The full text of our comprehensive response to the Personal Data Protection Bill 2019 is available here.
The introduction of the Personal Data Protection Bill, 2019 (the Bill) in the Indian Parliament on 11 December 2019 signals the final stage of the process to put in place a comprehensive data protection regime for India. The Bill was referred to a Joint Committee of Members of the Indian Parliament (the JPC) for further examination. The JPC called for public comments in February 2020, following which we submitted a comprehensive response on the Bill.
Our comprehensive response is organised into two sections. Section I presents a set of seven overarching concerns with the Bill supported with detailed analysis and recommendations to address them constructively. Section II of the response presents a Chapter-wise analysis of the provisions of the Bill against the previous draft Personal Data Protection Bill, 2018 (the previous Bill), flagging new and persisting issues arising from changes over successive versions of the Bill.
Below, we summarise the overarching concerns outlined in our comprehensive response on the Bill. Addressing these concerns is crucial to create an effective, consumer-friendly data protection framework for India’s unique context.
1. We identify seven aspects of user protections that must be strengthened for the Bill to genuinely guarantee data privacy for Indians.
1.1 The Bill should not remove obligations to give notice to users where their personal data is processed without consent. The Bill dispenses with the data fiduciary’s obligation to provide notice to data principals while processing personal data without their consent. Although non-consensual grounds of processing have always existed in the Bill, previously data principals were required to be notified of such use in most of these circumstances, except grave emergencies. The provisions in the current Bill are wider, increasing opacity for users when there is non-consensual processing of personal data. The Bill should still require notice in these circumstances.
1.2 The Bill should not raise high barriers for data principals to withdraw their consent. The Bill makes the data principal liable for all legal consequences of withdrawing consent to process personal data unless they have a “valid reason”. It is unclear why individuals should bear the threat of all legal consequences for withdrawal. This could disincentivise data principals from withdrawing consent. The Bill should not disincentivise data principals from withdrawing consent. Instead, withdrawal should simply result in termination of the contract and discontinuation of related services.
1.3 The Bill should widen the suite of rights available to users, to meaningfully empower them. The Bill contains a very limited set of rights for data principals. The absence of a full suite of user rights could result in the scales being tipped against users who may seek to achieve more autonomy and control over their data. Additional rights that can be included to level the field between data fiduciaries and data principals include: (i) right to clear, plain and understandable notice for data collection; (ii) right to be asked for consent prior to data collection; (iii) right to adequate data security; (iv) right to privacy by design (including privacy by default); (v) right to breach notification; (vi) rights relating to automated decision-making; (vii) right to informational privacy; and (viii) right against harm.
1.4 Data principals should not be charged fees (or should be charged only nominally) for exercising their rights. Data principals can be asked to pay a fee for exercising some of the rights in the Bill, e.g., the right to obtain a summary of the processing activity undertaken on their data and the right to data portability. We worry that charging a fee can raise barriers to exercising rights for low-income Indians who are becoming more digitally active but whose incomes remain low.
1.5 The Bill should not restrict users’ right to seek remedies. The Bill appears to limit individuals’ rights to directly seek remedies in courts when criminal offences are committed against them, or to approach the Adjudicating Authority of the DPA to initiate civil inquiries. Certain provisions (s. 83 and the proviso to s. 63(1)) state that a court or an Adjudicating Authority can only act upon a complaint filed by the DPA. Similar provisions restricting citizens’ ability to approach courts were held to be violative of rights by the Supreme Court when adjudging the constitutionality of the Aadhaar Act. We recommend that the relevant provisions be removed from or amended in the Bill.
1.6 The Bill should not make the notification of personal data breaches contingent on the breached entity’s determination of “harm”. The Bill requires data fiduciaries to issue a breach notification to the DPA only when they are satisfied that the breach is likely to cause harm. The DPA then determines if a breach notification should be conveyed to a data principal. Given that the concept of harm is not clear in the Bill (see point 5 below), it should not be the basis for deciding whether breach notifications need to be issued. In addition, it is the breached entity itself that must make this determination. This could create the wrong incentives for companies suffering breaches, which now have to make a subjective decision on whether to report the breach. The process also creates a bottleneck at the DPA, which may delay notification of a breach to data principals. Instead, all data breaches should be reported to the DPA, and data fiduciaries should have the freedom to reach out to data principals where direct actions are required following a breach.
1.7 The Bill should strengthen obligations for data fiduciaries to incorporate Privacy by Design. The Bill requires data fiduciaries merely to create privacy-by-design (PbD) policies that comply with its provisions. This obligation is weaker than that in the previous Bill, which required data fiduciaries to implement PbD policies that would ensure compliance with its provisions. Accordingly, we submit that the version of the provision included in the previous Bill should be reinstated.
2. Changes to the institutional design of the DPA could limit its independence, accountability and effectiveness. The design, powers and functions of the DPA have been considerably weakened in the Bill compared to the previous Bill.
2.1 The design and composition of the DPA should be changed to maintain its independence as a regulator. The composition and design of the Selection Committee and the Management Board are important ingredients required to create an independent, accountable and impartial regulator. Unfortunately, changes in the Bill risk compromising the quality of the future institution. No independent Members from technical and legal backgrounds are required to be part of the Board. The Selection Committee constituted to appoint the Chairperson and Members of the DPA now comprises only Central Government officials (as opposed to the Chief Justice and an independent expert, as was previously the case). Further, the weaknesses in the composition and selection process of the Management Board of the DPA are compounded by provisions such as s. 86 (Power of Central Government to issue directions). It empowers the Central Government to issue binding directions to the DPA without mandating prior consultation with the DPA. Within the context of the weaknesses of the DPA’s institutional design in the Bill, this provision further erodes the independence of the DPA and exposes it to undue governmental interference.
2.2 The absence of crucial accountability mechanisms can enable a future DPA to act arbitrarily or abuse powers. The DPA envisioned by the Bill is a powerful body equipped with a range of enforcement tools including launch of investigations, levying civil penalties and criminal punishment. However, it does not have adequate internal accountability mechanisms to ensure that it uses its powers appropriately. Further, the DPA is no longer required to publish results of inspections and other comments in the public interest.
To ensure that these punitive powers are not abused or misused, there is a need to create clear mechanisms that guide and fetter the DPA’s discretion. Setting out objective criteria to guide such discretion will also result in responsive regulation that can more cheaply crowd in a rule-of-law orientation among newly regulated entities in a vast regulated space. Further, the DPA’s obligation to periodically report on its enforcement actions should be retained to ensure transparency in regulation, which has been proved to benefit the regulator and strengthen the regulatory regime.
3. Immense powers and exemptions for the State will severely limit the effectiveness of the new regime. Section 35 of the Bill empowers the Central Government to pass orders exempting itself or any of its agencies from any or all provisions of the proposed data protection regime. This provision is a dramatic shift from the exemption for the State provided in the earlier draft of the Bill (under the 2018 draft Bill’s section 42 (Security of the State)). It affords wide powers to the Central Government to abrogate the fundamental right to privacy through executive order, without clear guidance and safeguards to fetter and guide the Central Government’s exercise of power.
Other approaches, such as the inclusion of judicial oversight mechanisms in the section, or specifically setting out clearer conditions for the exercise of the power, are better alternatives to ensure the legitimacy and proportionality of this provision and to ensure it is not adjudged to be arbitrary. For instance, section 42 of the previous version of the Bill required such restrictions to be by “procedure established by such law, made by Parliament and is necessary for, and proportionate to, such interests being achieved”. Otherwise, in its current form, the wide powers delegated through section 35, without clear guidelines for their use or other safeguards, could open the provision up to constitutional challenge.
4. Fair and reasonable processing should be an overarching obligation on data fiduciaries and data processors.
The Bill requires every person processing personal data to do so in a fair and reasonable manner (section 5(a)). However, unlike in the previous Bill, where this obligation was provided in an independent provision, the obligation appears in the Bill as a sub-clause under section 5 (Limitation on purpose of processing of personal data). This change in the position of the provision could create the impression that the fair and reasonable obligation is not an overarching obligation while processing personal data, but is limited to specifying the purpose of processing.
More worryingly, the obligation would no longer appear to apply when entities claim exemptions from obligations under Chapter VIII of the Bill. Specifically, there is no longer an overarching obligation for fair and reasonable processing for Government when it accesses personal data under the State use exemption in section 35 of the Bill. In the previous Bill, the State had an obligation to maintain “fair and reasonable processing” of personal data, even where it has otherwise been exempted from data protection obligations in the Bill. This drastically reduces the protection available to data principals, who were previously assured basic fairness and reasonableness in how their personal data was processed even if none of the other protections of the Bill applied. Accordingly, we recommend that the fair and reasonable obligation in the Bill should be reinstated as an overarching non-derogable obligation for all data fiduciaries to whom the Bill applies.
5. “Harm” should not be a condition on which rights and obligations depend in the Bill.
The Bill makes harm a precondition for twenty-three provisions relating to user protection, fulfilment of provider obligations and enforcement by the DPA. This is worrying because the definition of harm in the Bill is unclear, leaving it to the subjective assessment of entities and severely weakening all provisions that are predicated on the occurrence of “harm”. Rights and obligations in the Bill should be fulfilled irrespective of the occurrence of harm.
6. The Bill should not include provisions relating to the sharing of Non-Personal Data. The Bill includes three new provisions relating to use of anonymised and non-personal data by the Central Government. These provisions are not related to the objectives of the Bill (i.e. personal data protection) and should not be included in the Bill. Policy on non-personal data should be dealt with separately, and by the separate Committee set up by the Government in September 2019 to study various issues relating to non-personal data.
7. The Bill should contain transitional provisions to create certainty about its implementation. The previous Bill provided transitional provisions that clearly laid down the timelines within which its provisions had to take effect, including the establishment of the DPA. Clear timelines help create political will and industry preparedness to implement the data protection regime. There are no comparable provisions in the present Bill, which can severely impede its implementation and data fiduciary compliance. This does not give data fiduciaries and data processors clarity on the time horizon to update their policies and processes. They may not be able to honour the obligations of the Act in a timely fashion. Silence on time frames for enforcing the provisions of the Bill may also adversely affect how much teeth it has in practice. This has a direct impact on individuals’ fundamental right to privacy. Data principals may find themselves in a precarious situation where their rights in relation to their personal data have been upheld by the Parliament but there is no effective machinery to enforce them or remedy contraventions in relation to them.
Our complete response substantiating these seven concerns and providing a Chapter-wise analysis of the Bill is available here.