New draft data protection bill evokes mixed reactions

19th November 2022
New draft data protection bill evokes mixed reactions
Image: kalhh from Pixabay

November 19, 2022 ( updated November 25): The government of India has published the draft of the Digital Personal Data Bill, 2022.
The aim of this Act is to provide regulation around digital personal data. It recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes.

The Union Minister for Railways, Communications, Electronics and Information Technology Ashwini Vaishnaw tweeted yesterday: "Seeking your views on draft Digital Personal Data Protection Bill, 2022."
The previous Data Protection Bill was revoked earlier this year, during the parliamentary Monsoon Session. Now the ministry has renamed it to Personal Data Protection Bill, which emphasizes solely on laws around user data.
Some of the most notable inclusions in this draft is revolves around social media and other tech companies. The Bill  states that the entity that collects data must cease to retain personal data, or remove the means by which the personal data can be associated with particular Data  Principals, as soon as it is reasonable to assume that the primary purpose has been satisfied.It also states that the data of the user should not be retained if it is not necessary for legal or business purposes.
The new Personal Data Protection bill also gives the owner of biometric data complete authority. Even if an employer needs an employee's biometric data to mark attendance, they will explicitly need consent from the employee.
The newBill will affect KYC data. A ban needs to complete the KYC process every time a savings account is opened. The data collected under this process also comes under the ambit of the new data protection bill. The bank will be required to maintain KYC data for a period beyond six months of closing the account. 
There's also a new set of rules for collecting and maintaining personal data of children. The entity asking for data will require the consent of the parents or the guardian to access the data. Social media companies will also have to make sure that Children's data is not being tracked for targeted advertisements. Source: Business Today
Expert reactions
Abhishek Tripathi, Managing Partner, Sarthak Advocates & Solicitors: The new bill appears to be an over-simplified version of the PDP Bill 2019. While certain essential tenets as to consent requirements for the processing of personal data have been retained from the earlier version of the bill, the distinction between sensitive personal data and personal data has been done away with. Deemed consent provisions particularly those arising out of public interest may also raise eyebrows, besides the extent of exemptions allowed. An important change relates to the substitution of earlier suggested Data Protection Authority of India with Data Protection Board of India. The functions, and most importantly composition of the Board are to be determined by the Government through delegated legislation. This may face constitutional challenge as it is arguably a case of excessive delegation.
Rupinder Malik, Partner, J. Sagar Associates: (a leading national law firm in India): The 2022 DPDP Bill has simplified the proposed data protection regime and done away with some contentious clauses which caused industry pushback in earlier versions. Particularly, data mirroring, data localisation requirements, and overall compliances appear to be limited compared to the previous Bill. The legislative intent appears to be tech and IT business friendly, focused on facilitating cross-border data flows. Some aspects that have been watered down could potentially reduce overall protection accorded to individual privacy rights. The positive bit is that the Bill has been drafted in a simpler manner, with less ambiguities.
Abhishek Malhotra, Managing Partner, TMT Law Practice: The draft Bill has watered down the objective of a data privacy and protection framework. It appears to give a simpler framework for people to be able to adopt it seamlessly. Unfortunately, however, the scope and applicability provisions have also been curtailed and limited to where collection is online or digitized and where Indians are targeted for profiling. This is a departure from where the focus was on the entities, their activities and presence.  The qualified title adding “Digital” to the bill, does not add any value to the nature of the legislation but just seems to be one shot amongst a slew of “digital India” policies and legislations that the government intends to roll out.
One welcome aspect is that along with rights of the data principals prescribed within the Bill, there is explicit mention of the duties that the Digital Nagrik will have to adhere to. This is likely to bring in welcome reinforcements to the onerous obligations of the data fiduciaries.
Media reactions
Financial Express (November 19 2022): The Digital Personal Data Protection Bill 2022 is undoubtedly a simpler piece of legislation than its earlier iterations. It does away with a lot of irritants for large corporations and has put in caveats for data on children. With contentious clauses relating to mirroring of data and data localisation being dropped, global Big Tech corporations will be relieved…However, the provisions of the Bill that are indeed worrying relate to the government retaining the right to not comply with the rules in certain situations.. Under Section 35, the central government can exempt any government agency from all or any of the provisions relating to the processing of personal data. This leaves room for misuse of power—data processing should be permitted only when the security of the nation is threatened.
Communications Today: A bill giving the govt vast powers: Is that what we need?  It reduces the protections to an individual’s data online to near nullity…It allows the government vast unguided powers to exempt itself and its agencies  from the law.
The Hindu: A Bill protecting state surveillance (oped)…. The concentration of power with the executive .. creates a lack of accountability and enables abuse..
(Editorial): The new draft Bill continues the wide-ranging and vaguely worded exemptions and instruments, allowing for the executive to collect information which could amount to mass surveillance.
Deccan Herald ( editorial): Designed to enable a Surveillance State: The broad-brush exemption for government agencies is certain to be misused for violation of privacy and would enable the growth of a surveillance state. The bill seems designed not to protect citizens’ personal data and privacy against all potential invasions but to give the government powers and legitimacy to have unhindered visibility into citizens’ data, activities and lives. It may be best to discard this draft, too.
The Telegraph ( editorial):  The draft bill gives the State and federal agencies exemption from the rigours of its provisions. This amounts to an egregious invasion of personal privacy and flies in the face of the Puttaswamy verdict and the recommendations of the JPC. 
New Indian Express ( editorial) Data protection at government’s mercy:  Personal privacy and data protection is too serious a matter to be left to the discretion of the government alone, given the kind of power the state has over individuals… Hopefully, experts and activists will raise these concerns and force the government to re-think the provisions to exempt itself from the scope of the law or at least force a compromise.
Andy Mukherjee in  Bloomberg ( Oped in Deccan Herald: Call it the Big Brother bill): Government agencies can ask for whatever personal data catches their fancy, keep it as long as they want, use it as they deem fit, and share it with anyone in the name of “sovereignty and integrity of India, security of the state, friendly relations ... all that remains is the label on the bottle. It still reads “data protection,” though the pill inside has changed to legalized mass surveillance.