Digital Personal Data Protection

The latest draft of India’s Digital Data Protection Bill, 2022, stands out for its simplicity and new concepts like “voluntary undertaking” and official recognition of “consent managers.” However, it omits features like data portability and the right to be forgotten. Critics argue the draft lacks safeguards and over-delegates legislative authority, particularly around the concept of “deemed consent.” But the principles-based approach it espouses could ensure agile and enduring data protection regulation.

This article was first published in The Mint.


Last Friday afternoon, the latest version of India’s privacy law was released for public consultation. Having already studied more versions of the law over the past five years than should have been necessary, I was resigned to having to read through yet another variation on a familiar theme.

A cursory glance was all it took to see that this draft was markedly different from those that had come before it.

Simplicity

What immediately strikes you about the Digital Data Protection Bill, 2022, is its simplicity. Its definitions are concise—limited to only that which is necessary. Clauses are terse and peppered with illustrations that explain, by example, how they should be interpreted. It is a refreshing change from the increasingly complex formulations we’ve had to wade through in every successive draft that followed the original version put out by the Justice Srikrishna Committee. By starting afresh, the draft has shaken free of the constraints of form and substance that previous versions had to contend with.

The result is an all-new draft law that has little in common with those that preceded it. Many of the more worrisome concepts that had found their way into earlier drafts are gone—from the misguided attempt to bring non-personal data regulation under the ambit of the privacy law to the attempt to create a new category of “critical” personal data (whatever that meant). Data localisation seems to be a thing of the past, with transfers freely permitted to all countries notified in a separate schedule.

New Concepts

The draft also introduces a number of new concepts. There is the notion of a voluntary undertaking—an option that transgressors can avail to be forgiven in exchange for a commitment to make appropriate amends. We also have official recognition of consent managers—the central feature of India’s Data Empowerment and Protection Architecture (DEPA)—as platforms registered with a proposed Data Protection Board through which consent could be given, managed, reviewed and withdrawn.

To be clear, there are concepts missing from the draft. I was surprised to find that both the right to data portability and the right to be forgotten, two features present in most modern data protection laws, had not been included. But not nearly as (pleasantly!) surprised as I was by the exclusion of “sensitive” personal data as a distinct category entitled to enhanced protections. That said, the most important thing at this stage is to create a culture of data protection in the country. Once we have done that, we can introduce greater differentiation in data categories and offer more sophisticated rights.

Civil Society Reactions

By Friday evening, social media was buzzing with comment on the draft. To my surprise, some of the loudest voices were critical of the brevity I thought was its finest feature. They alleged that, in attempting to draft a simple law, the government had denuded the bill of many of the safeguards that earlier versions had carried.

They took particular offence at the fact that the term “as may be prescribed” has been used 18 times in the 2022 bill, arguing that this indicated the extent to which the government had delegated its legislative authority to the executive.

But most of all, they were appalled by the notion of “deemed consent”, viewing it as an unacceptable incursion into our autonomy over our personal data.

And so I took a closer look at the specific section of the draft law that proposed the concept of “deemed consent” to try and figure out what I had missed. I found that if you read past the ominous title, there is little in the substantive provisions of Section 8 that leads to such a conclusion.

What the section refers to is no different from the processing permitted under Europe’s General Data Protection Regulation (GDPR) for contractual necessity, in the legitimate interests of the data fiduciary or other specified grounds, such as in the public interest, and to protect the vital interests of the data principal. These are all widely recognised around the world as legitimate grounds under which personal data may be processed without consent. To say that processing data in this manner erodes the autonomy of individual data principals suggests a less than complete appreciation of the practice of data protection law.

Principles Based Regulation

As I listened to shrill reactions to the draft bill, I couldn’t help but recall how many of the most vociferous complaints about previous versions had been that they were too complex. What precise formulation would it take, I wondered, to satisfy everyone.

The fact is that technology regulation is hard. More often than not, the time between enactment of a law and its rapid descent into obsolescence is shorter than we appreciate. The only way to ensure that a piece of technology legislation lasts long enough to be effective is to ensure that it is based on principles that can be enforced through agile regulation.

This is the concept of Principle Based Regulations, which has featured in the pages of this column more than once. It is, I believe, the only sensible approach one can take to enact an effective data protection regulation in the country.

As for the 18 times that the term “as may be prescribed” has been used, I checked for myself, and barring maybe 3-4 instances, the term has been used to prescribe things like the form of notice, technical conditions for the registration of consent managers and other similar details that should rightly be left for later. Including such details in the main body of the law would, under all circumstances, have been wholly unwarranted.