Introduction
The draft of the Data Protection Bill, 2023 came out for public consultation in early August. In this piece, the author dissects the various provisions of the Data Protection Bill, 2023 in comparison to the previous version of 2022 and points out its flaws and strengths. The author proceeds to examine the Digital Personal Data Protection Bill, 2023 by focusing on various key aspects such as the processing of personal data, data localisation, promotion of the ADR process and the powers of the Data Protection Board of India. The author concludes that though the Digital Data Protection Bill, 2023 makes some improvements in comparison to the previous version of the Data Protection Bill, it needs to incorporate various changes in order to realise the vision of making India a full-fledged digital economy.
Processing of personal data
The statement of objectives and reasons states that the purpose of the Digital Personal Data Protection Bill, 2023 is to provide for the processing of personal data in a manner which recognises, first, the right of individuals to protect their personal data and, secondly, the need to process such personal data for lawful processes. Though the Bill provides a definition of what is meant by personal data, it once again fails to distinguish between personal data and sensitive personal data. Thus, one has to rely on rule 3 of the Information Technology Rules, 2011 in order to understand the meaning of sensitive personal data. Considering the fact that the Digital Personal Data Protection Bill of 2023 has already amended the provisions of the IT Act of 2000, it could have further provided the definition of sensitive personal data by amending the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
Further, the Bill fails to provide any understanding of how two important concepts, i.e., pseudonymisation and anonymisation, will be implemented. In simple terms, pseudonymisation refers to the processing of personal data in such a way that the identity of the data recipient cannot be uncovered unless the same is accompanied by any additional data. In contrast, anonymisation refers to the processing of personal data in such a way that it completely hides the identity of the data recipient. The European Union has clearly been evolving the usage of pseudonymisation of data, with a recent judgment of the EU General Court holding that ‘pseudonymised data’ is not personal data. The Bill could have clarified how an organisation can use pseudonymised data and anonymised data, and the failure to define such important terms leaves it susceptible to different interpretations. At the same time, Section 27 of the Digital Personal Data Protection Bill, 2023 makes it extremely difficult to prosecute the Central Government or any members of the Data Protection Board if any act has been committed in good faith. Though clause 22 of the General Clauses Act defines the meaning of good faith as where any act is done honestly, irrespective of negligence, it makes prosecution of the Data Protection Board of India or the Central Government challenging and onerous since what constitutes an act being done honestly is difficult to define.
Data Localisation and transfer of data outside countries
Section 17 of the Digital Personal Data Protection Bill, 2023 lays down the procedure on how to transfer data outside India. Further, Section 17(2) of the Digital Personal Data Protection Bill prohibits the transfer outside India of certain categories of data that require a higher degree of protection. Though there is a clear expansion of the procedure on how the transfer of personal data will take place outside India in comparison to the Digital Personal Data Protection Bill of 2022, there is no clarity on what kinds of data require a higher degree of protection. For example, the Digital Personal Data Protection Bill of 2023 could have made a clear prohibition on the transfer of sensitive personal data, but because the Bill does not incorporate the meaning of sensitive personal data, it fails to make any distinct segregation between which kinds of personal data will be transferred and which kinds of personal data will not be transferred. There were also reports of the Central Government releasing a report of ‘trusted nations’ where the transfer of personal data will be allowed. However, the Bill nowhere mentions anything about ‘trusted nations’, making it again difficult for companies to realise how they can transfer personal data.
Promotion of ADR Process
Section 24 of the Digital Personal Data Protection Bill provides a way for the parties to settle the dispute by Alternate Dispute Resolution. This has been a consistent feature, and it was also present in Section 23 of the Data Protection Bill, 2022. This is a positive step and the author hopes that the parties will be able to effectively utilise this provision in order to settle their disputes amicably. A report by WIPO highlights that the ADR process can help to quickly settle disputes, for example, in cases of data exchange agreements, intellectual property valuations and so on. Thus, the ADR process can prove to be a good step in solving disputes amongst various companies on a host of issues.
Powers of the Data Protection Board
Unfortunately, like the Digital Personal Data Protection Bill of 2022, the Data Protection Board has once again been conferred with a significant amount of power. For example, under Section 19, the Chairperson and members of the Data Protection Board of India are to be elected by the Central Government. Such a move raises the question about the independence of the Data Protection Board. At the same time, the Data Protection Board has been given powers under Section 26, along with the Schedule attached to the Bill, to impose hefty fines on companies which fail to comply with the Data Protection Bill. For example, a penalty of rupees 250 crore has been proposed in case of any data breach by a data fiduciary. Such a hefty fine also fails to distinguish between various kinds of companies, for whom it may not be possible to incur such an amount of fine. In order to ensure a level playing field, the Digital Personal Data Protection Bill, 2023 could have proposed to impose these kinds of huge fines on companies which are proposed to be designated as ‘significant data fiduciaries’ under Section 11 of the Data Protection Bill, 2023. These ‘significant data fiduciaries’ can be designated on the basis of sensitive and personal data handled by them, risk to electoral democracy and so forth. Such a proposal would have ensured that there are no unnecessary burdens on emerging startups and companies which do not have huge turnovers.
Conclusion
Though the Digital Personal Data Protection Bill, 2023 improves on various aspects such as the designation of ‘significant data fiduciary,’ giving discretion to lower the age of children, and promoting the process of ADR while resolving disputes amongst companies dealing with data, there is still a long way to go. It has already been reported that the Opposition has walked out of the Joint Session on the Digital Personal Data Protection Bill due to concerns about the new Bill infringing the privacy of individuals and giving too many powers to the Data Protection Board. The independence of the Data Protection Board of India needs to be ensured in order to make it immune from the interference of the Central Government.
In order to realise the true potential of an effective Digital Data Protection Bill, 2023, it is important to introduce various concepts such as the meaning of anonymised data and pseudonymised data in order to ensure that there is an easier facilitation of movement of data amongst different companies. Lastly, the author expects the Central Government to release the list of ‘trusted nations’ and conditions through which there can be seamless data transfer amongst various nations.
(This post has been authored by Siddharth Chaturvedi, a student at DNLU, Jabalpur.)
Cite as: Siddharth Chaturvedi, ‘Digital Personal Data Protection Bill, 2023: An incomplete development’ (The Contemporary Law Forum, 15 August 2023) <https://tclf.in/2023/08/15/digital-personal-data-protection-bill-2023-an-incomplete-development/> date of access.