
STRATDEEP PVT LTD

16 Nov 2022

To,
Shri Ashwini Vaishnav,
Hon’ble Union Minister for Communications, IT & Railways,
Government of India

SUB: Our Comments on the draft Digital Personal Data Protection (DPDP) Bill, 2022
Dear Shri Vaishnav ji,
Greetings from DeepStrat, a New Delhi-based think tank and strategic consultancy.
At the outset, we would like to commend the government and the Ministry of Electronics
and Information Technology (MEITy) for the release of the draft Digital Personal Data
Protection (DPDP) Bill, 2022.
The Bill covers many key issues and is an important legislation that will have a major impact
on India, its citizens and their fundamental rights. We find that the Ministry has broken
new ground on several aspects and delivered a simplified law that is not only easy to
understand, but also attempts to navigate competing interests.
In our comments we have kept three broad principles in mind:
1. The adherence to Constitutional framework and principles
2. The principles as laid down in the Puttaswamy Vs Union of India judgment
3. The need for enhancing innovation and business without conflicting with points 1
and 2
Our comments are in broadly two sections. Part One is a summary of our recommendations.
Part Two is the clause-by-clause recommendation along with detailed explanatory notes
and empirical evidence.
We would be grateful if you could acknowledge our comments, and we hope you will also give
serious consideration to them while drafting the final Bill for presentation to Parliament.
With warm regards,
Yours sincerely,
[Digitally signed by YASHOVARDHAN AZAD, Date: 2022.12.16 21:22:01 +05'30']
Yashovardhan Azad, IPS (Retd)
Chairman
DeepStrat | StratDeep Private Limited
Email: yasho@deepstrat.in
Cell: +91.9810017106

https://deepstrat.in | contact@deepstrat.in | +91-11-26717356
CIN: U74996DL2022PTC406180; REGD ADD: M-18, SECOND FLOOR, SAKET, NEW DELHI, PIN-110017, INDIA

PART ONE
SUMMARY OF OUR RECOMMENDATIONS

1. Section I – NOTICE AND CONSENT FRAMEWORK


1.1 Clause 7 – Consent, we recommend:
• A consent manager framework along the lines of Data Empowerment and
Protection Architecture may be adopted
• Alternatively, another framework for consent manager should be suggested in
the text of the Bill
1.2 Clause 8 – Deemed Consent, we recommend:
• Clear definitions of criteria for deemed consent should be specified
• Adequate safeguards for protection of data privacy should be prescribed
• A legitimate interest exception clause should be incorporated

2. Section II – RIGHTS AND OBLIGATIONS


2.1 Clause 10 - Additional obligations in relation to processing of personal data of children,
we recommend:
• Age limit of consent should be reviewed
• Graded approach towards obligations for processing children’s data should be
adopted
• The definition of harm under the 2019 Bill, as approved by the Joint
Parliamentary Committee should be adopted
• The criteria for exceptions should be clearly defined in the Bill
2.2 Clause 12 - Right to information about personal data, we recommend:
• Timelines should be prescribed for providing information to the Data Principals
2.3 Clause 13 - Right to correction and erasure of personal data, we recommend:
• The right to be forgotten should be included in the Bill
• Alternatively, reasons should be supplied for removal of the right to be forgotten,
as envisaged in the earlier iterations
2.4 Clause 14 - Right of grievance redressal, we recommend:
• Necessary timelines for grievance redressal need to be prescribed in the Bill

3. Section III: CROSS BORDER DATA TRANSFERS AND TRUSTED GEOGRAPHIES


3.1 Clause 17 - Transfer of personal data outside India, we recommend:
• Clarification on the phrases used in the clause is required
• The reciprocal obligations of cross-border data sharing agreements should be
considered
o EU’s Adequacy Framework or Singapore’s standard of protection may be
studied

• Other tools to facilitate cross-border transfers of data should be considered, such
as:
o Adoption of an Accountability Framework
o Internal company transfers through standard contractual processes
• To ensure greater predictability for businesses, the Act and Rules should come
hand in hand

4. Section IV: EXEMPTIONS AND STATE SURVEILLANCE


4.1 Clause 18 – Exemptions, we recommend:
• The phrase “any instrumentality of the State” needs to be circumscribed
• The provision should clearly prescribe the limits or boundaries of surveillance
• The grounds for identification of Data Fiduciaries, to whom certain provisions will
not apply, should be mentioned
• The exemptions should reflect the principles of legitimacy, proportionality and
legality as laid down by the Supreme Court
• We recommend a surveillance oversight mechanism that has two levels:
o Level 1: This will cover cases related to terrorism and public safety where
the proposed legal sanction and oversight mechanisms can be post-facto,
but within 72 hours of the sanction
o Level 2: This will cover all other cases that can attract state surveillance,
where legal sanction must be obtained before carrying out surveillance,
followed by the oversight mechanisms detailed below
• We recommend the following oversight principles:
o Parliamentary Oversight
o Judicial Authorisation
o Legality
o Legitimate goal
o Proportionality
o Procedural guarantees
o Internal Oversight
o Administrative and Technical safeguards

5. Section V: COMPLIANCE FRAMEWORK


5.1 Clause 19 - Data Protection Board of India, we recommend:
• The composition of the Board and the qualification of its Members should be
specified.
• The mode of appointment and removal of Members needs to be laid down
• The terms “Digital by Design” and “Digital Office” should be explained to
establish their consistency with the provisions of the Civil Procedure Code

3
https://deepstrat.in | contact@deepstrat.in | +91-11-26717356
CIN: U74996DL2022PTC406180; REGD ADD: M-18, SECOND FLOOR, SAKET, NEW DELHI, PIN-110017, INDIA
STRATDEEP PVT LTD
• Zonal or State level bodies should be created to make the DPB more functional
and for compliance with Schedule VII of the Constitution
5.2 Clause 20 - Functions of the Board, we recommend:
• The DPB should have a clearly defined mandate
5.3 Clause 23 - Alternate Dispute Resolution, we recommend:
• The clause should specify that mediation will be carried out in accordance with the
procedure laid down in the Arbitration and Conciliation Act, 1996
• The term “other processes” for achieving ADR needs a clear definition
5.4 Clause 29 - Consistency with other laws, we recommend:
• The clause should specify how the Data Protection Board will harmonize its
functions with other regulatory authorities
5.5 Clause 25 - Financial Penalties, we recommend:
• Consultations undertaken before finalizing financial penalties should be released
to guide the Law Enforcement on adoption of a uniform approach for imposing
penalties
• A provision for seeking compensation should be made available to the Data
Principal
• Separate penalties should be provided for government offences
• Financial autonomy of the DPB can be ensured through
o Corpus funding
o Authorization to use fines collected for specified purposes

6. Section VI: AMENDMENTS


6.1 Clause 30 – Amendments, we recommend:
• Amendment to S. 43 A IT Act, 2000 should be omitted and provision for
compensation should exist in both legislations
• Amendment to S. 8(1)(j) and proviso of the RTI Act, 2005 should be omitted and
disclosure of information should be continued to be allowed under the section in
its existing form
6.2 A sunset clause should be added to the Bill to have time and function based review of
the provisions of the Bill by a parliamentary committee

4
https://deepstrat.in | contact@deepstrat.in | +91-11-26717356
CIN: U74996DL2022PTC406180; REGD ADD: M-18, SECOND FLOOR, SAKET, NEW DELHI, PIN-110017, INDIA
STRATDEEP PVT LTD

PART TWO

CLAUSE-BY-CLAUSE COMMENTS ON THE DPDP BILL, 2022

Section I- NOTICE AND CONSENT FRAMEWORK

Clause 7 - Consent

Recommendations

• A consent manager framework along the lines of the Data Empowerment and
Protection Architecture may be adopted
• Alternatively, another framework for consent manager should be suggested in
the text of the Bill
Comments

Clause 7 of the draft Digital Personal Data Protection Bill delves into the principle of Consent in detail.
In sub-clause 6 it notes that the Data Principal may give, manage, review or withdraw her
consent to the Data Fiduciary through a Consent Manager. It further defines the Consent
Manager as a Data Fiduciary which enables a Data Principal to give, manage, review and
withdraw her consent through an accessible, transparent and interoperable platform. Such
an entity is accountable to the Data Principal, and every Consent Manager shall be
registered with the Board in such a manner and subject to such technical, operational,
financial and other conditions as may be prescribed.

Since this entity will be at the very core of managing consent for the Data Principal, it may be
prudent not to leave the technical standards for a later set of rules. In November 2020, the
NITI Aayog, in partnership with iSPIRT[1], had released a draft document for discussion on the
Data Empowerment and Protection Architecture[2] (DEPA) with the objective of furthering the notion
that individuals should have control over how their personal data is used and shared. The
DEPA is designed around the idea that agency over data could empower Indians with
opportunities to improve their lives.

It draws on the Account Aggregator[3] (AA) framework that had been put together by the RBI
in consultation with other financial sector regulators in 2016. The AA framework has recently
been nudged into becoming the preferred choice for on-boarding of consumers on any
financial platform. An industry collective named Sahamati[4] provides the technical expertise
to refine the standards that had been defined by the RBI. With a functional framework already
in place, the DPDP Bill may either adopt the existing framework or clearly put out the technical
and other considerations for a different one. This will ensure a high degree of policy certainty
and allow businesses to align with the compliance requirements of the proposed legislation with
minimal disruption.

[1] https://ispirt.in/
[2] https://www.niti.gov.in/sites/default/files/2020-09/DEPA-Executive%20-Summary-revised.pdf
[3] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=10598

Clause 8 - Deemed Consent

Recommendations

• Clear definitions of criteria for deemed consent should be specified
• Adequate safeguards for protection of data privacy should be prescribed
• A legitimate interest exception clause should be incorporated

Comments

While there are some legitimate cases where consent will be deemed, some of the terms used
in this clause are of very wide import. For instance, consent will be deemed for taking
measures to ensure safety during “any breakdown of public order”. It can also be deemed “in
public interest, including for” the seven instances listed in the clause. The use of “including for”
means that this list is not exhaustive, and “public interest” could potentially become a tool to
allow for bypassing the consent requirement in a plethora of instances. The clause ends with
an open-ended phrase that consent can be deemed “for any fair and reasonable purpose as may be
prescribed”. This is a fairly expansive clause, which is open to many interpretations and prone
to the possibility of overuse. Limitations on it may be prescribed at a later stage, but have not
been carved out through the Bill itself. We suggest that the terms used in this Bill should be
clearly defined in the definition clause in order to lend the provision of deemed consent
more clarity and certainty. At present, the terms are open to interpretation and to the wide
discretion of the Executive.

It is of significance to note that in cases of deemed consent, the Data Principal will not be
given notice, leaving her completely unaware about the collection, processing, and storage of
her data, and potentially leaving her outside the ambit of grievance redressal. In this context,
it is necessary to clearly define the scope of this section and prescribe adequate
circumscribing safeguards to it.

International jurisdictions such as Singapore and the European Union[5] deploy the
principle of “legitimate interest exception” as the basis to determine whether data can be
lawfully processed by a data fiduciary without consent. Legitimate interests refer to interests
of the organization or any third party. Organizations are required to document their
assessments on how they relied on this exception to process data.[6] A test of purpose,
necessity, and balancing of interests is normally applied while assessing whether a
company may process data under this exception.[7] Such frameworks are widely accepted and
help foster adequate privacy protection for data principals. We suggest that a legitimate
interest exception clause be incorporated in the deemed consent clause. This would help
achieve a fair balance of rights between individuals and corporations.

[4] https://sahamati.org.in/
[5] Article 6(1)(f) of the GDPR, https://gdpr-info.eu/art-6-gdpr/

Section II – RIGHTS AND OBLIGATIONS FRAMEWORK

OBLIGATIONS OF DATA FIDUCIARIES

Clause 10 - Additional obligations in relation to processing of personal data of children

Recommendations

• Age limit of consent should be reviewed
• Graded approach towards obligations for processing children’s data should be
adopted
• The definition of harm under the 2019 Bill, as approved by the Joint
Parliamentary Committee should be adopted
• The criteria for exceptions should be clearly defined in the Bill
Comments

The provision affording extra protection and rights related to the processing of children’s
personal data has survived the many iterations of the Bill. However, this Bill requires Data
Fiduciaries to obtain verifiable parental consent before processing personal data of children.
The manner of obtaining such consent will be prescribed by the Executive at a later stage;
therefore, what kind of verification will be required remains unclear and should be specified.

Firstly, a child has been defined in the Bill as an individual below the age of eighteen years.[8]
In today’s digital world, children are exposed to and familiarized with online content very
early. The age limit needs to be reviewed in this context. In the EU’s GDPR, the age of consent is
prescribed as 16 years, with a provision for member states to lower it further to 13
years.[9]

Secondly, this provision requires verifiable parental consent for all children under eighteen,
without accounting for differences in levels of maturity and agency at different age groups.
We are of the view that all children under the age of eighteen should not be put in the same
bracket. Instead, a graded approach should be the basis of applying the necessary safeguards
for children of different age groups.

[6] https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/AG-on-Key-Concepts/Annex-C--Assessment-Checklist-for-Legitimate-Interests-Exception-1-Feb-2021.ashx?la=en
[7] https://www.gdpreu.org/the-regulation/key-concepts/legitimate-interest/
[8] Clause 2(3), 2022 Bill
[9] Article 8, GDPR, https://gdpr-info.eu/art-8-gdpr/#:~:text=Where%20the%20child%20is%20below,parental%20responsibility%20over%20the%20child.&text=Member%20States%20may%20provide%20by,is%20not%20below%2013%20years.

Thirdly, the 2019 and 2018 Drafts both had the same clause on the definition of harm, which
included mental injury, loss of reputation or humiliation, any discriminatory treatment, any
subjection to blackmail or extortion, any observation or surveillance that is not reasonably
expected by the data principal, etc.[10]

This Bill reduces the definition of harm to include only four kinds of harm, as opposed to the
earlier ten. These are:

a. any bodily harm; or
b. distortion or theft of identity; or
c. harassment; or
d. prevention of lawful gain or causation of significant loss;

The Explanatory Note[11] attached with the 2022 Bill suggests that children are in need of
special protection, therefore no processing of data that is likely to cause harm to a child
should be done. In light of this objective, the reasons for reducing the scope of the definition
in this Bill remain unclear. The Bill’s objective of protecting children could be better achieved
by adopting a more comprehensive definition of harm which protects children’s interests in
a more holistic manner.

Lastly, steps towards protection of children’s data are appreciated, but the last sub-clause
heavily dilutes these protections by allowing for exceptions as may be prescribed in Rules.
The Bill does not lay down any criteria for such exceptions, which could reduce the scope of
protections afforded to children. The criteria for exceptions should therefore be provided for
in the text of the Bill.

RIGHTS AND DUTIES OF DATA PRINCIPAL

Clause 12 - Right to information about personal data

Recommendation

Timelines should be prescribed for providing information to the Data Principals

Comments

This clause will be useful to ensure transparency and accountability of Data Fiduciaries.
However, there are no defined timelines for provision of such information in the Bill. Data
Fiduciaries will have to have the necessary mechanisms in place to comply with such requests.
The clause should specify the timelines to offer predictability to businesses and investments
and to facilitate compliance.

[10] Clause 3(20), 2019 Draft Bill; Clause 3(21), 2018 Draft Bill
[11] https://www.meity.gov.in/writereaddata/files/Explanatory%20Note-%20The%20Digital%20Personal%20Data%20Protection%20Bill%2C%202022.pdf

Clause 13 - Right to correction and erasure of personal data

Recommendations

• The right to be forgotten should be included in the Bill
• Alternatively, reasons should be supplied for removal of the right to be forgotten,
as envisaged in the earlier iterations
Comments

Data Principals have been given the right to correction and erasure of their data, without any
rider. The 2019 Draft had a provision under Clause 18 for the Data Fiduciaries to decline such
requests. This has been done away with, which is a welcome move. Notably, the right to be
forgotten, which was present in the 2018, 2019 and 2021 Drafts, has not featured in this Bill,
and no explanation has been provided for its removal. The reasons for deciding to do away
with the right to be forgotten, especially since the Bill is based on the principles of purpose
limitation and data minimization, would be appreciated to better understand the
government’s position on this clause.

Clause 14 - Right of grievance redressal

Recommendation

Necessary timelines for grievance redressal need to be prescribed in the Bill

Comments

Data Fiduciaries need to have a readily available means of registering grievances of Data
Principals. If the Data Principal is not satisfied with the response of the Data Fiduciary or
receives no response within seven days, she can register a complaint with the Board.

No timelines have been put in place for grievance redressal, which is a departure from the
2018, 2019 and 2021 drafts of the Bill. To ensure compliance by Data Fiduciaries, the Act will
have to prescribe the necessary timelines. Effective compliance can also be achieved by
implementing this clause in a phased manner.

Additionally, all unsatisfied Data Principals having recourse to the Board may result in
overburdening of the Board, considering the quantum of complaints that may be received in
a populous country like India. Therefore, we suggest the creation of state level boards in our
comments under the chapter on Compliance Framework.


Section III: CROSS BORDER DATA TRANSFERS AND TRUSTED GEOGRAPHIES


Clause 17 - Transfer of personal data outside India

Recommendations

• Clarification on the following phrases is required:
o “such countries or territories outside India”
o “after an assessment of such factors as it may consider necessary”
o “in accordance with such terms and conditions as may be specified”
• The reciprocal obligations of cross-border data sharing agreements should be
considered
o EU’s Adequacy Framework or Singapore’s standard of protection may be
studied
• Other tools to facilitate cross-border transfers of data may be considered, such as:
o Adoption of an Accountability Framework
o Internal company transfers through standard contractual processes
• To ensure greater predictability for the businesses, the Act and Rules should come
hand in hand
Comments

The Union Government may, after an assessment of such factors as it may consider necessary,
notify such countries or territories outside India to which a Data Fiduciary may transfer
personal data, in accordance with such terms and conditions as may be specified.

Assuaging the many concerns about data localization in the previous versions of the Bill, this
Bill has done away with the requirement of data localization. The Union Government has been
empowered to notify countries to which data can be transferred, based on an assessment of
“such factors as it may consider necessary”.

The departure from data localization is a positive step towards ease of doing business in India.
The problem with this clause is not in what it provides, but in what it fails to provide. One of
the biggest risks for a business in a country is uncertainty in the policy and legal
framework. The following clarifications on this clause would be useful to help align businesses
with the policy objectives of the government:

1. The phrase “such countries or territories outside India” should be elaborated. In the
absence of any definitions to suggest the scope of this phrase, it would be a good
exercise to bring more clarity to this provision. A question that warrants consideration
here is whether the territories to which data can be transferred refer to land only, or
whether they can also be at sea.

2. “After an assessment of such factors as it may consider necessary” is a phrase which
offers little certainty on what criteria would be adopted for such assessment.
Will these factors be limited to the objective of this Bill, or will other factors
also play a role in such decision-making? How is the assessment going to ensure that
data principals are afforded the same degree of rights and protection, and effective
grievance redressal, in the third country to which their data is transferred? The criteria
for assessment should be specified in the Bill.
3. “In accordance with such terms and conditions as may be specified” – While the Bill
itself does not contain these terms and conditions, there have been news reports[12]
which indicate that this clause will be operationalized through bilateral or multilateral
agreements with other territories. The terms and conditions of data transfer will be
reflected through such agreements. Before this Bill is passed, a deliberation on what
terms and conditions should be prerequisites for entering into agreements should be
undertaken. These terms and conditions should be prescribed in the Bill to ensure that
the digital rights of digital citizens would be protected even when data is transferred
on the basis of an agreement entered into with a country at a later stage.

While formulating our principles on cross-border data flow, the reciprocal obligations of
agreements entered into with international jurisdictions should be considered. For context, other
jurisdictions such as Singapore and the EU have strict standards for transfers of data from
their territory to another. Singapore’s Personal Data Protection Act prohibits organizations
from transferring personal data outside Singapore unless such country or territory provides a
standard of protection comparable to Singapore’s.[13]

The GDPR allows data transfers to a third country or international organization only if they
ensure an adequate level of protection.[14] Consequently, the European Union uses adequacy
decisions of the European Commission as the basis of transfer of personal data from the EU
to third countries. The European Commission has been entrusted to pass adequacy decisions
which confirm with binding effect that a third country’s level of data protection is “essentially
equivalent” to that of the EU.[15] The result of an adequacy decision is the free flow of data from
the European Economic Area to a third country. This exercise involves an analysis of the content
of the law applicable in the third country and the means of ensuring its effective implementation.[16]

[12] https://economictimes.indiatimes.com/tech/tech-bytes/reworked-personal-data-bill-may-relax-rules-on-data-localisation/articleshow/94745957.cms
[13] Section 26(1), Singapore’s Personal Data Protection Act, 2012, https://sso.agc.gov.sg/Act/PDPA2012?ProvIds=pr26-
[14] Article 45, para 1, GDPR
[15] Case C-362/14, Maximillian Schrems v. Data Protection Commissioner, 6 October 2015, para 52
[16] Article 45, para 2, GDPR
Some of the General Data Protection Principles[17] taken into account while making this
analysis are listed below:

1. Content Principles
a. Grounds for processing data must be lawful, fair, and legitimate
i. The legitimate bases must be stated in a sufficiently clear manner
b. Purpose limitation
c. Data proportionality
d. Data retention principle
e. Security and confidentiality principle
2. Procedural and Enforcement Mechanism
a. Competent independent supervisory authority
i. Such body should function with complete independence and
impartiality
3. Essential guarantees in third countries for law enforcement and national security
access, to limit interferences with fundamental rights
a. Processing based on clear, precise and accessible rules
b. Demonstrated necessity and proportionality with regards to legitimate
objectives
c. Processing subject to independent oversight

Apart from bilateral agreements, the following tools could be considered by the Indian
government to allow cross-border flow of data, while maintaining adequate protection
safeguards and enabling ease of doing business:

1. Adoption of an Accountability Framework: The Bill could adopt an Accountability
Framework designed on the lines of the Asia-Pacific Economic Co-operation (APEC)
Cross-Border Privacy Rules (CBPR) System.[18] The CBPR is a government-backed data
privacy certification that companies can join to demonstrate compliance with
internationally recognized data privacy protections. Through the CBPR System,
certified companies and governments work together to ensure that when personal
information moves across borders, it is protected in accordance with the standards
prescribed by the system’s program requirements and is enforceable across
participating jurisdictions. The system is based on the following tenets:
a. Enforceable standards
b. Accountability
c. Risk-based protections
d. Consumer-friendly complaint handling
e. Consumer empowerment
f. Consistent protections
g. Cross-border enforcement cooperation
2. Internal company transfers – Globally, legislation allows internal company transfers
through standard contractual processes. Our law can recognize such transfers across
borders through these processes without having businesses rely on bilateral
agreements at a national level. This would avoid the possibility of political relations
between two nation-states impacting businesses’ internal operations.

[17] Adequacy referential, Article 29 Data Protection Working Party, adopted on 28 November 2017, last revised and adopted on 6 February 2018
[18] https://www.apec.org/about-us/about-apec/fact-sheets/what-is-the-cross-border-privacy-rules-system

To ensure greater predictability for the businesses, we suggest that the Rules and legislation
should come hand in hand. Not everything should be left to be brought in through rules at a
later, undefined stage. Certainty in our data protection regime would enable compliance and
could potentially unlock digital growth for India at a global scale.

Section IV: EXEMPTIONS AND STATE SURVEILLANCE

Clause 18 – Exemptions

Recommendations

• The phrase “any instrumentality of the State” needs to be circumscribed
• The provision should clearly prescribe the limits or boundaries of surveillance
• The grounds for identification of Data Fiduciaries, to whom certain provisions will
not apply, should be mentioned
• The exemptions should reflect the principles of legitimacy, proportionality and
legality as laid down by the Supreme Court
• We recommend a surveillance sanction and oversight mechanism that has two
levels:
o Level 1: This will cover cases related to terrorism and public safety where
the proposed legal sanction and oversight mechanisms can be post-facto,
but within 72 hours of the sanction
o Level 2: This will cover all other cases that can attract state surveillance,
where legal sanction must be obtained before carrying out surveillance,
followed by the oversight mechanisms as detailed below
• We recommend a surveillance oversight mechanism based on the following
principles:
o Parliamentary Oversight
o Judicial Authorisation
o Legality
o Legitimate goal
o Proportionality
o Procedural guarantees
o Internal Oversight
o Administrative and Technical safeguards
Comments

The Fundamental Rights, including the right to privacy, fall under Part III of the Constitution of
India and are applicable against the ‘State’ as defined in Article 12. It defines State to
include the Government and Parliament of India and the Government and the Legislature of
each of the States and all local or other authorities within the territory of India or under the
control of the Government of India.[19] Through various judicial precedents, we now have a
broad set of parameters evolved by the Supreme Court to determine whether a particular
body falls under “other authorities” and could thus be considered “State”.[20] The definition of
State has thus been broadly interpreted by the judiciary, and fundamental rights are
enforceable against all the bodies that fall within its ambit.

In this constitutional context, when the Bill exempts “any instrumentality of the State”
without defining ‘instrumentality’, it renders this provision open to broad exemptions.
Additionally, such instrumentalities of state could be given blanket exemptions from the
applicability of the “entire Act”. Exemptions with such a broad sweep to the State could prove
to be dangerous to the very scheme of Fundamental Rights enshrined in the Constitution.
These exemptions to any instrumentality of the State have been replicated in essence from
Clause 35 of the 2019 Draft. This has left unaddressed the many concerns raised in the earlier
iteration about excessive surveillance by the government. Therefore, we suggest that the
term “any instrumentality of the State” be defined.

The terms that set the boundaries for surveillance are not well defined or understood.[21]
Nearly any surveillance action can invoke these terms to circumvent the necessity and proportionality
threshold laid down by the Hon’ble Supreme Court and thus make the surveillance order
legal.

This is especially true for the terms “National Security” or security of the State (most used for
targeted surveillance[22]), “public order” and “investigation” of a crime. Besides, India lacks a
national security strategy that could clarify the definition of national security and the
government’s objective in ordering surveillance. We suggest that the terms that set the
boundaries for surveillance be defined in this clause.

[19] Article 12, Constitution of India, https://indiankanoon.org/doc/609139/
[20] R.D. Shetty v. The International Airport Authority of India (1979 AIR 1628); Ajay Hasia v. Khalid Mujib (1981 AIR 487); Pradeep Kumar Biswas v. the Indian Institute of Chemical Biology (2002 (5) SCC 111)
[21] Shekar, K., & Mehta, S. (2022, February 17). The state of surveillance in India: National security at the cost of privacy? Observer Research Foundation. Retrieved March 12, 2022, from https://www.orfonline.org/expert-speak/the-state-of-surveillance-in-india/
[22] Sirohi, N. (2021, August 7). Pegasus in the Room: Law of surveillance and national security's alibi. Observer Research Foundation. Retrieved March 12, 2022, from https://www.orfonline.org/expert-speak/pegasus-in-the-room-law-of-surveillance-and-national-securitys-alibi/

Until now, the pre-independence, colonial-era Indian Telegraph Act and S. 69 of the Information
Technology Act have regulated surveillance. While the Union is empowered to pass legislation to
form a Central Bureau of Intelligence as per Item No. 8 of List I of Schedule VII, it has not
exercised this power to lend any statutory backing to the Intelligence Bureau (IB), Research
and Analysis Wing (R&AW) and the National Technical Research Organisation (NTRO). As a
result, the IB, R&AW and NTRO were created through gazette notifications.[23] The
constitutionality of the creation of the IB through an executive order has been questioned in
Intelligence Bureau Housing Society v. R.N. Kulkarni.[24]

In the United Kingdom, the Security Service (the equivalent of the IB, popularly known as MI-5) was
created by the Security Service Act, 1989, and the Secret Intelligence Service (the equivalent
of R&AW) was brought under the Intelligence Services Act.[25]

The Supreme Court has, in its earlier rulings, held that an executive action cannot interfere
with the rights of a citizen without valid statutory legislation.[26] The Apex Court gave the
mandate to an independent committee[27] to review the surveillance architecture of India in
light of the right to privacy, which highlights the importance of having a parliamentary or judicial
oversight mechanism over surveillance.[28]

In the absence of any specific post-constitution legislation on surveillance, the wide
exemptions to the State would not bode well for the privacy rights of citizens. The clause
on Exemptions should be reworked in light of the existing surveillance architecture to provide
for more safeguards to the digital privacy rights of citizens.

Sub-clause 3 of Clause 18 also gives the Union Government the power to notify certain Data
Fiduciaries to whom certain provisions will not apply. This gives the Executive the last
say in who protects the fundamental rights of citizens and who is allowed to infringe them.
Our recommendation is that the grounds for identifying Data Fiduciaries to whom
certain provisions will not apply be stated in the Bill.

Once privacy was enshrined as a fundamental right, it should become subject to Article 21 of
the Constitution of India, which means it cannot be infringed except according to procedure
established by law. The JPC had noted that these exemptions should be subject to a procedure
that is just, fair, reasonable and proportionate. The 2022 Draft makes no mention of the
procedure to be followed in cases of exemptions. The government cannot take a pre-eminent
position in safeguarding the right to privacy as per its interpretation of events when this
right has now been constitutionally guaranteed.[29]

[23] Bailey, R., Bhandari, V., Parsheera, S., & Rahman, F. (2018, July 27). Use of personal data by intelligence and law enforcement agencies. NIPFP. Retrieved March 12, 2022, from https://macrofinance.nipfp.org.in/PDF/BBPR2018-Use-of-personal-data.pdf
[24] Writ Petition No. 14616 of 2012
[25] Please see: https://www.legislation.gov.uk/ukpga/1994/13/contents
[26] State of M.P. v. Thakur Bharat Singh, 1967 AIR 1170
[27] Manohar Lal Sharma v. Union of India
[28] Mr. Gourav Gogoi’s dissent, JPC Report, page 224, para 5, http://164.100.47.193/lsscommittee/Joint%20Committee%20on%20the%20Personal%20Data%20Protection%20Bill,%202019/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf

It is also important to note that purpose limitation, stated in the explanatory note as being
one of the cornerstones of this Draft, does not apply to the State or any instrumentality of
the State. This means the government can retain data for as long as it wishes. These wide-
ranging exemptions dilute the scope of rights and duties enumerated in the previous chapters
to a great extent.

Ultimately, this clause will have to stand the tests for infringement of privacy laid down in
Justice K.S. Puttaswamy v. Union of India. The exemptions should reflect the principles of
legitimacy, proportionality and legality laid down by the Supreme Court in that case. In fact,
the 2018 Draft afforded the strongest protections against government access to data. The
2019 Draft watered them down to a great extent but still retained some safeguards. The Joint
Parliamentary Committee had recommended that such exemptions should be just, fair and
reasonable, but this draft misses the opportunity to address these suggestions. The GDPR
also provides for exemptions, but they are much narrower in scope, and its
framework is oriented towards providing maximum privacy to digital citizens. The
objective of the Bill states that it seeks to balance the right of individuals to protect their
personal data and the need to process personal data for lawful purposes. The Exemption
clause in its current form tips the scale heavily towards greater processing of data by the
State.

Comments on safeguards against State Surveillance under the Bill:

The following substantive and procedural safeguards could be adopted to create a robust
oversight and accountability mechanism:

There should be a body empowered to oversee the operations of law enforcement agencies
and intelligence agencies. This body must have oversight of the policies,
administration and operations of the various agencies subject to secrecy. But for this to be
operationalised, Clause 18 of the 2022 Draft must be amended, as it empowers the government
to exempt its agencies from the purview of the Bill. The Law Enforcement Directive (“LED”)
in the EU deals with the processing of personal data by data
controllers for ‘law enforcement purposes’, which falls outside the scope of the GDPR.
Although it is in the form of a directive, it has been embedded in domestic legislation across
Europe. The LED regime only applies in cases where the data controller is a ‘competent
authority’ and the processing is done for ‘law enforcement purposes’.

In short, a combination of specific legislation that sets out the manner in which large-scale data
collection and analysis may be carried out for legitimate law enforcement purposes, along with an empowered
Data Protection Body, can serve as an effective oversight mechanism.

[29] Mr. Amar Patnaik’s dissent, JPC Report, page 246, para 3

The following principles on surveillance oversight should be applied:

A. Parliamentary Oversight:

i. A multi-party parliamentary standing committee should oversee the
operations of law enforcement agencies and intelligence agencies. The
mechanism followed by the UK should inform the model, because
India inherited and emulated the Westminster model of
parliamentary government. The UK has the Intelligence and Security
Committee of Parliament,[30] formed under the Intelligence Services
Act 1994 (reinforced by the Justice and Security Act, 2013[31]), to oversee
the policies, expenditure, administration and operations of the various
intelligence agencies subject to secrecy.[32]

ii. It has been argued that Members of Parliament should not have
access to such information. However, in advanced democracies
such as the UK, the Prime Minister retains control over who will be
part of the Committee, provided members are drawn from other parties
besides his/her own.

iii. In addition to this, the parliamentarians must be granted access to
information held by intelligence and law enforcement agencies,
without restricting any information on the ground of preserving
national security. A similar mechanism is followed by the United
States, where the US Congress monitors the law enforcement agencies
and intelligence agencies, and there are no statutory restrictions
on information access.[33]

[30] Intelligence and Security Committee of Parliament (ISC). (n.d.). Retrieved March 12, 2022, from https://isc.independent.gov.uk/
[31] Sections 2, 3, and Schedule I of the Justice and Security Act, 2013
[32] Section 1(1)(b) of the Official Secrets Act 1989
[33] Smist, F. Congress Oversees the Intelligence Community, 2nd edition, University of Tennessee Press, Knoxville, 1994.
B. Judicial Authorisation:

1. It would safeguard the right to privacy of individuals from unwanted state
surveillance, as the Supreme Court recognised privacy as having a negative
content.[34]

2. Judicial authorisation could be split into two areas:

I. For the prevention and investigation of criminal offences
(a warrant of interception from the concerned court, with an
expiry period and archiving of the intercepted
contents and submission to the court), and
II. A special authority (to be created) for intelligence
purposes, which can be on the lines of the UK Investigatory
Powers Commissioner.[35]

3. It would bring about a separation of powers to check and oversee
executive actions, which could at times hamper democratic safeguards
due to malicious motives.[36]

4. The State agencies (both intelligence and law enforcement agencies) must take
a prior warrant from the court in Level 2 cases, and a post-facto warrant in Level 1
cases, before intruding into private communications between
individuals. Various jurisdictions follow this mechanism,[37] and India must
draw inferences from those to devise a more nuanced judicial authorisation
system.

5. The court warrant must assess the constitutional validity of the request for
surveillance through the four prerequisites (as follows) for infringing upon an
individual's privacy and personal liberty discussed in Puttaswamy
Judgement I.[38]

[34] Puttaswamy Judgment I, (2017) 10 SCC 1 [Para 232 (iv)]
[35] Please see the UK’s Office of the Investigatory Powers Commissioner, https://www.ipco.org.uk/
[36] Ryan, J. (2009, April 14). Torture Memo Gave White House Broad Powers. ABC News. Retrieved March 12, 2022, from https://abcnews.go.com/TheLaw/DOJ/story?id=4569746&page=1
[37] Under the Canadian Security Intelligence Service Act, 1985, specially designated judges of the Federal Court provide the approval for the warrants of the intelligence agencies. In the United States, intelligence and law enforcement agencies must obtain warrants, court orders etc. for domestic surveillance activities under the Electronic Communications Privacy Act of 1986. In addition, in Riley v. California, the United States Supreme Court held that search and seizure of digital data are considered to be unconstitutional.
[38] Puttaswamy Judgement I, (2017) 10 SCC 1 [S.K. Kaul, J part]

A. Legality: Existence of a law made by Parliament (which was also emphasised by the
Supreme Court in the Maneka Gandhi case of 1978[39])

B. Legitimate goal: The intelligence and law enforcement agencies must prove the
legitimate aim for conducting surveillance with proper justification.

C. Proportionality: The request must show that surveillance is necessary to achieve
the aim. In addition, the request must prove the rational nexus between the
objects and the means adopted to achieve them, in terms of
(a) the amount of data required to be tapped or retrieved and (b) the tools used for
surveillance (for which it is important to equip judges with technical
expertise).

D. Procedural guarantees: State abuse and misuse must be minimised by having
concrete procedural safeguards followed by the state agencies, including the
safeguards discussed below.

E. Administrative Oversight:

1. In addition to the external oversight proposed
above, we recommend having a review committee model.[40] The constituted
authority should be answerable to the parliamentary committee and to
Parliament in general.

2. In addition, the authority must audit and review the practices and
safeguards followed by the agencies.

3. Besides, the authority should be empowered to take complaints related to
unauthorised disclosure of classified or sensitive national security
information, illegal surveillance activity, administrative misconduct etc. For
instance, in the United States, under the U.S. Code, the office of the
Inspector General of the Intelligence Community is in place to oversee
programs and activities within the purview of the Director of National
Intelligence (DNI).

[39] 1978 SCR (2) 621
[40] Review Committee formed under Rule 419A of the Indian Telegraph Act.
F. Internal Oversight:

1. We propose that every law enforcement and intelligence agency must have
an independent Inspector General who will scrutinise each surveillance
request before it reaches the court for approval.

2. Many jurisdictions follow a similar kind of model. For instance, in the UK
every law enforcement agency has independent officials to scrutinise
surveillance requests.[41]

3. Independent Inspectors General must also audit and review the practices
and safeguards followed by their respective agencies and be answerable to the
Parliamentary committee and to Parliament in general.

G. Safeguards

H. Technical safeguards: Various technical safeguards must be established to
protect the privacy of individuals, following universal principles
such as:

1. Data minimisation: The data collected through means of surveillance should
not exceed the purpose for which it was collected and should not be
held/stored after the completion of that purpose.

2. Proportionality: The data required through surveillance must have a
rational connection with the object of the investigation, such that the data
demanded is absolutely necessary. The UK also upholds this principle
through its Investigatory Powers Act, 2016 (previously the Regulation of
Investigatory Powers Act, 2000), which mandates that data demanded by
the intelligence agencies must be necessary and proportionate.

3. Purpose limitation: The information received through surveillance must be
processed only for the case/investigation for which it was acquired. The investigating
agency must initiate a new request to use the same evidence in other
cases/investigations. Besides, the use of evidence for anything other than law
enforcement must be prohibited.

[41] Law and Governance. (n.d.). MI5. Retrieved March 12, 2022, from https://www.mi5.gov.uk/law-and-governance

4. Privacy by design[42]: The processing of evidence by law enforcement agencies
and intelligence agencies should be privacy-friendly and should not trade off
privacy for other State interests such as national security, public
order etc. It should use Privacy Enhancing Technologies to ensure that
unnecessary personal details are not exposed. Access control must be
designed to be adequately granular, with audit trails, to enforce privacy and
accountability.

5. Fair and lawful processing: The data acquired through surveillance must be
processed fairly and lawfully such that unintended consequences like
discrimination, historic disposition and oppression do not translate into
action.

6. Training: The personnel engaged in surveillance, including supervisory
officials, must attend training on privacy and ethics annually, to ensure that
the right culture is built and nurtured.

7. Data provenance: Law enforcement agencies and intelligence agencies must
have legal and technical measures to differentiate citizens from foreign
nationals within the bulk of data gathered through surveillance. Once
the provenance of the data is identified, it should be treated accordingly.

8. Data security: The data collected through surveillance should be encrypted at
rest to ensure the safety of the information stored.

9. Data deletion: The data collected through surveillance must not be retained
longer than necessary, as is followed by intelligence agencies in the UK
under the Investigatory Powers Act, 2016.[43] On the lapse of the data retention
period mandated by regulations, the information gathered through surveillance by
law enforcement and intelligence agencies must be destroyed.

10. Data disclosure: When a crime or security threat is not established from the
data collection and processing exercise, the agencies must inform the
individuals about the surveillance and reveal the data collected (after a
period) to them.

[42] Privacy by design has seven foundational principles: https://iab.org/wpcontent/IAB-uploads/2011/03/fred_carter.pdf
[43] Sections 87 and 150 of the Investigatory Powers Act, 2016.

I. Administrative safeguards

Every law enforcement agency and intelligence agency must have privacy/ethics officers
within the agency to ensure that day-to-day operations do not violate ethics and
privacy. The officer should also provide advice and guidance to officials on matters
related to privacy and ethics. Many countries, including the US, UK and Germany, follow
this system; for instance, in the US, an Office of Privacy and Civil Liberties has been formed within
the CIA[44], NSA[45] etc.

It is understood that some exigencies, such as those falling under the Security of the State,
could be extremely time and information sensitive, while others may not be of an equally
critical nature. Therefore, we suggest the adoption of a graded approach to the oversight
mechanism suggested above. Exemptions on the grounds of security of the State could have
internal oversight, while the other, less critical grounds could be subject to the full rigours of
the proposed oversight mechanism.

Section V: COMPLIANCE FRAMEWORK

Clause 19. Data Protection Board of India

Recommendations

• The composition of the Board and the qualification of its Members should be
specified.
• The mode of appointment and removal of Members needs to be laid down.
• The terms “Digital by Design” and “Digital Office” should be explained to
establish their consistency with the provisions of the Civil Procedure Code.
• Zonal or State level bodies should be created to make the DPB more functional
and for compliance with Schedule VII of the Constitution
Comments

The first observation on this clause is that a Data Protection Board has replaced the earlier
Data Protection Authority, as envisaged in the 2018[46] and 2019[47] Drafts. No explanation for
this change has been provided. The change in terminology indicates a departure from the
internationally recognized nomenclature, i.e., “Authority”.[48] The Justice Srikrishna Committee’s
recommendations and the accompanying Draft proposed the creation of an independent body
called the Data Protection Authority. Favoured measures for maintaining the independence
of the body, such as fixed tenure, disclosure of conflicts, post-retirement safeguards and
restrictions on future employment, and financial independence, were provided for in the 2018
Draft. The composition of the Board and the qualifications of members were specified. The
composition of the Selection Committee which would appoint the Board was also specified
and contained a fair balance of members from the judiciary, the executive, civil society and
industry representatives.

[44] Office of Privacy and Civil Liberties. (n.d.). CIA. Retrieved March 12, 2022, from https://www.cia.gov/about/organization/privacy-and-civil-liberties/
[45] Civil Liberties & Privacy Overview. (n.d.). National Security Agency. Retrieved March 12, 2022, from https://www.nsa.gov/Culture/Civil-Liberties-and-Privacy/Overview/
[46] Clause 49, 2018 Draft Bill
[47] Clause 41, 2019 Draft Bill

The 2019 Draft also had the above broad provisions of the 2018 Draft, but with fewer
measures to ensure the independence of the Authority. The JPC sought to impart such
independence to the Authority by recommending a few changes. Notably, it said that it
should be specified that one member of the Authority be an expert in the field of law. It also
noted that the Selection Committee in the 2019 Draft comprised only Secretary-level bureaucrats,
and recommended that the Committee be composed of technical, legal and academic experts
to make it more inclusive, robust and independent. These suggestions of the JPC are not
reflected in the current 2022 Draft.

The Data Protection Board proposed in this Bill is just a bare structure, scheduled to be
defined later by the Union Government. Leaving critical details about the composition,
qualifications, terms of service, removal, etc. to be decided by the Union will affect the
independence of the Board.

Independence of the Board can be assessed by checking the following specifications:

1. Appointment of members, their qualifications, their removal, and the terms of service
2. Financial autonomy of the Board
3. Criteria for selection of the Board and the composition of the Selection Committee

Secondly, when Clause 19 is read with Clause 20(1), phrases such as “the functions of the
Board shall be digital by design” and “digital office” offer little clarity. Since the Board will be
functioning as per the procedure of the Code of Civil Procedure, 1908 (‘CPC’), clarity is
required on how it will harmonize its processes with the already existing procedures for
inquiry, summoning, examination of witnesses, collection of evidence, etc. under the CPC.
How will the objective of being a digital office be achieved within the existing procedural
framework? Further clarity is required on this.

Our recommendations on the DPB are as follows:

• The composition of the Board and the qualification of its members should be specified.
• The mode of appointment and removal of Members needs to be laid down.
• The terms “Digital by Design” and “Digital Office” should be explained to establish
their consistency with the provisions of the Civil Procedure Code.

[48] The EU’s GDPR has Data Protection Authorities: https://dataprivacymanager.net/list-of-eu-data-protection-supervisory-authorities-gdpr/

Thirdly, it was strongly urged in the dissent note by Dr. Amar Patnaik, member of the JPC, that
setting up State-level Data Protection Authorities would be the more appropriate
framework from a constitutional, legal, administrative and jurisdictional point of view.[49] This
suggestion was made for two primary reasons:

1. It would be reflective of the true spirit of federalism between the Centre and the
States
2. Public order, health, education, etc. fall under the State List of the Seventh
Schedule, so a State-level body will be better suited to handle the complaints related
to consent and data breaches occurring within its territorial jurisdiction.

State-level bodies were created under the Right to Information and Consumer Protection Acts
to supplement the central-level bodies in the effective and efficient implementation of those
Acts.[50] During the implementation of the GDPR in Europe it was observed that the authorities
established were overburdened, despite there being multiple levels of authorities.[51]

The 2022 Bill only envisages one centralized Data Protection Board. We are of the view that
an institutional design with zonal or State-level bodies will be more consistent with our
constitutional principles and will also be more functional. Therefore, our recommendation
is to implement a federal framework for the architecture of the Data Protection Board.

Clause 20 Functions of the Board

Recommendation

The DPB should have a clearly defined mandate.

Comments

Details relating to the functions of the Board are not present in this Bill. Functions which were
prescribed in the earlier iterations, like promoting awareness about data protection,
monitoring technological developments and commercial practices, advising the Central
Government, State Governments and any other authority on measures required to be taken
to promote the protection of personal data, and ensuring consistency of application and
enforcement of the Act, etc., are not present in the 2022 Bill. Further, the power to determine
the functions is given to the Central Government in the form of delegated legislation.

[49] Dr. Amar Patnaik’s dissent, JPC Report, page 246, para 4, https://164.100.47.193/lsscommittee/Joint%20Committee%20on%20the%20Personal%20Data%20Protection%20Bill,%202019/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf
[50] Dr. Amar Patnaik’s dissent, JPC Report, page 247, para 2
[51] JPC Report, page 226

Our suggestion is that the mandate of the Board should be clearly defined. It cannot be open-
ended and needs to be circumscribed.

Clause 23. Alternate Dispute Resolution

Recommendations

• The clause should specify that mediation will be carried out in accordance with the
procedure laid down in the Arbitration and Conciliation Act, 1996
• The term “other processes” for achieving ADR needs a clear definition
Comments

If the Board is of the opinion that any complaint may more appropriately be resolved by
mediation or other process of dispute resolution, the Board may direct the concerned parties
to attempt resolution of the dispute through mediation by a body or group of persons
designated by the Board or such other process as the Board may consider fit.

This is an important clause but raises two broad issues:

1. The phrase “Mediation by a body or group of persons designated by the Board” leaves
the appointment of mediators to the Board, without specifying the considerations for such
appointment. This could potentially affect the independence of the ADR process.
2. What are the “other processes” through which the Board may achieve Alternate Dispute
Resolution? This needs to be clarified in the text of the Bill.
We suggest that mediation be carried out in accordance with the procedure laid down in the
Arbitration and Conciliation Act, 1996. The 1996 Act provides for a just, fair and reasonable
procedure for achieving Alternate Dispute Resolution. Secondly, the term “other processes”
that could be used to achieve ADR needs to be clearly defined.

Clause 29. Consistency with other laws

Recommendations

• The clause should specify how the Data Protection Board will harmonize its
functions with other regulatory authorities
Comments

The implications of this Bill will cut across sectors, but the Bill does not clarify how the Data
Protection Board will interact with other regulatory bodies. There are other authorities
established under other legislations with corresponding jurisdictions; for instance, under the
Information Technology Act, 2000, the IT Secretary is the designated authority for
adjudicating disputes. It needs to be clarified within Clause 29 how the functions and
jurisdiction of the Data Protection Board would be harmonized with other regulatory bodies
that also work at the intersection of digital personal data and related rights.

Clause 25 - Financial Penalties

Recommendations

• Consultations undertaken before finalizing financial penalties should be released
to guide the Law Enforcement on adoption of a uniform approach for imposing
penalties
• A provision for seeking compensation should be made available to the Data
Principal
• Separate penalties should be provided for government offences
• Financial autonomy of the DPB can be ensured through
o Corpus funding
o Authorization to use fines collected for specified purposes
Comments

We have three comments on this provision. First, how has the maximum ceiling of INR 500
crore been arrived at? The rationale for fixing this ceiling does not become clear from reading
the Bill or the Explanatory note attached to it. We suggest that consultations on financial
penalties be released to guide the Law Enforcement on adoption of a uniform approach for
imposing penalties and to prevent erring on the side of imposing higher penalties.

Second, the provisions on penalties and compensation have been reduced from an entire
chapter in the previous iterations to just one clause. While the quest for brevity is
appreciated, the reduced scope affects some key rights of the Data Principal. There is no
provision for Data Principals to seek compensation from a Data Fiduciary for the harm
suffered by her. The earlier three iterations all had a provision for compensation.[52] Unlike the
previous drafts, this Bill also does not have specific penalties for government offences,
and puts them in the same boat as other Data Fiduciaries. Indian law generally imposes
greater liability for government offences due to the greater accountability and trust reposed in
government bodies. The same principle has not been reflected here. To afford adequate
protection to the right of citizens to their digital personal data, adequate
compensation and penalty provisions should be added to the Bill.

India is a signatory to the Universal Declaration on Human Rights (UDHR). Article 12 of the
UDHR states, “No one shall be subjected to arbitrary interference with his privacy, family,
home or correspondence, nor to attacks upon his honour and reputation. Everyone has the
right to the protection of the law against such interference or attacks.” Tested against this
backdrop, the DPB should have a more nuanced chapter incorporating the elements
suggested above, the penalties and compensations should be more adequately defined, and
these provisions should pass the scrutiny of the Parliament to guard against excessive state
action.

52
Clause 75, 2018 Draft Bill; Clause 64, 2019 Draft Bill; Clause 65, 2021 Draft Bill

Third, financial autonomy of the Data Protection Board is paramount for certain critical
factors for its success, such as:

• Its independence
• Having its own human resource framework for attracting suitable talent

This can be ensured through appropriate corpus funding and by authorizing the DPB to use
the fines collected for specified purposes, as is seen to be done by SEBI.

Section VI: AMENDMENTS

Clause 30 – Amendments

Recommendations

• Amendment to S. 43A IT Act, 2000 should be omitted and the provision for
compensation should continue to exist
• Amendment to S. 8(1)(j) and proviso of the RTI Act, 2005 should be omitted and
disclosure of information should continue to be allowed under the section in
its existing form
Comments

Section 43A of the Information Technology Act, 2000, which provides for compensation in
cases of failure to protect data, will be omitted once this Bill becomes an Act. In effect, there
will be no scope for affected persons to claim compensation. We are of the view
that provisions related to compensation should exist in the IT legislation to ensure adequate
grievance redressal.

One notable amendment will be made to the Right to Information Act, 2005, a legislation that
empowers citizens to demand information on the working of the government. Section 8(1)(j)
is an exemption to the State from disclosing personal information which has no relationship
to any public activity or interest, or which would be an unwarranted invasion of privacy.53 At
present, this exemption is subject to two riders, which mandate disclosure of personal
information in two cases:

1. When larger public interest justifies the disclosure of such information
2. Information which cannot be denied to the Parliament, or a State Legislature shall not
be denied to any person.54

53
S. 8(1)(j), Right to Information Act, 2005, https://indiankanoon.org/doc/758550/
The amendment proposed in this Bill would mean there would be no obligation at all to give
to citizens such information which is of a personal nature. Thus, information related to public
functions could be denied on the ground that it is personal in nature even if larger public
interest justifies disclosure of such information or that information is such as cannot be
denied to the Parliament or State Legislature.

The right to information flows from the fundamental right under Article 19(1)(a) of the
Constitution.55 The State cannot make any law which is in violation of the fundamental
rights.56 The amendment to S. 8(1)(j) of the RTI Act goes against this constitutional principle.
The overriding effect of this Bill would be fatal to the fabric of the RTI Act and be violative of
Article 19(1)(a).

If this Bill were to have an overriding effect over the RTI Act, it would have major
consequences for the principles of transparency and accountability of public authorities in
India. For instance, this Bill defines a person to include an individual, a Hindu Undivided
Family, etc.57 Can each of these persons refuse information on the grounds that it has
personal attributes?

Currently, a citizen has the right to seek information contained in file notings and no
information would be complete without note-sheets having file notings. This amendment will
allow refusal to provide notings on the ground that it contains personal information. Such
refusal would mean that the citizens will get censored information, bereft of the reasons that
a public official took to arrive at a decision. This would impact any meaningful exercise of the
RTI.

This would also have a heavy impact on journalists who actively use the tool of RTI to report
many important issues of public interest. Refusal under the existing S. 8(1)(j) already accounts
for the highest (approximately 35%) cases of refusal of information.58 The amendment would
make the exemption clause under Section 8 of RTI Act very broad and would significantly
curtail the right to information of citizens.

In this context, we propose a review of this amendment. The following reasoning may be
adopted to omit the amendment to the RTI Act and retain its S. 8(1)(j) in its current form.

54
Proviso to S. 8(1)(j), Right to Information Act, 2005, https://indiankanoon.org/doc/758550/
55
Peoples Union for Civil Liberties v. Union of India, (2003) 2 S.C.R. 1136; Indian Express Newspapers (Bombay)
Pvt. Ltd. vs India, (1985) 1 SCC 641; State of U.P. vs. Raj Narain, AIR 1975 SC 865
56
Article 12, Constitution of India, https://indiankanoon.org/doc/134715/
57
Clause 2(12), DPDP Bill, 2022
58
https://www.moneylife.in/article/over-47-percentage-rti-applications-rejected-under-section-81-in-fy20-21-cic-annual-report/66623.html
The Bill has a deemed consent clause which presumes the consent of citizens for processing
their personal data in certain cases, but somehow the same clause does not seem to apply to
public officials. Citizens’ consent can be deemed under clause 8 in cases for any fair and
reasonable purpose59 based on the following grounds:

a. whether the legitimate interests of the Data Fiduciary in processing for that purpose
outweigh any adverse effect on the rights of the Data Principal
b. any public interest in processing for that purpose
c. the reasonable expectations of the Data Principal having regard to the context of the
processing.

Disclosure of personal information under S. 8(1)(j) of the RTI Act and its proviso, meets the
above criteria because:

a. There exists a legitimate interest – the objective of the RTI Act is to promote
transparency and accountability in the working of the public authorities and
preserving the paramountcy of the democratic ideal.60
b. S. 8(1)(j) in its existing form only allows such disclosure if larger public interest justifies
it.
c. It serves the principle of reasonable expectations because the principle of informed
citizenry affords the right to seek information of public officials which serve the larger
public interest.

Our view, therefore, is that this Bill and Section 8(1)(j) of the RTI Act can both co-exist and
there is no need for this amendment. While digital personal information of public officials will
be protected under this Bill, only such personal information which justifies the criteria of
public interest or is mandatory to be provided to the Parliament or State Legislatures, can be
disclosed. We suggest that Clause 30(2) under the Amendments be omitted, or a careful
rewording be considered so that it does not result in dilution of the purpose of the RTI Act.

The Lack of a Sunset Clause

Recommendation

A sunset clause should be added to the Bill to have time and function based review of the
provisions of the Bill by a parliamentary committee

Comments

The Bill does not make provisions for time/function-based review of any of its provisions. In
a dynamic and constantly changing environment such as technology regulation, the risk of
legislation becoming obsolete at a fast pace is always present. The IT Act and the subsequent
issuance of rules to address the evolving landscape of social media intermediaries, which
were non-existent when the Act was passed, is a telling example of this scenario.

59
Clause 8(9), DPDP Bill, 2022
60
https://rti.gov.in/RTI%20Act,%202005%20(Amended)-English%20Version.pdf

The Bill should incorporate a time-based review (three-year technical review/five-year legal
review) of some or all of its provisions by a parliamentary committee. This will ensure that
advances in technology are factored into the legislation at an appropriate time. A
function-based review may be mandated for certain provisions that are related to transfer of
personal data outside of Indian borders on a case-by-case basis.

ENDNOTE

DeepStrat wishes to acknowledge the experts, stakeholders and partners who generously
contributed their views and expertise to our comments on the DPDP Bill, 2022.
Our comments on the DPDP Bill 2022 were contributed by the following authors:
1. Mr. Yashovardhan Azad, IPS (Retd), Chairman, DeepStrat
2. Mr. Amitabh Mathur, IPS (Retd), Co-Founder, DeepStrat
3. Ambassador Pinak Ranjan Chakravarty, IFS (Retd), Co-Founder, DeepStrat
4. Mr. Nandkumar Saravade, IPS (Retd), Co-Founder, DeepStrat
5. Mr. Saurabh Chandra, IAS (Retd), Co-Founder, DeepStrat
6. Ambassador Amar Sinha (Retd), Co-Founder, DeepStrat
7. Vice Admiral Shekhar Kumar Sinha (Retd), Co-Founder, DeepStrat
8. Mr. Saikat Datta, CEO & Co-Founder, DeepStrat
9. Mr. Anand Venkatanarayanan, Co-Founder, DeepStrat
10. Ms. Shachi Solanki, Programme Associate, DeepStrat
11. Mr. Ranjeet Rane, Consultant, DeepStrat
