The draft Digital Personal Data Protection Act, 2022 released for public consultations by the government last Friday is a completely different approach to data protection from its predecessors. In this piece, I first highlight the main differences from the earlier versions, before analyzing what they mean for data protection and for India’s economy.
The old and the new
Previous versions of data protection legislation adopted an expansive framework towards data regulation.
The first version, drafted by a government-appointed committee headed by retired Justice Srikrishna, proposed a framework that resembled the approach taken in the European Union’s General Data Protection Regulation. It proposed rights for consumers, such as the right to access data stored by businesses, and to have it corrected or deleted. It imposed many new obligations on businesses (defined as “data fiduciaries”) – the requirement of taking consumer consent, purpose and storage limitations, security and transparency requirements, and appointing data protection officers, among others. “Significant data fiduciaries” had additional requirements. The Bill proposed that a Data Protection Authority (DPA) would be an independent regulator that would enforce this law by framing detailed regulations. In addition, restrictions were proposed on the movement of certain categories of personal data outside India – sensitive and critical personal data.
In 2019, the Indian government released its version of the legislation, the Personal Data Protection Bill, 2019, largely based on the Srikrishna committee’s version. It rationalized some compliance requirements. For example, (a) it made consent requirements a safe-harbour provision, (b) it reduced criminal penalties, and (c) it permitted greater movement of data outside India, while still retaining restrictions. It made some other significant changes: (a) social media platforms were brought within the ambit of the legislation, (b) one provision gave the government the power to mandate sharing of non-personal data, and (c) the narrow exemptions from compliance given to state agencies in the previous version were expanded significantly.
This approach to regulation had some significant issues that I have explained in detail elsewhere, and have summarized below:
- The legislation envisaged a quantum jump in regulation. Unlike the EU, India does not have any pre-existing jurisprudence on data privacy that stakeholders and the DPA could rely on while interpreting the new law.
- In addition, India does not have prior regulatory expertise to regulate data privacy with such an expansive scope.
- The increase in compliance because of this expansive scope would have been significant, and would have hurt small businesses more than big technology firms.
- While almost all private entities would be faced with increased regulation and compliance, state power would only increase. The DPA would have significant powers to look at all businesses. In addition, the regulatory burden on government agencies was modest compared to private businesses.
- The debate on data privacy was subject to new distractions like debates on data localization and non-personal data sharing. These debates found their way into the legislation, which made it even more expansive.
When the government withdrew the 2019 legislation from Parliament in August 2022, it expressed an interest in adopting a fresh approach, one also in sync with other laws to regulate the IT sector. The 2022 Bill reflects this approach. It has some major changes worth analyzing in greater detail:
- The somewhat ambiguous classification of personal data into personal, sensitive, and critical personal data has been done away with. The 2022 Bill refers only to digital personal data. This also means that the escalating set of compliance requirements for sensitive personal data is no longer there.
- The 2019 Bill had a definition of “harm” that was meant to guide businesses and government on the level of protections to be accorded to personal data. This definition included some overlapping concepts, some very low-threshold concepts (“humiliation”), and some vague standards (“any discriminatory treatment”). The 2022 version defines harm to include just four things: ID theft, harassment, bodily injury, prevention of lawful gain or causation of significant loss.
- There is not going to be any independent data protection regulator anymore. The DPA has been replaced by a Data Protection Board that will be appointed by the government. The composition, qualifications, and conditions of service will be written down in rules by the government, and are not going to be in the law, unlike the 2019 Bill.
- This new Board will only do the following: (a) investigate non-compliance with the law and issue penalties, (b) direct data fiduciaries to take remedial measures when data breaches occur, and (c) perform functions that the central government may assign. In short, this is not a regulatory agency anymore. It will not be a standard-setting authority. It will not monitor and supervise data protection against these standards. The Board is a limited agency with a narrow mandate.
- Consent and notice are still required. But there is a new provision allowing deemed consent in specific cases. These include cases where there is a reasonable expectation of data being processed, performing any function under law, compliance with court judgements, medical emergencies, epidemics, employment, and in public interest. The last is interesting, because it has been defined broadly so as to potentially include data processing by private entities as well. This is because public interest here includes activities like credit scoring and debt recovery.
- Many consumer rights and obligations for businesses are retained from the 2019 version. However, there has been a reduction in compliance. This is mainly because in the 2022 version, there is no DPA who will interpret these provisions to write detailed standards in the form of regulations. For example, businesses will have to implement data storage, safety, and accuracy requirements in accordance with the law, but there is no DPA to mandate how exactly they must do so.
- There has been a complete change in approach towards data localization. A strict interpretation of the provision would mean that all data transfers outside India are prohibited by default. The government can allow transfers to certain countries and regions subject to requirements it will prescribe.
- Provisions on non-personal data have been removed. The provision criminalising re-identification has been removed.
- A framework of financial penalties has been added and there are no longer any criminal provisions. The Board will have powers to impose penalties of up to INR 500 crore (INR 5 billion). The Schedule to the Bill provides different ceilings for different kinds of violations.
What should we make of this new approach?
The 2022 draft Bill is refreshingly pragmatic. This is reflected in its preamble, which recognizes the tension between protecting privacy and the economic need to process data. It also speaks to India’s economic context, which, though digitizing rapidly, is not yet a mature digital market. In addition, macroeconomic headwinds have negatively affected many technology firms, and it is possible that existing business models need to change. In this situation, it is good that the Bill creates regulatory certainty, and allows considerable leeway for adaptation while focusing more narrowly on privacy issues.
The Bill does so in the following ways:
- The removal of the DPA means that businesses will not have to design privacy by regulatory fiat. They will have leeway to implement data protection requirements in the manner that is most appropriate for their business. Rather than privacy through compliance, the proof of the pudding will now be in the eating. If the Board is an active agency, potentially hefty penalties will incentivise businesses to focus on guaranteeing privacy outcomes, rather than having them focus on undertaking expensive compliance.
- In addition, because there is no independent regulator with extensive regulatory powers, there will be lower regulatory uncertainty. The standards set out in the Bill are a complete set of requirements in themselves, and do not require further interpretation, deliberation and negotiation. Conceptual simplification will also help. For example, distinctions between different categories of data (personal, sensitive, critical), with escalating sets of protections, which, in turn would be specified by the DPA, would have been additional sources of uncertainty.
- The 2022 Bill dispenses with ideas like sharing non-personal data, that, at best, had incidental relevance to data privacy issues. The focus on protecting consumer data is clearer. Other issues will be dealt with in other legislation.
- There is greater regulatory certainty also due to the limited role of the Board. Unlike the DPA, it will not have to balance an expansive list of responsibilities and powers. The Board is designed to be a limited agency that will, for the most part, focus on misconduct and remedying data breaches. The scope for surprising markets with new regulations, something endemic in India, is therefore reduced.
There are also provisions that need greater discussion. One is the design of the Board and the role of the government in relation to it. Since the Board will have powers to issue hefty financial penalties, the qualifications of board members should ideally be set out in the law, and the law should also guarantee tenurial independence to its members. This should not be left completely to executive discretion.
Another is the provision on cross-border data transfers. As drafted, data flows will be prohibited unless permitted. In some ways, this is a regression from the 2019 version. While this provision is intended to allow the government the power to decide which jurisdictions are adequate for storage of Indian data, the provision should explain the considerations or principles that the government will use while determining whether to allow data transfers.
The provision on deemed consent that potentially permits private businesses to process data for activities like credit scoring, ostensibly in public interest, requires greater deliberation. It is unclear what public interest is served in these commercial activities.
Perhaps the major continuing disappointment with all versions of data protection legislation is the exemption given to government agencies. As in the 2019 version, the government will continue to exempt itself from most requirements set out in the Bill. The big silver lining, if one may call it that, is that we will no longer be faced with the irony of having a powerful and intrusive DPA tasked to protect privacy.
Anirudh Burman is a fellow and associate research director at Carnegie India. Views are personal.
The article was originally published in Ideas and Institutions, a fortnightly newsletter from Carnegie India’s political economy team, on November 22, 2022.