The Deemed Data Protection Bill 2022

The Boring Part: DPB 2019

The Data Protection Bill 2019 (DPB 2019) was introduced in the lower house of the Indian parliament, the Lok Sabha, on December 11, 2019. It sought to provide a framework for the regulation of data processing activities in India. It was criticized by privacy advocates for its weak protections for data subjects and its failure to address key concerns related to data governance. The bill was pending before a parliamentary committee, but was withdrawn on August 3, 2022.

The DPB 2019’s (promised) key features were:

  1. Establishing the Data Protection Authority of India (DPAI) as the primary regulator of data processing activities in India.
  2. Vesting the DPAI with the power to issue guidelines, conduct investigations, and impose penalties for violations of the data protection regime.
  3. Requiring data processors to take reasonable security measures to protect data from unauthorized access, disclosure, or destruction.
  4. Requiring data processors to provide data subjects with access to their data upon request and to allow them to correct or delete inaccurate data.
  5. Exempting certain data processing activities from compliance with the data protection regime, including activities relating to national security, law enforcement, and research.
  6. Including specific provisions for the transfer of data to foreign jurisdictions.
  7. Imposing fines of up to Rs. 5 crore (approx. US$700,000) or 2% of a data processor’s global turnover, whichever is higher, for violations of the data protection regime.

Critics were quick to point out many issues with the DPB 2019. For instance, it did not require companies to get consent from individuals before collecting, using or sharing their personal data. It also did not place any restrictions on how companies could use or share individuals’ biometric data, or even require companies to disclose data breaches to affected individuals. It did not give individuals the right to know what personal data is being collected about them (which makes sense given they were classified as data ‘subjects’).

Fast forward to 2022: the government seems to have taken heed of some of these concerns while drafting the Data Protection Bill 2022. Or at least it says so.

The Brief Story of a Failed Rebranding: DPB 2022

On November 18, 2022, the legislature proposed a new bill which is now under civil society review (yes, I do secretly hope this CSR catches on). Its USP is that it would require data handlers (not a legal term yet) to take steps towards the protection of personal data of Indians and would give individuals the right to know what personal data is being collected about them, the right to change their consent for the collection and use of their personal data, and the right to file a complaint if they feel their rights have been violated.

And since no Indian legislation is complete unless it sets up its own governing authority, the DPB 2022, just like its predecessor, promises to establish a data protection authority to oversee the implementation of the law. But relax, it’s called a ‘board’ now. And remember the data ‘subject’? She’s been rebranded as the data ‘principal’. Hare Krishna! What could possibly go wrong?

In a word…lawyers. The government is a disguised army of lawyers (I’ll rant about this some other time because it has to do with HLA Hart). As tweefolk have already started noticing, the DPB 2022 plays the ambiguity card well. It tries to preserve the real rule-making powers to itself through transparency-deferral-devices such as ‘deemed consent’ and ‘as may be prescribed’. The long and short of it is that the DPB 2022 guarantees nothing on any of its key promises. In fact, it seems to tilt the scales more heavily in favour of big tech than previously.

Sample this: there are new obligations on data principals for inaccurate information, and a total cap of 500cr INR (Zuck’s revenue from India last year was worth almost thrice this amount) for breaches by data fiduciaries. Moreover, there are explicit provisions permitting the free global transfer of data with little to no protection (PWC say that data localisation principles have been ‘eased out’). There’s a lot more detail but I think you get the big picture. My favourite part? ‘Consent managers’, go figure.

Whataboutery Blockchain

So if GDPR is the gold standard in terms of data protection laws, we can firmly say that the DPB 2022 is Swiggy – promising much, delivering nothing. Seriously, this was the government’s chance to showcase that Digital India is a forward-looking venture, not some back-office-hack-job for big tech. There is zero mention of leveraging new or emergent technologies for protecting personal data. Instead, the government chose to bury or defer all the important decisional criteria and facilitate a market for Indian citizens’ personal data.

Does this have any direct implications for the blockchain industry? Sure. Depending on the protocol and its function, it may incur obligations, liabilities, and rights of data processors or fiduciaries. Conceptually speaking, if it is fully decentralised, then these obligations would be hard to pin down on one person. And just like in the Ooki DAO case, the Data Protection Board may find itself chasing a bunch of code.

What I find truly surprising/distressing is the lack of coordination between government departments, and their mutual blindness. On the one hand, ethical AI and blockchain technologies are being promoted, while on the other their genuine potential to create public good is being overlooked.

Let there be no confusion about this: the DPB 2022 is not badly drafted, it is just anachronistic. Its aim is to resuscitate big tech in an age when we should be giving it some more milk of the poppy.

