8 December 2022

India’s Digital Personal Data Protection Bill 2022 – The good, the bad and the ugly

Chaitalee Sohoni
Senior Consultant

elevenM Senior Consultant Chaitalee Sohoni outlines the key takeaways from India’s proposed privacy bill.

In recent years, with the increase in digitisation we’ve seen national level privacy legislation introduced around the world.

The digital ecosystem in India, too, is growing rapidly, with large amounts of personal data collected by the government and private sector companies. While there is legislation in India that governs data protection (for example, the Information Technology Act), its applicability and scope are narrow.

In recent years there’s been an ongoing conversation for greater regulation on data privacy and protection in India, particularly since a Supreme Court judgement in 2017 affirmed privacy as a fundamental right of Indian citizens.

On 18 November, India’s Ministry of Electronics and Information Technology (MeitY) released the Digital Personal Data Protection Bill 2022. It’s the fourth iteration of the bill and has been in the making for five years.

Below we outline some of the key takeaways and concerns with the latest draft of the bill.

Rights of individuals

In many ways, the draft Bill aligns with established global norms for privacy regulation:

  • Personal information is defined as ‘any data about an individual who is identifiable by or in relation to such data’.
  • Personal information of individuals can only be processed for a ‘lawful purpose’ and every individual can exercise their right to know how their information is processed by organisations, including correction and erasure of their personal information.
  • Organisations are required to give individuals a notice of collection, in clear and plain English or in any of the 22 languages recognised in the Indian Constitution, outlining the purpose of collection.
  • Organisations must also remove personal data associated with individuals after use, or after it is no longer required. However, there is no specified obligation to de-identify or dispose of this data securely.

In other ways, however, the Bill departs or goes further than global norms.

For example, it proposes a mechanism for addressing grievances within seven days of a complaint, which gives individuals authority to control and question how their personal information is processed, used and/or disclosed. A seven-day window to deal with a complaint is narrow compared to the standard thirty-day requirement seen in Australia and many other jurisdictions.

Additionally, prior to organisations processing personal data, consent must be obtained from data principals or owners of personal information (which they can withdraw at any time). This default reliance on consent for processing even non-sensitive information is more restrictive than GDPR or Australian privacy law (both give broad permissions for data processing without consent for an organisation’s ‘functions or activities’ or ‘legitimate interests’).

The draft also introduces ‘deemed consent’ where, if an individual voluntarily provides their data, it can be used for other reasons without explicit consent. In other words, once data is collected for a specific purpose, it can be used for secondary purposes without informing individuals or obtaining their express consent. Examples include maintenance of public order, public interest, providing medical treatment during an epidemic, termination of employment and assessment of performance. The provision is broad and vague, making personal information and sensitive information highly susceptible to unauthorised disclosure and misuse.

Data Protection Board

The 2022 draft calls for the establishment of an independent regulatory body called the Data Protection Board (DPB) to preside over matters of non-compliance and levy fines.

The DPB replaces the Data Protection Authority (DPA) proposed in the 2019 bill, but as in that bill the appointment and management of the Chief Executive and board members will be overseen by the central government. This continues to raise concerns about the autonomy and independence of the DPB.

Data breaches

There have been several major data breaches in India recently. Examples include the Aadhaar card data breach, which compromised biometric information of 1.3 billion Indian citizens in 2018, and the Air India data breach in 2021, which impacted personal information of 4.5 million passengers worldwide.

The 2022 draft requires companies to:

  1. adopt reasonable safeguards to protect personal information,
  2. report data breaches to the DPB and to all affected individuals.

Failure to comply with the data breach requirements will attract fines of up to ₹250 crores. This amounts to approximately AUD $50m, comparable to the fines that can now be levied on organisations in Australia.

The prospect of hefty fines will hopefully incentivise organisations to handle personal information responsibly. However, the requirement to report a data breach within a 72-hour period prescribed in the previous bill has been removed from the current draft. The bill also does not provide guidance on awarding compensation to the affected individuals.

Instead, the draft bill will look to clamp down on identity theft by introducing fines of up to ₹10,000 (approx. $181 AUD) for individuals providing false information while applying for a document, service, unique identifier, proof of identity or proof of address.

Protections for children

The bill recognises the rights of children and the importance of protecting their data with a dedicated provision, something that has not been explicitly addressed in other countries’ privacy laws, including Australia’s.

The bill calls for obtaining ‘verifiable parental consent’ before processing a child’s personal information. But there is no direction on what verifiable parental consent means or how it could be collected and verified for authenticity by websites.

Parental consent requirements, especially for older teenagers, have been criticised in other jurisdictions, including in Australia. Children who may not have parental consent could be effectively prohibited from accessing healthcare, safe abortion, contraception, or counselling services, which could have dire consequences for their physical and mental wellbeing. The draft also prohibits processing personal information that could likely cause harm to a child, such as bodily harm, distortion or theft of identity, or harassment. The previous version of the bill had a broader definition of harm – the current definition overlooks issues such as discriminatory treatment, blackmail or extortion, restriction of speech, or surveillance that is not reasonably expected.

Cross border data transfers

The bill states that personal information may be transferred outside India to countries and territories specified by the central government. These countries will be notified ‘after an assessment of such factors as it may consider necessary,’ and ‘in accordance with such terms and conditions as may be specified’.

This is a single sentence that provides no clarity on what the terms and conditions might be, how the countries could be assessed, and which countries could get a final approval – it appears to have been included to appease tech giants in India.

Exemptions for government

The government and its agencies will be exempted from complying with all provisions of the bill.

In addition to this, Section 18(4) allows government and its agencies to hold personal data about individuals for an indefinite period of time, even after it is no longer required for the purpose for which the data was collected.

These sections give the government unnecessary power to be excluded from complying with the law while also enabling increased surveillance in the country.

There are other issues not adequately addressed in the draft bill. For example, there is no reference to sensitive information, no mention of compliance requirements around marketing, and notice for collection does not need to specify disclosures to third parties or provide a privacy policy.

While the draft bill is available for public feedback until December 17, MeitY has announced that ‘No public disclosure of the submissions will be made’ – raising questions of transparency. The Privacy Act reform process currently underway in Australia offers a vastly different comparison, with an issues paper and later a discussion paper inviting hundreds of submissions, which have been published. Recent amendments went through a similar public consultation period.

In conclusion, while the much-awaited 2022 draft appears to have been over-simplified from previous versions, it is still a step forward in establishing a standalone privacy law in India. We may have to wait and see if the government decides to release a fifth iteration of the bill.

Photo credit: Big G Media on Unsplash.