A new draft of the much-awaited data protection Bill, the Digital Personal Data Protection Bill (DPDP Bill) 2022, is now open for public comments. The Government had previously withdrawn an earlier draft by averring that it would come up with a “comprehensive legal framework” on data privacy and Internet regulation, and this draft seems to be a standalone attempt at bettering its previous iterations. There are only 30 clauses, for simplicity, but resulting in aspects of privacy protections remaining under-clarified. A case in point is how clauses define the need for consent from data principals for data fiduciaries to process their personal data. Now, a notice is to be provided for the consent of the data principal, and the withdrawal of consent should allow for fiduciaries to remove any such data stored or is to be shared with others. The new draft, unlike the 2018 version, does not refer to key data protection principles such as collection limitation — obligations on the data fiduciaries to collect only such personal data that is required for the purpose of processing. It also does not include obligations on data fiduciaries to inform principals about data sharing recipients, duration of storage, etc. Thus, the comprehensive protection to data principals in the form of the information provided on their personal data and processing by data fiduciaries, is now missing. It does, however, include a crucial clause on fiduciaries notifying principals and the data protection authority about breaches in stored data.
The new draft proposes the establishment of a Data Protection Board of India, whose strength and composition, the process of selection, etc. will be prescribed by the Union government. As with the earlier versions, this diverges from the Srikrishna Committee Draft which allowed for judicial oversight in the selection process of the data protection authority. It is a concern that the proposed board will not have sufficient independence from the Union government; the state is also a data fiduciary which collects vast amounts of individual data. The 2018 Bill allowed for exemptions to be granted to state institutions from acquiring informed consent from data principals or to process their data in the case of matters related only to the “security of the state”, and also called for a law to provide for parliamentary oversight and judicial approval of non-consensual access to personal data. But the new draft Bill continues the wide-ranging and vaguely worded exemptions and instruments, allowing for the executive to collect information which could amount to mass surveillance. Public scrutiny notwithstanding, Parliament should work towards tightening the provisions in the data protection Bill and providing for a robust data protection law.