The 2022 Bill has made significant changes in a lot of important concepts such as data localization, the rights of data principals, and the concept of consent manager, among other things.
What are some of the salient features of the Bill?
The movement of data localisation has been made simpler in order to ease cross-data flows. In contrast, the 2019 Bill had stringent provisions in relation to the transfer of personal data, especially critical personal data.
However, there are certain issues which remain to be resolved. It has been stated in Clause 17 of the 2022 Bill that the Union Government may, after an assessment of “such factors as it may consider necessary”, notify such countries or territories outside India to which a data fiduciary (defined in the Bill as any person who “determines the purpose and means of processing of personal data”) may transfer personal data. However, there is no mention of the ‘factors’ which will be taken into consideration while transferring data outside India.
The 2022 Bill has categorically not used the term ‘data localisation’, yet it bestows the power onto the Union Government to notify such countries or territories where data can be transferred, after considering such factors as it considers necessary. There are no set criteria upon which these factors can be based, bringing in an element of subjectivity; possibly an angle of geopolitics and international relationships.
It is interesting to note that data localisation was an underlying tone of the data protection endeavour of the Indian regime for about half a decade. Be it the Bills of 2018, 2019 or 2021, it found repetitive mention within the provisions of each. However, a stark contrast comes in the 2022 Bill, which has categorically not used the term ‘data localisation’, yet it bestows the power onto the Union Government to notify such countries or territories where data can be transferred, after considering such factors as it considers necessary. There are no set criteria upon which these factors can be based, bringing in an element of subjectivity; possibly an angle of geopolitics and international relationships.
The role of the Consent Manager has been kept the same as it was in the 2019 Bill. The consent manager will have to get registered with the Data Protection Board.
The Bill could have explained in detail the functions of the consent manager, considering the fact that a large section of the population still doesn’t know the intricacies of giving consent on digital platforms.
Data Protection Board of India
The Data Protection Board of India has been entrusted with the responsibility of looking at complaints related to data breaches; in case it finds that there has been a violation of the Data Principal’s rights (data principal being, according to the Bill, “the individual to whom the personal data relates”), it shall conduct an inquiry following the principles of natural justice.
Ironically, the Bill provides that the Board shall function independently; knowing that its composition and functioning is primarily with the Union Government, it is hard to imagine it being able to function independently.
At the same time, the independence of the Data Protection Board remains to be seen, considering the fact that the Union Government will be appointing the members of the Board. In addition, the terms and conditions of the service will also be determined by the Union Government.
The Data Protection Board, replacing the Data Protection Authority of India (‘DPAI’) from the earlier Bills, in its intrinsic nature seems more like a quasi-judicial body. The role of the DPAI was pretty much on the lines of the Data Protection Commissioner of the European Union, and had a larger role in consulting the Union Government on major policy decisions, such as on cross-border transfer of data. However, starting with the 2021 Bill, data protection has turned more Union Government-centric, and this role seems to be more augmented within the 2022 Bill.
Additionally, the function of the board as delineated within the bill is not as liberated as that of the DPAI, primarily because the role of the Board is more along the lines of a grievance redressal mechanism, though non-compliance is a ground for taking action. Yet, the Board will function on an individual basis; in the event of individual data breaches, the Board may direct the concerned data fiduciary “to adopt any urgent measures to remedy such personal data breach or mitigate any harm caused to Data Principals” (see Clause 20).
Additionally, under clause 20(1)(b), the Board will perform such functions as the Union Government may assign to the board. This needs to be read along with the fact that the Board is composed by a notification by the Union Government, and the major functions of the Board have to be allocated by the Union Government. Ironically, the Bill provides under clause 21(1) that the Board shall function independently; knowing that its composition and functioning is primarily with the Union Government, it is hard to imagine it being able to function independently.
The other side from which the Bill needs to be explored is that it has explored the side of multilingualism. Under Clause 6(3) of the Bill, notice for processing of personal data shall be given to the data principal by the data fiduciary in an itemised form and in one of the languages mentioned in the Eighth Schedule of the Constitution (there are 22 languages mentioned in the schedule) as per the option chosen by the data principal.
Understanding the linguistic diversity in our country and the inability of the masses to comprehend the English language, this is a welcome move by the Bill.
Onus on the data principal
Interestingly, the 2022 Bill has also brought onus on the data principal in a manner that the previous bills did not. The 2022 Bill demands that the data principal shall furnish only such information as is verifiably authentic while exercising the right of erasure or correction. However, a reading of Clause 16(1) indicates a bigger responsibility onto the data principal, since it demands that the data principal should comply with all the provisions of the applicable laws while exercising rights under provisions of the Bill.
It genuinely seems like a considerable demand from Indian users, who to a large extent seem ignorant of the existing legal framework.
The exemption clause seems to have withstood the battering of time. Like the previous bills, the 2022 Bill has also empowered the Union Government to exempt instrumentalities of the State from the application of the bill.
The Bill demands that the data principal should comply with all the provisions of the applicable laws while exercising rights under provisions of the Bill. This genuinely seems like a considerable demand from Indian users, who to a large extent seem ignorant of the existing legal framework.
Interestingly, it seems that the exemption clause has relaxed the standard of safeguard to be provided by the instrumentalities of the government. The 2019 Bill, under the proviso of its Clause 35, had recommended that though agencies of the government are exempted from the provisions of the bill, yet they have to provide such procedures, safeguards and oversight mechanisms as may be prescribed for the processing of personal data. The definition of “such procedure” was later added on by the 2021 Joint Parliamentary Committee report in its Recommendation no. 56 as “just, fair, reasonable and proportionate procedure”. As per the new section under the bill (Clause 18), the standards will be set by the Board.
Scope for ADR
Another key feature of the Bill is its introduction of alternative dispute resolution (‘ADR’) in cases in which the Data Protection Board deems it to be fit that the matters between the parties can be settled through ADR mechanism.
However, it will be imperative for the Data Protection Board of India to release a set of guidelines so that the parties opting for the ADR mechanism are well aware about the procedure which is going to be followed. A similar kind of mechanism is present in the EUGDPR, Article 65 of which provides for derogation in case the permission is granted for opting ADR.
It has been a little over five years since the right to privacy judgment has come out. With a lot of optimism, India too had an expectation that personal data protection will soon be provided through a functional mechanism. However, legislative procrastination is turning out to be lethal from the perspective of digital dignity.
There are several interested parties in the data protection mechanism, especially in light of the fact that India is attempting to create a self-reliant India which demands a free flow of data. A relaxed data protection regime will probably ensure an ambience of a sandbox culture with the interoperability of millions of data sets. On those lines, the 2022 Bill seems to be an industry-friendly bill.
However, it has to be remembered that the real principle of data protection is about acknowledging ‘data ownership’ of the data principal, and the creation of a genuine, independent body that works as an arbitrator between private service providers, the government and users towards ensuring protection of personal data. In the absence of an independent body, the power-disparity which was there between private corporations and users shifts to between the government and users.
All said and done, it needs to be remembered that the present bill is still in its consultative stage, and is open to comments from the public.