Updated: Sep 25
On November 18, 2022, the Ministry of Electronics and Information Technology (MeitY), Government of India released the latest draft of India’s proposed data protection law, the Digital Personal Data Protection Bill, 2022 (DPDP Bill, 2022), for public consultation and comments. Article 21 Trust participated in the consultation and submitted its comments. We share our main points of concern and analysis in a two-part article. This first part focuses on the historical development of the Bill, the unnecessary brevity of its drafting, the incomplete preamble, issues with the definition clause, issues surrounding notice, and the all-encompassing deemed consent clause.
Historical development around data protection legislation
The Supreme Court of India, in 2017, in the landmark judgement of K.S. Puttaswamy v. Union of India [1], also referred to as the right to privacy judgement, observed the need for a robust regime for the protection of data in India. Subsequent to the historic judgement, a committee headed by former Supreme Court Justice B.N. Srikrishna, constituted on 27-7-2018, proposed a draft data protection law that was later codified as a draft Bill in 2018. This Bill was revised after consultation with stakeholders and tabled in Parliament on 11-12-2019 as the Personal Data Protection Bill, 2019 (PDP Bill). A Joint Parliamentary Committee (JPC) was then set up to review the PDP Bill. The JPC submitted its report in December 2021, proposing that the PDP Bill be replaced with a new Bill, the Data Protection Bill, 2021 (DP Bill, 2021).
The DP Bill, 2021, on which the lawmakers had worked and deliberated in one form or another, was then abruptly withdrawn by the Government on 3-8-2022, with the stated reason being “to make way for a comprehensive legal framework for the digital ecosystem”. Consequent to the withdrawal, the present Bill was released for public consultation.
An unwanted brevity
The DPDP Bill, 2022 departs from the previous iterations of the Bill in terms of length and depth. The 2019 and 2021 Bills were comprehensive, detailed and contained over 90 clauses. The DPDP Bill, 2022 has been restricted to 30 clauses, with many of the details left for the government to decide in future through rules and regulations. The aim set out by the previous versions of the Bill was the protection of the privacy of individuals in relation to their personal data and the creation of a relationship of trust between the data principal and the data fiduciary (preamble and title). They also acknowledged the right to privacy as a fundamental right. The 2022 Bill omits all these important aspects, and its preamble does not mention these recognitions.
Preamble: A missed opportunity
The 2019 and 2021 Bills acknowledged in their preambles that the right to privacy is a fundamental right. The 2022 Bill fails to acknowledge this, and this is perhaps the reason that the Bill strays far from the right in its provisions.
The Supreme Court has held in Puttaswamy that the right to privacy is an integral part of both “life” and “personal liberty” under Article 21, and is intended to enable the rights bearer to develop her potential to the fullest extent made possible in consonance with the constitutional values.
There is a practical problem with this omission. It is a well-settled rule of interpretation that a preamble is key to the interpretation of a statute: it serves as an internal aid in deciphering the ambiguous terms and provisions of the law and lays out the objectives that the law is meant to achieve. Since the preamble of the present Bill has overlooked this aspect, it is a serious concern that in future the Bill may be interpreted in a manner that violates the very right to privacy of the data principal.
Preamble as provided by the DPDP Bill, 2022
Second, the preamble now enables the processing of data for a “lawful purpose”, a phrase that was missing from the previous versions of the Bill. Clause 5 of the Bill defines lawful purpose as “any purpose which is not expressly forbidden by law.” This is inherently flawed. When the preamble is read with Clause 5, it becomes apparent that the State has conferred on itself wide powers to process personal data under the garb of a lawful purpose. For example, various activities are not expressly forbidden by any statute yet violate an individual’s right to privacy, such as linking voter ID with Aadhaar or collecting personal and sensitive data under health schemes without the consent of citizens. Such wording may go against the mandate of the Puttaswamy judgement, wherein the Supreme Court categorically held that privacy is a necessary facet of Article 21 of the Constitution and that any intrusion into fundamental rights or privacy must meet the triple requirements test.
The Preamble, therefore, should strike a balance between the right to privacy of the data principal and the legitimate interest of the state and should be drafted on the lines of the preambles as featured in the 2019 and 2021 Bills.
The definition clause is arcane
One of the main aims of the Data Protection Bill is to protect data principals from the harm that may arise from the collection and processing of their data, or that may be caused in the event of a data breach. The definition of harm is therefore significant. The present Bill significantly narrows the instances of harm in comparison to the 2019 and 2021 Bills. A tabular comparison of these iterations explains the difference.
PDP Bill, 2019: The definition of harm under Clause 3(20): "harm" included— (i) bodily or mental injury; (ii) loss, distortion or theft of identity; (iii) financial loss or loss of property; (iv) loss of reputation or humiliation; (v) loss of employment; (vi) any discriminatory treatment; (vii) any subjection to blackmail or extortion; (viii) any denial or withdrawal of a service, benefit or good resulting from an evaluative decision about the data principal; (ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; or (x) any observation or surveillance that is not reasonably expected by the data principal;
DP Bill, 2021 (recommended by the JPC): The JPC added two more grounds to the definition provided by the 2019 Bill: (xi) psychological manipulation which impairs the autonomy of the individual; and (xii) such other harms as may be prescribed.
DPDP Bill, 2022: 2(10) “harm”, in relation to a Data Principal, means - (a) any bodily harm; or (b) distortion or theft of identity; or (c) harassment; or (d) prevention of lawful gain or causation of significant loss;
The definition under the present Bill constricts harm to only four instances. This substantially reduces the liability of data fiduciaries, who would not be liable for any harm other than those mentioned in the Bill. For example, the definition excludes discriminatory treatment, which means a person can still be discriminated against on the basis of her race, religion, colour or sexual orientation because of the data processed, and will have no remedy for such harm, as discrimination has been removed from the purview of the definition. The same applies to observation or surveillance not reasonably expected by the data principal: despite being at the receiving end of surveillance, the data principal shall have no remedy, as the present Bill has omitted this as well, and data fiduciaries can continue to process her personal data without any accountability or liability.
The definition is limited in scope and meaning, and so does not benefit the data principal, who may suffer harm on a number of counts that have not been included in the Bill. The definition should therefore be redrafted to make it more inclusive and to cover all possible harms.
Unlike the 2019 and 2021 Bills, the 2022 Bill defines only personal data and is silent on biometric and sensitive data. This can be better understood in tabular form.
PDP Bill, 2019
Personal data: 3(28) "personal data" means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling;
Biometric data: 3(7) "biometric data" means facial images, fingerprints, iris scans, or any other similar personal data resulting from measurements or technical processing operations carried out on physical, physiological, or behavioural characteristics of a data principal, which allow or confirm the unique identification of that natural person;
Sensitive personal data: 3(36) "sensitive personal data" means such personal data, which may, reveal, be related to, or constitute— (i) financial data; (ii) health data; (iii) official identifier; (iv) sex life; (v) sexual orientation; (vi) biometric data; (vii) genetic data; (viii) transgender status; (ix) intersex status; (x) caste or tribe; (xi) religious or political belief or affiliation; or (xii) any other data categorised as sensitive personal data under section 15 … Explanation …
DP Bill, 2021
Personal data: No change in the definition except the number of the clause.
Biometric data: No change in the definition.
Sensitive personal data: No change in the definition. Sensitive data also continues to include biometric data.
DPDP Bill, 2022
Personal data: 2(13) “personal data” means any data about an individual who is identifiable by or in relation to such data;
Biometric data: The Bill has omitted the definition.
Sensitive personal data: The definition has been omitted.
Clause 13(1) of the 2019 Bill, which dealt with the non-consensual processing of personal data, made an exception for sensitive data: any personal data other than sensitive personal data could be processed without obtaining consent if such processing was necessary.
The 2019 and 2021 Bills placed stringent conditions on the State for processing sensitive data. Clause 11(3) of the 2019 and 2021 Bills required the Data Fiduciary to obtain explicit consent for processing sensitive data. This requirement has been omitted from the 2022 Bill.
The 2022 Bill has blurred the difference between personal data and sensitive personal data. Under the new Bill, the State can process any data without the consent of the data principal. For example, under the deemed consent clause the State is empowered to process not just the personal data of the data principal but also sensitive personal data such as financial data, genetic data, sexual data, religious or political beliefs, biometric data, etc. In other words, the law empowers the Government with carte blanche to process the data of any citizen without requiring the consent of the data principal.
The 2022 Bill should address this concern: separate definitions of personal data, biometric data and sensitive data are needed, and they should not be bundled into one definition. The Bill should also ensure that the sensitive personal data of the data principal is not processed without her consent.
Public interest has been defined for the first time in this Data Protection Bill; the previous iterations of the Bill contained no definition of the term. It is noteworthy that the present Bill provides two meanings of the term, which we illustrate in the table below:
Definition of public interest under Clause 2(18): “public interest” means in the interest of any of the following: (a) sovereignty and integrity of India; (b) security of the State; (c) friendly relations with foreign States; (d) maintenance of public order; (e) preventing incitement to the commission of any cognizable offence relating to the preceding sub-clauses; and (f) preventing dissemination of false statements of fact.
Definition of public interest under Clause 8(8): in public interest, including for: (a) prevention and detection of fraud; (b) mergers, acquisitions, any other similar combinations or corporate restructuring transactions in accordance with the provisions of applicable laws; (c) network and information security; (d) credit scoring; (e) operation of search engines for processing of publicly available personal data; (f) processing of publicly available personal data; and (g) recovery of debt;
The Bill creates ambiguity by defining public interest in two places, and it is unclear whether the two meanings are meant to overlap. Moreover, the list under Clause 8(8) is not exhaustive: the provision begins with “in public interest, including for:”, making it illustrative, which means the government will have the power to bring further activities within the purview of public interest.
Public interest is a broad term and has been defined by the Supreme Court in a number of cases for different purposes. We believe that no straitjacket definition can be attributed to the term and, therefore, the Bill should not attempt to define it.
Is there a need for notice?
The 2019 and 2021 Bills made it mandatory for data fiduciaries to give notice to the data principal about the other data fiduciaries with whom the processed data would be shared. Clause 6 of the 2022 Bill makes no such provision. It does not require data fiduciaries to give notice to the data principal when her personal data is processed by a third party.
A notice by the data fiduciary to the data principal allows her to make an informed decision about the processing of her personal data. The 2022 Bill should consider a provision like that of the California Consumer Privacy Act, 2018 [2] (CCPA), which requires businesses to inform the consumers from whom data is collected whether their data will be sold or shared further, at or before the point of collection. The 2022 Bill should empower the data principal to opt out of the process in cases where her data is sold to a third party by the data fiduciary.
Half-baked consent requirements
Clause 11 of the 2019 Bill made the requirement of consent mandatory for the processing of personal data. The clause was detailed and required that the consent be free, informed, specific and clear. The 2022 Bill does not contain detailed definitions of these terms. The 2022 Bill also does not provide the consent requirements for processing sensitive personal data, as the definition of sensitive personal data is missing from the Bill.
Further, the 2019 Bill provided that where the data principal withdraws consent without any valid reason, the legal consequences of such withdrawal shall be borne by the data principal. The present Bill, however, provides that the legal consequences shall be borne by the data principal regardless of whether the reasons for withdrawing consent were valid. The Bill provides an illustration, which may be reproduced here:
The Illustration of Clause 7 (4) of DPDP Bill, 2022
There may be situations where the purpose of processing is fulfilled and the data principal no longer desires to give consent, but that does not disentitle the data principal from availing of the services. For example, A, who has been visiting the country’s renowned hospital for her treatment, gets to know that there was a data breach at the hospital. The next time she visits, she refuses to give her number at the patient slip counter. The hospital cannot deny her services, because she has a reasonable apprehension of harm that may occur to her due to the said breach.
Free, informed and specific consent is a necessary facet of an informed democracy. There is a need for a provision within the law that requires the request for consent to be separated from other requests. Further, the Bill should ensure that specific and clear consent is obtained for processing the sensitive data of the data principal.
Deemed Consent: an autonomy exercised by the government on behalf of data principal
Like the 2019 and 2021 Bills, the present Bill also contains a clause for non-consensual processing, now called “deemed consent.” The clause lists the grounds on which the personal data of the data principal can be processed without her consent. These include wide phrases such as public interest, reasonable purposes, the performance of any function under any law, employment, etc. Public interest may include the operation of search engines, credit scoring, recovery of debt, etc. Thus, processing for such purposes can be carried out without obtaining the consent of the data principal.
Given the wide scope of the clause, and the absence of safeguards, the provision can be used as a tool by various state instrumentalities, for processing of personal data under the deemed consent.
The Justice B.N. Srikrishna Committee, in its report, noted that permitting non-consensual processing by entities for all kinds of public functions may be too wide an exception to consent. The committee referred to para 181 of the Puttaswamy judgement, wherein the Supreme Court had commented on the need for non-consensual processing. The Court noted that in a welfare state, data mining by the state in order to provide public resources to the marginalised, and the collection of their authentic data, is valid. However, the Court cautioned that the data the state has collected has to be utilised for legitimate purposes of the state and ought not to be utilised without authorisation for extraneous purposes. This ensures that the legitimate concerns of the state are duly safeguarded while, at the same time, privacy concerns are protected.
When the Bill is read in the light of this judgement, it becomes clear that the provision is in violation of the pronouncement of the Supreme Court.
Therefore, we suggest that the scope of the clause be narrowed so that it does not vitiate the very purpose of the law. The tests of legality, legitimate state aim, proportionality and procedural safeguards, as set out in Puttaswamy, should be made an essential threshold for processing data under the Bill.
[1] (2017) 10 SCC 1
[2] California Consumer Privacy Act of 2018 [1798.100 - 1798.199.100]