The Ministry of Electronics and Information Technology (MeitY) has extended the last date for receiving public comments on the Digital Personal Data Protection Bill, 2022, by another two weeks to January 2.
In an interview, Supratim Chakraborty, Partner, Khaitan & Co, who also leads the Privacy and Data Protection Practice at the corporate law firm, says the draft bill has not identified certain necessary aspects such as timeline for enforcement of the law (i.e. the sunrise period that will be available once the bill becomes a law). Therefore, at this stage it is important that stakeholders provide their constructive and specific feedback to the Ministry, so that they are able to absorb the feedback and finalise a more well-rounded draft of the bill, he says. Edited Excerpts:
Freedom of speech and the right to privacy are both synonymous with digital rights. Considering the extensive digital framework that exists in India, the protection of such rights is imperative. Unfortunately, it has been a difficult journey for data protection laws. Do you think this Bill will succeed in making a significant and positive change to the current scenario of digital rights?
Agree that the journey up to the release of the Digital Personal Data Protection Bill has been quite long. Right from its inception to the present date, I am cognisant of the trajectory that several iterations of draft data protection bills have had. At the core of all this is the prime goal to preserve digital rights and privacy of individuals. Being an optimist, I am quite hopeful that the new bill will pave the way for India on the digital rights front. Although the draft bill requires some refinements and tightening, it appears to have the framework to bring about this positive change.
The bill has, deliberately, moved away from an orthodox approach of a compliance-heavy legislation to a draft that attempts to balance the digital rights and interests of data principals whilst addressing the practical challenges faced by businesses. It is important at this juncture that innovation and digital growth of the country go hand in hand with protection of individuals’ digital rights. The government is undertaking public consultations and is organising stakeholder meets to discuss concerns. I understand that significant constructive feedback is being provided by stakeholders on the bill. Hopefully, all these will be taken into consideration effectively and we will get to see the rolling out of a robust data protection law.
This DPDP Bill 2022 is the revived version of the Personal Data Protection Bill, 2019 that was shelved in its entirety in August earlier this year. The format, scope and approach of the DPDP are much simpler compared to its earlier version. However, critics say that there are several provisions still left open-ended. Which, according to you, are some of these gaps and how can we plug them?
The approach of the bill has been to keep it largely principles-based, lean and succinct. As a result, quite a bit of detailing is proposed to be carried out subsequently through rule-making. This construct is probably by design and is not necessarily detrimental for all provisions of the bill. The rapidly evolving nature of technology mandates that our laws also remain nimble. Rules could be an avenue to bring about that nimbleness. Therefore, the concern of stakeholders that certain provisions of the bill are not detailed enough or vague in terms of the exact nature of compliance will possibly get resolved when the rules are released.
That being said, the draft bill has not identified certain necessary aspects such as timeline for enforcement of the law (i.e. sunrise period that will be available once the bill becomes a law). Therefore, at this stage it is important that stakeholders provide their constructive and specific feedback to the Ministry, so that they are able to absorb the feedback and finalise a more well-rounded draft of the bill.
The phrase “as may be prescribed” occurs at 18 places covering Data Protection Board (DPB), form and manner of personal data breach notifications, registration and functions of consent manager, parental consent for processing of personal data of children, additional obligations for Significant Data Fiduciaries, etc. Do we need to be more precise and detailed with regard to such phrases?
As indicated in my previous response, this draft bill has attempted to take a unique approach towards legislation drafting. There has been an attempt to keep it brief and precise, and to primarily provide guiding principles. Granular and procedural aspects are expected to be released later, by way of issuance of rules. This approach may prove to be effective for many of the provisions as the law can be kept more dynamic in this manner. Amending the mother legislation, time and again, could be cumbersome and time consuming.
The lack of elaboration of the role and composition of the DPB, and the terms and qualifications of the chairman and members has raised questions regarding the scope, independence and autonomy of the Board especially since the power of appointment vests with the government. What’s your view on this?
Agree that certain provisions of the bill require refinements and some more detailing. In this regard, I understand that a number of stakeholders are providing their inputs, in order to make this a comprehensive umbrella legislation. While absorbing the stakeholder feedback, the aim should be to ensure that this bill does not get watered down or struck down by courts in future. We can also expect that the rules under the bill will throw more light in the context of composition of the Data Protection Board of India.
Excessive reliance on user consent is out-of-sync with reality and puts a disproportionate burden on the user to protect her data. Under this Bill, consent cannot override data protection stipulations. Consent can be given directly or through consent aggregators accountable to the Data Principals (those to whom the personal data relates), increasing accountability. However, providing choice of any language to a user for consent could be a burden. Your comments please.
The mandate of making consent requests available in local Indian languages is probably keeping in mind the linguistic diversity of the country. Such a condition may have been added so that data principals are able to understand and access basic information in relation to their personal data in their local language. This in a way ensures that individuals are able to make a fair assessment of the nature and purposes of usage of the personal data being sought from them. While this move is commendable and in the interest of the data principals, this could be a challenge for several businesses who may not have the resources to comply with such an obligation. Also, translated versions may not always be accurate unless done by professionals.
Notably, this translation requirement is mandatory and not optional, unlike the position under the 2018 draft data protection bill wherein privacy notices were required to be made available in multiple languages only where necessary and practicable. This will certainly be a challenge at least in the initial stages of complying with the new law. Hence, a middle ground could be recommended here to ease the compliance burden. Instead of maintaining translations in 22 languages, entities could be asked to maintain translations of their privacy notices and consent requests in a few specific languages based on their targeted audience.
It is unclear whether the prescribed obligations for handling data of minors apply only when they disclose that they are children. The Bill does not require data fiduciaries (persons determining the purpose and means of processing personal data) to undertake KYC to determine if a user is a child — that would have compromised rather than protected her data. However, obtaining verifiable parental consent prior to processing children’s personal data could pose challenges, undermine privacy of both. What’s your take please?
Undertaking KYC to identify if a user is a child might actually be counterproductive to privacy. Having said that, the obligation to obtain verifiable parental consent is not uncommon and several countries have laws which provide for such obligations with respect to processing of children’s data. Further, it is true that young adults under 18 years are prolific users of the internet and parents/guardians may not be able to effectively give consent given their lower participation in the digital ecosystem. Therefore, a young adult category can be thought of in the bill. On age gating content, it may be pertinent to note that regulation of content is not the legislative remit of this bill, which pertains to data protection. Having said that, children’s personal data is a sensitive aspect and definitely needs careful and immediate attention from India’s legislative framework perspective.