Why India’s Proposed Data Protection Law Instills Fear


By Sarosh Bana, Mumbai Correspondent.

The Indian public is on edge as it awaits the government’s new Digital Personal Data Protection Bill, the last draft of which had conferred wide-ranging powers on the authorities, while prescribing very few safeguards.

The government had last November made public a draft Bill that was the fourth iteration of a planned law intended to accord a legal framework to the 2017 Supreme Court ruling on the right to privacy.

The previous iterations, namely, the Personal Data Protection Bill, 2019, and the Data Protection Bill, 2021, were withdrawn after stakeholders raised several issues.

The final draft Bill was released to solicit public comments and was accompanied by an Explanatory Note that outlined the need to “restructure the legal and regulatory framework for the telecommunications sector”.

Since then, the proposed legislation has generated much discussion on various changes that it proposed to make to the current telecom regulatory framework, the government maintaining that its exercise was to update the extant regulatory framework in keeping with the advancements and challenges in the sector as well as to consolidate the laws governing the provision, development, expansion and operation of telecommunication services, telecommunication networks and telecommunication infrastructure, and assignment of spectrum.

It said the proposed law was much needed, since the three prevailing legislations concerning this domain were considerably outdated, with the most recent of these having been enacted more than 70 years ago. These legislations were the Indian Telegraph Act, 1885, Indian Wireless Telegraphy Act, 1934, and Telegraph Wires (Unlawful) Possession Act, 1951. The draft Bill proposed to repeal these legislations and “restructure the legal and regulatory framework” for the telecommunications sector.

In its four-page affidavit submitted to a five-judge Constitution bench of the apex court on Tuesday, the government announced its intention to introduce the new bill in Parliament “at the earliest”, though without specifying any timeframe.

“MeitY [Ministry of Electronics and IT] initiated a stakeholder consultation exercise on the draft Bill, inviting comments from the public by….2 January, 2023,” the affidavit informed. “MeitY is in the process of collating and analysing the feedback and suggestions received, with a view to take the draft Bill forward.”

The last draft Bill, released on 18 November, had focused on personal data, as compared to earlier unwieldy drafts, and had stipulated hefty penalties for non-compliance, which were capped without any link to the turnover of the concerned enterprise.

The Supreme Court had last September questioned the delay in framing a law to protect the data privacy of citizens, despite its declaring the right to privacy a fundamental right in 2017. At that time, the government had told the court that the Personal Data Privacy Bill had been tabled in Parliament in 2019, scrutinised by a joint Parliamentary committee, and subsequently withdrawn a month earlier to make way for a more comprehensive law based on suggestions and amendments proposed by the House panel.

There is widespread concern about the final form of the Bill, considering that its last version had provided a near blanket exemption for government agencies from complying with some of the more onerous requirements under the Bill, and a dilution of the remit of the proposed Data Protection Board, which is mandated to oversee the provisions of the proposed legislation.

In its comments on the draft sent to the government for consideration, Mumbai-based Majmudar & Partners, a premier law firm, pointed out that contrary to the earlier drafts, the November draft Bill provided for “deemed consent” given by the data principal for specified reasons, including a medical emergency, for employment purposes, to comply with any court judgment or order, or in public interest.

“However, the draft Bill empowers the government to prescribe additional categories of deemed consent that can override the rights of the data principal. Such a broad power can result in government overreach on an individual’s personal data and right to privacy,” notes Majmudar. “Besides, while consent for a specific purpose, which is not classified as ‘deemed consent’, may be withdrawn by the data principal, the draft Bill fails to address immediate or future withdrawal of deemed consent and the question arises whether it is even possible for a data principal to specifically withdraw consent in a situation where there is deemed consent.”

The law firm also finds that while the right to data portability was prescribed in the 2019 and 2021 Bills, it is absent in the draft Bill. It explains that the earlier drafts had bestowed on the data principal the right to receive his/her personal data in a structured, commonly used, and machine-readable format.

They had also entitled data principals to transfer their personal data to any other data fiduciary. “Such data portability rights would have been beneficial to data principals and would allow them to better monitor and manage their data,” suggests Majmudar.

According to the law firm, the draft Bill is also silent on the data principal’s right to be forgotten – the right to restrict or prevent the continuing disclosure of personal data by a data fiduciary – although it retains the right to correction and erasure of personal data. “In our view, these two concepts cannot be conflated and should have been kept independent,” it maintains.

The draft Bill covers the processing of digital personal data of data principals within India, as also outside India, if this involves the collection of data that relates to the behavior or interests of data principals within India, or data emanating from goods or services offered for sale to data principals within India.

As regards the 2019 Bill, the Joint Parliamentary Committee had emphasised the importance of data localisation and had proposed measures to restrict cross-border data flow. However, while the draft Bill does not prescribe any blanket restrictions on cross-border data transfer, lack of clarity on the jurisdictions to which data may or may not be transferred, or the criteria for assessing to which jurisdictions data may or may not be transferred, leaves a lot of ambiguity for businesses. Majmudar states, “Upfront clarity on this issue is necessary, so that technology companies can plan their data processing in countries where this will be permissible.”

The draft Bill does not apply to any non-personal data, any data in a non-digital format or personal data about an individual that is contained in a record that has been in existence for at least 100 years. Additionally, it does not apply in cases of non-automated processing of personal data or processing of personal data by an individual for any personal or domestic purpose. It has also removed the classification of personal data in various categories, such as sensitive personal data and critical personal data.

While the 2019 Bill had proposed a penalty not exceeding Rs15 crore ($1.83 million), or 4 per cent of the defaulting entity’s global turnover, for non-compliance with the proposed provisions, the draft Bill has raised this limit to Rs500 crore ($61 million), while additionally imposing six types of penalties on data processors and/or data fiduciaries for non-compliance.

Failure of a data processor or data fiduciary to take reasonable security safeguards to prevent a personal data breach will attract a penalty of up to Rs250 crore ($30.5 million); failure to notify the Board and affected data principals in the event of a personal data breach, or non-fulfilment of the additional obligations in relation to processing of personal data of children, will attract a penalty of up to Rs200 crore ($24.4 million); non-fulfilment of additional obligations of a significant data fiduciary will attract a penalty of up to Rs150 crore ($18.3 million); non-compliance with the duties of data principals will attract a penalty of up to Rs10,000 ($123); and a default penalty of up to Rs50 crore ($6.1 million) will be levied for contravention of the provisions for which fines have not been specified.

While the 2019 Bill allowed for an aggrieved data principal to be compensated for misuse of the individual’s personal data, the draft Bill excludes such compensation requirements, and, in fact, makes the data principal liable up to an amount of Rs10,000 ($123) for not complying with the duties specified under the draft Bill. These include furnishing unverifiable information, registering false and frivolous complaints, or furnishing any false information while applying for any document, service, unique identifier, proof of identity, or proof of address.

“In our view, some of the changes proposed in the draft Bill grant wide discretionary powers to the government,” indicates Majmudar & Partners. “The provisions on exemption under Section 18 of the draft Bill loosely enable the government to exempt the application of laws in relation to the processing of personal data proposed in the draft Bill.” It adds that the lack of clarity on cross-border transfers of data makes things very ambiguous for the outsourcing industry as a whole, which has been a big exporter of services from India.
