In its fourth iteration since 2017, the Digital Personal Data Protection Bill 2022 attempts a better “comprehensive legal framework”. The bill operates on a triad—data principal, data fiduciary, and grievance resolver. Though prima facie, it looks similar to the General Data Protection Regulation (GDPR), the bill has welcome changes and grey shades. Unlike the GDPR, the bill boldly defines “harm”, “loss”, and “public interest” in small lists. A first in India's legislative history, the bill uses “her” and “she” for an individual, irrespective of gender—a welcome populist and inclusive move.
To prevent myopic sub-contextual understanding, it’s imperative to hold global and domestic dimensions close, specifically multi-country collaboration and “instrumentality of state”. They expose potential proclivities when a sovereign democratic state balances citizen privacy against aggression of the world order in the maze of dynamic cross-impacting technology vectors building volume, velocity, and variety of digital citizen data.
With the G20 presidency and multiple Free Trade Agreements (FTA)/ Regional Trade Agreements (RTA) in advancing cross-border digital transformation, India will have to find solutions for Data Free Flow with Trust (DFFT) and cross-border data flows.
Elephant in the room: Multi-country collaboration & instrumentality of state
India, by the turn of the decade, is projected to be world’s third largest economy and will have one of the world’s largest digital personal data footprints in motion and at rest. The bill’s essentiality shines in India's ever strengthening role in the global order. With the G20 presidency and multiple Free Trade Agreements
(FTA)/ Regional Trade Agreements
(RTA) in advancing cross-border digital transformation
, India will have to find solutions for Data Free Flow with Trust
(DFFT) and cross-border data flows. Close on the heels of 2022 CERT-India guidelines
and subsequent FAQs
(which clarified “the technology logs may be stored outside India…”), the Digital Personal Data Protection Bill 2022 allows the transfer of personal data outside India. In “public interest”, the bill includes “friendly relations with foreign States” and “preventing dissemination of false statements of fact (counter disinformation
)”. This will vest powers with the Central government to specify countries where India's personal data can reside and echoes the diplomatic dynamics in QUAD
, both regional multilateral groupings. Though this provision will foster diligent cloud adoption and large data volumes to build and train more sophisticated machine learning and artificial intelligence algorithms with immense problem-solving capabilities in healthcare, space technology, geospatial collaboration, autonomous vehicles, disaster management, etc., the bill is silent on recourse if a previously notified country were to go rogue and be de-notified at a later date.
As per Telecom Subscription Data,
Indian wireless telephone subscribers are at 1.15 billion. They are the world’s second largest mobile applications’ downloaders. Facebook, Instagram, Google, Snapchat, LinkedIn, Truecaller, YouTube, etc., running in excess of 1 billion downloads each, are immensely data-hungry and hyper-personalising advertisement tech-giants; and thus, collect vast amounts of personal, private and identifiable data. This data passes through multiple downstream and lateral chained data processors of data fiduciaries, where, often, the data fiduciary does not have any control over the downstream and lateral movement and processing of digital personal data across applications and servers transacting in multiple countries. This necessitates multi-country collaboration and, therefore, “any instrumentality of the State in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these” fall under exemptions in the current edition of the Digital Personal Data Protection Bill.
Managing the near-impossible balance of personal digital anonymity in the gargantuan volume of digital transactions while ensuring anti-money laundering or combating the financing of terrorism, therefore, falls straight under “instrumentality of the state”.
Like physical currency, the Reserve Bank of India (RBI)'s Central Bank Digital Currency (CBDC)
(concurrently launched and designed as sovereign digital currency) needs to incorporate anonymity. All digital transactions leave trails and cloud anonymity. To manage CBDC transactions, the RBI has introduced the principle of Managed Anonymity—“anonymity for small value and traceable for high value” (akin to physical cash). As per National Payments Corporation of India (NPCI
), by October 2022, the total digital transactions were 54 billion. Managing the near-impossible balance of personal digital anonymity in the gargantuan volume of digital transactions while ensuring anti-money laundering or combating the financing of terrorism, therefore, falls straight under “instrumentality of the state”.
As per the Supreme Court
, if the Central government holds the entire share capital of the body and provides for the current and future expenditure, and if the body performs functions of public importance considering its relevancy with governmental functions, it may justify “instrumentality of state”.
While there’s a need to equip the Central Government with the necessary wherewithal for the security, sovereignty, and integrity of India and the maintenance of public order internally, a mixed dampener is the extended list of exemptions with unclear attributions, accountability, and reasons. The lack of definition of service levels (like turn-around time and accountability matrices) in a “digital by design” grievance resolver “Data Protection Board of India” is disheartening. Unclear clauses and absent practical citizen recourse could grant the central government extensive powers, while absolving it of accountability, to facilitate mass surveillance. This will defeat the purpose of the bill and, therefore, a comprehensive and practical citizen recourse framework against overreaching state interference in citizen privacy needs to be in the bill’s amendment.
Unclear clauses and absent practical citizen recourse could grant the central government extensive powers, while absolving it of accountability, to facilitate mass surveillance.
Suggested interventions and amendments
- In the "Consent" section, the bill must mandate if the consent manager is a consent bot. The data fiduciary must inform its users of all personal data processing and storage that takes place on the domain by the bot; ask for explicit and clear consent for the activation of cookies that process personal data, documents; securely store the obtained consents and renew consent regularly. Upon consent renewal cessation, data collected and processed must be destroyed and its confirmation provided to the data principal. Consent shouldn't be masked under ambiguous rule-based or user-behaviour data-analysing bots or unassuming captchas.
- The fact that the bill neither allows Data Fiduciary to “undertake such processing of personal data that is likely to cause harm to a child”, nor “undertake tracking or behavioural monitoring of children or targeted advertising directed at children” is another important dimension. Before processing any personal data of a child, data fiduciary needs to obtain verifiable parental consent. The Indian student population is legally a “Child” when they are younger than 18 years old. Indian students (more than 350 million in 2022) constitute the world’s largest student body. This clause prohibits data fiduciaries such as YouTube, Amazon, Spotify, Meta, Google, etc. from exposing children to targeted advertisements. How the advertisement- or subscription-centred tech giants will react to the misuse of this condition to dodge advertisements/subscriptions remains to be seen. Operationalising this will need robust grievance control mechanism.
- In definitions, “public interest” should include “peaceful production, consumption, and growth of goods and services and employment or entrepreneurship of persons in that endeavour”.
- In “Application of the Act” section, the clauses must additionally and clearly stipulate the four conditions' grid and application of clauses viz. a) Citizen inside India, personal data processed outside India; b) Citizen inside India, personal data processed inside India; c) Citizen outside India, personal data processed outside India; and d) Citizen outside India, personal data processed inside India. In “offline personal data”, the bill is grey if massive digital personal data is stored in mass storage detachable devices, transmitted, or processed across Indian borders.
- While giving reasonable opportunity of being heard, the bill introduces stiff non-compliance penalties "not exceeding rupees five hundred crore in each instance". Although it’s essential to build credible deterrence, heavy penalties will severely impact the continuously-throbbing globally 3rd largest start-up ecosystem in India. To balance deterrence and enterprise heartbeat, a ramp-based penalty system is recommended.
- The bill doesn’t stipulate digital personal data processing and retention duration limits, process of destruction, and confirmation to the Data Principal at the end of defined retention tenure or duration necessary for legal or business purposes. These systems need to be time-bound.
- Instead of an “OR” condition, for native mono-lingual citizens, bill condition should be amended to “in English and any two languages specified in the Eighth Schedule to the Constitution of India”.
- Will the primary data fiduciary be accountable for digital personal data protection and lapses through the lateral or downstream chain of contracts of data processors? In personal data breach incident in this chain of data processors, which Data Protection Officer is answerable to Data Principal’s questions and complaints? The amended bill must have these answers.
- Shouldn't data collected during the regular operations of the Data Protection Board of India also remain protected by this act? Why should there be “No suit, prosecution or other legal proceedings” against the Board or its Chairperson, member, employee, or officer?
- The bill is silent on non-consensual massive CCTV or other video/ audio recordings and their manipulation. Misuse violates IT act 2000 and Article 21 of Indian Constitution and allows defamation case under IPC sections 500, 506. Will these penalties be imposed over and above the non-compliance penalties?
In its attempt to balance national security, public order, ease of doing business, global diplomacy and cross-border cooperation, technology velocity, and data volumes, the Digital Personal Data Protection Bill 2022 does a fine-balancing act. While in the formative normative stages the Central government must have room for navigation, if the reservations and amendments in their respective context can be operationalised seamlessly, the bill can be the global digital personal data protection laws’ fore-runner.
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.