
Digital Personal Data Protection Bill 2022

Introduction

Personal data, in particular, lies at the core of our digital economy, facilitating several
business models and algorithms that enhance user experiences in the digital world. Against
this background, it is essential that there exist effective legislation around
which companies can build frameworks governing the use of personal data.
On 18th November 2022, the Government of India, seeking consultation from various
stakeholders, released a draft version of The Digital Personal Data Protection Bill,
2022 (hereinafter referred to as “the Bill”). The following article highlights certain
promising features along with some worrying concerns that arise out of this draft Bill.

Promising features of the proposed bill

The Digital Personal Data Protection Bill, 2022 has proposed several forward-looking
laws that are expected to be instrumental in protecting and safeguarding personal data.
1. The Bill makes use of the pronouns ‘her’ and ‘she’, to refer to individuals
regardless of anyone’s gender. It has been stated that the implementation of
such a novel drafting practice is in furtherance of the government’s philosophy
of women empowerment. Section 6 of the Bill mandates a Data Fiduciary to
produce an ‘itemised’ description of the personal data sought to be collected,
which, more importantly, has to be enunciated in ‘clear and plain language’.
2. The Bill seeks to eliminate the occurrence of such situations by enabling data
principals to better understand and fairly assess what kinds of personal data
they have consented to provide and how such data will be processed.
3. The Bill provides for such consent notices to be presented in English or any
other language part of the 8th Schedule of the Constitution that may be
requested by the data principal. The drafters of this Bill have rightly considered
the pertinent linguistic demographics, enabling data principals to better
understand terms relating to the use of their personal data.
4. Section 7 (8) of the Bill expressly states that data principals would not be
forced to provide personal data that is not absolutely necessary for rendering
services by the fiduciary. For example, you would not be mandated to provide
your phone number for the use of a social media platform as the furnishing of
such information would not be absolutely necessary for the use of that service.
5. Section 11 prescribes the additional procedures and safeguards that significant
data fiduciaries (as notified) are mandated to follow. The determination of what
is a ‘significant’ data fiduciary depends on a host of factors including ‘the
volume and sensitivity of personal data processed’ along with their associated
‘risk to electoral democracy’.
6. Section 11 attempts to protect the interests of data principals in a functioning
democracy, and enables greater scrutiny of the management of personal data
by fiduciaries.
7. Most digital platforms obtain informed consent through standard form contracts
encumbered with legal jargon, which consequently results in individuals not fully
comprehending how their personal data will be processed. The Bill seeks to
eliminate the occurrence of such situations by enabling data principals to better
understand and fairly assess what kinds of personal data they have consented to
provide and how such data will be processed.

Questions on practicality and effectiveness

However, the proposed Bill is not free of certain doubts and concerns regarding the
practicality and effectiveness of such provisions.
1. A ‘Data Fiduciary’ is defined as an individual or a group that determines the
purpose and means by which personal data will be processed. The inclusion of
the conjunctive ‘and’ in the definition raises doubts on whether an entity would
be considered as a fiduciary, even if it doesn’t determine the means of
processing data.
2. The Bill also widely defines ‘public interest’ in Section 2(18) which includes
preventing incitement to the commission of any cognizable offence and
dissemination of false statements of fact.
3. Under Section 8 of the Bill, any fiduciary could assume consent for processing
personal data in public interest. Having such a broad definition could only
increase the scope of exploitation of personal data, ironically working against
the interest of the public. A similar instance has already occurred back in 2019,
when the Delhi Police admittedly extended the use of confidential personal data
using automated facial recognition systems. The personal details of the Anti-
CAA protestors were stored on a database using the facial recognition systems,
even though they were only permitted to use such systems to find missing
children.
4. Section 9 of the proposed Bill provides the general obligations of data
fiduciaries managing personal data. Every data fiduciary and data processor is
obliged to protect the personal data in its possession or control by taking
‘reasonable security safeguards’. It is noteworthy that the proposed
Bill fails to list objective technical standards of the kind that data fiduciaries are
compelled to follow under the EU’s General Data Protection Regulation.
Merely instructing fiduciaries to employ ‘reasonable’ safeguards would again leave a
wide scope for interpretation, consequently jeopardizing the personal data of
citizens.
5. Section 10 of the Bill provides for additional obligations in processing personal
data of children, wherein 10(1) mandates data fiduciaries to obtain ‘verifiable
parental consent’ before processing a child’s personal data. It is not quite clear
as to how data fiduciaries would obtain parental consent or confirm the veracity
of such consent. Take, for example, social media platforms like Instagram, which
deal with large volumes of personal data of millions of teenagers. The
provision raises the perplexing question of how such fiduciaries would obtain
‘verifiable parental consent’ in such a scenario.
6. The Bill also contemplates the establishment of a ‘Data Protection Board of
India’, for the purpose of determining non-compliance with the Bill, imposing
penalties, issuing directions, and performing other such functions as the Central
Government may prescribe. The Board aims to act as an independent regulator
on a case-by-case basis. It will be vested with the power to conduct inquiries,
summon witnesses, inspect evidence, conduct proceedings relating to
complaints, and impose penalties. Thus, it is important that its composition has
the right balance, so that it can function independently of the different wings of
the State. The Bill is silent on the above aspect. It empowers the Central
Government to stipulate the Board’s strength, composition, process of member
selection and terms and conditions of appointment and removal. This is a
departure from the approach that was contemplated under earlier Bills. In the
absence of any insights on how the said Board will be constituted, there is
speculation that the Data Protection Board of India may not be truly
independent in the discharge of its functions.

Conclusion

As provided in the preamble of the Bill, its purpose is to recognize the right of
individuals to protect their personal data along with the need to process personal data
for lawful purposes. In the author’s opinion, while considering the several obligations
placed on data fiduciaries, the Bill tips the balance in favour of the rights of
individuals to protect their personal data. The several doubts mentioned above now
require reconsideration of certain provisions by the legislative bodies. Setting aside
loopholes that need to be addressed, the proposed Bill is a step in the right direction
for safeguarding citizens’ personal data. The government through the proposed Bill
has tackled an essential need in time for our growing digital economy. However, the
effectiveness of this law can only be gauged by the test of time.
