SabrangIndia | data protection law

Draft DPDP Rules, 2025, seeds of both surveillance and freedom
https://sabrangindia.in/draft-dpdp-rules-2025-seeds-of-both-surveillance-and-freedom/
Tue, 18 Mar 2025 11:15:05 +0000

The recently published Draft DPDP, 2025 Rules (Digital Personal Data Protection Rules) contain some safeguards like consent on data possession, while the shadow of a dystopian future looms large, especially with broad exemptions granted to government agencies for processing data related to public services and subsidies that, in turn, create concerning possibilities for expanded state surveillance under the guise of public interest.

India is taking a significant step towards strengthening its data protection framework with the release of the draft Digital Personal Data Protection Rules, 2025 (Draft DPDP Rules). These draft rules, published by the Ministry of Electronics and Information Technology (MeitY) in January 2025, are designed to lay the roadmap for the implementation of the Digital Personal Data Protection Act, 2023 (DPDP Act). This article delves into the Draft DPDP Rules, 2025, examining their key provisions and potential implications. Before further discussion, the following terms need to be understood.

  • Data Principal: The individual whose personal data is collected and used. Example: a user on a marketplace like Amazon.
  • Data Fiduciary: The entity that collects, processes, and manages personal data responsibly. Example: a marketplace like Amazon.

Principles of the DPDP Act

The DPDP Act is built upon six core principles that guide its approach to data protection:

  1. Lawful, Fair, and Transparent Usage: Organizations must use personal data in a manner that is lawful, fair, and transparent to the individuals concerned.
  2. Purpose Limitation: The use of personal data should be limited to the purpose for which it was collected.
  3. Data Minimisation: Only the necessary personal data required for the specified purpose should be collected.
  4. Accuracy: Reasonable efforts should be made to ensure the accuracy and up-to-date nature of personal data.
  5. Storage Limitation: Data should be stored only for the duration necessary for the stated purpose.
  6. Security: Reasonable safeguards must be implemented to prevent unauthorized access, processing, and data breaches.

The draft rules have been published to realize these principles and the provisions of the Act. The period for submitting comments and feedback on the rules ended on March 5, 2025.

Key Provisions in a nutshell

The Draft DPDP Rules provide detailed guidance on various aspects of data protection, including notice and consent, security safeguards, data breach notification, and data retention. Some of the key provisions are:

  • Clear and concise notices
  • Reasonable security safeguards
  • Data breach notification
  • Time restrictions on data storage

Notice and consent

The Digital Personal Data Protection Act, 2023 and the Draft Rules, 2025, place emphasis on informing Data Principals before processing their personal data, especially when consent is the legal basis.

Section 5(1) of the Act mandates that any request for consent under Section 6 must be accompanied or preceded by a notice from the Data Fiduciary.

To ensure understanding, Section 6(3) requires that the consent request be in clear and plain language, offering the option to access it in English or any language in the Eighth Schedule of the Constitution. It must also include contact details for a Data Protection Officer or another authorised person.

Rule 3 of the Draft Rules further details the notice requirements, stipulating that the notice must:

  • Be understandable independently of other information (Rule 3(a)).
  • Provide a clear and plain account of the necessary details for informed consent, including an itemised description of the personal data and the specified purpose with an itemised description of the goods, services, or uses (Rule 3(b)).
  • Include the communication link to the Data Fiduciary’s website or app and other means for the Data Principal to withdraw consent (with comparable ease), exercise their rights, and make a complaint to the Board (Rule 3(c)).

Reasonable security safeguards

The Digital Personal Data Protection Act, 2023 mandates that Data Fiduciaries must protect personal data by taking reasonable security safeguards to prevent breaches [Section 8(5)]. The Act also outlines exemptions under certain conditions in Section 17. Specifically, Section 17(2)(b) states that the Act’s provisions do not apply to processing necessary for research, archiving, or statistical purposes if such processing adheres to prescribed standards.

The Draft Digital Personal Data Protection Rules, 2025, further detail these obligations in Rule 6 (“Reasonable security safeguards”), requiring Data Fiduciaries to implement, at a minimum:

  • Rule 6(1)(a) Encrypting, obfuscating, or masking data to prevent unauthorized access.
  • Rule 6(1)(b) Controlling access to computer systems handling the data.
  • Rule 6(1)(c) Monitoring and logging data access to detect, investigate, and prevent breaches.
  • Rule 6(1)(d) Ensuring backup and recovery in case of data loss or compromise.
  • Rule 6(1)(e) Retaining logs and data for at least one year to detect and prevent unauthorized access.
  • Rule 6(1)(f) Including security requirements in contracts with Data Processors.
  • Rule 6(1)(g) Implementing technical and organizational measures to enforce security safeguards.

Data breach notification

In the event of a personal data breach, the draft rules mandate a swift and transparent notification process. As per Rule 7 of the Draft Rules, the Data Fiduciary must, without delay, inform each affected Data Principal in a clear and plain manner about the nature and extent of the breach, the likely consequences, the measures implemented to mitigate risk, and the safety measures the Data Principal can take. Crucially, Rule 7(1)(e) also requires the provision of business contact information for a person able to respond on behalf of the Data Fiduciary.

Furthermore, Rule 7(2) of the Draft Rules stipulates that the Data Fiduciary must intimate the Data Protection Board of India upon becoming aware of a breach. This initial intimation should include a description of the breach, and a more detailed report must follow within 72 hours, or a longer period if permitted by the Board. This subsequent report must contain broad facts, circumstances and reasons leading to the breach, mitigation measures, findings regarding the responsible person, remedial actions, and a report on the intimations given to Data Principals.

Erasure of personal data when consent is withdrawn

When a Data Principal decides to withdraw their consent for the processing of personal data, the draft rules necessitate its erasure, unless legal obligations dictate otherwise. Specifically, Rule 8(1) of the Draft Rules states that a Data Fiduciary processing personal data for relevant purposes specified in the Third Schedule must erase such data if the Data Principal does not contact the Data Fiduciary for the specified purpose or exercise their rights for the relevant time period stipulated in that Schedule, provided its retention is not required by law. For significant digital platforms like e-commerce entities and social media intermediaries with not less than two crore registered users in India, this time period is three years from the date the Data Principal last contacted the Data Fiduciary for the specified purpose or exercised their rights, or the commencement of the Digital Personal Data Protection Rules, 2025, whichever is later.

Necessity to inform principals of the erasure so that they can take action to retain

To ensure Data Principals are aware of impending data erasure and can take necessary steps if they wish to retain their data, Rule 8(2) of the Draft Rules imposes an obligation on Data Fiduciaries. They must inform the Data Principal at least forty-eight hours before the expiry of the period for erasure. This notification will alert the Data Principal that their personal data will be erased upon the completion of this period unless they log into their user account or otherwise contact the Data Fiduciary for the performance of the purpose or exercise their rights.

Provisions for vulnerable groups like personal data of children, persons with disabilities, etc.

The draft rules include specific safeguards for the personal data of vulnerable groups. Rule 10 of the Draft Rules mandates that a Data Fiduciary must adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before processing any personal data of a child. This rule also requires due diligence to check that the individual identifying themselves as the parent is indeed an adult. For processing the personal data of a person with a disability who has a lawful guardian, Rule 10(2) similarly requires due diligence to verify that such guardian has been appointed by a competent authority under applicable law. Furthermore, the Fourth Schedule (Part B) of the Draft Rules provides specific exemptions from the requirements of subsections (1) and (3) of section 9 of the Act (Section 9(3) of the Act prohibits processing of personal data that could have detrimental effect on the well-being of the child) for processing the personal data of a child for certain purposes, such as the exercise of any power or function in the interests of a child under any law, or for providing subsidies or benefits to a child. These exemptions are subject to the condition that the processing is restricted to the extent necessary for such purposes.

Consent managers

The draft rules establish a framework for the registration and obligations of Consent Managers. Rule 4 of the Draft Rules outlines the process for a person to apply to the Board for registration as a Consent Manager, requiring them to fulfil the conditions set out in Part A of the First Schedule. These conditions include being a company incorporated in India with sufficient technical, operational, and financial capacity, including a minimum net worth. Upon registration, Consent Managers are subject to obligations specified in Part B of the First Schedule. These obligations include ensuring that the personal data is made available or shared in a manner that its contents are not readable by the Consent Manager, maintaining records of consents and notices, providing Data Principals access to these records, acting in a fiduciary capacity, and avoiding conflicts of interest with Data Fiduciaries.

Data processing by the state

The draft rules permit the State and its instrumentalities to process personal data for specific purposes in the public interest. Rule 5(1) of the Draft Rules allows for the processing of a Data Principal’s personal data to provide any subsidy, benefit, service, certificate, licence or permit that is provided or issued under law or policy or using public funds. However, Rule 5(2) specifies that such processing must be done following the standards outlined in the Second Schedule. These standards include ensuring that processing is carried out in a lawful manner and for the specified uses, is limited to necessary personal data, is done while making reasonable efforts to ensure accuracy, and that personal data is retained only as long as required. The Second Schedule also mandates reasonable security safeguards, providing business contact information of a person able to answer questions about processing, specifying the means for Data Principals to exercise their rights, and ensuring accountability of the person determining the purpose and means of processing. Similar standards apply to the processing of personal data necessary for research, archiving or statistical purposes.

Concerns

The rules have drawn criticism for potentially breaching fundamental data protection principles such as purpose limitation and proportionality, particularly due to the broad exemptions granted to government agencies for processing data related to subsidies and public services without adequate safeguards. Concerns have also been raised about increasing executive influence over the Data Protection Board of India through the appointment process, which could compromise its independence and objectivity. This is critically important since the State has already been given special treatment under the Act, and yet there is no effort to make a preliminary adjudicating body like the Data Protection Board more independent.

Additionally, the mandatory data retention requirements for certain entities have sparked concerns about excessive data collection and heightened surveillance risks. Lastly, Rule 22, which grants the Central Government extensive access to data, is seen as bypassing key surveillance safeguards and the criminal justice system, posing significant privacy risks. Its broad and ambiguous language, including terms like “sovereignty and integrity of India,” grants the government the power to demand data from Data Fiduciaries without clear notification protocols. The absence of restrictions on data retention heightens fears of indefinite storage and potential misuse. Transparency is further compromised as Fiduciaries are prohibited from disclosing government requests, weakening accountability. Moreover, the government’s ability to exempt itself from key data protection regulations threatens privacy, allowing unrestricted data collection without user consent or adequate legal justification.

Conclusion

The establishment of consent managers represents an innovative approach to managing individual autonomy in an era where data collection has become omnipresent. Special protections for children and vulnerable groups demonstrate a recognition of differential risks in our digital ecosystem.

However, the shadow of a dystopian future looms large. The broad exemptions granted to government agencies for processing data related to public services and subsidies create concerning possibilities for expanded state surveillance under the guise of public interest. The mandatory data retention requirements for significant digital platforms raise questions about the long-term storage of sensitive information and the potential for mission creep in data usage.

India stands at a crossroads where the path forward is neither predetermined nor inevitable. The Draft DPDP Rules contain within them the seeds of both surveillance and freedom. The ultimate direction will be determined by how these rules are interpreted, enforced, and amended in response to real-world consequences. The coming years will test whether India can navigate this complex landscape to create a digital society that respects both innovation and individual rights. 

(The author is a legal researcher with the organisation)


Unboxing the Inbox: Decoding the “Viksit Bharat Sampark” Controversy and its Shadow over Indian Elections
https://sabrangindia.in/unboxing-the-inbox-decoding-the-viksit-bharat-sampark-controversy-and-its-shadow-over-indian-elections/
Wed, 05 Jun 2024 05:52:34 +0000

Mass WhatsApp campaign by Indian government raises questions about data privacy, ethics, and the fairness of elections.

A shadow over elections

As the Lok Sabha election results loom large, a mass WhatsApp campaign has cast a shadow over the electoral process. Initiated by a business account named “Viksit Bharat Sampark,” the campaign has ignited significant debate and raised serious ethical and legal questions. This initiative involved the widespread dissemination of an open letter from Prime Minister Narendra Modi, in which he praised his government’s achievements and solicited public feedback. The messages were not only sent to millions of people in India but also reached citizens in Pakistan and the UAE, raising concerns about data privacy and the misuse of government resources.

The controversial messages from “Viksit Bharat Sampark” were sent between March 15 and March 18, coinciding with the announcement of the Lok Sabha elections by the Election Commission of India on March 16, 2024. Some recipients reported receiving the messages as late as March 18 and beyond, exacerbating concerns about the timing and legality of their dissemination during the election period.

The WhatsApp messages, sent from a verified business account categorized as a “Public and government service,” aimed to publicize the Modi government’s initiatives and solicit feedback. The account identified itself as linked to the Ministry of Electronics and Information Technology (MeitY), Government of India. The letter, addressed to “My dear family member,” highlighted various government schemes and achievements over the past decade.

The use of “Viksit Bharat Sampark,” a business account on WhatsApp linked to the Ministry of Electronics and Information Technology, raises serious questions about the misuse of government resources. This account utilized a paid service to send messages in bulk, a service permitted for government agencies but explicitly prohibited for political parties or entities engaging in political campaigning. Using government machinery for political campaigning undermines the integrity of the electoral process. This blurring of lines between government functions and political agendas is highly problematic.

Violation of the Model Code of Conduct

The Model Code of Conduct (MCC) is a set of guidelines issued by the Election Commission of India (ECI) to ensure free and fair elections. It prohibits the use of government resources for electioneering and mandates that parties in power should not misuse their official position for campaign purposes.

Clause VII(4) of the MCC states that “issue of advertisement at the cost of public exchequer in the newspapers and other media and the misuse of official mass media during the election period for partisan coverage of political news and publicity regarding achievements with a view to furthering the prospects of the party in power shall be scrupulously avoided.” The “Viksit Bharat Sampark” campaign, funded by government resources, violates this clause.

The campaign blurred the lines between governmental functions and political agendas. By using a government-linked WhatsApp account to send messages that promote the ruling party’s achievements, it appears to leverage official platforms for partisan purposes, which is against the principles of the MCC.

The opposition and citizens have been vocal in their criticism, with leaders like Congress MP Shashi Tharoor and Manish Tewari highlighting the misuse of government machinery and data. They have called on the Election Commission of India to take action and ensure a level playing field. The Election Commission has responded by directing the Ministry of Electronics and Information Technology to halt the campaign and sought a compliance report on the matter.

Upon receiving complaints about the “Viksit Bharat Sampark” campaign, the Election Commission of India took action to address the violations. The ECI directed the Ministry of Electronics and Information Technology to halt the bulk WhatsApp messaging campaign immediately. The ECI emphasized that such actions compromised the level playing field necessary for free and fair elections.

The Ministry of Electronics and Information Technology was ordered to stop sending the bulk WhatsApp messages immediately to prevent further misuse of government resources. The ECI asked the Ministry to submit a compliance report detailing the steps taken to halt the messaging campaign and ensure adherence to the MCC.

While the Election Commission of India’s response was swift, it has not gone far enough to address the full extent of the violations and their implications:

  • Halting the campaign and requesting a compliance report, while necessary, do not address the systemic issues that allowed the campaign to happen in the first place.
  • The ECI’s actions did not hold specific individuals accountable for the breach. A detailed investigation into who authorized and executed the campaign, and appropriate punitive measures against them, are crucial to prevent future occurrences.
  • The ECI did not address the breach of privacy adequately. The misuse of personal data for political campaigning is a serious violation that demands thorough investigation and stricter enforcement of data protection laws.
  • This incident highlights gaps in the legal framework governing the use of digital platforms for political campaigning. The ECI should advocate for stronger regulations and enforcement mechanisms to govern the use of technology in elections.

The “Viksit Bharat Sampark” campaign has highlighted the blurred lines between governmental functions and partisan political activities. By using official channels to send messages that praise the ruling party’s achievements and using government resources, the campaign undermines the impartiality of the electoral process and raises doubts about the integrity of elections. This misuse of government resources for political gain not only violates the Model Code of Conduct but also threatens the democratic fabric of the country.

Data Privacy and Viksit Bharat Sampark

The long and short of the issue is unauthorized access to a vast database of phone numbers. MeitY used some database to send its messages, but there is a complete lack of transparency about how it was acquired or what database was used. This obscurity casts doubt on the legality and ethical implications of how the data was obtained. A crucial question is: how did MeitY acquire the vast database of phone numbers used for this unsolicited outreach? Did they get user consent before using this information[1]?

The possibility that MeitY acquired the data from another public or private entity opens a whole new can of worms. Were legal procedures followed during the acquisition of this database? Did the original source adhere to data privacy norms? A core principle of data protection is that personal information can only be used for the specific purpose for which it was collected. Reusing it for something entirely different, especially without consent, is a major red flag. MeitY facilitated this access without clear consent mechanisms from the recipients.

Further exacerbating the situation is the delayed enforcement of the Digital Personal Data Protection Act (DPDPA) and the exemption granted to government entities under Section 17(2)(a). This section allows the Central Government to issue a notification exempting any “instrumentality of the State” from the provisions of the Act in the interests of the sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order, or preventing incitement to any cognizable offence relating to any of the above. This creates a legal grey area where the government has significant autonomy in data collection and usage, with limited checks and balances. The lack of strong regulations makes it difficult to hold the government accountable for potential breaches of privacy. With the ability to collect and process personal data without consent, the potential for misuse becomes a significant concern. This could involve political micro-targeting, where voters are bombarded with messages tailored to their preferences, potentially manipulating their choices and undermining the fairness of elections.

Ideally, a Data Protection Board should have established guidelines in advance of the elections to prepare for privacy-related infractions under the new Digital Personal Data Protection Act of 2023. However, the Data Protection Board would report to the Ministry of Electronics and Information Technology, which is the very body violating these provisions by sending WhatsApp messages to everyone[2]. The BJP and the state apparatus have merged, with little distinction between party operations and official policy.

The absence of stringent restrictions on data usage under the current legal framework creates a worrisome prospect of unchecked data exploitation. The lack of clarity on the criteria for invoking exemptions under the DPDPA leaves room for interpretation, potentially leading to further misuse of personal data.

Moreover, the campaign has also violated the policy of WhatsApp. The WhatsApp Business Messaging Policy mandates that businesses obtain opt-in permission from recipients before sending messages. Clause 1 of the policy reads “You may only contact people on WhatsApp if: (a) they have given you their mobile phone number; and (b) you have received opt-in permission from the recipient confirming that they wish to receive subsequent messages or calls from you on WhatsApp[3].” However, in the case of the “Viksit Bharat Sampark” campaign, there was no evidence of such consent being obtained. This not only violates WhatsApp’s policies but also raises fundamental questions about the government’s respect for individual privacy rights.

Article 21 of the Indian Constitution guarantees the right to privacy as a fundamental right. However, the actions of MeitY in using personal data for political messaging without consent undermine these guarantees. The campaign’s reach into places like Dubai and Pakistan underscores the international scope of the privacy concerns, raising questions about the legality and appropriateness of such cross-border data usage.

Conclusion

In conclusion, the “Viksit Bharat Sampark” campaign has exposed critical flaws in India’s data protection and privacy frameworks. The unauthorized use of contact information for political messaging, without explicit consent, is a clear violation of privacy rights and undermines democratic principles. As India moves forward, it is imperative to enact and enforce data protection laws that prioritize the rights and interests of citizens over unchecked governmental authority.

Upholding the principles of individual privacy rights is not just a legal obligation but a moral imperative in safeguarding democracy in the digital age. The delayed enforcement of the Digital Personal Data Protection Act and the absence of robust regulations create a fertile ground for data exploitation, particularly in the context of political campaigning. As citizens grapple with the intrusion into their personal space, questions loom large over the government’s commitment to upholding constitutional guarantees of privacy and freedom of expression.

In this digital era, the integrity of electoral processes and the protection of individual privacy rights must be preserved at all costs. The “Viksit Bharat Sampark” campaign serves as a stark reminder of the dangers of unchecked data usage and the urgent need for comprehensive data protection laws and regulatory oversight. Without these safeguards, the trust of citizens in democratic institutions and electoral processes will continue to erode, posing a serious threat to the future of democracy in India.


 

[1] https://internetfreedom.in/whatsapp-message-from-meity/

[2] https://www.barandbench.com/columns/inside-the-pms-inbox-privacy-politics-and-digital-governance

[3] https://business.whatsapp.com/policy

 

Grave concerns on DPDP Act, 2023 as journalistic activities threatened: Editor’s Guild to MEITY
https://sabrangindia.in/grave-concerns-on-dpdp-act-2023-as-journalistic-activities-threatened-editors-guild-to-meity/
Tue, 20 Feb 2024 08:26:52 +0000

In a detailed representation to Ashwini Vaishnaw, the Union Minister for Electronics and Information Technology, the Editor’s Guild of India (EGI) has pointed out how the provisions of the Digital Personal Data Protection Act, 2023 (DPDP Act), possibly inadvertently, violate privacy principles enunciated by the Supreme Court-appointed Justice BN Srikrishna Commission report as also threaten the very existence of journalistic activities in India

In a representation to Ashwini Vaishnaw, the Union Minister for Electronics and Information Technology, the Editor’s Guild of India (EGI) has pointed out how the provisions of the Digital Personal Data Protection Act, 2023 (DPDP Act) violate principles enunciated by the Supreme Court-appointed Justice BN Srikrishna Commission report as also threaten the very existence of journalistic activities in India.

Expressing grave concerns at the impact of the recently enacted law on journalistic activities, the EGI, established post-Emergency in 1978[1], explains in the detailed representation how this law, ostensibly brought in to “protect data privacy”, will in fact bring journalistic activity to a standstill.

The representation points out that while the DPDPA does not address journalists or their activities, it regulates the underlying processing (e.g., collection, use, storage) of personal data that is inevitable in almost every instance of journalism.

The EGI statement states:

“The enactment of the Digital Personal Data Protection Act, 2023 inadvertently endangers the freedom of the press

1.1 The DPDPA, while a laudable initiative towards protecting the personal data of individuals, if applied indiscriminately to the processing of personal data in a journalistic context, will bring journalism in the country to a standstill. This will have a long-standing impact on the freedom of the press, and the dissemination of information not just in reporting in print, TV, and the internet, but also the mere issuance of press releases by all parties including political parties.

1.2 The continued existence of the press – the fourth pillar of democracy – enables the dissemination of news, thoughts, and opinions and ensures a free and fair democracy. It informs public opinion, promotes civic engagement, and empowers individuals to make informed decisions including political choices. Its centrality is recognised by the Constitution of India (Constitution), which only permits reasonable restrictions on the exercise of the right to freedom of speech and expression.”

As the statement points out, the Srikrishna Committee Report also recognised these consequences in noting that the untrammelled dissemination of news, current affairs, and documentaries, especially when they inform, criticise, and analyse issues of public importance, is in the public interest.

Journalistic Conduct regulated by Press Council of India (PCI) norms

The protection of personal data in the course of journalistic activities is built into norms of journalistic conduct, such as those issued by the Press Council of India (PCI), established under the Press Council Act, 1978, and the Code of Ethics and Broadcasting Standards released by the News Broadcasters and Digital Association.

6.2 Notably, the PCI prescribes safeguards in the context of communalism in the press and cautions against defamatory writings and objectionable investigative reporting, obscenity, and vulgarity in, for example, news stories, or feature reports.

Through this, journalists are barred from (i) intruding upon or invading the privacy of an individual unless outweighed by the genuine overriding public interest; (ii) tape-recording a conversation without that person’s knowledge or consent, except where the recording is necessary to protect the journalist in a legal action, or for other compelling good reason. Journalists are also required to (i) obtain the prior consent of a minor’s parent, if “public interest” overrides the minor’s right to privacy; (iii) apply due care by not disclosing the real names of persons involved in incidents affecting personal lives; and (iv) refrain from publishing inaccurate, baseless, graceless, misleading or distorted material.

6.3 Given that these codes of conduct, which apply to all journalists, achieve a balance between freedom of expression and the right to privacy, applying a second framework to the same processing activities, concerning the same personal data, will only create duplicate compliance requirements, impose an unwarranted burden on journalists, and more importantly, impair free speech and expression. This is particularly true since these applicable codes of conduct for journalism provide a more tailored compliance regime in balancing the competing rights at hand.

Concerns over DPDP Act

The newly enacted DPDP Act requires individuals or entities that determine the purpose and means of processing such personal data outside a personal or domestic context, i.e., data fiduciaries, to meet various requirements (e.g., provision of notice and obtaining consent, erasure, etc.). These requirements are undeniably onerous in the context of processing for journalistic purposes. Given the nature of the profession and the implications for the fundamental rights involved, processing personal data for journalistic purposes is an ideal case for, and must be granted, an exemption from the provisions of the DPDPA. The DPDPA requires all processing of personal data to proceed on the basis of either consent or certain legitimate uses (e.g., for employment purposes or in the case of a medical emergency) under Section 7 of the DPDPA, which is narrow and specific in nature. Processing personal data for journalistic activities will invariably fall outside these narrow buckets.

While certain journalistic activities involving interviews, collecting responses to questionnaires, etc., may be covered under Section 7(a) of the DPDPA, which recognises voluntary provision of personal data by the data principal, most other forms of journalism, such as investigative journalism, general news reporting, opinion pieces, analyses, etc., are still largely dependent on private research and investigative study by journalists, which is remarkably absent in the current list of legitimate uses.

Given this, the representation explains, journalists will invariably have to rely upon consent to process any personal data in the course of their journalistic activities.

In fact, the onerous nature of this requirement was critiqued in the Report published by the Committee of Experts under the Chairmanship of Justice B.N. Srikrishna (Srikrishna Committee) titled ‘A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians’ (Srikrishna Committee Report). The Committee, which prepared the Personal Data Protection Bill, 2018, noted that mandating consent for processing such personal data would be unfavourable, as the data principal could simply refuse to consent, forestalling all such publishing. The fundamental role of the press and its ability to ensure transparency and accountability would thus be severely undermined by the data principal’s ability to simply refuse consent to the processing of their data.

As the EGI’s representation to MEITY points out, the Srikrishna Committee Report that accompanied the 2018 Bill, too, recognised that exempting journalistic activity from compliance with the 2018 Bill was necessary for greater public interest. Accordingly, the Personal Data Protection Bill, 2018 (2018 Bill), prepared by the Srikrishna Committee, exempted processing for a ‘journalistic purpose’ from complying with all provisions of the 2018 Bill, except for the duty to process personal data in a fair and reasonable manner that respects the privacy of the data principal, and the obligation to implement reasonable security safeguards. The 2018 Bill defined ‘journalistic purpose’ as any activity intended towards the dissemination through print, electronic, or any other media of factual reports, analysis, opinions, views, or documentaries regarding:

  • news, recent or current events; or
  • any other information that the data fiduciary believes the public, or any significantly discernible class of the public, to have an interest in, which would be absolved from obtaining consent from data principals.

The Personal Data Protection Bill, 2019 (introduced in the Parliament) and the Data Protection Bill, 2021 (prepared by the Joint Parliamentary Committee on data protection), contained similar provisions to exempt processing for journalistic purposes.

This position is notably consistent with other jurisdictions with data protection regimes that provide for exemptions from processing for journalistic purposes. For instance, the European Union’s General Data Protection Regulation (GDPR) enables Member States to provide for exemptions or derogations from certain provisions (e.g., have a lawful reason or basis for using data, provide privacy information, comply with individual rights that people have about their data, etc.) of the GDPR for journalistic purposes and freedom of expression. Similarly, Singapore’s Personal Data Protection Act, 2012 provides an exception for news organisations to collect, use, and disclose personal data without consent solely for their news activity.

Despite this, processing for journalistic purposes is not exempt from the obligations under the DPDPA.

It may be possible to argue that Section 17(1)(c) of the DPDPA, which permits processing in the interest of prevention, detection, investigation, or prosecution of any offence or contravention of any law, would exempt processing for a specific kind of journalism: investigative journalism. However, the lack of a broad exemption that applies to all journalistic activity (as envisaged under prior iterations of this law and international statutory frameworks) and the absence of any clear guidance for this exemption severely hampers the ability of journalists to investigate, report, and publish any articles or reports of journalistic import. It is, therefore, crucial that an exemption be made available to cover processing related to journalistic purposes.

Unfortunately, India will be the sole modern democracy without an exemption for journalistic activities, which could severely impair the fourth pillar of democracy. Moreover, India is currently ranked 161 out of 180 countries in the World Press Freedom Index maintained by Reporters Without Borders, below other Asian countries like Pakistan, Afghanistan, Sri Lanka, and Cambodia, and risks falling further down in the ranking if the DPDPA is enacted in its present form, states the representation.

[1] Editors Guild of India [“EGI”] is an organisation established in 1978 to protect freedom of the press and to raise the standards of editorial leadership of newspapers and magazines. Since its establishment, EGI has consistently defended the freedom of speech and expression of publishers and the right to information of the citizens of India.

The post Grave concerns on DPDP Act, 2023 as journalistic activities threatened: Editor’s Guild to MEITY appeared first on SabrangIndia.

Serious flaws in the Digital Personal Data Protection Act
https://sabrangindia.in/serious-flaws-in-the-digital-personal-data-protection-act/
Fri, 08 Sep 2023 12:10:12 +0000

The hurriedly passed Digital Personal Data Protection (DPDP) Act violates all accepted norms of privacy and data protection while also bestowing unchecked powers on the Union of India.

It is well known that the Right to Privacy is a fundamental right under Article 21 of the Constitution after the Supreme Court’s judgement in the case of Justice KS Puttaswamy vs. Union of India (2017). Now, following the Court’s direction to pass a law regarding Data Protection, the Parliament has passed the Digital Personal Data Protection (DPDP) Act, 2023 and the President has even given her assent to the Act. The Act is to be enforced in stages as may be necessary.

What does the law say with respect to Data Rights?

The law recognises a Data Principal —the individual to whom the personal data relates, i.e., whose personal data is being engaged with. In the case of children and persons with disabilities, lawful guardians acting on their behalf will be the Data Principals. For example, if someone is collecting your personal data, you are the Data Principal.

The law also recognises the Data Fiduciary —the entity which determines the purpose and means of processing such data after being entrusted with this data by the Data Principal. Essentially, those who are collecting the data for a purpose and processing it, are the Data Fiduciaries. There are certain rights for the Data Principal and additionally, there are certain duties too.

The pillars of data protection legislation in countries worldwide revolve around consent, purpose limitation and storage limitation. Consent means the permission of the person who is giving the data; purpose limitation means the restriction on the person who is collecting the data to use the data only for the purpose for which the data is being collected. Storage limitation means a limit on storage: the data will be stored only until it serves the particular purpose for which it was collected in the first place.

Let us understand what the new act does with respect to these principal, non-negotiable, internationally recognised pillars.

Purpose Limitation and Consent:

Section 7 of the Act deals with processing of the data by the Data Fiduciary. Section 7(a) of the Act says that the Data Fiduciary can process the personal data of the Data Principal for a purpose for which the latter has voluntarily provided the data. The rest of the uses raise the question of whether the Data Fiduciary can process the personal data of the Data Principal for the state or any of its instrumentalities to provide to the Data Principal such subsidy, benefit, service, certificate, licence or permit, etc., if she has previously consented or if the data has been available with the government.

This processing could also be done in the interest of the sovereignty and integrity of India, or the security of the State; for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal; for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health; for taking measures to ensure safety of or provide assistance or services to any individual during any disaster, or any breakdown of public order; and finally, for the purpose of employment.

This means that for all these purposes the Data Fiduciary can process the data without the consent of the data principal.

Apart from the all-encompassing power granted under processing for the security of the state, there is also the additional purpose granted under the Act, “for public order”. Another important use for which the data can be processed is for employment purposes. Many data protection laws place the processing of some employee data, such as sensitive data like gender and social media data, under restrictions and regulations.

The DPDP Act, 2023, however, gives the employer a free hand to process employee-related data, without any safeguards. If an employee’s personal data is allowed to be processed by the employer without the consent of the former, it could lead to discrimination at the workplace, and the new law has no safeguards against this.

For example, if a woman employee has stated that she is pregnant, processing of that data could lead to the company firing her. Study after study has revealed that companies are already apprehensive about hiring women due to the potential maternity benefits that they might have to pay. Restrictions on employee monitoring are completely absent from the Act.

Storage Limitation:

Here too, there is a generic rule that the data should not be stored if the purpose for which it was collected has been served. However, under the (Indian) Act, the Union Government can notify such Data Fiduciaries or class of Data Fiduciaries to whom this generic rule will not apply. The central government can do this on consideration of the volume and nature of the personal data processed. There are no directions as to whether this volume has to be high or low for the fiduciaries to be so exempted, or what nature of data will allow an exemption. Essentially, this means that it is the Union Government that can choose who can store the data and who cannot, under vague criteria which have not been specified or mentioned in the Act.

There are two more important features of this Act. One is the exemptions the Act gives the Union Government and the other is the Act’s de facto amendment to the Right to Information Act, 2005.

Exemptions to the Government

Section 17(2) of the act gives exemption to the government with respect to the processing of the data. The act does not apply to processing of personal data by such instrumentality of the state, in the interests of “sovereignty and integrity of India,” “Security of the State,” “Friendly relations with foreign states,” “maintenance of public order” or “preventing incitement to any cognisable offence” relating to any of these, and the processing by the Central Government of any Personal Data that such instrumentality may furnish to it.

This essentially means that the government can process data for these purposes, or process such data as an instrumentality of the state furnishes to the Union Government, without the consent of the Data Principal.

Section 17(2)(b) also exempts the Central Government and enables it to process such data as is necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed.

The Amendment to RTI Act

The Right to Information Act, 2005 empowers the Central Public Information Officer, the State Public Information Officer or the appellate authority to give information relating to personal information if such information is in the larger public interest.

Essentially, the RTI Act says that personal information cannot be disclosed until the Information Officer is satisfied that the larger public interest justifies the disclosure of such information. The pre-amended RTI Act places a check on the way the Act could be used to invade the privacy of people but also creates a balance where the larger public interest overrides the right to privacy of people.

Section 44 of the DPDP Act 2023 amends the RTI act and states that there shall be no obligation to give any citizen information which relates to personal information. The DPDP Act removes the balance that was achieved by the RTI act thereby diluting the progressive nature of the RTI act.

Conclusion

The Act only has data protection in its title (!!!) whereas its provisions make it seem like an empowering Act for the government to use, process and collect data without any hassle or safeguards.

In essence, the Act divides data protection into two different realities: one where Data Fiduciaries and Data Principals are responsible for each other, and another where the government is not responsible for anything at all.

Additionally, the Act also creates some punitive duties on Data Principals, upon whose breach the Data Principal will be required to pay a fine of Ten Thousand Rupees. This creates both an unnecessary and unjustified burden on the Data Principal while letting the government act with impunity. In a way, much of the Act stands as an example of how not to draft and enact a Data Protection Act.

(The author is a legal researcher with the organisation)

A surveillance regime that violates both Privacy & Right to Life: Digital Personal Data Protection Bill, 2002
https://sabrangindia.in/surveillance-regime-violates-both-privacy-right-life-digital-personal-data-protection-bill/
Mon, 21 Nov 2022 09:54:58 +0000

Proscribing entirely an individual citizen’s right to privacy and control over personal data, the ‘deemed consent’ provisions along with other provisions of the Bill weaponise the state to be the ultimate arbiter.


For the past decade, India has been dealing with data without a comprehensive policy governing data and privacy. The Justice K. S. Puttaswamy & Anr. vs Union Of India & Ors judgement, which, in 2017, declared the Right to Privacy to be a fundamental right, remains one of the few pillars available to guide policy formulations on privacy.

The central government introduced the Personal Data Protection Bill, 2019 and then changed its title to Data Protection Bill, 2019 after a report of the Joint Parliamentary Committee [JPC].

The government then withdrew the Data Protection Bill, 2021 in August and has now published a Digital Personal Data Protection Bill, 2022, inviting public comments. This can be read here and public comments can be made here, the deadline being December 17.

This article looks at the bill through the lens of the rights of users whose data would be in question and examines the accountability frameworks within the bill for data collectors like corporations and the state. Before we discuss this, it is important to understand the definitions of a few terms used in the bill in order to fully understand the argument.

Data Principal – The person whose data the bill seeks to protect. This is defined as[1]

“The individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child;” [Section 3 (6) of the proposed Bill]

Data Fiduciary – The person who collects and processes the data collected and determines the purposes for which it was collected. This entity is defined as below.[2]

“Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.” [Section 3 (5)]

Personal Data is defined thus: “any data about an individual who is identifiable by or in relation to such data.” [Section 3 (13)][3]

Processing in relation to personal data “means an automated operation or set of operations performed on digital personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;” [Section 3 (16)][4]

The explanatory note to the bill states that the bill is based on seven principles which are listed out. Pertinently, there is absolutely no emphasis on consent of the data principal contained within these seven principles. Fundamentally, data privacy legislations have been based on the non-negotiable principle of consent – that the user should give explicit consent to the collection and processing of his/her data; purpose limitation – that the data collector and processor should only use the data for the purpose they are collecting it for and nothing else; data minimisation – that only specific and required amount of data should be collected for the purpose and nothing more. 

However, consent does not seem to form the bedrock of the Digital Personal Data Protection Bill, 2022 at all. With the absence of consent of the data principal in this newly drafted legislation, an absence that is glaring and could mean rampant unnecessary collection of data and unbridled sharing for commercial, political and surveillance purposes, it is crucial to understand what this bill entails for all users and their rights.

The first section of this article lists the rights and duties of Data Principal and the Accountability framework that has been set up for data fiduciaries, by the bill. The second section deals with how these rights and duties affect individuals and their privacy. 

I. The Bill.

A. Rights of the Data Principal

a) The Data Principal can know whether the data they gave to a data fiduciary is still being processed or has been processed; can get a summary of all their data available with the data fiduciary and of the processing activities undertaken on such data; can learn the identities of other data fiduciaries with whom the data has been shared; and can obtain any other information as may be prescribed.[5]

An example of a part of this right is how we can download the details of our account on the social media platform Instagram, which provides us with the data it has on us.

b) The Data Principal can erase and remove data in accordance with the law and in the manner as may be prescribed.[6]

c) The Data Principal also has the right to get their grievances redressed by the data fiduciary, or by a Board set up by the Central Government if the Data Fiduciary does not reply within seven days or if they are not satisfied with the Data Fiduciary’s response.[7]

d) The Data Principal can also nominate another individual to exercise their rights in the event of death or incapacity.[8]

The rights of a data principal are accompanied by Section 16 of the bill which deals with duties of the data principal. One of the duties mentioned is that the data principal shall not lodge a false or a frivolous complaint to either the Data Fiduciary or the Board that will be constituted by the Central Government. The bill also mandates that the data principal can, under no circumstances, furnish any false particulars or suppress any material information or impersonate another person.[9]

B. Accountability Frameworks.

The Accountability framework from the bill can be divided into two sections. One is the positive obligation and the second is the exemptions from such obligations. 

1) Obligations of the Data Fiduciaries.[10]

a) The Data Fiduciary can only process data for a lawful purpose, and such data has to have been collected with the consent or deemed consent of the data principal; the data fiduciary has to give the data principal, on or before collecting the data, an itemised notice in clear and plain language containing a description of the personal data sought to be collected by the Data Fiduciary and the purpose of processing of such personal data.

b) Data Fiduciaries are obligated to employ reasonable security safeguards to prevent personal data breach and should remove data from their possession once the purpose for which the data has been collected is fulfilled and it need not be retained for any business and legal purposes.

c) Data Fiduciaries should have a Data Protection Officer, whose contact details need to be mentioned on their website, and should have procedures in place to redress grievances of data principals.

d) Additional obligations for Data Fiduciaries arise regarding children’s data: any processing of data on children that might cause harm to them cannot be done, verifiable consent of the parent or a legal guardian is required, and Data Fiduciaries shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children.

e) The government will notify what constitutes a significant data fiduciary on the basis of the volume and sensitivity of personal data processed; risk of harm to the Data Principal; potential impact on the sovereignty and integrity of India; risk to electoral democracy; security of the State; public order; and such other factors as it may consider necessary.

f) These significant data fiduciaries will have to appoint a Data Protection Officer and will have to conduct periodic audits and Data Protection Periodic Assessment.

2) Exemptions[11]

a) Deemed Consent[12]

The bill proposes a vast number of scenarios in which an express consent from the Data Principal is not necessary and their consent would be deemed to have been given for the processing of their data. These scenarios include for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health; for taking measures to ensure safety of, or provide assistance or services to any individual during any disaster, or any breakdown of public order; for the purposes related to employment, including prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, recruitment, termination of employment, provision of any service or benefit sought by a Data Principal who is an employee, verification of attendance and assessment of performance.

The bill also deems that people have given consent for the processing of publicly available data among others in the wide scenario of public interest. Additionally, the consent is to have been deemed for any fair and reasonable purpose as may be prescribed after taking into consideration whether the legitimate interests of the Data Fiduciary in processing for that purpose outweigh any adverse effect on the rights of the Data Principal; any public interest in processing for that purpose; and the reasonable expectations of the Data Principal having regard to the context of the processing.

b) None of the obligations, except the obligation to keep the data secure with reasonable security practices, apply when personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law, among other reasons such as performance of judicial and quasi-judicial functions.[13]

c) The Central Government can also notify and exempt any instrumentality of the State from the provisions of the whole Act in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these.[14]

d) The Central Government is also empowered, having regard to the volume and nature of personal data processed, to notify certain Data Fiduciaries or classes of Data Fiduciaries as exempt from the obligation of purpose limitation, the additional obligations of a significant data fiduciary and the additional obligations regarding processing of the data of a child.[15]

e) The State and its instrumentalities are also exempted from purpose limitation, i.e., the state and its instrumentalities can retain the data for indefinite periods.[16]

f) And finally, there is a Data Protection Board of India which will determine non-compliances with the bill and also pronounce decisions after giving a fair hearing; appeals from the decisions of this board will lie to the High Court.[17]

 

II. The Impact of the Bill on Rights of People

a) Potential tools for Surveillance State.

That the state will now be legally allowed to retain data for indefinite periods without any directive whatsoever could open doors for a Big Brother state which is ready to see and hear everything.

This exemption applies not just to the state’s core functions like the police, civil supplies, etc., for whom the indefinite data storage exemption is problematic in itself, but also to the instrumentalities of the state, which means all government bodies including government hospitals, colleges, schools and any entity that constitutes the government. This means huge amounts of data could be stored with the government and its arms for indefinite periods of time regardless of the purpose for which the data was collected.

b) Deemed Consent

The definitions of instances in which the data principal is deemed to have given their consent are not only broad and vague, but also allow for even broader expansion by the state.

For example, the data principal is deemed to have given consent for processing of his data for the purpose of taking any measure to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order. After this, a special case is made for public interest, and then again the government is empowered to prescribe the instances in which consent is deemed to be given. The government is directed to take into consideration whether the legitimate interests of the data fiduciary outweigh the adverse effects on the Data Principal, whether the processing has been done in the public interest, and the reasonable expectations of the Data Principal in the context of that processing. This clearly indicates an alienation of the data from the Data Principal, gives its ownership to the state and empowers it to decide what could be done with such data.

The deemed consent in the case of personal data processed for purposes related to employment is particularly concerning, especially given how modes of employment have changed after the pandemic. There are multiple scenarios in which employee personal data that is collected by employers could be processed in an unfair or prejudicial manner.

To give just one example, in a service centre of the multinational clothing brand H&M, large amounts of employee data were collected, including their illnesses, vacation times, family issues, religious beliefs and other facets of employees’ lives. In addition to a meticulous evaluation of individual work performance, the data collected in this way was used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment. The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights. Since no consent is being given explicitly by the employee, the company would be able to use the data collected in any way without the employee ever having a clue. Therefore, effectively, via deemed consent, the Act empowers some sections of data fiduciaries to bypass the provisions of the Act.

c) Excessive Delegation and Delegation without Direction

The central government is empowered both to notify significant data fiduciaries in the first place and to exempt them from additional obligations.

The legislation does not give any directions to the government for it to follow while laying down the rules. For example, the bill mandates that the data fiduciary take consent, a verifiable one, from the parents or legal guardian before collecting the data of a child and it also mandates that the data fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children. However, a bypass of these two mandates is available to the data fiduciary as prescribed by the government, as per its whims and fancies and without any directions.

Another example is that the bill gives a right to the data principal for correction and erasure of the data, but according to the laws and in the manner prescribed. Here, the government is given the power to curb the right of the data principal to erase their information completely. At least, such power has not been recorded in the bill. These excesses of delegation give arbitrary powers to the administration on crucial legislation. 

d) The Bill also imposes a penalty of up to ten thousand rupees on a data principal who does not comply with the specified duties, one of which is not to file a false or frivolous complaint. There are two issues with this provision. One is that there is no indication whatsoever as to what can be considered false and frivolous and what cannot. On another level, imposing a penalty on data principals is counterproductive to legislation that aims to protect digital personal data, since it would discourage people from lodging complaints.

e) The Board, which the bill proposes to constitute, has members appointed by the government and such members only. This is concerning on two levels. First, if they are appointed by the government, an inherent conflict of interest arises when deciding issues concerning the state itself. Secondly, no other information about the board, including the qualification of the members, has been provided by the bill. It empowers the executive to make the rules.

Conclusion

Despite more than six years of intense public discourse on privacy legislation, backed by jurisprudence from the highest court, the government has yet again come up with a bill that completely undermines the rights of people, more than the previous bills did. People are a reflection of the memories they accumulate, and the actions they then perform also become their memories. To store records of such actions and to be able to analyse them is a process that commands huge power. Through this Bill, not only does the state vest in itself this power unilaterally, but it also empowers itself to extend such power to any other entity. To amend and better this bill too would be a facile act, given that the bar is set so low. Again, the Modi 2.0 government is weaponising the state with a law that specifically annuls a citizen’s right to privacy and control over personal data, a hard-earned right, finally articulated only in 2017 in the Puttaswamy judgement.

(The author is a legal researcher currently giving his post graduate examinations)



Digital Personal Data Protection Bill seeks to amend RTI Act to bar disclosure of personal information https://sabrangindia.in/digital-personal-data-protection-bill-seeks-amend-rti-act-bar-disclosure-personal/ Mon, 21 Nov 2022 06:29:53 +0000 http://localhost/sabrangv4/2022/11/21/digital-personal-data-protection-bill-seeks-amend-rti-act-bar-disclosure-personal/ The draft of the Digital Personal Data Protection Bill, which was released by the Ministry of Electronics and Information Technology on November 18 to invite public comments, has a provision which proposes to amend the Right To Information Act 2005.


Clause 30(2) of the draft proposes an amendment to Section 8(j) of the RTI Act, which will have the effect of totally exempting personal information from disclosure. Section 8(j) of the RTI Act states that information which relates to personal information will be exempted from the RTI Act if its disclosure has no relationship to any public activity or interest, or if it would cause unwarranted invasion of the privacy of the individual, reports LiveLaw. However, the Public Information Officer can direct the disclosure of such personal information if the authority is satisfied that “the larger public interest justifies the disclosure of such information”.

Also, there is a proviso to Section 8(j) which says that personal information which cannot be denied to the Parliament or the State Legislature cannot be denied to an RTI applicant.

Now, the draft Digital Personal Data Protection Bill proposes to completely take away the limitations on the restrictions to disclose personal information and also to remove the powers of the Public Information Officers to allow disclosure of such information on the ground of larger public interest. The proviso to Section 8(j) is also proposed to be taken away.

Clause 30 of the draft now reads as follows –

“Clause (j) of sub-section (1) of section 8 of the Right to Information Act, 2005 shall be amended in the following manner:

(a) The words “the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information” shall be omitted;

(b) The proviso shall be omitted.”

If these proposed amendments receive Parliamentary approval, Section 8(j) of the RTI Act would read as “information which relates to personal information”. In other words, personal information will be totally exempt from disclosure.

Noted RTI activist and former Central Information Commissioner Shailesh Gandhi has expressed concerns at this proposal, which he opined will result in “significantly weakening the RTI Act”, says LiveLaw.

“This will make RTI Right to Denial of Information. Most information relates to a person and thus could be denied. Even now many PIOs, Commissions and Courts deny personal information. What has been de facto is being converted into de jure. This is the biggest step to weaken RTI and its potential to curb corruption and wrongdoing. Citizens must protest and send their objections”, he said.

Union Minister for Electronics and Information Technology Ashwini Vaishnaw has shared the draft of the bill on Twitter for public feedback.

MeitY has invited feedback from the public on the draft Bill by December 17, 2022. The feedback can be submitted on the MyGov website.

Why Centre withdrew Data Protection Bill 2019 and what is in the offing https://sabrangindia.in/why-centre-withdrew-data-protection-bill-2019-and-what-offing/ Fri, 05 Aug 2022 04:20:14 +0000 http://localhost/sabrangv4/2022/08/05/why-centre-withdrew-data-protection-bill-2019-and-what-offing/ Government is likely to come up with more comprehensive legislation in winter session of Parliament


New Delhi: Data protection is among the most significant issues being debated in the public space due to the growing role of technology in people’s lives, and the government has decided to withdraw the Personal Data Protection Bill, 2019 and come up with more comprehensive legislation.

The issue has several dimensions, and the Joint Committee of Parliament which scrutinised the bill made major recommendations, making it necessary for the government to have a relook at the bill.

Union Electronics and Information Technology Minister Ashwini Vaishnaw on Wednesday moved a motion for withdrawal of the bill in Lok Sabha. The government is likely to come up with more comprehensive legislation in the winter session of Parliament.

The 2019 bill had come under criticism from some civil society groups who said that considerable exemptions have been given to the government and its agencies. Some foreign tech companies apparently had issues with provisions concerning data localisation.

The 2019 bill had also been the subject of considerable deliberation. Ashwini Vaishnaw on Thursday explained the reason behind withdrawing the Bill, asserting that the aim is to bring new comprehensive legislation on par with the technology landscape, which is changing rapidly.

He said the Joint Committee of Parliament recommended 81 amendments in that Bill that had 99 sections which practically meant overhauling the Bill.

Speaking to ANI, the Union Minister said, the Joint Parliamentary Committee recommended major changes in the Bill, which was like rewriting the entire Bill.

“The Joint Parliamentary Committee did very extensive work. They consulted a very large number of stakeholders. After it, the Joint Committee of Parliament gave a very comprehensive report which recommended 81 amendments in a Bill that was of 99 sections, it was practically rewriting the entire bill. Apart from the amendments, there were some 12 major suggestions from the committee,” he said.

The minister said that it was important to withdraw the old Bill to come up with a contemporary and modern legal framework to tackle the challenges of coping with the rapidly changing technology.

Apart from the new Data Protection Bill, there is also a Telecom Bill and the amended IT Act of 2000 – all of which are expected to create the legal framework for India’s digital economy.

“To make sure that we do a comprehensive Bill it was important to withdraw the old Bill and very soon we will be coming out with a new Bill. With the whole digital economy that we have and the way the technology landscape is changing rapidly, we need a very contemporary and modern legal framework. Today telecom is the primary method by which data is consumed,” he said.

“Our focus on making social media accountable has given good results. There is a good response to any law enforcement agency request which comes. No question of coming under any pressure, it is a very conscious decision (of withdrawal) and a well-thought-out process,” he added.

The government had, on July 31, 2017, constituted a “Committee of Experts on Data Protection” chaired by Justice BN Srikrishna to examine the issues relating to data protection. The committee examined the issues on data protection and submitted its report on July 27, 2018.

The 2019 Bill sought to bring a strong and robust data protection framework for India and to set up an Authority for protecting personal data and empowering citizens with rights relating to their personal data, ensuring their fundamental right to “privacy and protection of personal data”. The Bill also sought to create a policy framework for data usage, including by tech giants such as Meta and Google.

The bill was sent to a Joint Committee of Parliament which gave its report on December 16, 2021.

Courtesy: The Daily Siasat

New data protection law comprehensive but full of exemptions https://sabrangindia.in/new-data-protection-law-comprehensive-full-exemptions/ Thu, 12 Dec 2019 13:06:39 +0000 http://localhost/sabrangv4/2019/12/12/new-data-protection-law-comprehensive-full-exemptions/ In the Winter session of this year, the ‘Personal Data Protection Bill’ based on the recommendations and findings of the Justice Srikrishna report, has been tabled in the Lok Sabha. The bill, however, has been referred to a joint select committee consisting of 30 members who will submit their report by the budget session next year after many opposition parties wanted changes to be made to the law.


An individual’s right to privacy was re-affirmed by the Supreme Court in 2017 in the Justice Puttaswamy case, in which concerns were raised pertaining to the violation of data privacy caused by the collection of data under the Aadhaar scheme. At one point the government had sought to make linking of Aadhaar to every service mandatory, but the Supreme Court made linking of Aadhaar voluntary, except for availing benefits under government schemes. It also made linking of the PAN card and Aadhaar card mandatory, in order to avoid tax frauds.

It was due to this case that the need arose for legislation to regulate data protection and to safeguard people’s right to privacy. In the above-mentioned case, the Supreme Court had reaffirmed the right to privacy to be a fundamental right. A committee was set up by the government in 2017 under the chairmanship of retired Supreme Court Judge Justice Srikrishna. The report of the committee has been in deliberation since it was submitted to the government, and finally this draft bill has been presented.

The bill in brief

The bill includes many recommendations from the report as provisions. It has some salient features, such as the definition of personal data, sensitive personal data and the handling of children’s data; it also provides for withdrawal of consent and the seeking of express consent. The bill imposes a lot of regulations on social media aggregators/intermediaries which may have significant impact on electoral democracy, security, public order, sovereignty and integrity of India, designating them as significant data fiduciaries, thus bringing companies like Google, Facebook, Twitter and WhatsApp under its ambit.

As a whole, the bill seems to be giving protection of people’s data high priority and is also making entities possessing such data accountable, by imposing severe penalties for acting in contravention to provisions pertaining to protection of data, informing on breach of data and so on. It also provides for creation of an Authority to deal with complaints against breach of data and any other complaints against data fiduciaries as also an Appellate Authority for faster redressal of complaints.

The bill covers all personal data collected or shared by the State or any company or citizen or body corporate, even outside the territory of India, which carries out business in India or which engages in profiling of data. In technical terms, the bill seems robust and comprehensive, especially in the definitions it has accorded to different categories of personal data, thus indicating that the Ministry has taken due note of the Justice Srikrishna report and based the law purely on its findings, albeit not completely.

The main issue is that it gives the government certain exemptions from having to abide by the provisions on several counts, which are arbitrary and vague in their definition and which could be misused by the government from time to time to justify its actions of breaching people’s data and to do away with seeking consent.

Waiver of consent

Section 11 of the bill provides for processing of data only with the consent of the data principal, i.e. the person to whom the data belongs. Section 12, however, waives this consent for the government, enabling it to process data without the consent of the data principal. It provides that this can be done by the government for performance of its functions for provision of service or benefit, for compliance with an order/judgment of any court, to respond to a medical emergency, to provide health services and to undertake measures to ensure safety during a disaster or breakdown of public order.

Further, it allows formulation of any regulations under the law to waive consent for “reasonable purposes” while taking into consideration certain factors such as public interest, interest of the data fiduciary and so on. Reasonable purposes may include prevention and detection of unlawful activity, whistle blowing, mergers and acquisitions, network and information security, credit scoring, debt recovery, processing of publicly available data, and operation of search engines.

Rectification of Data

Section 18 speaks about the rights of the data principal to correct inaccurate data, complete incomplete data, update data and erase data that is no longer necessary for the purpose for which it was processed. The same section gives the data fiduciary the authority to reject such an application made by the data principal for making changes in his/her own data, while providing reasons for such rejection.

Right to receive one’s own data

Section 19 provides for receipt by the data principal of data which is processed by automated means. Within the same section the State is exempted if the processing is done for functions of the State or in compliance with any law, and if such compliance with the data principal’s request would reveal a trade secret of a data fiduciary.

Blanket exemption

Section 35 gives an almost blanket exemption to the government to deal with the data principal’s data without having to follow the provisions of the law, if such processing of the data (which includes sharing) is in the interest of sovereignty, integrity and security of the state, if it affects friendly relations with a foreign state, or for preventing incitement to the commission of a cognizable offence relating to the aforementioned. There is also exemption from certain provisions if data is processed in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of any law; if disclosure is necessary for enforcing legal rights; if it is necessary for any judicial function; if processing is necessary or relevant for a journalistic purpose.

Exemption for purposes of research, archiving or statistical purposes

Section 38 provides that if data processing is necessary for research, archiving, or statistical purposes then it shall be exempt from application of provisions of this law if the compliance with the provisions of the law might disproportionately divert resources from such purpose; purposes of processing cannot be achieved if the personal data is anonymised; if data processed does not cause significant harm to data principal and so on.

It is hoped that the joint select committee that examines the law comes up with suggestions and recommendations that do not expose people’s personal data to exploitation by the government under these ‘exemptions’, which it is most likely to misuse and use as a defence for breaching people’s data.

The complete bill as presented in the Lok Sabha may be read here.

 
