- Several sections deem the consent of a data principal to data processing to have been given in certain situations, exposing them to excessive data processing
- Section 18 gives government instrumentalities exemptions from the provisions of the Act, leaving citizens vulnerable to mass surveillance
- The draft Bill has also introduced duties for data principals, which are vaguely defined and can leave them vulnerable to fines and legal proceedings
After years of deliberation and amendments, the Indian government has finally introduced a new iteration of the Digital Personal Data Protection Bill, limiting its scope to only personal data.
However, the Bill has faced criticism on a host of issues, especially those related to user privacy.
The individuals to whom the personal data relates, or ‘data principals’, not only face the potential vulnerability of opening themselves up to government surveillance but have also been burdened with a set of ‘duties’, some of which could be exploited by ‘data fiduciaries’. A data fiduciary is any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data.
Deemed Consent Clause Raises Concerns
Section 8 of the Digital Personal Data Protection Bill is titled ‘Deemed Consent’ and highlights the situations in which the government/data fiduciary would be able to access the data of a user.
“A data principal is deemed to have given consent to the processing of her personal data if such processing is necessary,” as per the draft, which lists nine sub-sections that present such situations.
These situations include medical emergencies, the issue of a certificate or a licence and compliance with judgement and court orders.
However, Sections 8(6), (7) and (8) state that the consent of a data principal for data processing will be deemed in situations including maintenance of public order, employment purposes including prevention of corporate espionage and intellectual property and in the public interest, respectively.
Further, Section 8(8)(9) deems the consent of the data principal “for any fair and reasonable purpose as may be prescribed” after taking into account the public interest, the legitimate interests of a data fiduciary and the expectations of a data principal in the context of the data processing in that situation.
The draft Bill has not clearly defined what ‘public interest’ means, which is a key point of concern expressed by many.
However, the definition of ‘fair and reasonable purpose’ includes search engine optimisation (SEO). This potentially allows data fiduciaries to process the personal data of data principals to a great extent without having to get explicit and informed consent from them, giving them a wide berth on what to do with user data.
An analysis by law news portal Bar&Bench pointed out the same. “One of the major concerns in the draft Bill is the vast definition of the term ‘public interest’ for contemplating ‘deemed consent’,” the publication said.
Similarly, the Internet Freedom Foundation, in a Twitter thread, said, “Clauses 8(6), (7), & (8) state that consent of a data principal will be ‘deemed’ in certain situations including for the maintenance of public order, purposes related to employment & in public interest, opening the door to wide & vague interpretation.”
Exemptions For Government
Chapter four of the draft Bill deals with ‘special provisions’ and includes Section 18, which concerns certain exemptions from the provisions of the draft Bill laid down in Chapter two.
Incidentally, Section 18 has reintroduced the vague exemptions for the government which were also present in various sections of the previous Data Protection Bill, 2021.
Section 18(2) of the draft Bill gives the government exemption from the provisions of the Act and allows it to process user data without consent.
Specifically, Section 18(2)(a) talks about how the Centre can process user data in the interest of national security, friendly relations with other countries, maintenance of public order or preventing incitement to any ‘cognisable offence’ relating to any of these.
Further, Section 18(4) allows the government to store a data principal’s data indefinitely, as the provisions of Section 9(6) do not apply to any instrumentality of the government. This means that government agencies, under certain circumstances, would be able to indefinitely store a user’s data.
The subsections are vaguely defined and are open to interpretation and therefore misuse.
On the exemptions, the Internet Freedom Foundation said, “If the law is not applied to government instrumentalities, data collection and processing in the absence of any data protection standards could result in mass surveillance.”
The body added that any exemption sought by government agencies should be granted only if they fulfil the standards of legality, necessity, and proportionality.
Duties Of Data Principals – Why Fine The Users?
Section 16 of the draft Digital Personal Data Protection Bill, 2022 details the duties of a data principal. The duties imposed on the data principal are:
- Comply with the provisions of all applicable laws while exercising rights under the provisions of the draft bill
- Not register a false or frivolous grievance or complaint with a data fiduciary or the Data Protection Board
- Not furnish any false particulars or suppress any material information or impersonate another person, and
- Furnish only such information as is verifiably authentic while exercising the right to correction or erasure.
However, under Schedule 1 of the draft bill, the government has proposed a penalty of INR 10,000 on data principals for non-compliance with Section 16.
This means that the legislation which is supposed to protect the rights of a user is also imposing penalties on them for reasons that are ill-defined and thus open to interpretation.
Speaking on the issue, Prateek Waghre, policy director at Internet Freedom Foundation, said, “The imposition of duties and penalties on data principals is the opposite of what one would expect from privacy reform. A penalty on ‘frivolous complaints’ [Clause 16(2)] will disincentivise people from filing complaints especially since there are question marks around the independence of the proposed Data Protection Board.”
Waghre added that this might also potentially restrict individuals from providing pseudonyms or information that isn’t directly associated with them [Clause 16(3)] even for non-financial transactions/services (‘under no circumstances’).
According to him, this is “overbroad and not in keeping with the ways in which many people resist indiscriminate data collection on the internet”.
Industry Opinion Divided
Speaking at a session during the Carnegie Global Technology Summit, Nick Clegg, Meta’s policy head, said that while the draft DPDP bill is a ‘clear, cogent piece of draft legislation’, it lacks details needed for execution.
“There are lots of twists and turns in terms of how you interpret it and apply it. But in broad terms, it seems to me the Indian government has done some really thoughtful work in terms of this revised draft,” he said.
However, with the definition of ‘public interest’ including search engine optimisation, big tech companies such as Google, Facebook and Twitter can process user data without needing to get users’ consent.
The Consumer Unity & Trust Society (CUTS) International, in an earlier statement, noted that the draft DPDP Bill has skipped the clause of ‘Right to Privacy’ in its preamble, and added that it gives ‘unrestrained power’ to the government.
“The [current] Bill provides a broad scope and unrestrained powers to the government to prescribe on critical issues at a later date. Such powers, if not carefully and judicially used, can do more harm than good,” said CUTS International’s secretary general Pradeep Mehta.
However, CUTS also added that the decision to remove non-personal data from the Data Protection Bill is a ‘desirable’ move.
May Lead To A Large Number Of Litigations
While the government wanted to use plain language in the draft Data Protection Bill to keep it simple and jargon-free, several aspects are ill-defined and vague and may open up the country’s digital economy to a large number of litigations.
The large number of issues raised by industry and experts regarding the draft Bill suggests the need for a rethink on a number of aspects.
Only time will tell if the government makes any changes based on the suggestions it receives on the Bill. The last date for sending feedback is December 17, 2022.