Data Protection Bill: From Deemed Consent To Exemptions, Lack Of Clarity May Hurt The Cause

Data Protection Bill: From Deemed Consent To Exemptions, Lack Of Clarity May Hurt The Cause

SUMMARY

Several sections assume the consent of a data principal for data processing to be deemed in certain situations, exposing them to excessive data processing

Section 18 gives government instrumentalities exemptions from the provisions of the Act, leaving citizens vulnerable to mass surveillance

The draft Bill has also introduced duties for data principals, which are vaguely defined and can leave them vulnerable to fines and legal proceedings

After years of deliberation and amendments, the Indian government has finally introduced a new iteration of the Digital Personal Data Protection Bill, limiting its scope to only personal data.

However, the Bill has faced criticism on a host of issues, especially those related to user privacy.

The individuals, or ‘data principals’ to whom the personal data relates, not only face the potential vulnerability of opening themselves up to government surveillance but also have been burdened with a set of ‘duties’, some of which could be exploited by ‘data fiduciaries’. A data fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing personal data.

Deemed Consent Clause Raises Concerns

Section 8 of the Digital Personal Data Protection Bill is titled ‘Deemed Consent’ and highlights the situations in which the government/data fiduciary would be able to access the data of a user.

“A data principal is deemed to have given consent to the processing of her personal data if such processing is necessary,” as per the draft, which lists nine sub-sections that present such situations. 

These situations include medical emergencies, the issue of a certificate or a licence and compliance with judgement and court orders.

However, Sections 8(6), (7) and (8) state that the consent of a data principal for data processing will be deemed in situations including maintenance of public order, employment purposes including prevention of corporate espionage and intellectual property and in the public interest, respectively.

Further, Sections 8(8)(9) deems the consent of the data principal “for any fair and reasonable purpose as may be prescribed” after taking into account the public interest, the legitimate interests of a data fiduciary and the expectations of a data principal in context of the data processing in that situation.

The draft Bill has not clearly defined what ‘public interest’ means, which is a key point of concern expressed by many.

However, the definition of ‘fair and reasonable purpose’ includes search engine optimisation (SEO). This potentially allows data fiduciaries to process the personal data of data principals to a great extent without having to get explicit and informed consent from them, giving them a wide berth on what to do with user data.

An analysis by law news portal Bar&Bench pointed out the same. “One of the major concerns in the draft Bill is the vast definition of the term ‘public interest’ for contemplating ‘deemed consent’,” the publication said.

Similarly, the Internet Freedom Foundation, in a Twitter thread, said, “Clauses 8(6), (7), & (8) state that consent of a data principal will be “deemed” in certain situations including for the maintenance of public order, purposes related to employment & in public interest, opening the door to wide & vague interpretation.”

Exemptions For Government

Chapter four of the draft Bill deals with ‘special provisions’, which also includes Section 18, concerned with certain exemptions to the provisions of the draft Bill laid down in Chapter two.

Incidentally, Section 18 has reintroduced the vague exemptions for the government which were also present in various sections of the previous Data Protection Bill, 2021.

Section 18(2) of the draft Bill gives the government exemption from the provisions of the Act and allows it to process user data without consent. 

Specifically, Section 18(2)(a) talks about how the Centre can process user data in the interest of national security, friendly relations with other countries, maintenance of public order or preventing incitement to any ‘cognisable offence’ relating to any of these.

Further, Section 18(4) allows the government to store a data principal’s data indefinitely, as the provisions of Section 9(6) do not apply to any instrumentality of the government. This means that government agencies, under certain circumstances, would be able to indefinitely store a user’s data.

The subsections are vaguely defined and are open to interpretation and therefore misuse. 

On the exemptions, the Internet Freedom Foundation said, “If the law is not applied to government instrumentalities, data collection and processing in the absence of any data protection standards could result in mass surveillance.”

The body added that any exemption sought by government agencies should be granted only if they fulfil the standards of legality, necessity, and proportionality.

Duties Of Data Principals – Why Fine The Users?

Section 16 of the draft Digital Personal Data Protection Bill, 2022 details the duties of a data principal. The duties imposed on the data principal are:

  • Comply with the provisions of all applicable laws while exercising rights under the provisions of the draft bill
  • Not register a false or frivolous grievance or complaint with a data fiduciary or the Data Protection Board
  • Not furnish any false particulars or suppress any material information or impersonate another person, and
  • Furnishing only such information as is verifiably authentic while exercising the right to correction or erasure.

However, under Schedule 1 of the draft bill, the government has proposed a penalty of INR 10,000 on data principals for non-compliance with Section 16.

This means that the legislation which is supposed to protect the rights of a user is also imposing penalties on them for reasons that are ill-defined and thus open to interpretation.

Speaking on the issue, Prateek Waghre, policy director at Internet Freedom Foundation, said, “The imposition of duties and penalties on data principals is the opposite of what one would expect from privacy reform. A penalty on ‘frivolous complaints’ [Clause 16(2)] will disincentivise people from filing complaints especially since there are question marks around the independence of the proposed Data Protection Board.” 

Waghre added that this might also potentially restrict individuals from providing pseudonyms or information that isn’t directly associated with them [Clause 16(3)] even for non-financial transactions/services (‘under no circumstances’).

According to him, this is “overbroad and not in keeping with the ways in which many people resist indiscriminate data collection on the internet”.

Industry Opinion Divided

Speaking at a session during the Carnegie Global Technology Summit, Nick Clegg, Meta’s policy head, said that while the draft DPDP bill is a ‘clear, cogent piece of draft legislation’, it lacks details needed for execution.

“There are lots of twists and turns in terms of how you interpret it and apply it. But in broad terms, it seems to me the Indian government has done some really thoughtful work in terms of this revised draft,” he said.

However, with the definition of ‘public interest’ including search engine optimisation, big tech companies such as Google, Facebook and Twitter can process user data without needing to get their consent. 

The Consumer Unity & Trust Society (CUTS) International, in an earlier statement, noted that the draft DPDP Bill has skipped the clause of ‘Right to Privacy’ in its preamble, and added that it gives ‘unrestrained power’ to the government.

“The [current] Bill provides a broad scope and unrestrained powers to the government to prescribe on critical issues at a later date. Such powers, if not carefully and judicially used, can do more harm than good,” said CUTS International’s secretary general Pradeep Mehta.

However, CUTS also added that the decision to remove non-personal data from the Data Protection Bill is a ‘desirable’ move.

May Lead To A Large Number Of Litigations

While the government wanted to use simple language in the draft Data Protection Bill to keep it simple and jargon-free, there are several aspects which are ill-defined and vague and may open up the digital economy of the country to a large number of litigations.

The large number of issues raised by industry and experts regarding the draft Bill suggests the need for a rethink on a number of aspects.

Only time will tell if the government makes any changes based on the suggestions it receives on the Bill. The last date for sending feedback is December 17, 2022.

Step up your startup journey with BHASKAR! From resources to networking, BHASKAR connects Indian innovators with everything they need to succeed. Join today to access a platform built for innovation, growth, and community.

You have reached your limit of free stories
Become An Inc42 Plus Member

Become a Startup Insider in 2024 with Inc42 Plus. Join our exclusive community of 10,000+ founders, investors & operators and stay ahead in India’s startup & business economy.

2 YEAR PLAN
₹19999
₹7999
₹333/Month
UNLOCK 60% OFF
Cancel Anytime
1 YEAR PLAN
₹9999
₹4999
₹416/Month
UNLOCK 50% OFF
Cancel Anytime
Already A Member?
Discover Startups & Business Models

Unleash your potential by exploring unlimited articles, trackers, and playbooks. Identify the hottest startup deals, supercharge your innovation projects, and stay updated with expert curation.

Data Protection Bill: From Deemed Consent To Exemptions, Lack Of Clarity May Hurt The Cause-Inc42 Media
How-To’s on Starting & Scaling Up

Empower yourself with comprehensive playbooks, expert analysis, and invaluable insights. Learn to validate ideas, acquire customers, secure funding, and navigate the journey to startup success.

Data Protection Bill: From Deemed Consent To Exemptions, Lack Of Clarity May Hurt The Cause-Inc42 Media
Identify Trends & New Markets

Access 75+ in-depth reports on frontier industries. Gain exclusive market intelligence, understand market landscapes, and decode emerging trends to make informed decisions.

Data Protection Bill: From Deemed Consent To Exemptions, Lack Of Clarity May Hurt The Cause-Inc42 Media
Track & Decode the Investment Landscape

Stay ahead with startup and funding trackers. Analyse investment strategies, profile successful investors, and keep track of upcoming funds, accelerators, and more.

Data Protection Bill: From Deemed Consent To Exemptions, Lack Of Clarity May Hurt The Cause-Inc42 Media
Data Protection Bill: From Deemed Consent To Exemptions, Lack Of Clarity May Hurt The Cause-Inc42 Media
You’re in Good company