The New Bill Doesn’t Protect Citizens’ Privacy
The Union Government introduced the Digital Personal Data Protection Bill before the Lok Sabha on Thursday. The bill has been through many rounds of revisions, and this is its 4th iteration. In November last year, the bill was open to public consultation and received criticism for giving considerable powers and exceptions to the central government.
After significant changes to the bill, the opposition still raised concerns about it. There was an uproar by Congress Minister Manish Tewari, who protested the bill’s classification as a Money bill. The IT Minister, Ashwini Vaishnaw, clarified that it is an ‘ordinary bill’.
What has changed?
There are multiple changes from the previous draft of the bill. One of the essential differences is that the definition of ‘processing’ has been updated to include data that has been wholly or partly automated. This comes after significant developments in generative AI.
Another significant change in the scope is related to profiling of citizens of the country. In the 2022 version, any foreign entity processing data of Indian people, such as analysing the behaviour, would be subject to the law. However, the 2023 version has removed this rule. Now, the law doesn’t apply to “profiling” that happens overseas.
The government was supposed to notify countries where data can be sent for processing. Now, in a complete reversal, the bill grants relief to the industry: the government will notify only the countries where personal data cannot be sent for processing.
Exemptions for startups
Startups can also breathe easy knowing that the bill introduces exemptions for them to reduce compliance burdens. The Central Government has the power to exempt certain categories of businesses, including startups, from specific compliance requirements like providing prior notice before obtaining consent, ensuring data accuracy, erasing data after its purpose is served and other obligations related to significant data fiduciaries.
Appeal system and Penalties
In terms of grievance redressal, the new Bill provides for a tiered mechanism. Individuals with grievances must first approach the data fiduciary’s grievance redressal mechanism. If they are not satisfied with the outcome, they can then approach the Data Protection Board. Appeals from the Board will be handled by the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
The penalties for non-compliance have been revised in the 2023 Bill. Interestingly, the maximum penalty, which was earlier capped at 500 crore rupees, has now been done away with, and there are no criminal consequences for the action. There is no upper limit now as far as the penalty is concerned. Shahana Chatterji, partner at Shardul Amarchand Mangaldas & Co, says, “In the earlier iteration it was more of a drafting issue and the intention was not to create a cap on the penalty that could be imposed. Now, a whole schedule of penalties can be imposed depending on what the non-compliance is. And, in fact, the board has to consider various factors when it is imposing this penalty. I think they have done away with some of the confusion that was arising from the drafting in the earlier iteration.”
She further says that the penalty framework moving away from a criminal prosecution is a fantastic move. “It’s very much aligned with the Jan Vishwas Bill. I think it’s very consistent with the way in which data privacy frameworks globally operate as well,” she concludes.
Deemed consent in other words
The new Bill retains the concept of deemed consent but applies it to specific legitimate uses. Data can be processed without explicit consent as long as it’s given voluntarily and is for a “legitimate purpose” provided under the Bill. Entities collecting data see a reduced compliance burden, and the final version has done away with the need to seek consent for the transfer of personal data to a third entity for processing.
Consent is considered given if the individual has not explicitly indicated refusal, or for certain situations like issuing subsidies, benefits, services, etc., where consent was previously obtained by a state instrumentality for a digital purpose. It also includes situations related to national interest, compliance with judgments, medical emergencies, disaster response, public health threats, and health services during epidemics. However, the extent of consent is limited to the specific purpose for which it was given.
The government had received considerable feedback on a clause in the earlier draft, which required entities to seek consent from parents while processing personal data of children. It has now been tweaked a bit. If the government is satisfied that the personal data of children is being handled securely, it may prescribe an age beyond which the entity collecting data may no longer require parental consent. This benefits corporations, where previously dealing with such consent was a logistical nightmare.
Sweeping powers to the government
The 2022 draft provided the Data Protection Board with protection from prosecution, suits, or legal proceedings as long as actions were done in good faith. The new Bill extends this immunity to the central government as well. Any action taken by the government, intended to be done in good faith, will be protected from prosecution.
In a couple of additions: the government has given itself the power to block certain entities; the government has also given itself the power to seek any data from entities for purposes of this act.
In another tweak to the earlier draft, the final version of the bill gives the central government immunity from lawsuits. This is in addition to the immunity enjoyed by the data protection board, its chairperson, and its members.
Finally, decisions of the data protection board can now be challenged before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). As per the earlier draft, it could be appealed only before high courts, but now on.
India isn’t getting it right
With such a large concentration of powers with the government, the opposition is also unhappy with the bill. The Internet Freedom Foundation has written a list of grievances echoing its previous concerns, which haven’t been addressed.
The government has made more exceptions for itself, which could lead to increased state surveillance. There are also concerns about unclear rules on important matters left for future decisions. Changing the Right to Information Act weakens its strong nature. Moreover, the government has too much control over the Data Protection Board, and there are strict duties and penalties for Data Principals.
Amit Jaju, Senior Managing Director, Ankura Consulting Group (India) compares the bill with the European Union’s GDPR, stating there are several similarities, such as the emphasis on consent, rights of the data subject (similar to Data Principal in the Indian bill), and penalties for non-compliance. “However, there are also differences. For instance, GDPR has stricter regulations on data transfer outside the EU and has provisions for the “right to be forgotten”, which allows individuals to request the deletion of their data under certain circumstances. The Indian bill, on the other hand, has a focus on the establishment of a Data Protection Board, which is not a feature of the GDPR.”
The post The New Bill Doesn’t Protect Citizens’ Privacy appeared first on Analytics India Magazine.



