ADPC- Recommendations and Comments for the Digital Personal Data Protection Bill, 2022

CHAPTER -1

Data Protection Officer

Section 2(8) of the DPDP Bill, 2022 defines Data Protection Officer as follows: “an individual appointed as such by a Significant Data Fiduciary under the provisions of this Act.

While we also noticed the general requirement of the data protection contact in entities other than Significant Data Fiduciary under Section 7(3) and Section 9(7) of the DPDP Bill, 2022. We felt the requirement of the Data Protection Officers as limited. In order to maintain consistency and to ensure privacy by design, we suggest having a mandatory requirement to appoint a Data Protection Officer with clear roles and responsibilities for all businesses processing Personal Data. This would only foster good governance.

Material Applicability

DPDP Bill, presently, does not seek to cover (i) non-personal data or anonymized data; (ii) offline personal data; (iii) nonautomated processing of personal data; (iv) personal data processed by an individual for any personal or domestic purpose; (v) and personal data about an individual that is contained in a record that has been in existence for at least 100 years.

This approach is a departure from the extant Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (IT Rules), as well as data protection laws in other jurisdictions. It does not take into account the possibility that certain datasets owing to their sensitive nature may require more rigorous standards for processing, and leaves window for sector specific regulators like the Reserve Bank of India and the Securities and Exchange Board of India to come up with additional requirements.

Section 2(13) of the DPDP Bill, 2022 defines Personal Data as follows: “any data about an individual who is identifiable by or in relation to such data”. We would like to understand that as to the regards unlike the previous bill in 2019, the definition does not cover the specific definitions for “Sensitive” and “Critical” data. In various legislations of the other jurisdictions such as GDPR, where the data is segregated into 2 parts which is- Sensitive Personal Data and General Personal Data. As certain datasets are sensitive in nature, and it requires special rules for the processing of the same and higher level of protection. Therefore, including sensitive data which are subject to higher level of protection and rules of processing under the ambit of generalized definition is not viable option and therefore it needs to be segregated. Further, it is also not clear how the words “or in relation to such data” could be interpreted. We request that an explanation may be added to clarify whether “pseudonymized data” or “aggregated data” could mean Personal Data by virtue of this definition. This also brings us to question whether “anonymized” data will be covered in the scope of the definition of the personal data or as separate definition in the act as there was no mentioning of the term in the Bill.

Unlike the previous bill, “Non-Personal Data” (NPD) has been excluded from the bill which brings to the question that whether Non-Personal Data will be covered under a separate legislation or will be retained back in the act with future amendments. As NPD is a very important aspect which needs to be included and the compliance also needs to be provided.  

The bill applies only to digitise personal data any references to non-personal data remote no more categorization of personal data into sensitive or critical personal data references to take data localization list of situations where consent is deemed broadly specific no clarity yet of health data.

The JPC Bill sought to regulate both personal and non-personal data (NPD) within the same legislation.

Data breach

Section 2(14) of the DPDP Bill, 2022 provides for personal data breach as follows: “any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.

We would like to point out the fact that the inclusion of the data breaches is a welcome step but certain elements or essentials which should be present in a practical data breach application like ‘unauthorized’ or ‘deliberate’ disclosure or access to personal data transmitted, stored or processed. Without the inclusion of the above elements or essentials, the scope of the definition for proving the breach becomes gets reduced and subsequently difficult.

We would also like to add on with the concept of “Data breach investigation” as an additional provision to the present bill. Recently the Australian privacy regime published Australian Privacy legislation amendment bill, 2022 which introduced the concept of data breach investigation. The empower the Information Commissioner of the Australia or the OAIC (Office of Australian Information Commissioner) to conduct a pre-emptive assessment of a business’ data breach response protocols and processes and then give notices requiring the provision of specified kinds of information and/or documents, or the answering of questions, relating to actual or suspected eligible data breaches or a business’s compliance with the data breach policy and then keep them for any period necessary to assess the business compliance with the data breach policy. The information Commissioner has power to publish information relating to such an assessment and determinations on the Commissioner’s website as well. This provision takes care of the minor breaches as well as detects the threat or breach pre-emptively which leads to less cumbersome requirements.

CHAPTER -2

Grounds of processing

Section 8 of the DPDP Bill, 2022 incorporates “deemed consent” as aground for processing of Personal Data. As Consent is the primary ground of processing of the Personal Data under the Bill. Deemed Consent does not require any consent for processing and provides for various conditions where the consent is not expressly required but deemed as provided. The term “deemed consent” apply only in situations where personal data has been voluntarily provided by Data Principals. We request you clearly segregate the grounds for deemed consent. It could also happen, Data Principals might not know the information about how, why, where and when their data was processed and again this brings us to the question of the data protections principles of transparency and accountability which are fundamental to the protection of personal data since there is no provision of notice in case of deemed consent. We also want to draw your attention towards potential abuse through “repurposing” of the consent so provided which means when data is used for a completely different purpose to what it was originally intended to be used for. This could subsequently raise the question on the principle of transparency of the data so processed.

We appreciate that the Bill provides for grounds such as “public interest” and “fair and reasonable purpose” as according to the Bill under section 8(8) and 8(9) respectively. We humbly propose to add “legitimate interest” and “contractual processing of the personal data”. The legitimate interest is a fundamental privacy principle, it ensures there is fairness and transparency in processing for the Data Principals. Contractually agreed processing is another vital process where the processing of data can be contractually agreed in case where the sensitivity and risk of the data set is high which ensures high level of security standards for the Data Principal.

Consent Managers.

We appreciate the intent behind incorporating “consent managers” which enables the Data Principals to give manage review and withdraw consent through an accessible transparent and interoperable platform. It is good to know that the consent managers specified in the Bill shall be an entity that is accountable to the Data Principal and acts on behalf of the Data Principal. It is unclear how and on what grounds will such consent manager be registered with the DPBI and remain subject to technical, operational, financial and other conditions as may be prescribed.

CHAPTER – 3

Duties of Data Principal

Section 16 of the DPDP Bill, 2022 provides for the duties of the data principal. The present duties impose duty to comply with all the provisions of all applicable law, this provision is very broad and ambiguous. It fails to protect Data Principal’s rights even in situations where there may not be a nexus between the right sought to be exercised and the non-compliance involved. Subject to penalties with the non-compliance of the duties means they can be falsely fined for the penalties.

Penalties.

We understand that the intent behind imposing penalties on Data Principals is to avoid frivolous complaints. We appreciate the intent, but we request to remove the provisions that seek to penalise Data Principals. We instead, propose to permit Data Fiduciaries to impose administrative costs on Data Principals if their request or preferences unfounded or excessive.

We would also like to draw your attention to the fact that there is no provision for any compensation to be given to Data Principals which are affected by the data breach or illegal processing by the businesses. Provisions of giving compensation can be seen in other jurisdictions where if the data subjects or data principal is affected from material or non-material damage is entitled to be compensated under various circumstances. Under EU GDPR as per Article 82 provides for right to compensation and liability which is as follows: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”. Similarly, under POPI Act of South Africa, Data subjects have a statutory right to institute a civil action for damages for interference with their personal information, whether or not there is intent or negligence on the part of the responsible party. A court may award the data subject: (i) compensation for patrimonial and non-patrimonial loss suffered; (ii) aggravated damages; (iii) interest; and (iv) costs of suit. Similarly, Under Section 1798.150 of California Consumer Privacy Act in actions brought by California consumers for security breach violations, consumers may recover statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater. Also, they are entitled to non-monetary reliefs and can seek injunctive or declaratory relief, as well as any other relief the court deems proper. Some of these examples shows how crucial it is to compensate the data principals.

Such a provision would encourage people from all income groups to make an effort to enforce their rights.

CHAPTER -4

Cross border data transfers

Section 17 of the DPDP Bill, 2022 defines Transfer of personal data outside India provides as follows: “The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.

The cross-border data transfer is a welcome step in the Indian data privacy regime, which means localisation norms have not been mandated and there can be easy flow of data transfers outside the India to overseas countries. We suggest that clarity be provided regarding the adequacy decisions or list of considerable countries to which data can be transferred. 

We also request you to clarify if international data transfers will be strictly prohibited for countries that are not in the lists prescribed by the government? If yes, then what would be considered as an appropriate transfer tool for those inadequate countries.   

Given that India is a technology hub, it is of utmost importance that international data transfers are allowed in the interest of business. The underlying principle must be that the Data Principal has sufficient (asunder his/ her fundamental rights) protection for his/ her right to privacy.

Exemptions

Section 18(2) of the DPDP Bill, 2022 provides for the exemption to the government and its agencies from any requirements and compliances of the bill under various grounds. However, we found these grounds too broad. 

The exemption provided to state instrumentalities are too broad and may result in problematic situations as we know the number of agencies which can undertake surveillance on our citizens. A separate law to regulate state surveillance is the need of the hour. Further, access to personal data may also be demanded by departments engaged in developmental work. Therefore, lack of independent oversight is problematic.

Another important aspect is security of data sets collected by government entities they are capability and maturity to protect the data is much lower than the private sector.

CHAPTER – 5

Data Protection Board of India

The autonomy of the DPBI which is entrusted with overseeing the protection of individual’s personal data and ensuring compliance with the provisions of the law is not reassuring. The usage of phrases ‘as it may consider necessary’ and ‘as may be prescribed’ can lead to administrative ambiguities.

It is important that the DPBI’s composition has a right balance, so that it can function independently of the different wings of state. In its current form, the DPDB is silent on these aspects. It empowers the Central Government to stipulate DPBI’s strength, composition, process of member selection, terms and conditions of appointment and removal. This is a departure from the approach that was contemplated under earlier bills. In absence of any insights on how DPBI will be constituted, there is speculation that DPBI may not be truly independent in discharge of its functions. 

Notably, however, the DPBI cannot prevent access to a premises or take custody of any equipment or item that may disrupt the day-to-day functioning of any entity during its inquiries. The JPC Bill and the 2019 Bill specified the composition of the proposed data protection authority. Under the JPC Bill, the central government could also appoint the selection committee for the data protection authority, consisting of members from the executive.

The newly introduced provisions on “voluntary undertakings” have been introduced to facilitate compliance and encourage timely admission of violations.

While the DPBI does have powers to pass regulations, they relate only to carrying out the provisions of the law. It is unclear whether the DPBI has powers to pass regulation on matters not mentioned in the law. For example, issues such as data portability, privacy by design, etc., find no place in the Bill. We sincerely hope that this will be addressed before the Bill is tabled.