Digital Personal Data Protection Bill 2022: Not Everyone’s Unhappy

Data Protection Bill: It's a principles-based draft, and will do the job, argues Trilegal's Rahul Matthan.

<div class="paragraphs"><p>(Source: Unsplash)</p></div>
(Source: Unsplash)

Too vague, too much left to rule-making, too wide in terms of exemptions for government agencies. These are some of the criticisms that experts have voiced against the Digital Personal Data Protection Bill, 2022.  

The bill mentions the phrase “as may be prescribed” 18 times. This is symbolic of the vague and unchecked powers that the government has retained for itself to frame rules at a later stage in the absence of legislative guidance, says the Internet Freedom Foundation.  

The devil lies in its silence, points out Vidhi Legal’s Alok Prasanna Kumar, arguing that while the Bill provides for the creation of a Data Protection Board of India, it is shorn of details on what such a board will look like and what it will do. 

But not everyone is seeing the Digital Personal Data Protection Bill, 2022 in this light.

Rahul Matthan, partner at Trilegal, who has been closely associated with India’s data protection journey, told BQ Prime that the proposed bill is good law.

According to him, when the Justice Srikrishna Committee floated its draft, the first thought was, ''Why are you giving us something so complex? We are just starting out into this data protection journey in this country, and you're giving us a GDPR style law and then every successive draft has become more and more complex''.  

Now, we have got something simple, and everyone is saying it's too simple. We will never find the perfect medium between too complex and too simple. This is a law that covers the things that it needs to cover.
Rahul Matthan, Partner, Trilegal

The second thing is that we tend to forget that when you regulate technology, more detail is worse because technology, as we have seen in so many instances, far outstrips the ability of lawmakers to legislate on, he said.  

“For a while, I have been talking about principle-based legislation; that we have got to legislate principles and then have agile governance in order to deal with evolving technologies, and so, for a principle-based framework, you need to have simple laws that can then be acted upon in response to the changing directions in which technology moves.” 

But what about the fears that the government has given itself too much power to exempt its agencies from the rigors of the law? 

Matthan says that nothing this law does or does not do is going to erode the rights that individuals have under the Constitution.

He highlighted that the government has to follow the oversight mechanism and guidelines that the Supreme Court has laid down in the Puttaswamy judgment, which interpreted the fundamental rights.

My point is not to minimise this. My point is just to say one, exemptions exist in every law. To now fight over the exact language, you know, do we have reasonable not reasonable here or not, doesn't matter. You (the government) have to act reasonably. That's what the Supreme Court says.
Rahul Matthan, Partner, Trilegal

There is nothing that will be harmed by the fact that the word reasonable (in the way the government applies the exemptions) is not in this legislation, he said.

“You may say that it points to intent. Okay. But then, don't catch them on this imagination that they have this intent. The first time the government does something wrong, go after them, go to court.” 

That said, from a data principal or user's perspective, there are two rights which the government should consider adding—the right to data portability and right to compensation for any harm that's caused by a data fiduciary, Matthan suggested.

This right to data portability exists in Europe's General Data Protection Regulation. Even before that, this concept existed and, as a strategy, Europe is doubling down on the right to data portability. California, too, has got a strong data portability provision. The OECD has got working groups on data portability, he said.

So, to find that missing in this Bill, it was a bit of a disappointment. Particularly, since India has got powerful digital data transfer infrastructure, like Data Empowerment and Protection Architecture and ONDC; we really need to have a right to data portability in the law.
Rahul Matthan, Partner, Trilegal

Two, right to compensation should be there, not just for data breach, but compensation also for any harm that's caused. ''I think when we have a good definition of harm, it will be nice to see some consequences. Right now, there are just penalties but the people who are harmed don't really get anything out of it," he said.

Watch the full interview here:

New Data Protection Bill Is Here: Up To Rs 500 Crore Penalty For Non-Compliance And Other Highlights

Edited excerpts from the interview:

The Bill covers personal data which has been collected online, and offline personal data which has been digitised. It exempts non-automated processing of personal data. What is the thought here? 

Matthan: It's not a departure from the way the rest of the world thinks about it. We have been collecting data of all sorts since Harrapan times. It's just the nature of commerce, it's the nature of our interactions in society. But none of that data is dangerous because you are not using it at scale.

Once we digitised data, we had the ability to use the data at scale and it is at that point in time, with the invention of the calculating machines by IBM, that you started to see regulations come in to do something about its use. It wasn't called big data in those days, but certainly digital data.

I think there's always been an exception for domestic processing. There's always been an exception for manual processing. The example that I often give is that if I am putting together a birthday party for my child, I will be collecting data of all the people that I am going to give return gifts to. I can’t be now classified as a data processor. That's a manual process and that's very much part of the ordinary interaction with people.

But when you collect digital data, that's when you can exploit it at scale and that's when individuals need to be protected and data fiduciaries need to be curbed. 

The Bill proposes the concept of consent and then there is a deemed consent. What are the practical implications now of this distinction? 

Matthan: Around the world, it is well recognised among data protection practitioners that consent cannot be the only grounds for processing. One of the failings of the earlier drafts was that we had too much of an emphasis on consent as the primary and I would argue in later drafts the only grounds for processing. But as a matter of fact, there are various instances where reasonable processing is accepted.

If you look at the illustrations that are provided in the Bill, it talks about if you call a restaurant and make a reservation, there is a deemed consent. That information which you gave, your telephone number, can be used by the restaurant to call you back and say look, yes, your reservation is confirmed or, it's cancelled or where are you. Then, you can't as someone who has voluntarily provided your number, go to the Data Protection Board and complain that your privacy has been violated because the restaurant called you to tell you that your reservation is canceled or whatever.

Now that's one example. But there are many such examples of legitimate interest and this is something that anyone who has been in the field actually found lacking in all our previous versions of the Bill.

I think the problem really is that we are using this word 'deemed consent' because that sounds like you are usurping my autonomy and assuming consent on my behalf. But if you look at the way the clause is drafted, the substance of the provision aligns much closer with the concept of legitimate interest and if you have to interpret it on the basis of the substance, I don't have this fear. If you have to interpret it based on the title, which is deemed consent, of course, there is the fear because it sounds deeply creepy.

If this Bill in this shape becomes the law, how will it improve the rights of the users or the life of the users? Today, we are just mindlessly giving access to a lot of our personal data.

 I am sorry to say I don't think it's going to stop. When Europe's GDPR, which is one of most detailed, onerous regulation in the world, was enacted, we all got little pop-ups saying please accept.

After the first three or four times, we all accept it. We didn't take it any more mindfully and we still do it with the cookie popups. So, this is the fundamental problem with a consent-based framework, and if you are expecting this Bill to be a magic bullet, I don't think it's going to be that from an autonomy perspective.

But, I think the fact that we will have a law which has some teeth, it actually has consequences and there are various compliance obligations for Data Fiduciaries, is going to make our lives safer.

I think from here, we need to see what the Data Protection Board will do because a lot of the implementation, guidance of this Bill is going to come from it. At the very least there will be a proper statute, which has got a regulatory framework and it has got consequences. That to my mind is enough.