India’s Digital Personal Data Protection Bill: What works, what it lacks

Experts say there is no clarity on what constitutes user consent and no compensation in case their data is misused.


A new draft of India’s data protection bill is set to be debated in Parliament, but even before discussion begins, privacy and security experts are saying that the proposed legislation lacks clarity on key issues.

The Ministry of Electronics and Information Technology has prepared a draft of the Digital Personal Data Protection Bill 2022 and invited public feedback as part of its public consultation exercise. The government is expected to introduce the bill in Parliament in the budget session of 2023, though the precise date for discussion of the draft has not been set.

The bill is the fourth version of the proposed data protection law. In 2018, the Srikrishna Committee introduced the first draft of the law, called the Personal Data Protection Bill. In 2019 the government made revisions to this draft and introduced another version of the bill. Two years later, in December 2021, the third version of the bill was introduced. Then, in August 2022, the bill was withdrawn. The current version of the bill is a slimmed down version, focusing on digital data only. 

A simplified version of the bill was needed, experts say.

“In India, bringing stringent privacy will not work as it does not have a privacy-aware culture,” said Dr. Prashant Mali, a cybersecurity advocate.  

Clarification sought on data-use consent

The bill requires organizations to provide users with a notice that itemizes and describes the personal data sought by them and the purpose of processing the data. The bill also mentions cases where “deemed consent” is applicable. Deemed consent occurs when users of a service are asked to provide personal information, but are not explicitly asked for consent. In such cases, when users provide the requested information, they are considered to be giving consent for the data to be used by the service.

Industry experts, however, say there is a need for clarification over consent. One issue is whether users need to be presented with options to consent to each specific item requested in an itemized notice.  

“In areas such as itemized notice, a clarity is needed in its role in the consent,” said Vinayak Godse, CEO of the Data Security Council of India. 

In addition, the bill does not specify when consent is needed from the user — for example, whether consent is required for collection of information for internal use, or only when data is being sold to third parties.

“Industry is cautiously examining the idea of consent manager, a solution suggested in the draft,” Godse said.

There is also confusion regarding the issue of deemed consent. The first clause in the bill regarding deemed consent says that it occurs “when a user voluntarily provides data and it is reasonably expected that she would provide such personal data.” Such a situation would occur when, for example, a restaurant website requests information to make a dinner reservation.  

The second clause pertaining to deemed consent, however, is much broader, stating that deemed consent would be considered “for the performance of any function under any law, or the provision of any service or benefit to the Data Principal, or the issuance of any certificate, license, or permit for any action or activity of the Data Principal, by the State or any instrumentality of the State.”

But this definition of deemed consent may clash with the way other countries define it.

“By putting it all under deemed interest, it is confusing for an organization that is implementing because the first clause is what we typically call business as usual. But the rest of the clauses are generally under other legal bases by other jurisdictions across the world,” said Shivangi Nadkarni, CEO and co-founder of Arrka, a company that helps organizations comply with privacy laws across the world.

“There is a need for more clarity and a little more alignment with what is typically associated and equivalent in other laws,” she added. “Organizations may have business in Europe as well as India. If deemed consent is interpreted differently in India than in Europe, it would cause implementation problems.”

Transfer of data outside India

One of the main issues in the previous bill raised by industry representatives was that the data localization guidelines contained in the proposal would hinder business. The current bill states that data can be transferred outside the country. However, the new draft also states that the Indian government may, after an assessment of factors it may consider necessary, notify the countries or territories outside India to which Indian businesses may transfer personal data.

While this is a welcome move, experts say there needs to be some indication of the countries to which data transfer will be prohibited. “Most organizations have data which is spread out across the world. They have multinational operations, they have an architecture which is multi-locational, etc.,” Nadkarni said.

“For organizations to change the places where the data is stored requires re-architecting, and re-engineering their technology deployment, which is a year to two-year project. It is not something that they cannot do overnight. So, some indication of the timeline and some sense of which countries are going to be an absolute no-no is required,” Nadkarni said. 

However, it does make sense to have data transfer rules that apply to different countries, according to Mali, the cybersecurity expert. That’s because different countries have different regulations for data privacy.

“In the US itself there are different rules for different countries. So it makes sense to have a country-specific rule for a specific country. This will give us more compliance than bringing in a general law,” Mali said, adding that once a country-specific rule is made, there will certainly be time given for compliance.

Big penalties, but no compensation for users

Another point that was raised time and again after the bill was made public was the high penalty for non-compliance, with a maximum penalty of Rs 5 billion. However, the bill fails to recognize or mention what compensation users would receive in cases where their personal data has been affected.

“These fines are levied on the organizations and go to the government [but] if the user has been harmed, what happens to them?” Nadkarni said. “There should be something that the user also gets out of it.”

Other issues may come up during Parliamentary discussion. Mali lists a range of topics not covered in the draft bill, including: how the country will increase privacy awareness; a strong regulator; a strong grievance redressal system; an online dispute redressal system; and the government's accountability for privacy.

Given the confusion and questions surrounding the draft law, there is sure to be intense discussion about the bill once it is introduced in Parliament.

Copyright © 2023 IDG Communications, Inc.
