Panel on Digital Personal Data Protection Bill, 2022
17 December, 2022
The Draft Digital Personal Data Protection Bill, 2022 (“Bill”), has been released recently by the Central Government, which has entered the stage of public consultations initiated by the Ministry of Electronics and Information Technology. The Bill is one of the most consequential and anticipated legislations to be introduced in a long time and has come under immense scrutiny for its all-exempting provisions for the government, its deemed consent regime, and the new Data Protection Board that it constitutes. In leading the discussion on digital privacy, the Law and Technology Committee, in collaboration with the Indian Journal on Law and Technology, organized a panel discussion to address the Bill’s shortcomings and suggest a way forward. The panel comprised the finest minds in the technology law sector, having the following members:
Ms Sriya Sridhar, Legal Manager at Setu.
Ms Malavika Raghavan, Senior Fellow at the Future of Privacy Forum.
Mr Vivek Reddy, Senior Advocate, Supreme Court of India and Telangana High Court.
Mr Divij Joshi, Doctoral Researcher, University College London.
Mr Jaideep Reddy, Counsel in the TMT Division, Trilegal.
Divij Joshi moderated the panel, whose discussions covered the following three broad themes:
Scope and Definitions of the Bill
The Deemed Consent Regime
The Data Protection Board (“DPB”)
This report will first provide an Executive Summary of the discussion, followed by providing a structured report of each speaker’s main ideas.
(Click here for the full conference report)
The panel began on a comparative note, with each panellist comparing the Bill to previous iterations of data protection regulations introduced in India. While there existed unanimity among the panellists that the Bill provided a much-needed departure from the overly prescriptive nature of its previous iteration, multiple concerns were brought to light. While some panellists highlighted a lack of conceptual clarity in the expansion of the scope of delegated legislation, others brought out concerns regarding potential sectoral conflicts between the Bill and other entities such as the Reserve Bank of India (“RBI”) and the Securities and Exchange Board of India (“SEBI”) that have already constituted their own data protection regime. In introducing their concerns, the panellists agreed that the Bill has been perceived positively by the corporate sector due to the rolling back of various regulations present in the previous iterations, given that compliance costs would reduce.
First, the panel discussed the Bill’s scope and applicability. Mr. Jaideep Reddy expressed that High Courts may ultimately shape several aspects of the scope and definitions of the Bill, given that they are the DPB’s appellate authority. In his remarks, he discussed the inclusion of automated processing of digital personal data in the Bill and the potential exclusions from that scope. Ms. Raghavan stated that the introduction of concepts like “deemed consent” and “automated processing of digital personal data” introduce serious ambiguities that limit application to both the number of people and the types of data processing included under it.
Second, the panel discussed the implications of the package of rights contained in the Bill on common people. Mr. Vivek Reddy and Ms. Sridhar spoke on this topic and had unanimity over two issues. First, they agreed on the demerits of a drastic change, instead proposing iterative steps towards long-term change to be a better way ahead. Second, they agreed that while the Bill makes some progress on certain longstanding issues, it leaves out key things such as the right to be forgotten or algorithmic fairness. Mr. Vivek, however, proposed that some issues left out in the Bill could be addressed in the upcoming Digital India Act.
Third, the panel discussed the deemed consent regime contained in the Bill. The panellists agreed that the deemed consent regime was flawed. Ms. Sridhar argued that this regime would be prone to exploitation, given the availability of a residuary mechanism of taking deemed consent u/s 8(9) of the Bill. She highlighted that deemed consent would only increase confusion in regulation. Finally, she also pointed out how the same could be irrelevant for certain sectors such as fintech who never take refuge under such a provision. Mr Vivek Reddy also argued that the open-ended meaning of the term “public interest” in the provision, along with the expansive scope of delegated legislation is undesirable. Further, he highlighted the inconsistency between requirements of notice and the provisions on deemed consent. Ms. Raghavan added to this criticism, highlighting the importance of the regulatory structure that the Bill proposes. Finally, she concluded that enforcement will be the true test of the bill.
Lastly, the panel discussed the Bill’s regulatory structure. Mr. Jaideep Reddy highlighted the lack of suo moto powers available with the DPB, along with the possibility of using the DPB as a sandbox for the general digital functioning of tribunals. In addition to the lack of suo moto powers, Ms. Raghavan listed areas of improvement in the structuring of the regulator under the Bill. For this purpose, she used the example of SEBI to highlight how successful regulators have a quasi-judicial body separate from the executive, which is absent here. She concluded that the structure of the regulator was not a result of state capacity but rather political will. Ms. Sridhar also highlighted the need for harmonizing legislations in the future to prevent a tussle between data regulators and other sectoral regulators such as RBI and SEBI.
The panel then answered questions from the audience, followed by a vote of thanks from the Convenor and Joint Convenor of the Law and Technology Committee.