Glaring gaps, missing pieces in draft data protection bill

In April 2021, Twitter users Santosh Sharma and Ullas PV posted screenshots of data breach alerts they had received from Firefox Monitor, a platform that tracks and alerts users when their data has been compromised.

Santosh (@SantushtiPhotog) and Ullas (@pablo_nicobar) were not the only victims of this data breach. Back in November 2020, cyber intelligence firm Cyble reported that a potential data breach could have leaked the personal details of two crore users of grocery delivery platform BigBasket. Cyble claimed that its research team found the database of the users, which included details like their names, addresses, contact numbers, dates of birth and locations, put up for sale on the dark web for over Rs 30 lakh.

It did not stop there. In April last year, there were reports that the information of BigBasket’s users is now being resold as Flipkart data, with many users claiming that attempts were made to place orders through their accounts. “I am (a) victim of this my 996 supercoins have been used to purchase Domino’s Voucher @Flipkart @flipkartsupport. I didn’t (get) any satisfactory reply from them.” said Laxmikant Pawar (@laxmikant_7) in a tweet. There were more like Laxmikant.

Also read | Designed to enable a surveillance state

While the grocery platform acknowledged, in a statement, that its user data might have been compromised, this came after media reports and several users pointed out the data breach.

However, if the Digital Personal Data Protection Bill, 2022, sees the President’s assent, there would be better safeguards against data breaches, says Sarvesh Mathi, a journalist at Medianama, a source of information and analysis on technology policy in India.

The draft bill requires data fiduciaries, meaning the entities responsible for processing the data, to inform both the data principal — the individual to whom the data relates — and the Data Protection Board of India in case of any data breach.

“For example, in BigBasket’s context, their customers have to be notified of this and they have to be told what data has been leaked,” Sarvesh says.

The Ministry of Electronics and Information Technology (MeitY), on November 18, released a draft Digital Personal Data Protection Bill three years after it withdrew the earlier version of the proposed legislation — the Personal Data Protection Bill 2019.

While there have been multiple iterations of proposed legislation on the topic of data privacy in Asia’s third-largest economy, the draft bill that has now been laid out for public comments has quite a few differences from its previous version.

For instance, to the relief of companies choosing to store data in foreign data centres, the government will allow them to transfer data outside India to countries that will be notified later. The draft bill does away with data localisation requirements for the transfer of “sensitive” and “critical” personal data, which appeared in previous iterations of the draft law.

The provision protecting the rights of children is one of the many promising aspects of the draft bill, says Deloitte partner Manish Sehgal. “The current ways in which a child engages with online applications utilities will undergo a change as consent will be required by child’s parent(s) or legal guardian before online utilities may collect or process child’s personal data,” he says.

Section 10 of the draft Bill also prohibits data fiduciaries from tracking or monitoring the behaviour of children or directing any targeted advertising at children.

Legal experts also agree. Although the provisions around children’s data protection are a welcome move, they are the “only good thing” in the draft bill, says Mishi Choudhary, senior vice president, Virtru Inc, which provides digital privacy technology, and founder of SFLC.in, a legal services organisation.

Also Read | Government imposes stiff fines under Data Bill

Abuse of rule-making power

Section 26 of the bill allows the Central Government to enact rules by way of notification in a way consistent with the provisions of the Act. In India's legislative parlance, ‘Rules’ often complement ‘the Act’, detailing the manner of implementation of provisions prescribed therein.

It also adds that each of such Rules made under this Act can be brought into effect by laying them before both Houses of Parliament, during which any changes are entertained. However, unlike a bill being debated, rules can be made applicable after a 30-day period in each of the Houses.

While rules are required for any law, in this particular bill, the government leaves too many details to rules, says Mishi.

“In the past few years, the government has used the rule-making power to extend its own jurisdiction,” she explains. This turns the proposed Act into “mostly a fig leaf” with all the power resting with the government.

However, the “open statements” in the current version of the bill are "very likely" to be refined in the final version bringing a right balance between privacy fundamentals and a digitally progressing economy, says Sehgal.

"The European Data Protection Board (EDPB) continues to offer practical guidelines, recommendations and best practices even when General Data Protection Regulation (GDPR) completed its fourth anniversary, similarly such practical rules and guidelines will be necessarily offered by competent authorities for effective implementation of the bill once enacted," he adds.

Also read | India's Data Protection Bill has a privacy problem

Surveillance tool

Section 18 of the draft bill also lays out instances in which a data fiduciary — be it a private entity or the State itself — can be exempted from some of the provisions of this Act.

One of the clauses under this section exempts provisions, including the grounds of processing personal data, obtaining consent from the data principal and the need for the data fiduciary to give a notice, among others, if “personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law”.

Some believe that the government could use such exemptions as a surveillance tool.

For instance, while data from CCTVs can be put to good use like issuing challans for breaking traffic rules or finding criminals who are on the run, it could also be misused, says Sarvesh. “They can track a particular individual they know is going to be a problem for them. This individual might be one who’s protesting against the government and they can track them even before the protest begins. And there’s nothing to stop them (the government) from any of this,” he says.

This is in stark contrast to data privacy laws in other countries. “States' surveillance powers are checked by the GDPR,” says Alok Prasanna, co-founder, Vidhi Centre for Legal Policy.

Europe’s GDPR allows for video surveillance measures only if the purpose of processing data could not reasonably be fulfilled by other means that are less intrusive to the fundamental rights and freedoms of the data subject.

The government is creating a dichotomy in data protection by laying out sweeping powers to exempt the State, Prasanna adds.

Others feel that there have been no checks on the government’s ability to use data as a surveillance tool. “There has been no surveillance reform. Government can do anything it wants and can access any data,” says Srinivas Kodali, a researcher at Free Software Movement of India.

The draft bill also lands a massive blow on the Right to Information Act 2005, which has enabled citizens to hold their public representatives to account. Section 30 of the bill proposes to amend a clause in the RTI Act 2005, which allowed disclosure of information related to a private individual only in such cases where the Central Public Information Officer or the State Public Information Officer or the appellate authority is satisfied that the larger public interest justifies the disclosure of such information. This means that even in instances where an RTI applicant wants to access information related to the private assets of a public servant and/or their dependents, no special exemption can be given even if the case justifies larger public interest.

Idea of consent

The draft bill requires a data fiduciary to give notice of the kind of personal data being sought and the purpose for processing such data. It does not prevent companies from further processing this data.

Such an idea of consent, experts point out, goes against ‘purpose limitation’, considered a good standard principle in GDPR. The ‘purpose limitation’ principle requires that data collected for one specified purpose should not be used for a new, incompatible purpose. “No further processing without further consent,” says Anushka Jain, policy counsel, Internet Freedom Foundation.

While Section 6 of the draft bill requires the data principal to be notified about the kind of personal data being collected and the purpose of processing, it does not provide for them to be notified about which third party the data will be shared with and for how long.

This is a problem because “a user would be okay if Google were to use their data to personalise ads, however, they might not be okay with the search engine sharing this information with third parties,” says Ameen Jauhar, a senior resident fellow at Vidhi Centre for Legal Policy.

Consent as a principle needs to be followed throughout the life cycle of data processing, he adds. “It has been well documented in the landmark Puttaswamy case that consent needs to be there for data processing as a whole and getting it only at the point of collection of data dilutes the understanding of consent,” Ameen says.

Redressal and recourse

Section 19 of the bill states that the establishment of a Board to address the grievances of the stakeholders, its composition, terms and conditions of its members and their removal will be controlled by the Central Government, raising questions on its independence.

Although the draft bill says the functioning of the Board needs to be independent, there is nothing to show how the government plans to achieve this, says Sarvesh.

“Suppose the government puts out a rule saying that the Ministry of Information and Technology will appoint all the members of the Board, then the Board is just the government’s puppet. And this becomes especially a problem when the person who is misusing the data is (from the) government,” he adds.

Additionally, the draft bill allows the Board to hear complaints and gives it the powers of a Civil Court, binding all stakeholders with the orders of the Board. However, those unhappy with the order could appeal at the High Court.

The government invited feedback on the draft bill in a chapter-wise format through the MyGov portal by December 17, 2022. However, the government has maintained that the comments received will not be disclosed and “held in fiduciary capacity, to enable persons submitting feedback to provide the same freely.”

This, too, goes against the pre-legislative consultation process, says Anushka.

While the stakeholders are glad that the long overdue bill will finally see daylight, considering the prolonged deferment, it fails to fulfil the purpose of people’s protection overall, says Mishi.

The draft addresses some key issues like children’s data privacy rights and makes it easier for foreign entities in India to process data across geographies. However, with wide-ranging exemptions carved out for the State and private entities, many details yet to be described by the rules and “nothing concrete” in the Act itself, “it is industry-friendly, government-friendly, but it leaves (out) the people,” says Srinivas.

Even the govt not exempted in case of breach

The draft Digital Personal Data Protection Bill mainly makes those entities, which are monetising data, accountable. In case of a data breach, even the government is not exempted.

Data protection law is a first for many countries across the world. Many countries are still learning. At least we are planning a robust Act. The new legislation makes sure that consumer rights to data protection are captured as rights, said Rajeev Chandrasekhar, Union Minister of State for Electronics and Information Technology.

"We are doing everything in a transparent manner. The Bill achieves the seemingly contradictory objectives of data protection of our citizens, ease of doing business for industry and public interest of efficient governance and national security. If citizens or data fiduciaries have any grievances, they can approach the court," he said.

"The Data Protection Board will be independent. It will have a purely adjudicatory mechanism to decide on the issue of data breaches. The Board's decisions can be questioned in high courts. We have put out the draft bill for public consultation. Let us wait (and see) what kind of feedback we receive from stakeholders. We will take into account public suggestions also before finalising the Bill," the minister said

Exemptions to government agencies

A top government official insisted that no reason to worry about exemptions given to government agencies. Several government departments implement welfare measures. These departments may need to study data for better execution of schemes and to prepare for future welfare schemes. This was one reason behind exempting government agencies, the official said.