for on-boarding of consumers on any financial platform. An industry collective named Sahamati, provides the technical expertise to refine the standards that had been defined by the RBI. With a functional framework already in place, the Bill may either adopt the existing framework or clearly put out the technical and other considerations for a different one. This will ensure a high degree of policy certainty and allow businesses to align with compliance requirements of the proposed legislation with minimal disruption.
Clause 8 – Deemed Consent
Recommendations
-
-
- Clear definitions of criteria for deemed consent should be specified
- Adequate safeguards for protection of data privacy should be prescribed
- A legitimate interest exception clause should be incorporated
-
Comments
While there are some legitimate cases where consent will be deemed, some of the terms used in this clause are of very wide import. For instance, consent will be deemed for taking measures to ensure safety during “any breakdown of public order”. It can also be deemed “in public interest, including for” the seven instances listed below. The usage of “including for” means that this list is not exhaustive, and “public interest” could potentially become a tool to allow for bypassing the consent requirement in a plethora of instances. The clause ends with an open-ended phrase that it can be deemed “for any fair and reasonable purpose as may be prescribed”. This is a fairly expansive clause, which is open to many interpretations, and prone to the possibility of overuse. Limitations on it may be prescribed at a later stage, but have not been carved out through the Bill itself. We suggest that the terms used in this Bill should clearly be defined in the definition clause in order to lend the provision of deemed consent more clarity and certainty. At present, the terms are open to interpretation and wide discretion of the Executive.
It is of significance to note that in cases of deemed consent, the Data Principal will not be given notice, leaving her completely unaware about the collection, processing, and storage of her data, and potentially leaving her outside the ambit of grievance redressal. In this context, it is necessary to clearly define the scope of this section and prescribe adequate circumscribing safeguards to it.
International jurisdictions such as that of Singapore and the European Union deploy the principle of “legitimate interest exception” as the basis of determining whether data can be lawfully processed by a data fiduciary without consent. Legitimate interests refer to interests of the organization or any third party. Organizations are required to document their assessments on how they relied on this exception to process data. A test of the purpose, necessity, and balancing of interests is normally applied while making an assessment for a company to process data under this exception. Such frameworks are widely accepted and help fostering adequate privacy protection to data principals. We suggest that a legitimate interest exception clause be incorporated in the deemed consent clause. This would help achieve a fair balance of rights between individuals and corporations.
Section II – RIGHTS AND OBLIGATIONS FRAMEWORK
OBLIGATIONS OF DATA FIDUCIARIES
Clause 10 – Additional obligations in relation to processing of personal data of children
Recommendations
- Age limit of consent should be reviewed
- Graded approach towards obligations for processing children’s data should be adopted
- The definition of harm under the 2019 Bill, as approved by the Joint Parliamentary Committee should be adopted
- The criteria for exceptions should be clearly defined in the Bill
Comments
The provision affording extra protection and rights related to processing of children’s personal data has survived the many iterations of the bill. However, this Bill imposes an additional requirement upon Data Fiduciaries to obtain verifiable parental consent before processing personal data of children. The manner of obtaining such consent will be prescribed by the Executive at a later stage, therefore, what kind of verification will be required remains unclear. We recommend that this be specified to provide certainty.
With respect to the scope of this provision, a child has been defined in the Bill as an individual below the age of eighteen years [Clause 2(3), 2022 Bill].
In today’s digital world, children are exposed to and familiarized with online content very early. The age limit needs to be reviewed in this context. In EU’s GDPR, the age of consent is prescribed as 16 years, with a provision with the member states to further lower it to 13 years.
This provision requires verifiable parental consent for all children under eighteen, without accounting for differences in levels of maturity and agency at different age groups. We are of the view that all children under the age of eighteen should not be put in the same bracket. Instead, a graded approach should be the basis of applying the necessary safeguards for children of different age groups.
Notably, the 2019 and 2018 Drafts both had the same clause on definition of harm, which included mental injury, loss of reputation or humiliation, any discriminatory treatment, any subjection to blackmail or extortion, any observation or surveillance that is not reasonably expected by the data principal, etc. [Clause 3(20), 2019 Draft Bill, Clause 3(21), 2018 Draft Bill]
This Bill reduces the definition of harm to include only four kinds of harm, as opposed to the earlier ten. These are:
a. any bodily harm; or
b. distortion or theft of identity; or
c. harassment; or
d. prevention of lawful gain or causation of significant loss;
The Explanatory Note attached with the 2022 Bill suggests that children are in need of special protection, therefore no processing of data that is likely to cause harm to a child should be done. In light of this objective, the reasons for reducing the scope of the definition in this Bill remain unclear. The Bill’s objective of protecting children could be better achieved by adopting a more comprehensive definition of harm which protects children’s interests in a more holistic manner.
Lastly, steps towards protection of children’s data are appreciated, but the last sub-clause heavily dilutes these protections by allowing for exceptions as may be prescribed in Rules. The Bill does not lay down any criteria for such exceptions, which could significantly impact the scope of protections afforded to children. The criteria for exceptions should therefore be provided in the text of the Bill.
RIGHTS AND DUTIES OF DATA PRINCIPAL
Clause 12 – Right to information about personal data
Recommendation
Timelines should be prescribed for providing information to the Data Principals.
Comments
This clause will be useful to ensure transparency and accountability of Data Fiduciaries. However, there are no defined timelines for provision of such information in the Bill. Data Fiduciaries will need to have the necessary mechanisms in place to comply with such requests. The clause should specify the timelines to offer predictability to businesses, investments and facilitate compliance.
Cause 13 – Right to correction and erasure of personal data
Recommendations
- The right to be forgotten should be included in the Bill
- Alternatively, reasons should be supplied for removal of the right to be forgotten, as envisaged in the earlier iterations
Comments
Data Principals have been given the right to correction and erasure of their data, without any rider. The 2019 Draft had a provision under Clause 18 for the Data Fiduciaries to decline such requests. This has been done away with, which is a welcome move. Notably, however, the right to be forgotten which was present in the 2018, 2019 and 2021 Drafts has not featured in this Bill and no explanation has been provided for its removal. The reasons for deciding to do away with the right to be forgotten, especially since the Bill is based on the principles of purpose limitation and data minimization, would be appreciated to better understand the government’s position on this clause.
Clause 14 – Right of grievance redressal
Recommendation
Necessary timelines for grievance redressal need to be prescribed in the Bill
Comments
Data Fiduciaries need to have a readily available means of registering grievances of Data Principals. If the Data Principal is not satisfied with the response of the Data Fiduciary or receives no response within seven days, she can register a complaint with the Board.
No timelines have been put in place for grievance redressal, which is a departure from the 2018, 2019 and 2021 drafts of the Bill. To ensure compliance by Data Fiduciaries, the Act will have to prescribe the necessary timelines. Effective compliance can also be achieved by implementing this clause in a phased manner.
Additionally, all unsatisfied Data Principals having recourse to the Board may result in overburdening of the Board, considering the quantum of complaints that may be received in a populous country like India. Therefore, we suggest the creation of state level boards in our comments under the chapter on Compliance Framework.
Section III: CROSS BORDER DATA TRANSFERS AND TRUSTED GEOGRAPHIES
Clause 17 – Transfer of personal data outside India
Recommendations
- Clarification on the following phrases is required:
- “such countries or territories outside India”
- “after an assessment of such factors as it may consider necessary”
- “in accordance with such terms and conditions as may be specified”
- The reciprocal obligations of cross-border data sharing agreements should be considered
- EU’s Adequacy Framework or Singapore’s standard of protection may be studied
- Other tools to facilitate cross-border transfers of data may be considered, such as:
- Adoption of an Accountability Framework
- Internal company transfers through standard contractual processes
- To ensure greater predictability for the businesses, the Act and Rules should come hand in hand
Comments
The Union Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.
Assuaging the many concerns about data localization in the previous versions of the Bill, this Bill has done away with the requirement of data localization. The Union Government has been empowered to notify countries to which data can be transferred, based on an assessment of “such factors as it may consider necessary”.
The departure from data localization is a positive step towards ease of doing business in India. The problem with this clause is not in what it provides, but in what it lacks to provide. One of the biggest risks for a business in a country is the uncertainties in the policy and legal framework. The following clarifications on this clause would be useful to help align businesses with the policy objectives of the government:
- The phrase “such countries or territories outside India” should be elaborated. In the absence of any definitions to suggest the scope of this phrase, it would be a good exercise to bring more clarity to this provision. A question that warrants consideration here is whether the territories where data can be transferred refer to land only or they can also be at sea?
- “After an assessment of such factors as it may consider necessary” is a phrase which offers little certainty on what the criteria would be adopted for such assessment. Whether these factors will be limited to the objective of this Bill or will other factors also play a role in such decision making? How is the assessment going to ensure that data principals are afforded the same degree of rights and protection, and effective grievance redressal in the third country where their data is transferred to? The criteria for assessment should be specified in the Bill.
- “In accordance with such terms and conditions as may be specified” – While the Bill itself does not contain these terms and conditions, there have been news reports which indicate that this clause will be operationalized through bilateral or multi-lateral agreements with other territories. The terms and conditions of data transfer will be reflected through such agreements. Before this Bill is passed, a deliberation on what terms and conditions should be pre-requisite for entering into agreements should be undertaken. These terms and conditions should be prescribed in the Bill to ensure that digital rights of digital citizens would be protected even when the data is transferred based on an agreement entered with a country at a later stage.
While formulating our principles on cross-border data flow, reciprocal obligations of agreements entered with international jurisdictions should be considered. For context, other jurisdictions such as Singapore and the EU have strict standards for transfers of data from their territory to another. Singapore’s Personal Data Protection Act prohibits organizations from transferring personal data outside Singapore unless such country or territory provides a standard of protection comparable to Singapore.
The GDPR allows data transfers to a third country or international organization only if they ensure an adequate level of protection [Article 45, para 1, GDPR]. Consequently, European Union uses adequacy decisions of the European Commission as the basis of transfer of personal data from the EU to third countries. The European Commission has been entrusted to pass adequacy decisions which confirm with binding effect that a third country’s level of data protection is “essentially equivalent” to that of the EU. The result of an adequacy decision is free flow of data from European Economic Area to a third country. This exercise involves an analysis of the content of law applicable in the third country and the means of ensuring its effective implantation. Some of the General Data Protection Principles taken into account while making this analysis are listed below:
- Content Principles
- Grounds for processing data must be lawful, fair, and legitimate
- The legitimate bases must be stated in a sufficiently clear manner
- Purpose limitation
- Data proportionality
- Data retention principle
- Security and confidentiality principle
- Grounds for processing data must be lawful, fair, and legitimate
- Procedural and Enforcement Mechanism
- Competent independent supervisory authority
- Such body should function with complete independence and impartiality
- Competent independent supervisory authority
- Essential guarantees in third countries for law enforcement and national security access to limit inferences to fundamental rights
- Processing based on clear, precise and accessible rules
- Demonstrated necessity and proportionality with regards to legitimate objectives
- Processing subject to independent oversight
Apart from bi-lateral agreements, the following tools could be considered by the Indian government to allow cross-border flow of data, while maintaining adequate protection safeguards and enabling ease of doing business:
- Adoption of an Accountability Framework: The bill could adopt an Accountability Framework designed on the lines of the Asia-Pacific Economic Co-operation (APEC) Cross-Border Privacy Rules (CBPR) System. The CBPR is a government-backed data privacy certification that companies can join to demonstrate compliance with internationally recognized data privacy protections. Through the CBPR System, certified companies and governments work together to ensure that when personal information moves across borders, it is protected in accordance with the standards prescribed by the system’s program requirements and is enforceable across participating jurisdictions. The system is based on the following tenets:
- Enforceable standards
Accountability
- Risk-based protections
- Consumer-friendly complaint handling
- Consumer empowerment
- Consistent protections
- Cross-border enforcement cooperation
- Internal company transfers – Globally, legislation allows internal company transfers through standard contractual processes. Our law can recognize such transfers across borders through these processes without having the businesses rely on bilateral agreements at a national level. This would avoid the possibility of political relations between two nation-states impacting the businesses’ internal operations.
To ensure greater predictability for the businesses, we suggest that the Rules and legislation should come hand in hand. Not everything should be left to be brought in through rules at a later, undefined stage. Certainty in our data protection regime would enable compliance and could potentially unlock digital growth for India at a global scale.
Section IV: EXEMPTIONS AND STATE SURVEILLANCE
Clause 18 – Exemptions
Recommendations
- The phrase “any instrumentality of the State” needs to be circumscribed
- The provision should clearly prescribe the limits or boundaries of surveillance
- The grounds for identification of Data Fiduciaries, to whom certain provisions will not apply, should be mentioned
- The exemptions should reflect the principles of legitimacy, proportionality and legality as laid down by the Supreme Court
- We recommend a surveillance sanction and oversight mechanism that has two levels:
- Level 1 This will cover cases related to terrorism and public safety where the proposed legal sanction and oversight mechanisms can be post-facto, but within 72 hours of the sanction
- Level 2 This will cover all other cases that can attract state surveillance, where legal sanction must be obtained before carrying out surveillance, followed by the oversight mechanisms as detailed below
- We recommend a surveillance oversight mechanism based on the following principles:
- Parliamentary Oversight
- Judicial Authorisation
Legality
-
- Legitimate goal
- Proportionality
- Procedural guarantees
- Internal Oversight
- Administrative and Technical safeguards
Comments
The Fundamental Rights, including the right to privacy fall under part III of the Constitution of India, which are applicable against the ‘State’ as defined in Article 12. It defines State to include the Government and Parliament of India and the Government and the Legislature of each of the States and all local or other authorities within the territory of India or under the control of the Government of India. Through various judicial precedents, we now have a broad set of parameters evolved by the Supreme Court to determine whether a particular body falls under “other authorities” and could thus be considered “State”. The definition of State has thus been broadly interpreted by the judiciary, and fundamental rights are enforceable against all the bodies that fall within its ambit.
In this constitutional context, when the Bill exempts “any instrumentality of the State” without defining ‘instrumentality’, it renders this provision open to broad exemptions. Additionally, such instrumentalities of state could be given blanket exemptions from the applicability of the “entire Act”. Exemptions with such a broad sweep to the State could prove to be dangerous to the very scheme of Fundamental Rights enshrined in the Constitution. These exemptions to any instrumentality of the State have been replicated in essence from Clause 35 of the 2019 Draft. This has left unaddressed the many concerns raised in the earlier iteration about excessive surveillance by the government. Therefore, we suggest that the term “any instrumentality of the State” be defined.
The terms that set the boundaries for surveillance are not well defined and understood. Nearly every action can misuse these terms to circumvent the necessity and proportionality threshold as laid down by the Hon’ble Supreme Court and thus, make the surveillance order legal.
This is especially true for the term “National Security” or security of the State (most used for targeted surveillance) “public order” and “investigation” of a crime. Besides, India lacks a national security strategy that could clarify the definition of national security and the government’s objective in ordering surveillance. We suggest that the terms that set the boundaries for surveillance be defined in this clause.
Until now, a pre-independent and colonial Indian Telegraph Act and S. 69 of the Information Technology Act regulate surveillance. While the Union is empowered to pass a legislation to form a Central Bureau of Intelligence as per Item no, 8 of List I of Schedule VII, it has not exercised this power to lend any statutory backing to the Intelligence Bureau (IB), Research and Analysis Wing (R&AW) and the National Technical Research Organisation (NTRO). As a result, the IB, R&AW and NTRO are created through gazette notifications. The constitutionality of the creation of IB through an executive order has been in question in Intelligence Bureau Housing Society v. R.N. Kulkarni.
In the United Kingdom, the Security Service (equivalent of the IB, popularly known as MI-5) was created using the Security Service Act, 1989 and their Secret Intelligence Services (equivalent to R&AW) was brought under the Intelligence Services Act.
The Supreme Court has, in its earlier rulings, held that an executive action cannot interfere with rights of a citizen without a valid statutory legislation. The Apex Court gave the mandate to an independent committee to review the surveillance architecture of India in light of right to privacy, which highlights the importance of having a parliamentary or judicial oversight mechanism over surveillance.
In the absence of any specific post-constitution legislation on surveillance, the wide Exemptions to the state would not bode well for the privacy rights of the citizens. The clause on Exemptions should be reworked in light of the existing surveillance architecture to provide for more safeguards to the digital privacy rights of the citizens.
Sub-clause 3 of Clause 18 also gives the Union Government the power to notify certain Data Fiduciaries to whom certain provisions will not apply. This provides the Executive with the last say in who protects the fundamental rights of the citizens and who is allowed to infringe it. Our recommendation is that the grounds for identification of Data Fiduciaries, to whom certain provisions will not apply, need to be mentioned in the Bill.
Once privacy has been enshrined as a fundamental right, it should become subject to Article 21 of the Constitution of India, which means it cannot be infringed except according to procedure established by law. The JPC had noted that these exemptions should be subject to procedure that is just, fair, reasonable, and proportionate. The 2022 Draft makes no mention of the procedure to be followed in cases of exemptions. The government cannot take a pre-eminent position in safeguarding the right to privacy as per their interpretations of events when this right has now been constitutionally guaranteed.
It is also important to note that purpose limitation, stated in the explanatory note as being one of the cornerstones of this Draft, does not apply to the State or any instrumentality of the State. This means the government can retain data for as long as it wishes. These wide-ranging exemptions dilute the scope of rights and duties enumerated in the previous chapters to a great extent.
Ultimately, this clause will have to stand the tests for infringement of privacy laid down in the Justice K.S. Puttaswamy v. Union of India. The exemptions should reflect the principles of legitimacy, proportionality and legality laid down by the Supreme Court in the case. In fact, the 2018 Draft afforded the strongest protections against government access to data. The 2019 Draft watered them down to a great extent but still had some safeguards. The Joint Parliamentary Committee had recommended that such exemptions should be just, fair and reasonable, but this draft misses the opportunity to address these suggestions. A look at the GDPR shows that they have exemptions, but they are much narrower in scope. Their framework is oriented towards providing maximum privacy to their digital citizens. The objective of the Bill states that it seeks to balance the right of individuals to protect their personal data and the need to process personal data for lawful purposes. The Exemption clause in its current form tips the scale heavily towards greater processing of data by the State.
Our recommendations on the surveillance oversight mechanism:
It is understood that some exigencies such as those falling under the Security of the State could be extremely time and information sensitive, while others may not be of an equally critical nature. Therefore, we suggest the adoption of a two-level oversight mechanism:
- Level 1 This will cover cases related to terrorism and public safety where the proposed legal sanction and oversight mechanisms can be post-facto, but within 72 hours of the sanction
- Level 2 This will cover all other cases that can attract state surveillance, where legal sanction must be obtained before carrying out surveillance, followed by the oversight mechanisms as detailed below.
There should be a body that must be empowered to oversee the legal enforcement agencies and intelligence agencies’ operations. This body must have oversight on the policies, administration and operations of various agencies subjected to secrecy. But, for this to operationalise Clause 18 of the 2022 Draft must be amended as it empowers the government to exempt its agencies from the purview of the Bill. The approach taken in the Law Enforcement Directive (“LED”) in the EU deals with the processing of personal data by data controllers for ‘law enforcement purposes’ – which falls outside of the scope of the GDPR. Although it is in the form of a directive, it has been embedded in domestic legislation across Europe. The LED regime only applies in cases where the data controller is a ‘competent authority’, and the processing is done for ‘law enforcement purposes.
In short, a combination of specific legislation that speaks of the manner in which large scale data collection and analysis for legitimate purposes of Law enforcement, along with an empowered Data Protection Body can serve as effective oversight mechanisms.
The following principles on surveillance oversight should be applied:
Parliamentary Oversight:
- A Multi-Party parliamentary standing committee should oversee the law enforcement agencies and intelligence agencies’ operations. A mechanism followed by the UK should advise the model because India inherited and emulated the Westminster model of parliamentary government. The UK has the Intelligence and Security Committee of Parliament formed under the Intelligence Services Act 1994 (reinforced by Justice and Security Act, 2013) to oversee the policies, expenditure, administration and operations of various intelligence agencies subjected to secrecy.
- It has been argued that Members of Parliament should not have access to such information. However, in advanced democracies such as the UK, the Prime Minister retains control over who will be part of the Committee, provided they are drawn from other parties besides his/her own.
In addition to this, the parliamentarian must be granted access to information held by intelligence and law enforcement agencies without restricting any information under the ambit of preserving national security. A similar mechanism is followed by the United States, where US Congress monitors the law enforcement agencies and intelligence agencies, and there are no statutory restrictions on information access.
Judicial Authorisation:
1. It would safeguard the right to privacy of the individuals from unwanted state surveillance as the Supreme Court recognised privacy as a negative content.
2. Judicial authorisation could be spilt into two areas.
- For prevention and investigation of criminal offences (warrant of interception from the concerned court, with expiring time duration and archiving of intercepted contents and submission to the court) and
- A special authority (to be created), and for intelligence purposes that can be on the lines of the UK Investigative Powers Commissioner
3. It would bring about a separation of powers to check and oversee the executive actions, which could at times hamper the democratic safeguards due to malicious motives.
4. The State agencies (both intelligence and law enforcement agencies) must take a prior warrant from the court in Level 2 cases and post-facto in Level 1 cases before intruding into the private communications between individuals. Various jurisdictions follow this mechanism and India must pick inferences from those to devise a more nuanced judicial authorisation system.
5. The court warrant must assess the constitutional validity of the request for surveillance through four prerequisites (as follows) for infringing upon an individual’s privacy and personal liberty discussed in Puttaswamy Judgement I.
- Legality: Existence of a law by Parliament (which was also emphasised by the Supreme Court in the Maneka Gandhi case of 1978)
- Legitimate goal: The intelligence and law enforcement agencies must prove the legitimate aim for conducting surveillance with proper justification.
- Proportionality: The request must show that surveillance is necessary to achieve the aim. In addition, the request must prove the rational nexus between the objects and the means adopted to achieve them – in terms of
(a) the amount of data required to be tapped or retrieved (b) tools used for surveillance (for which it is important to equip judges with technical expertise).
- Procedural guarantees: The state abuse and misuse must be minimal by having concrete procedural safeguards followed by the state agencies, including the below discussed safeguards.
Administrative Oversight:
1. In addition to the external oversight proposed that has been proposed above, we recommend having a review committee model. The constituted authority should be answerable to the parliamentary committee and the Parliament in general.
2. In addition, the authority must audit and review the practices and safeguards followed by the agencies.
3. Besides, the authority should be empowered to take complaints related to unauthorised disclosure of classified or sensitive national security information, illegal surveillance activity, administrative misconduct etc. For instance, in the United States, under the U.S. Code, the office of the Inspector General of the Intelligence Community is in place to oversee programs and activities within the purview of the Director of National Intelligence (DNI).
Internal Oversight:
1. We propose that every law enforcement and intelligence agency must have an independent Inspector General who will scrutinise the surveillance request before it reaches the court for approval.
2. Many jurisdictions follow a similar kind of model. For instance, in the UK every law enforcement agency has independent officials to scrutinise surveillance requests.
3. Independent Inspector Generals must also audit and review the practices and safeguards followed by respective agencies and be answerable to the Parliamentary committee and the Parliament in general.
Safeguards
Technical safeguards: Various technical safeguards must be established to protect the privacy of individuals following some of the universal principles such as:
- Data minimisation: The data collected through means of surveillance should not exceed the purpose for which it was collected and should not be held/stored post the completion of the purpose.
- Proportionality: The data required through surveillance must have a rationale connection with the object of the investigation, such that data demanded is absolutely necessary. The UK also propagates this principle through its Investigatory Power Act, 2016 (previously Regulation of Investigatory Powers Act, 2000), which mandates that data demanded by the intelligence agencies must be necessary and proportionate.
- Purpose limitation: The information received through surveillance must be processed only for the case/investigation it was accrued. The investigating agency must initiate a new request to use the same evidence in other cases/investigations. Besides, usage of evidence for anything other than law enforcement must be prohibited.
- Privacy by design: The processing of evidence by law enforcement agencies and intelligence agencies should be privacy-friendly and doesn’t trade-off privacy at the cost of other State interests such as national security, public order etc. It should use Privacy Enhancing Technologies to ensure that unnecessary personal details are not exposed. The access control must be designed to be adequately granular, with audit trails, to enforce privacy and accountability.
- Fair and lawful processing: The data acquired through surveillance must be processed fairly and lawfully such that unintended consequences like discrimination, historic disposition, oppression do not translate into the action.
- Training: The personnel engaged in surveillance, including supervisory officials, must attend trainings on privacy and ethics annually, to ensure that the right culture is built and nurtured.
- Data provenance: Law enforcement agencies and intelligence agencies must have legal and technical measures to differentiate citizens from foreign nationals within the bulk of data gathered through the surveillance. By identifying the provenance of the data it should be treated differently.
- Data security: The data collected through surveillance should be encrypted at rest to ensure the safety of the information stored.
- Data deletion: The data collected through surveillance must not be retained longer than necessary, which is followed by intelligence agencies in the UK under Investigatory Powers Act, 2016. At the laps of data retention mandate by regulations, the information gathered through surveillance by law enforcement and intelligence agencies must be destroyed.
- Data disclosure: When a crime or security threat is not established from the data collection and processing exercise, the agencies must inform the individuals about the surveillance and reveal the data collected (after a period) to them.
Administrative safeguards
Every legal enforcement agency and intelligence agency must have privacy/ethics officers within their agencies to ensure day-to-day operations are not violating ethicality and privacy. The officer should also provide advice and guidance to the officials on matters related to privacy and ethicality. Many countries, including the US, UK and Germany, follow this system, for instance, in the US, the Office of Privacy and Civil Liberties is formed within the CIA, NSA etc.
Section V: COMPLIANCE FRAMEWORK
Clause 19. Data Protection Board of India
Recommendations
- The composition of the Board and the qualification of its Members should be specified.
- The mode of appointment and removal of Members needs to be laid down.
- The terms “Digital by Design” and “Digital Office” should be explained to achieve consistency with the provisions of the Civil Procedure Code.
- Zonal or State level bodies should be created to make the DPB more functional and for compliance with Schedule VII of the Constitution
Comments
The first observation in this clause is that a Data Protection Board (hereinafter, “DPB”) has replaced the earlier Data Protection Authority, as envisaged in the 2018 and 2019 Drafts. No explanation for such change has been provided. This change in terminology indicates a departure from the internationally recognized nomenclature i.e., “Authority”. Justice Srikrishna Committee’s recommendations and accompanied Draft proposed the creation of an independent body called the Data Protection Authority. Favoured measures for maintaining the independence of the body such as fixed tenure, disclosure of conflicts, post-retirement safeguards and
restrictions on future employment, and financial independence were provided for in the 2018 Draft. The composition of the Board and qualifications of members were specified. The composition of the Selection Committee which would appoint the Board was also specified and contained a fair balance of members from the judiciary, the executive, civil society, and industry representatives.
The 2019 Draft also had the above broad provisions of the 2018 Draft but with lesser measures to ensure independence of the Authority. The JPC sought to attribute such independence to the Authority by recommending a few changes. Notably, it said that it should be specified that one member of the Authority be an expert in the field of law. It also said that the Selection Committee in the 2019 Draft comprised all Secretary level bureaucrats, and recommended that the Committee be composed of technical, legal and academic experts to make it more inclusive, robust and independent. These suggestions of the JPC are not reflected in the current 2022 Draft.
The Data Protection Board proposed in this Bill is just a bare structure, scheduled to be defined later by the Union Government. Leaving critical details about the composition, qualifications, terms of service, removal, etc. to be decided by the Union will affect the independence of the Board.
Independence of the Board can be assessed by checking the following specifications:
- Appointment of members, qualifications, their removal, and the terms of service
- Financial autonomy of the Board
- Criteria for selection of the Board and Composition of the Selection Committee.
Secondly, when clause 19 is read with clause 20(1), phrases such as “the functions of the Board shall be digital by design” and “digital office” offer little clarity. Since the Board will be functioning as per the procedure of the Code of Civil Procedure, 1908 (‘CPC’), clarity is required on how will it harmonize its processes with the already existing procedures for inquiry, summoning, examination of witnesses, collection of evidences, etc. under the CPC. How will the objective of being a digital office be achieved in the existing procedural framework? Further clarity is required on this.
Thirdly, it was strongly urged in the dissent note by Dr. Amar Patnaik, member of the JPC, that setting up of State level Data Protection Authorities would be the more appropriate framework from a constitutional, legal, administrative and jurisdictional point of view. This suggestion was made due to two primary reasons:
- It would be reflective of the true spirit of federalism between the Centre and the States
- Public order, health, education, etc., are fall under the State List of the Seventh schedule, so a state level body will be better suited to handle the complaints related to consent and data breaches occurring within its territorial jurisdiction.
State level bodies were created under the Right to Information and Consumer Protection Acts for supplementing the central level bodies in effective and efficient implementation of those Acts. During implementation of GDPR in Europe it was observed that the authorities established were overburdened, despite there being multiple levels of authorities.
The 2022 Bill only envisages one centralized Data Protection Board. We are of the view that an institutional design with zonal or state level bodies will be more ideal as per our constitutional principles and will also be more functional. Therefore, our recommendation would be to implement a federal framework to the architecture of the Data Protection Board.
Clause 20 Functions of the Board
Recommendation
The DPB should have a clearly defined mandate.
Comments
Details relating to the functions of the Board are not present in this Bill. Functions which were prescribed in the earlier iterations like promoting awareness about data protection, monitoring technological developments and commercial practices, advising Central Government, State Government and any other authority on measures required to be taken to promote protection of personal data and ensuring consistency of application and enforcement of this Act, etc. are not present in the 2022 Bill. Further, the power to determine functions is given to the Central Government through the form of delegated legislation.
Our suggestion is that the mandate of the Board should be clearly defined. It cannot be open-ended and needs to be circumscribed.
Clause 23. Alternate Dispute Resolution
Recommendations
- The clause should specify that mediation will be carried out in accordance with the procedure laid down in the Arbitration and Conciliation Act, 1996
- The term “other processes” for achieving ADR needs a clear definition
Comments
If the Board is of the opinion that any complaint may more appropriately be resolved by mediation or other process of dispute resolution, the Board may direct the concerned parties to attempt resolution of the dispute through mediation by a body or group of persons designated by the Board or such other process as the Board may consider fit.
This is an important clause but raises two broad issues:
- The phrase “Mediation by a body or group of persons designated by the Board” leaves appointment of mediators by the Board, without specifying considerations for such appointment. This could potentially affect the independence of the ADR process.
- What are the “other processes” that the Board may achieve Alternate Dispute Resolution through? This needs to be clarified in the text of the Bill.
We suggest that mediation be carried out in accordance with the procedure laid down in the Arbitration and Conciliation Act, 1996. The 1996 Act provides for a just, fair and reasonable procedure for achieving Alternate Dispute Resolution. Secondly, the term “other processes” that could be used to achieve ADR needs to be clearly defined.
Clause 29. Consistency with other laws
Recommendations
- The clause should specify how the Data Protection Board will harmonize its functions with other regulatory authorities
Comments
The implications of this Bill will cut across sectors, but the Bill does not clarify how the Data Protection Board will interact with other regulatory bodies. There are other authorities established under other legislations with corresponding jurisdictions, such as under the Information Technology Act, 2000, the IT Secretary is the designated authority for adjudicating disputes. It needs to be clarified within Clause 29 how the functions and jurisdiction of the Data Protection Board would be harmonized with other regulatory bodies that also work at the intersection of digital personal data and related rights.
Clause 25 – Financial Penalties
Recommendations
- Consultations undertaken before finalizing financial penalties should be released to guide the Law Enforcement on adoption of a uniform approach for imposing penalties
- A provision for seeking compensation should be made available to the Data Principal
- Separate penalties should be provided for government offences
- Financial autonomy of the DPB can be ensured through
Corpus funding
-
- Authorization to use fines collected for specified purposes
Comments
We have three comments on this provision. First, it is unclear how the maximum ceiling of INR 500 crore been arrived at? The rationale for fixing this ceiling does not become clear from reading the Bill or the Explanatory note attached to it. We suggest that consultations on financial penalties be released to guide the Law Enforcement on adoption of a uniform approach for imposing penalties and to prevent erring on the side of imposing higher penalties.
Second, the provisions on penalties and compensation have been reduced from an entire chapter in the previous iterations to just one clause. While the quest for brevity is appreciated, the reduced scope affects some key rights of the Data Principal. There is no provision for Data Principals to seek compensation from a Data Fiduciary for the harm suffered by her. The earlier three iterations all had a provision for compensation. Unlike the previous drafts, this Bill also does not have specific penalties for the government offences, and puts them in the same boat as other Data Fiduciaries. Indian law generally imposes greater liability for government offences due to greater accountability and trust reposed in government bodies. The same ideology has not been reflected here. To afford adequate protections towards the right of citizens to their digital personal data, adequate compensation and penalty provisions should be added to the Bill.
India is a signatory to the Universal Declaration on Human Rights (UDHR). Article 12 of the UDHR states, “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” Tested against this backdrop, the Bill should have a more nuanced chapter incorporating the elements suggested above, the penalties and compensations should be more adequately defined, and these provisions should pass the scrutiny of the Parliament to guard against excessive state action.
Third, financial autonomy of the Data Protection Board is paramount for certain critical factors for its success, such as:
For its independence
- For having its own human resource framework for attracting the suitable talent
This can be ensured through appropriate corpus funding and by authorizing the DPB to use the fines collected for specified purposes, as is seen to be done by SEBI.
Section VI: AMENDMENTS
Clause 30 – Amendments
Recommendations
- Amendment to S. 43 A IT Act, 2000 should be omitted and provision for compensation should continue to exist.
- Amendment to S. 8(1)(j) and proviso of the RTI Act, 2005 should be omitted and disclosure of information should be continued to be allowed under the section in its existing form.
Comments
Section 43A of the Information Technology Act, 2000, which provides for compensation in cases of failure to protect data will be omitted once this bill becomes an Act. In effect, there will be no scope for claiming compensation from the affected persons. We are of the view that provisions related to compensation should exist in the IT legislation to ensure adequate grievance redressal.
One notable amendment will be made to the Right to Information Act, 2005, a legislation that empowers citizens to demand information on the working of the government. Section 8(1)(j) is an exemption to the State from disclosing personal information which has no relationship to any public activity or interest, or which would be an unwarranted invasion of privacy. At present, this exemption is subject to two riders, which mandate disclosure of personal information in two cases:
- When larger public interest justifies the disclosure of such information
- Information which cannot be denied to the Parliament, or a State Legislature shall not be denied to any person.
The amendment proposed in this Bill would mean there would be no obligation at all to give to citizens such information which is of a personal nature. Thus, information related to public functions could be denied on the ground that it is personal in nature even if larger public interest justifies disclosure of such information or that information is such as cannot be denied to the Parliament or State Legislature.
The right to information flows from the fundamental right under Article 19(1)(a) of the Constitution. The State cannot make any law which is in violation of the fundamental rights. The amendment to S. 8(1)(j) of the RTI Act goes against this constitutional principle. The overriding export of this Bill would be fatal to the fabric of the RTI Act and be violative of Article 19(1)(a).
If this Bill were to have an overriding effect over the RTI Act, it would have major consequences for the principles of transparency and accountability of public authorities in India. For instance, this Bill defines a person to include an individual, a Hindu Undivided Family, etc. Can each of these persons refuse information on the grounds that it has personal attributes?
Currently, a citizen has the right to seek information contained in file notings and no information would be complete without note-sheets having file notings. This amendment will allow refusal to provide notings on the ground that it contains personal information. Such refusal would mean that the citizens will get censored information, bereft of the reasons that a public official took to arrive at a decision. This would impact any meaningful exercise of the RTI.
This would also have a heavy impact on journalists who actively use the tool of RTI to report many important issues of public interest. Refusal under the existing S. 8(1)(j) already accounts for the highest (approximately 35%) cases of refusal of information. The amendment would make the exemption clause under Section 8 of RTI Act very broad and would significantly curtail the right to information of citizens.
In this context, we propose a review of this amendment. The following reasoning may be adopted to omit the amendment to the RTI Act and retain its S. 8(1)(j) in its current form.
The Bill has a deemed consent clause which presumes the consent of citizens for processing their personal data in certain cases, but somehow the same clause does not seem to apply to public officials. Citizens’ consent can be deemed under clause 8 in cases for any fair and reasonable purpose based on the following grounds:
- whether the legitimate interests of the Data Fiduciary in processing for that purpose outweigh any adverse effect on the rights of the Data Principal
- any public interest in processing for that purpose
- the reasonable expectations of the Data Principal having regard to the context of the processing.
Disclosure of personal information under S. 8(1)(j) of the RTI Act and its proviso, meets the above criteria because:
- There exists a legitimate interest – the objective of the RTI Act is to promote transparency and accountability in the working of the public authorities and preserving the paramountcy of the democratic ideal.
- S. 8(1)(j) in its existing form only allows such disclosure if larger public interest justifies it.
- It serves the principle of reasonable expectations because the principle of informed citizenry affords the right to seek information of public officials which serve the larger public interest.
Our view, therefore, is that this Bill and Section 8(1)(j) of the RTI Act can both co-exist and there is no need for this amendment. While digital personal information of public officials will be protected under this Bill, only such personal information which justifies the criteria of public interest or is mandatory to be provided to the Parliament or State Legislatures, can be disclosed. We suggest that Clause 30(2) under the Amendments be omitted, or a careful rewording be considered so that it does not result in dilution of the purpose of the RTI Act.
The Lack of a Sunset Clause
Recommendation
A sunset clause should be added to the Bill to have time and function based review of the provisions of the Bill by a parliamentary committee
Comments
The bill does not make provisions for time/function-based review of any of its provisions. In a dynamic and constantly changing environment such as technology regulation, the risk of legislations becoming obsolete at a fast pace is always present. The IT Act and subsequent issuance of rules to meet with the evolving landscape of social media intermediaries which were non-existent when the act was passed is a telling example of this scenario.
The Bill should incorporate time based (three-year technical review/five-year legal review) for a set of or all of the provisions by a parliamentary committee. This will ensure that advances in technology are factored into the legislation at an appropriate time. A function-based review may be mandated for certain provisions that are related to transfer of personal data outside of Indian borders on a case-by-case basis.
ENDNOTE
DeepStrat wishes to acknowledge the experts, stakeholders and partners who generously contributed their views and expertise to our comments on the DPDP Bill, 2022.
Our comments on the DPDP Bill 2022 were contributed by the following authors:
1. Mr. Yashovardhan Azad, IPS (Retd), Chairman, DeepStrat
2. Mr. Amitabh Mathur, IPS (retd), Co-Founder, DeepStrat
3. Ambassador Pinak Ranjan Chakravarty, IFS (Retd), Co-Founder, DeepStrat
4. Mr. Nandkumar Saravade, IPS (Retd). Co-Founder, DeepStrat
5. Mr. Saurabh Chandra, IAS (Retd), Co-Founder, DeepStrat
6. Ambassador Amar Sinha (Retd), Co-Founder, DeepStrat
7. Vice Admiral Shekhar Kumar Sinha, (Retd), Co-Founder, DeepStrat
8. Mr. Saikat Datta, CEO & Co-Founder, DeepStrat
9. Mr. Anand Venkatanarayanan, Co-Founder, DeepStrat
10. Ms. Shachi Solanki, Programme Associate, DeepStrat
11. Mr. Ranjeet Rane, Consultant, DeepStrat