A Ready Reckoner on proposed Data Protection laws in India: Comparative Analysis
Through the years, there have been several iterations of the Data Protection legislation floated in the public domain. Digital rights have witnessed an exponential growth in relevance due to the increased digitization of citizens’ daily activities. To effectively regulate such increased digitization, several versions of the Data Protection legislation have been put out for consultations.
While the previous Data Protection bills included many significant developments in terms of rights, duties and grievance mechanism, the Digital Personal Data Protection Bill, 2022 introduced several important changes to key areas included in the previous bills.
SFLC.in has prepared a comparative analysis of the Digital Personal Data Protection Bill, 2022 with the previous Bills, i.e., The Personal Data Protection Bill, 2018; The Personal Data Protection Bill, 2019 and The Data Protection Bill, 2021. The comparison has been undertaken on the basis of the most significant changes to the key areas of the data protection framework, including the Scope of application, Data Protection Principles, Rights of the Data Principals, Obligations of the Data Fiduciaries, amongst others.
The complete Ready Reckoner is available here:
A brief summary with major takeaways has been presented here:
Statement of Object and Reasons
The Statement of the current Bill indicates that the Bill’s objective is to balance the processing of (digital) personal data in a manner which can navigate the necessities of protecting personal data and its processing for lawful purposes. Among other objectives, the Bill prescribes the institutional ecosystem for the redressal of data-related harms, and the promotion of a culture which seeks respect of informational privacy. The need for accountability of all institutions involved in the processing of personal data was also a given objective.
Commencement clauses are important to lay out the State’s plans for implementation of a particular Bill’s provisions. It often lays out the timeline for the implementation of the Bill. In essence, it establishes the time period within which citizens can exercise the rights laid out under the statute, the time from when obligations for the State and private parties come into force, and the moment from when remedies are made enforceable under the Bill. The current Bill vests the power in the Central Government to give force to the different provisions of the Bill as and when they may choose of notify it. This differs from the Bill proposed by the Justice B.N. Srikrishna Committee in 2018, which laid out specific deadlines within the legislation itself, providing certainty to all stakeholders affected by the Bill.
The practice in the current Bill was followed by the Joint Parliamentary Committee, and the Personal Data Protection Bill, 2019. Chapter XIV of the Personal Data Protection Bill, 2018 was notified to come into force as and when notified by the Government. This Chapter was titled ‘Transitional Provisions’. Here, the Bill laid out strict deadlines within which the relevant entities must take action within a certain period after a provision is notified. For example, although the 2018 proposed Bill stated that the establishment of the Data Protection Authority would happen within a ’notified date’, it required the Authority to prescribe the grounds of processing personal data “no later than twelve months” from the date of its notification.
Scope of Application
The present Bill applies to the processing of “digital personal data” which has been collected online, and the digitized version of personal data collected offline. Where the processing happens outside the territory of India, the provisions of the Act will apply if the processing is being undertaken for the purposes of profiling, or if it is in regard to the “activity of offering goods or services”). The previous versions of the Bill were expansive in detailing the entire data ecosystem in the context of its ambit.
Previous versions of the Bill subjected all personal data which was collected, stored, disclosed, shared, or processed in India. The present Bill also applies to the processing of data under Indian law. It further categorically excludes offline personal data, and personal data processing which does not rely on automated systems. Where the data is processed for personal or domestic purposes, the provisions of the Bill shall not apply. This is in contrast to the exceptions of the previous Bills. Apart from including non-personal data as an area to which the Bill would apply (JPC version, 2021), the earlier Bills excluded the processing of anonymized data from its ambit (PDP, 2019, and 2018 Bill).
The present Bill has brought about significant changes to the Definitions clause compared with the previous Bills which were proposed. This is largely due to narrowing of the ambit of the Bill, and (as emerges from a full reading of the Bill) an increased deference to empower the Government to define certain important aspects by Notifications.
The present Bill does not define biometric data, de-identification, explicit consent (defined in JPC), financial data, health data, genetic data, non-personal data (defined in JPC), re-identification, sensitive personal data, and significant harm. Previous Bills sought to provide legislative guidance to the Executive, to aid in a more enhanced protection of data rights. In detailed definitions, the Bills sought to avoid ambiguity, which could lead to abuse of power. New concepts of harms and gains have been introduced in the current Bill, in order to protect rights and prevent violations in their context with clarity. However, the definition of ‘harms’ has been shrunk. Each successive version of the previous Bill made amends to define different types of harms in detail, in keeping with their objectives to provide remedial measures and systems. This is absent in the 2022 Bill.
The present version of the Bill does not define ‘sensitive personal data’, an important classification which was present in the previous versions of the Bill. Importantly, the Bill defines ‘public interest’, which is absent in the previous versions of the Bill. This definition is used in the case of exceptions, where the violation of rights is permitted in the ‘public interest’. Although the provision states the grounds on which ‘public interest’ can be claimed, such provisions of exceptions are frequently subjected to debate since their breadth leaves possibility for misuse of the provision.
Principles of Data Protection
Purpose Limitation principle requires the Data Fiduciary to limit the processing of data to a clear and specific purpose, or for an incidental purpose, for which consent has been given. The 2018 and 2019 Bills had clear manifestations of this principle. However, the 2021 Bill, after deliberation by the JPC, departed from the earlier position and stated specific purpose as a ground for process.
The current Bill makes no mention of the same and only states that Consent must be given for a specific purpose.
The Storage Limitation principle prescribes that the Data Fiduciary must stop retaining the personal data of a Data Principal once the purpose for which the personal data was collected is achieved/satisfied.
Previous Bills have adopted the principle; however, Clause 6 of the current Bill has diluted the principle. It states that the Data Fiduciary has to either delete the data once the purpose is achieved or anonymise the personal data.
Data Minimisation principle of data protection entails that only that data which is considered necessary must be collected from a person for the purpose of processing. This principle was followed in the previous Bills, however, the current Bill has failed to incorporate it.
The principle of Accuracy entails that it is the obligation of the Data Fiduciary to ensure that the data collected must be accurate, updated, verifiable and actually belongs to the Data Principal.
Clause 9(2) of the current Bill lays down the Accuracy principle. The current Bill removes the terms “not misleading and updated”. It also omits the requirement of the Data Fiduciary to notify the Data Principal in case the personal data is disclosed to another entity and finds such fiduciary does not comply with the Accuracy principle. An exception to this clause was added in the JPC Report, 2021, in case such a notification would deny the purpose of such sharing. This exception has also been deleted. Further, the current Bill does not contain the additional safeguards added by the JPC report 2021, which barred data fiduciaries from sharing, transferring or transmitting the personal data to any person as part of any business transaction.
The current Bill does not have a separate chapter on accountability, which was present in the previous Bills. However, the Principle of Accountability can be seen to be flowing through certain clauses. The previous Bills made mention of separate chapters on ‘Transparency and Accountability’, which covered provisions on reporting, data protection impact assessment, maintenance of records, and audits.
The current Bill does not have a separate chapter on Transparency, which was present in the previous Bills. However, the Principle of Transparency can be seen to be flowing through certain clauses such as Clause 9(5) and 9(7) of the current Bill.
The previous Bills made mention of separate chapters on ‘Transparency and Accountability’, which covered provisions on Transparency in processing of personal data.
The Security principle of data protection entails that the data must be stored and processed in such a manner that the confidentiality and integrity of the data is maintained.
Clause 9(4) of the current Bill [obligations of data fiduciaries], lays down the security principle for data protection. The previous Bills provided for certain fundamental measures such as de-identification, encryption, etc. that must be adopted as security safeguards. The clauses also mentioned the obligation of the data fiduciary to conduct a review of the security safeguards periodically. This has been omitted in the current Bill.
Consent as a Ground for Processing
The current Bill provides for Consent and Deemed Consent to be the grounds for processing of data for any lawful purpose. Here the Bill defines lawful purpose as anything which is not prohibited by law.
The current Bill has introduced a deeming fiction for consent. According to Clause 8, consent will be deemed, when the Data Principal voluntarily provides personal data to the Data Fiduciary and there is a reasonable expectation of giving the data, for the performance of any function under any law or for receiving any benefit or service etc., for compliance with a judgement or court order, and for responding to a medical emergency, among other grounds.
The concept of deemed consent replaces the grounds for processing of personal data without consent, however, the current Bill borrows heavily from the previous clause related to processing of data without consent. The current Bill has certain structural changes which lead to an expansion of subjects for which consent can be deemed and dilution of checks on processing without consent. The previous Bills stated that the personal data can be processed if such processing is necessary for a function of the State authorised by law for, provision of any service or benefit etc. or for issuing any certificate, license etc.
In the 2018 Bill and 2019 Bill, these two grounds were exhaustive. However, the 2021 Bill recommendation made these two grounds non-exhaustive by adding the word “including”. In the current Bill, clause 8(2) states that consent can be deemed for performance of any function, OR any provision of service, benefit, license, certificate etc., by the State or any instrumentality of the state. This means that processing of data is not only limited to any function pursuant to provision of benefits or issuance of certificate, it can be pursuant to any function given under a law.
This is also wider than the ground provided in Clause 12(b) of the 2019 and 2021 Bills, which states that data can be processed if it is necessary under any law. As this clause would require the processing of data itself to be mandated by the law. On the other hand, Clause 8(2) gives wider discretion to the State and its instrumentalities as only the function requires to be mandated by the law and not processing of data.
Another change that has been brought, is deeming consent for processing of data for public interest. Clause 17 of the 2018 Bill, and Clause 14 of 2019 and 2021 Bills allowed processing of data for reasonable purpose which included prevention and detection of unlawful activity including fraud, mergers and acquisitions, processing of online search engines using publicly available data etc. Further, this processing was based on fulfilment of five conditions. In the current Bill, public interest is the same as the reasonable purpose in the previous Bill but now the processing can be done without fulfilling these five conditions. Moreover, there is an additional ground of ‘fair and reasonable purpose’ under Clause 8(9) of the current Bill, which allows for processing of data for any fair and reasonable purpose if it satisfies the following conditions:
a. whether the legitimate interests of the Data Fiduciary in processing for that purpose outweigh any adverse effect on the rights of the Data Principal;
b. any public interest in processing for that purpose; and
c. the reasonable expectations of the Data Principal having regard to the context of the processing.
Clause 6 of the current Bill provides for Notice. It states that the Notice must be given at the time of requesting consent. The notice must be itemised, and it must contain,
(i) description of the personal data to be collected, and
(ii) purpose for which the data is being collected.
It also provides that where the consent has been taken before commencement of the Act, the Data Fiduciary must give a notice to the Data Principals.
The provision relating to Notice in the current Bill is substantially different from the previous Bills and has removed several mandatory requirements. Another notable change is connecting the requirements of notice to “consent” and not to “processing of data”. Earlier Bills required information on the following,
- the nature of data to be processed,
- identity and contact details of the data fiduciary,
- right to withdraw the consent,
- information of other data fiduciaries with whom the data may be shared etc.
Clause 7 of the current Bill provides for Consent. The clause defines valid consent, provides for the right to withdraw consent and the consent manager. The consent provision is substantially similar to the previous Bills.
The current Bill now requires an affirmative action by the Data Principal. It also puts the burden of withdrawal of consent on the Data Principal. Earlier the burden of consequences was borne by the Data Principal only in case of withdrawal for invalid reasons.
Rights of Data Principal
Right to Confirmation and Access
Clause 12 of the current Bill provides for Right to information about the personal data. It borrows heavily from the Right to Confirmation and Access under the previous Bills. The current Bill does not mention that the information has to be provided in clear and concise manner. Additionally, it has provided for a separate Right to Nominate which was added by the 2021 Bill as a part of the Right to Confirmation and Access. This provision enables the Data Principal to nominate any person to exercise the rights of the Data Principal on her behalf in case of death or incapacity. Here, “incapacity” has been defined as unsoundness of mind and body. The procedure for such nomination will be given through rules yet to be presribed.
Right to Correction and Erasure
The grounds for Correction and Erasure of personal data under the current Bill are ‘inaccuracy’, ‘to complete incomplete information’, ‘updation’, and ‘erasure of data which is no longer necessary for the purposes for which it was required, unless retention is necessary for legal purposes’. While the grounds on which a Data Principal may request correction or erasure have remained the same, changes have been made in the previous Bills in the context of the rights of Data Principals, and the duties of Data Fiduciaries.
The current Bill differs from the previous versions in the clarity of procedure with regard to claiming the Right to Erasure, and the duties and obligations of the Data Fiduciary. In the previous Bills, for example, the Data Fiduciary may contest the request of the Data Principal, and procedure therefrom is provided for. Furthermore, the requirement of the Data Fiduciary to notify all relevant entities or individuals with whom such data has been shared about the changes made, which is absent in the present Bill.
The Digital Personal Data Protection Bill, 2022 makes no mention of data portability. It is explicitly absent from the legislation. This right allows users i.e., Data Principals to request and receive their data stored with a Data Fiduciary in an easily usable and machine-readable format. Data portability gives users more control over the data shared with the Data Fiduciary.
In the 2018 Bill, Clause 26 provided the right of data portability and the same was not available in cases of trade requests and in instances where compliance with such request was technically unfeasible.
In the 2019 Bill, Clause 19 provided the right to data portability, but the same was not available in cases of trade requests and in instances where compliance with such request was technically unfeasible.
In the 2021 Bill, the Committee laid down that the right to data portability cannot be denied on grounds of trade secrets and the decision of determining whether claims of technical feasibility are valid has been left to the data fiduciary in such manner as may be specified by regulations [Clause 19(2)(b)].
Right to be Forgotten
The Right to be Forgotten has been deleted in the 2022 Bill. The provisions in the previous Bills have remained substantially the same, however, it finds no mention in the 2022 Bill. The Bill provides that rules relating to the right to erasure shall be prescribed as per law by the Government in due course.
Right of Grievance Redressal
The access to grievance redressal by a Data Principal, to enforce their rights as a Data Principal, had been introduced in the Bill of 2018. It allowed them to file a grievance report to either a Data Protection Officer or a designated Officer, as the case may be, in the situation that they are aggrieved by the functions of a Data Fiduciary while handling, storing, processing, etc. the personal data of a Data Principal. This further extended to the opportunity of seeking appeal by filing a complaint to the Authority.
However, this process faced a fundamental transition from being an optional part of the grievance mechanism to an enforceable right under the Bill of 2022. Clause 14 of the current Bill entitles the Data Principal to the right of seeking redressal by registering a grievance with the Data Fiduciary. In the case of a lack of response or pro-active measures undertaken to rectify the Principal’s concerns, a complaint may be filed with the Board.
Duties of Data Principal
The current Bill is the first to introduce duties on data principals, which places obligations on them to comply with the following:
- The duty to comply with the provisions of all applicable laws, while exercising their rights under the current Bill
- The duty not to register any false or frivolous grievances with the Data Fiduciary or the Board,
- The duty not to furnish any false particulars, suppress any material information or impersonate another person, while applying for any document, service or proof of identity or address
- The duty to only furnish such information which is verifiably authentic, on enforcing their right to correction or erasure under this Bill
In the failure of compliance with their duties, Data Principals can be penalised up to INR 10 thousand under Schedule 1 of the Bill.
The mechanism proposed under the current Bill is identical to that of the 2019 Bill and the BN SriKrishna Committee Report, where the obligation to report personal data breaches would only arise in cases where a likelihood of harm is posed to the rights of Data Principals. Following the breach, a detailed report must be furthered with the Authority, which shall determine whether the Data Principal is to be notified and the requisite remedial actions to be adopted.
Report of the breach to the Authority must include the following particulars:
- Nature of the personal data breached
- Number of data principals affected
- Possible consequences of the breach
- Remedial action undertaken by the data fiduciary
A data fiduciary is obligated to adopt reasonable security safeguards in order to prevent or mitigate the risk of a breach.
In the event of a data breach, the data fiduciary or data processor must notify the following entities:
- The Data Protection Board, along with
- Any data principal, to whom any personal data relates or pertains to, which has been affected in the breach. This mandate lies contrary to the previous iterations of the Bill as the discretion of notifying the personal data breach to a Data Principal, and its manner and recourse, lay with the Authority.
A Data Fiduciary may be instructed by the Board, as per its discretion, to adopt any urgent measures to remedy such breach or mitigate the harm caused to the Data Principals, keeping in consideration the Data Principal's rights.
Under the 2021 Bill, the Data Fiduciary was responsible for providing reasons for delay in notifying the Data Principal for any breach. This provision for instilling accountability for delays in a Data Fiduciary has been eliminated from the current Bill. Similarly, the compliance mechanism towards periodically reviewing a data breach by the Authority through a log regularly maintained by the Data Fiduciary in order to assess any patterns and shortcomings, if any, has also been omitted.
Clause 10 of the current Bill provides for processing personal data of children. It provides for obtaining verifiable parental consent before processing of data. It also prohibits processing of data which is likely to cause harm, or behavioural monitoring or targeted advertising. Sub-clause 4 of the Clause provides for exemption for parental consent and behaviour monitoring which will be done by rules. The previous Bills required the Data Fiduciary to verify age of the child as well. Additionally, the previous Bills provided for exemption only in case counselling or child protection services, which has been removed now.
Classification of Significant Data Fiduciaries
The current Bill provides a classification for Significant Data Fiduciaries on the basis of certain factors such as the volume and sensitivity of personal data processed, risk of harm to the Data Principal, potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State, public order, and other factors.
Previous Bills also included other factors, which while not explicitly mentioned in the Bill, might be incorporated at a later stage. Those factors are - sensitivity of personal data processed, turnover of the data fiduciary, use of new technologies for processing, any social media platform with users above such threshold as may be prescribed.
Clause 18 of the current Bill provides for exemptions under the Act. Clause 18 in the current Bill, by far, provides for the widest exemptions and has diluted the safeguards which were first seen in the 2018 Bill. The 2018 Bill provided exemptions pursuant to a law and in accordance with the procedure established by such law and withstanding the proportionality requirement [See clauses 42 and 43 of the 2018 Bill]. These requirements were further diluted by the 2019 and 2021 Bills, where Government was given the power to exempt any agency of the government through a direction and not a law and such exemption could be made for the entire Act. The 2021 Bill added the requirement of procedure of processing to be fair, reasonable and proportionate.
The current Bill takes a step further, it has removed the requirement for the exemption to be arising out of a law and the procedure to be fair, reasonable and proportionate. Sub-clause 2 of Clause 8 exempts the State instrumentalities from the entire Act on default and there is no need of a direction by the government or a law. Clause 18(3) entails that certain Data Fiduciaries, which will be prescribed by the Government, will be exempted from the notice requirement, the obligation to maintain accuracy of data being processed, limitation of data retention, obligation of Data Fiduciary for protection of children’s data, additional obligations of Significant Data Fiduciary and the obligation to provide information about personal data. It also exempts the State or any instrumentality from the limitation of data retention by default. Pertinently, these exemptions in the current Bill do not withstand the proportionality test propounded in the Puttaswamy Judgement, which laid the foundation for the drafting of the Bill.
The current Bill institutes a Data Protection Board of India (‘DPBI’, ‘the Board’). Primarily, the function of the Board shall be to give effect to the provisions the of 2022 Bill. It shall also be the public-facing authority, which can provide remedies to the aggrieved. Previous Bills established a Data Protection Authority, whose primary objectives were similar. However, the powers of the body, its composition, its members, procedure, etc. were defined in great detail. Greater deference to the Executive on the question of the Adjudicating Authority (DPBI) is worryingly noticeable in the current Bill.
The previous Bills gave detailed descriptions of the set-up and functioning of the authority set up to enforce the provisions under the Bill, which included minimum qualifications (technical expertise, legal expertise, independent experts, etc.). A selection Committee was also set up in the previous Bill, which consisted of members from diverse authorities (members from all three branches of the Government, and independent individuals). The present Bill provides complete deference to the Government to select and appoint members to the Board. The procedure for removal of members from the authority and their salaries and allowances, which are equally important for independent functioning of the authority, which is a stated objective in the 2022 Bill.
In addition, the codes of practice for the authority, which previous Bills laid down, provided a standard to ensure that impartiality, equity are inherent in the procedures. The provisions which spoke to the functions of the Board envisioned a greater role, in which the Board would, apart from implementing the Act, monitor technological developments, prescribe standards, to protect the interests of data principals, classify data fiduciaries, advise the Governments, etc. The functions of the Board, in comparison, have been severely restricted, while also empowering the Government to prescribe functions in the future.
The current Bill does away with the requirement for Data Localisation. Clause 17 of the current Bill mentions that it will release a list of countries and territories to which personal data might be transferred, after an assessment of certain factors.
The 2018 Bill mandated that every Data Fiduciary should keep one serving copy of personal data in India. It notified categories of data to be classified as ‘critical personal data’ which could only be processed and stored in India. Certain data, excluding ‘sensitive personal data’, could be exempted by the Government from localization requirements.
The 2019 Bill allowed for ‘sensitive personal data’ to be transferred out of the country, as long as it was stored in India. Whereas, critical personal data was to be processed only in India. The conditions for transferring sensitive personal data, after acquiring explicit consent of Data Principals were listed out. Such transfer was allowed on the condition that the data would be afforded adequate levels of data protection.
The 2021 Bill allowed for sensitive personal data to be transferred out of the country, as long as it was stored in India. Critical personal data was to be processed only in India. A caveat was added to the transfer of sensitive personal data, and would not be allowed when the transfer was against public policy or State policy. Such transfer was allowed on the condition that the data would be afforded adequate levels of data protection.
The current Bill did away with the requirement of Data Localization entirely.
It allows for the transfer of personal data to countries based on an assessment of certain factors. These factors will be notified by the Government.
The limit of the financial/civil penalties imposed have been increased significantly under the current Bill to strengthen the enforcement of its provisions. Further, contrary to the position established in the previous iterations, the scope of criminal liability has been eliminated.
The 2018 Bill was of the view that civil penalties are sufficient in ensuring deterrence, hence eliminating any criminal liability, in order to restrict it to financial penalties based on a Data Fiduciary's worldwide turnover or a fixed amount set by the law, whichever is higher. The contrary to this was notably added in the 2019 Bill, where the offence of re-identification of de-identified data without the consent of a Data Processor/Fiduciary, could attract the imprisonment of a term not exceeding three years or with a fine extending to INR 2 lakhs or both. With the passing of the current Bill, not only has the offence of re-identification of de-identified data has been removed, criminal liabilities all together. The current Bill proposes to only penalize defaulters of the offences mentioned under it.
Specific carve-outs for corporate liability and state liability had been introduced through the 2019 Bill. Corporate liability extends to any person who was responsible for the conduct of a company while the offence was committed, unless it was done without their knowledge and was followed by exercising due diligence. State liability, on the other hand, states that the liability/culpability of any offence committed by a department, authority or body of the State extends to the head of such department/authority/body and any other person who had attributed to the commission of that offence. However, both of these provisions governing corporate and state liability have been removed from the current Bill, limiting the liability to data processors, fiduciaries and principals.
The cap of the penalties have been multiplied significantly. For example, the penalty to be imposed in the failure of adopting reasonable security practices in preventing or mitigating a breach of personal data has been increased fifty-fold from INR 5 crores (as proposed in the 2019 draft Bill) to INR 250 crores.
The current Bill is the first to introduce penalties on Data Principals. In the failure of compliance with their duties, Data Principals can be penalised up to INR 10 thousand, which includes (but not limited to):
- the duty not to register any false or frivolous grievances with the Data Fiduciary or the Board,
- the duty not to furnish any false particulars or suppress any material information, and others.
In order to entitle the Data Principals to appropriate recourse, the 2018 Bill suggested that joint and several liability to pay compensation would be attached to the Data Fiduciary and their Processors. Further, the 2021 Bill proposed a new provision to codify the right of a Data Principal to file a complaint/application and simplify the procedure under which a Data Fiduciary may approach the Authority to enforce their rights. However, in the current Bill, the scope of seeking compensation by a Data Principal who has suffered harm as a consequence of a Data Fiduciary or Data Principal's violations of any provisions of the Bill eliminated, along with a complaints mechanism driven by the principal’s rights.
Further proposed by the 2018 Bill that all entities affiliated to or associated with the defaulting Data Fiduciary, who have benefited from any unlawful processing undertaken by the fiduciary, would be susceptible to be penalized, the same loses its essence.
Power to Make Rules
The Clause under the current Bill does not specify what the Rules to be made are.
The previous Bills make provisions to specify what matters the Rules are to be made for. In the current Bill, inspite of there being various instances where there has been power granted to the Government to prescribe Rules, there has been no consolidation in a clause, unlike most other Acts.
Power of the Central Government to Amend Schedules
The Central Government has been granted the power to amend Schedules under Clause 27. The Notification cannot amend the Schedule to prescribe a penalty which is more than double the penalty at the time of enactment. A power and limitation of this sort was absent from earlier legislations.
Amendment to IT Act
The current Bill amends the Information Technology Act, 2000 (IT Act) in the following ways. Section 43A, is omitted; in section 81 of the IT Act, in the proviso, after the words and figures “the Patents Act, 1970”, the words “or the Digital Personal Data Protection Act, 2022” is inserted; and clause (ob) of sub-section (2) of section 87 of IT Act is omitted. This removes the provision on the reasonable security practices and procedures and sensitive personal data or information under section 43A and the SPDI Rules made under. It also means that the Draft Bill will have an overriding effect on the IT Act.
Under the 2018 Bill, Section 43A and 87 (2) (ob) of the IT Act were omitted. This meant that the SPDI Rules, 2011 would be omitted as well. The same was done under the 2019 Bill.
The 2021 Bill too made the same omissions, Further, another addition was made to the IT Act which specified that the Data Protection Bill would have an overriding effect on the IT Act.
Under the current Bill, similar omissions were made. However, the omissions as a consequence resulted in the deletion of the term ‘Sensitive Personal Data’ from all IT related legislations entirely.
Amendment to the RTI Act, 2005
The current Bill amends the RTI Act, 2005 to bar the disclosure of personal information and deletes the proviso as well.
The 2018 Bill amended the RTI Act to exempt from disclosure information which would be likely to cause harm to data principles. The current Draft Bill completely bars the disclosure of personal information, completely take away limitations on the restrictions to disclose personal information. It removes the powers of the Public Information Officers to allow disclosure in the public interest as well.
The current Bill doesn’t mention surveillance as a harm that can be suffered by Data Principals. The same was present under the 2019 Bill. Further, the JPC Report also specified that the Government’s surveillance on data stored in India must be strictly based on necessity as laid down in the legislation.
The chronology of surveillance through the last 4 Bills is as follows.
The 2018 Bill had the widest definition of what ‘Harm’ meant. It covered both restrictions suffered due to surveillance, as well as surveillance which would not be expected by Data Principals. The 2019 Bill brought forward the same definition of harm as the previous version.
The 2021 Bill under the JPC Report narrowed the scope of harm, by eliminating the clause on restrictions suffered due to surveillance. The JPC Report on The 2019 Bill also specified that the Government’s surveillance on data stored in India must be strictly based on necessity as laid down in the legislation, and that the same must be incorporated into the text of the Bill.
The current Bill makes no mention of the harms that can potentially be caused by surveillance activities. Surveillance, in fact, is found nowhere in the entire text of the Bill.