Executive Summary


  • The introduction of the Consent Manager is unique, as it gives the data principal (individual) the ability to manage her consent centrally. This needs to be strengthened by binding data fiduciaries (entities that collect data) to go through authorized and registered Consent Managers when seeking consent.
  • The draft bill gives corporates wide powers over the personal data of employees, which can be misused for espionage on employees. These powers need to be severely restricted to specific and legal requirements only.
  • The draft bill mentions network and information security under the public interest clause. It is recommended that this be removed, as it can be misused by private entities for targeted advertising and network profiling without the consent of the data principal (individual).
  • The draft bill has a clause penalizing individuals who provide false data, even to private entities. This is contrary to the idea of privacy and can be misused for spamming and nuisance. Rather, there is a need to introduce the concept of revocable temporary details, as is the case with the VID of Aadhaar.
  • The draft bill allows processing of publicly available personal data by search engines under the public interest clause. This is likely to put individuals whose data has been lost in a public data breach at severe risk, and it also contravenes the clause on erasure of personal data. Search engines should instead be brought under the ambit of the clause on erasure of personal data.

Section wise Feedback Comments

Section 2: Definitions

Subsection 18

(18) “public interest” means in the interest of any of the following:
(a) sovereignty and integrity of India;
(b) security of the State;
(c) friendly relations with foreign States;
(d) maintenance of public order;
(e) preventing incitement to the commission of any cognizable offence relating to the preceding sub-clauses; and
(f) preventing dissemination of false statements of fact.

Comments

Sub-clause (f) should be deleted, as preventing dissemination of "false statements of fact" is very wide in scope, gives unbridled power to the state, and can be misused to control the flow of information. The concerns of security and public order are already well addressed in sub-clauses (b), (d) and (e).

Subsection 6

(6) The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager

Comments

The concept of the "Consent Manager" is unique and needs to be strengthened to enable the data principal to manage her consent at one central location. The Data Fiduciary should be bound to give the data principal the option to select any of the Consent Managers registered with the Board. The data principal should also be given the option to port consent from one Consent Manager to another.

Subsection 7

(7) for the purposes related to employment, including prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, recruitment, termination of employment, provision of any service or benefit sought by a Data Principal who is an employee, verification of attendance and assessment of performance;

Comments

The following is recommended to be deleted: "including prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information".

This will give corporates unbridled power to spy on the digital avatar of the individual. For example, a corporate may ask for the Facebook, Twitter and all other social media accounts of an employee and spy on the employee's activities in the garb of preventing corporate espionage.

Subsection 8

(8) in public interest, including for:
(a) prevention and detection of fraud;
(b) mergers, acquisitions, any other similar combinations or corporate restructuring transactions in accordance with the provisions of applicable laws;
(c) network and information security;
(d) credit scoring;
(e) operation of search engines for processing of publicly available personal data;
(f) processing of publicly available personal data; and
(g) recovery of debt;

Comments

In sub-clause (a), the suffix "by state" may be inserted. This will make sure that personal data is not misused by private entities in the name of prevention and detection of fraud.

Sub-clause (c) should be deleted, as it can be misused by private entities for targeted advertisements and profiling of individuals without the consent of the data principal.

Sub-clauses (e) and (f) should be deleted, as they contravene ‘privacy’ and the ‘erasure of personal data’ mentioned in Section 13.

For example, A lost his data in a data breach and it is now publicly available. Search engines will then be able to index and search such data.

In another example, say B has committed a crime and has been punished for it. When he comes out of jail, he is not able to lead a normal life, as his personal data is indexed and available through search engines.

Sub-clauses (d) and (g) are sufficiently covered in other banking laws and need not be mentioned here under the public interest section.

Section 16: Duties of Data Principal

Subsection 3 and 4

(3) A Data Principal shall, under no circumstances including while applying for any document, service, unique identifier, proof of identity or proof of address, furnish any false particulars or suppress any material information or impersonate another person.

(4) A Data Principal shall furnish only such information as is verifiably authentic while exercising the right to correction or erasure under the provisions of this Act.

Comments

Both subsections should be deleted, as they put the onus of providing accurate data on the data principal, whereas she may not be comfortable sharing the correct details due to issues such as privacy, spam calls and data breaches. The Act should provide for giving revocable temporary details, as in the case of the Aadhaar card, wherever the data principal is not sure of the usage of the data. The penalty of Rs 10K is too harsh on the individual and should be done away with.

Digital Personal Data Protection Bill