The Digital Personal Data Protection Bill, 2022, released on Friday, is a mix of hits and misses, with more failures than successes, and would require several iterations before becoming practical, experts say.
A large majority of digital rights activists said the bill did not appear to help protect people, but ensured that the government retains all power without any checks and balances – an issue that has been raised since the publication of the first version of the bill in 2018, they said.
“Some of the problems (in the revised bill) have existed since the first draft came out, but there is no improvement,” Namrata Maheshwari, policy adviser for Asia-Pacific at the digital rights nonprofit Access Now, told The Hindu. “In fact, I think those issues have been compounded. For example, the extent of exemptions and discretionary powers available to the government…” she added.
She pointed out that the government has been given the power to exempt not only government agencies, but any entity that collects user data, from having to comply with the provisions of this bill when it is enacted.
Technology lawyer Mishi Choudhary said the bill should be titled “As may be prescribed by government bill” because there are many remaining rules. “Rules that the executive in India is used to exploiting to extend its powers… There is no right to compensation for individuals in the event of a data breach. They have no right to data portability.
“The Data Protection Board is toothless because most powers are given to the executive to prescribe rules,” she said.
“People need to engage in this process and tell the government now that they need protection of people in a simple way where they are not exploited or targeted by business or government for their data and they have a simple grievance mechanism.”
Ms Maheshwari also noted that throughout the law there had been the use of open language such as ‘as required’ or ‘as required’. “The problem is the extent of things the government will have regulatory power over, like the grievance redress system or the operation of India’s data protection board,” she said.
Kazim Rizvi, founder of The Dialogue, a technology policy think tank, said narrowing the scope of the data protection regime to protecting personal data is a welcome move as it resonates with the concerns of various stakeholders. “By clearing the genesis of the data protection regime by focusing only on personal data, non-personal data could now be used to unlock social and economic value for the benefit of citizens, businesses and communities in India with appropriate safeguards in place,” he said, adding that relaxing data localization provisions to inform countries to which data may flow, could help India unlock the comparative advantage of accessing innovative technology solutions from around the world, which in turn helps domestic businesses.
“Furthermore, the free flow of data will help startups gain access to cost-effective technologies and storage solutions, as our research shows. Moreover, allowing data transfers will also ensure that India is not isolated from the global value chain, helping companies to remain resilient in production and supply chain management and fostering collaboration across abroad,” Mr. Rizvi said.
Ms Maheshwari also said another issue is the independence of the data protection authority which is now called the Data Protection Board of India. “Here, the central government retains the power to appoint the president and the power to prescribe the guidelines and rules for the appointment, terms and conditions and even the functioning of the body. One of the most fundamental elements of an independent data protection authority around the world is that it must be independent, but that is not the case here.”
She added that a key difference between the two bills is that the new one removes the sensitive data category. The point of creating this categorization is that data trustees have to meet certain higher obligations and duties because they are dealing with more sensitive information. “I think removing that categorization is problematic because then it puts all kinds of data in one basket.”
Expressing hope that this time the bill will be enacted, Prasanth Sugathan, Legal Director, SFLC.IN, said the bill is a mix of hits and misses. “The bill does not take into account the harm that could be caused to a data controller by surveillance. The explanatory note gives a detailed list of the principles that the bill has attempted to incorporate. However, this is not legally binding.”
Similarly, Manish Sehgal, Partner, Deloitte India, added that the bill’s exemptions for central and state agencies, as well as the exclusion of personal data stored and/or processed in a non-digital format (original/handwritten/paper) may constitute a gap in the protection of personal data and guarantee confidentiality in its entirety.
“Under the bill, data controllers are responsible for providing authentic, verifiable personal data while exercising their rights. Interestingly, the bill also proposed a penalty of ₹10,000/- for failing to meet the obligations expected of a Data Principal, which is not a common trend. However, this is likely to promote the authenticity of master data requests and limit illegitimate requests,” Sehgal said.
Abhishek Malhotra, Managing Partner, TMT Law Practice, said: “The bill watered down the purpose of a privacy and data protection framework. It seems to give a simpler framework for people to seamlessly adopt. Unfortunately, however, the scope and applicability provisions have also been reduced and limited to places where the collection is online or digitized and where Indians are targeted for profiling.”
He added that the qualified title adding “Digital” to the bill does not add any value to the nature of the legislation, but just seems to be one shot among a multitude of “digital India” policies and legislations that the government intends to deploy.
“A welcome aspect is that in addition to the rights of data controllers prescribed in the bill, there is an explicit mention of the duties that the Digital Nagrik will have to observe. This will probably provide welcome reinforcements to the heavy obligations of data fiduciaries,” he said.
Amit Jaju, senior managing director of Ankura Consulting Group (India), added that the bill was far from final and would require several iterations before becoming practical. “However, this time it’s much more streamlined, non-personal data is kept out of the way, and the focus is more on financial penalties than a criminal conviction. Not making data location a requirement will make it difficult to detect and investigate non-conformities and violations. This is the biggest shortcoming in the latest draft and is in contradiction with other regulatory requirements such as those of the RBI and CERT-In.”