The right to privacy is a fundamental right, as pronounced by the Supreme Court of India in the Puttaswamy case back in 2017. There was an urgent need to protect personal data as an essential facet of informational privacy, and hence the Personal Data Protection Bill was introduced in Parliament in 2018, and its modified version in 2018. However, in 2022, i.e., 4 years after its introduction in Parliament, the government announced the withdrawal of the said bill. By now the digital economy has expanded by leaps and bounds, and the use of data is seen as a critical means of communication between persons. There is an urgent need to protect this data, particularly personal data, and hence the Indian Government has again introduced the Digital Personal Data Protection Bill 2022, which is presently available for suggestions and comments before its final introduction in Parliament.
As a student of cyberspace, a follower of the Data Privacy bill and a staunch supporter of the My Data My Right campaign, I wish to make public my observations comparing the old and new versions of the Data Privacy bill, hence this analysis.
Unlike the PDPB 2019, which comprised 98 Chapters and hence dealt in depth with all the relevant provisions, the present DPDPB seems to be a COMPRESSED version, prepared hurriedly, having only 30 chapters and leaving a large vacuum for interpretation either by the Data Privacy Board or the courts. Because of this compression, it will take a long time to define many such blank spaces, and there will be large uncertainty regarding the finality of disputes. This I foresee as a major hurdle for the rights of the Data Principal.
The purpose and focus of the DPDPB is to provide for the processing of digital personal data for lawful purposes, whereas the PDPB19 aimed to provide for protection of the fundamental right to privacy of individuals relating to their personal data and protection of the rights of individuals whose personal data was to be processed. The intentions of the two bills, according to me, are different. Any law, for its jurisprudential understanding, is studied through its objective. I find a large U-turn in the objectives of the two bills. As explained above, PDPB2019 was more focused on protection of the fundamental right, whereas DPDPB22 is more data-processing centric and hence more concerned with how data can be utilised by data processors in a lawful manner. With the complete understanding that India is a country of digital illiterates, still compelling these digital illiterates to be more vigilant about their digital rights is too much to ask, and it should have been worded the other way. The Data Processors should have been saddled with more responsibility and mandated to follow reasonable security practices for personal data protection. This basic shift in approach is visible when comparing the various provisions, and hence in my view the present version needs a few changes.
The draft also needs to be applauded for its good work. The very first definition, that of “automated”, has expanded its scope from the earlier version, which covered any equipment, to any digital process capable of operating, and hence will now cover a wide range of activities.
Another interesting difference is in defining Data Fiduciary. Earlier, “data fiduciary” meant any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data, whereas in the new definition “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. Now, “person” in the legal sense means any individual, corporation, limited liability company, partnership, joint venture, association, joint-stock company, trust, unincorporated organization or government or any agency or political subdivision thereof. So, the applicability of the law remains the same, but the clever choice of words may make it difficult for non-legal persons to understand whether the Government is covered under the definition of Data Fiduciary, and this should be avoided.
The definition of harm is also diluted. Previously, harm covered loss of reputation or humiliation; any discriminatory treatment; any subjection to blackmail or extortion; any denial or withdrawal of a service, benefit or good resulting from an evaluative decision about the data principal; any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; or any observation or surveillance that is not reasonably expected by the data principal. But the present definition of harm has left a vacuum by not specifically including these words while defining what constitutes harm, and hence a lot depends upon the wisdom of the authorities from whom compensation for harm can be claimed.
In the important definition of “personal data”, the DPDPB defines it as any data about an individual who is identifiable by or in relation to such data. This definition is too short compared to the PDPB 19 definition, which read: “personal data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.
Identifiability of a person by indirect means is missing in the present bill, and this will again give the upper hand to Data Fiduciaries and Data Processors who, by indirect means of identification like profiling etc., based on the various information and characteristics available with them, can identify a person to near perfection.
Another major suggestion in the DPDPB is that this act will be applicable only where (a) such personal data is collected from Data Principals online; and (b) such personal data, collected offline, is digitized. So, when personal data is collected offline, the defence would be that it has not been digitized or processed through automated means, and that physical modes or methods were deployed for its processing or profiling; the DPDPB will then not be applicable, and the data collector will escape from the clutches of the act. This will set a very unhealthy trend and there could be gross misuse of the data collected through physical mode or rather everyone will simultaneously and hence this provision needs a relook.
As regards the rights of the Data Principal, one very significant and welcome move the DPDPB has introduced is the Right to nominate. According to this, a Data Principal shall have the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of this Act. This may be compared to the will of a person, deciding who will hold his data-related rights after his death.
The new DPDPB makes passing references to the Data Protection Officer, Data Auditor and Data Protection Impact Assessment and, regarding their roles, responsibilities, procedures etc., mentions only “as may be prescribed”. It is observed that this “as may be prescribed” is never prescribed unless courts give some directions, and only thereafter do such prescriptions follow. It would have been better if the DPDPB had elaborated in depth regarding these three important authorities to be constituted under the new regime, as was elaborated in depth in PDPB 19.
The DPDPB has offered the totally new concept of a Data Protection Board of India, whereas in previous versions it was the Data Protection Authority which would be the apex authority as far as the data protection regime in India is concerned. Again, the constitution and other details are not elaborated in the proposed bill, and “as may be prescribed” plays the important role.
Provisions for Alternate Dispute Resolution can be considered a welcome move, but considering the overall impact of ADR in the domain of the judiciary and the scarcity of resources who understand the harm and are able to carry out Data Breach Impact Assessment, only time will tell its utility.
The Voluntary Undertaking provisions can be seen as absolute power available with the Board to compromise certain selective matters, and questions could be raised in future when these powers are used by the Board. There has to be a standard code of practice for exercising these powers, and the present bill has to specify the same.
Non-inclusion of provisions for offences and defining offences may be a welcome move for significant Data Fiduciaries, but it takes away the desired deterrent impact and makes these provisions softer. Unless the law has a deterrent impact, people will not fear it, and in an era where data is compared with oil, many of us feel that monetary penalties alone will not create the desired impact.
By removing the appellate tribunal and making the High Court the court of appeals, I feel the procedure of litigation will be unnecessarily prolonged and justice will be delayed. Taking a clue from the failure of functioning of the adjudication mechanism across India, available in the Information Technology Act, I think some corrections like Functioning of Board shall be in Digital Design etc. are most welcome. It would have been more appropriate if some timeline had been provided for the functioning of the entire compliance framework.

Adv Dr Mahendra Limaye is a Cyber Legal and Data Privacy Consultant.
