Analysis of the Draft Digital Personal Data Protection Bill, 2022
The following are the potential concerns that need to be addressed:
i. The Bill does not define exact timelines – The Bill seeks to impose certain obligations on data fiduciaries without, however, providing a timeframe.
Some examples include:
- the lack of a deadline for deleting personal data (in case of withdrawal of consent),
- lack of timeline for the Board to adjudicate on a complaint,
- no deadline for the data fiduciary to erase personal data once the intended purpose is served, etc.
ii. Wide range of powers to data fiduciaries under the guise of a wide definition of public interest – One of the major concerns in the draft Bill is the vast definition of the term “public interest” for contemplating “deemed consent”. For some reason, this definition includes search engine optimization (or operation of search engines) and “any fair and reasonable purpose,” which includes “any public interest” in processing personal data, and appears to give data fiduciaries a wide gamut of rights.
iii. Ambiguity in the composition/powers of the Board – The Bill does not specify the composition of the Board, which ideally should be defined in the proposed Act itself. Perhaps this issue can be resolved by the corresponding Rules.
- The Board has not been given suo motu powers to adjudicate on issues of breach of personal data, and can act only upon receipt of a complaint.
- Especially in cases involving mass breach (or substantial non-compliance), the Board should have suo motu powers to adjudicate on and impose necessary penalties on the losing parties.
iv. Limiting penalties for privacy breach – The Bill seems to focus on the severity of the non-compliance but not the non-compliance itself. It states that if the non-compliance is not significant, the Board may choose to close the enquiry, and will only take remedial measures in case the non-compliance is significant.
v. Excessive delegation/lack of clarity – The draft Bill appears to be either postponing or delegating many of the complicated (yet important) issues that ideally should be addressed in the proposed Act, by simply adding “as may be prescribed”. For instance, the draft Bill proposes that a significant data fiduciary must conduct a ‘Data Protection Impact Assessment’ in a manner which is not stipulated within the draft Bill at all. The provision simply states that such assessment must be “in relation to the objectives of this Act, as may be prescribed”.
vi. Wide set of exceptions – Section 18 of the draft Bill sets out the exceptions to the preceding Chapters. For instance:
a. Section 18(2) continues with the wide exemption granted to the state without any of the procedural safeguards being referenced.
b. Section 18(3) allows the Central government to exempt any data fiduciary from the provisions of the draft Bill, without any governing principles.
c. Section 18(4) does not explain the reason or basis for granting an over-riding power or right against erasure of personal data.
vii. Safety of sensitive personal data is not properly addressed – Lastly, while the 2019 PDP Bill addressed sensitive personal data (which included passwords, financial data, biometrics, caste, sexual orientation, etc.) along with the manner of processing such information (under explicit consent), the 2022 draft Bill does not address this at all. This might suggest that “personal data” under the draft Bill includes all types of personal data, including sensitive personal data, which makes the concern highlighted above (regarding exceptions under Section 18) even more troubling.
The Union Ministry of Electronics and Information Technology (MeitY) recently published and sought inputs on the draft Digital Personal Data Protection Bill, 2022 (DPDP Bill), which seeks to replace the earlier Personal Data Protection Bill (PDP Bill) introduced back in 2019 and withdrawn in August 2022. While circulating the draft Bill, MeitY has invited comments from the public at large, which can be submitted by December 17, 2022.