India’s data protection law needs refinement

Parliament is going to table the Digital Personal Data Protection (DPDP) Bill, 2022 in the monsoon session with some significant changes, including lowering the age of consent for data processing and providing exemptions for certain companies.

• Last year, the bill was released for public consultation.

Key provisions of the Bill:

• Aim: The Digital Personal Data Protection Bill, 2022 introduces a new framework for personal data protection, making it paramount to comprehend and understand its applicability and functions.
• Formation of Data Protection Board of India (DPB): The latest draft proposes a new regulatory framework that was present in previous versions, which now significantly limits the scope of the envisioned Data Protection Board of India (DPB) vested with significant regulatory-making, enforcement, and adjudication powers.
• Government’s procession of personal data and exemptions allocated:
  • The present Bill also includes significant exemptions to the state's handling of personal data.
  • First, as previously indicated, the Union government has the authority to establish "fair and reasonable" reasons for which personal data can be used without the consent of a data principal.
  • Second, most data protection standards are waived off if the processing is done "in the interests of preventing, detecting, or investigating any offence or other violation of any law.”
• Lowering Age of Consent:
  • The Bill had fixed the age of consent at 18 years, requiring parental consent for processing data of individuals below 18.
  • The upcoming Bill will adopt a graded approach, allowing a case-by-case determination of the age of consent.
• Provisions for Data Fiduciaries’ (SDFs):
  • DFs have to fulfil certain additional obligations for greater scrutiny by the government.
• Definition of a Child and Exemptions:
  • The definition of child may include individuals below 18 or a lower age as determined by the Central Government.
  • In the 2022 draft, the definition of a child was an “individual who has not completed eighteen years of age”.
  • Certain entities dealing with children's data may be exempted from obtaining parental consent if they can demonstrate verifiably safe data processing practices.
• Relaxations on Cross-Border Data Flows:
  • The bill allows global data to flow by default to all jurisdictions other than a specified negative list of countries where such transfers would be restricted.
• Penalties:
  • It provides financial penalties with a cap of 500 crores, which proves to be of much higher quantity as compared to the PDP Bill, 2019.
  • In addition to this, the legislation imposes obligations on data principals, and if they fail to comply with the regulations, fines of up to 10, 000 can be levied.

Stages for introduction of Data protection Bill:

Concerns associated:

• Limited in its scope and effect: The DPDP Bill only protects personal data that is any data that has the potential to directly or indirectly identify an individual.

• • This process of re-identification of non-personal data poses significant risks to privacy.
  • Such risks were accounted for in previous versions of India’s draft data protection Bill, in 2018 and 2019, but do not find a place in the latest draft.
• Limited reach of data protection board:
  • Under the Bill, the board is the authority that is entrusted with enforcing the law.
  • The board can only institute a proceeding for adjudication if someone affected makes a complaint to it, or the government or a court directs it to do so.
  • The only exception to this rule is when the board can take action on its own to enforce certain duties listed by the Bill for users.
  • This is for the adjudication of disputes between the law and users.
• Limited knowledge of data transfers and exchanges:
  • Due to the ever-evolving and complex nature of data processing, users will always be a step behind entities which make use of their data.

Way forward:

• The government should lead by example in prioritizing data protection as it plays a significant role as a data fiduciary and processor.
• Creating an independent and empowered data protection board with parliamentary or judicial oversight is crucial for effective governance and enforcement of data protection regulations.
• Finding the right balance between stringent regulations to safeguard personal data and fostering innovation is essential. Overly prescriptive and restrictive norms can stifle innovation and impede cross-border data flows.