The Digital Personal Data Protection Bill, 2023, likely the revised version of the DPDP Bill 2022, has been cleared by the Union Cabinet to be tabled before Parliament in the monsoon session. The Bill is yet to appear in the public domain.
It remains to be seen whether the various concerns raised during the consultations held by the MeitY have been addressed.
The 2023 Bill will grant rights to individuals or “data principals” including the right to seek information, correction, erasure, and grievance redressal. Notably, it provides for the establishment of the Data Protection Board (DPB) by the Centre to adjudicate non-compliance and contraventions. It is likely to retain data fiduciary obligations such as the requirement to give prior notice, implement security obligations, maintain accuracy and delete personal data upon completion of the purpose for which it was collected.
This Bill shall apply to the processing of digital personal data within India, and outside India only if the goods and services being offered are from India and the data collected is digitised. While this provides some relief to companies with cross-border data flows, unless the 2023 Bill includes grounds other than adequacy to enable cross-border data flows, it will leave much to be desired.
Similar to the 2022 iteration, the 2023 Bill is likely to revolve around informed consent, that is, personal data can be processed only if an individual has consented to it. The 2022 Bill introduced the concept of “deemed consent”. Consent of individuals will be deemed to have been given in certain situations such as disaster management, medical emergency, breakdown of public order, employment, corporate espionage, intellectual property rights and voluntary sharing of personal data. These situations would have effectively operated as blanket exemptions, concerns around which were flagged during the consultations.
As a rule, both the knowledge and consent of an individual are required for the processing of personal data. Under the “deemed consent” fiction, personal data can be processed without the knowledge and consent of the individual concerned. This can be problematic for data principals if there is no requirement of providing post-processing notice.
Without the knowledge that certain categories of personal data have been processed, an individual cannot effectively exercise the rights the revised draft will confer. There are also concerns around considering voluntary data sharing as deemed consent where individuals share their personal data without understanding the consequences. Without post-processing notice requirements, individuals may be subjected to surveillance or monitoring without their knowledge.
The EU General Data Protection Regulation (GDPR) does not provide for “deemed consent”. Instead, it states that in the absence of the data subject’s consent, processing of personal data will be lawful only if it is “necessary” for certain specified reasons, such as contractual performance, legal compliance, public interest, etc. Singapore’s Personal Data Protection Act, 2012 and Canada’s Personal Information Protection and Electronic Documents (PIPED) Act, 2000 also recognise deemed/implied consent.
While deemed consent is not a novel concept, the exemptions the 2022 Bill proposed have a broad scope and require curtailing. Hopefully, the 2023 Bill will have a significantly narrower scope allowing organisations to conduct business while safeguarding data principals’ rights.
There were some concerns about the 2022 Bill not conferring the right to data portability on data principals. This was first recommended by the Srikrishna Committee in 2018 based on the principles of data autonomy, transparency, and accountability. This right was reiterated in the 2018 draft, the 2019 draft and the Joint Parliamentary Committee recommendations. While in theory it may be arguable that data portability is necessary from the perspective of data principals’ interests, in practice it may not be so. Much of the personal data stored by organisations is replicable and can be shared again by data principals.
We also need to be mindful of how businesses and market dynamics work in India. For example, a customer wishing to open an account in a bank can share their personal data and open an account. Porting data from another bank will not be of much consequence. It may be significant in a country like the US where loan disbursement depends on FICO scores to a large extent, but the Indian retail banking system works quite differently.
Another area of concern has been the Centre’s role in the establishment and composition of the DPB, which is likely to affect its independent functioning. The DPB will be responsible for the oversight of data fiduciaries, non-compliance and violation of data protection laws, and imposition of penalties. It shall function as the regulatory body and will be conferred with quasi-judicial powers similar to those of the CCI, SEBI, TRAI, etc. The differentiating component here is that those bodies have a selection committee, which is absent in the case of the DPB.
While we wait for the 2023 Bill to be made public, one only hopes that it will lead to minimal business disruption while at the same time adequately preserving the rights of data principals.
The writers are advocates.