Personal Data Protection Bill: No More Deemed Consent, TDSAT To Hear Appeals

The Digital Personal Data Protection Bill, 2023, will now provide a negative list of countries to which data cannot be transferred, the Ministry of Information Technology said in its response to queries raised by a parliamentary committee evaluating the privacy law.

This is a significant change in the ministry's stance from an earlier draft, which proposed the notification of a 'white list' of countries to which data will be allowed to be transferred.

The Union Cabinet had recently approved a Draft Digital Personal Data Protection Bill, scheduled to be tabled in the ongoing monsoon session of Parliament.

A draft version of the Bill was published for public consultation in November 2022.

On Wednesday this week, opposition members walked out of a meeting of the Parliamentary Standing Committee, objecting to the panel’s adoption of a "laudatory" report on the new Bill, the Indian Express has reported.

According to the publication, "The Bill was never formally referred to the committee. The Opposition MPs said none of them were aware that such a report about the Bill was in the works; the draft report was only circulated on the eve of the meeting."

While the Cabinet-approved version of the 2023 Bill is yet to be made public, the ministry's responses in this report to the queries raised by the parliamentary committee offer glimpses of what's coming.

BQ Prime has seen a copy of this 40-page report.

The 2022 version of the Bill provided for a Data Protection Board, which will be responsible for determining non-compliance under the legislation and imposing penalties.

The 2023 version has now proposed an appeal process.

It said that the Board will have the power to give directions for remediating or mitigating data breaches, inquire into data breaches and complaints, and impose financial penalties.

It would be empowered to refer complaints for alternative dispute resolution, accept voluntary undertakings from data fiduciaries, and advise the government to block the website, app, etc., of a data fiduciary found to repeatedly breach the provisions of the bill.

Any appeal will lie with the Telecom Disputes Settlement and Appellate Tribunal.

The Cabinet-approved version of the bill has done away with the concept of deemed consent.

The 2022 version envisaged the use of personal data without explicit consent in certain circumstances. For instance, an individual who gives his data to an e-commerce site in order to reserve tables at a restaurant

The 2023 version proposes to do away with deemed consent.

In the modified draft of 2023, personal data processing is envisaged for certain legitimate uses, namely:

• In the interest of the sovereignty and integrity of India and the security of the State.

• For the issue of subsidies, benefits, services, certificates, licences, permits, etc.

• To comply with any judgement or order under law.

• To protect, assist, or provide service in a medical or health emergency, a disaster situation, or to maintain public order.

• In relation to an employee.

One of the biggest criticisms of the 2022 version was that it gave the government extensive rule-making powers.

The committee, too, raised this concern with the ministry.

In response, the ministry said that the bill has been prepared to keep pace with the dynamic nature of the subject and to provide it with sufficient adaptability. The rules, it said, will be laid down in Parliament, as was mentioned in the 2022 version as well.

"The delegations are more routine in nature and are provided in every legislation to make implementation practical and feasible."

Based on this response, the committee has urged that the provisions that cannot be fully defined within the scope of the bill can be addressed through rules, which are subsequently presented to Parliament.

The ministry has clarified that there will be no provision in the bill granting compensation for data breaches. It said that individuals who suffer a civil wrong on account of a violation are free to approach the civil court for compensation under the tort law.

Such individuals could also cite any penalty imposed by the Data Protection Board for non-compliance as material in support of the claim, the ministry told the committee.

After considering the responses tendered by the ministry, the committee noted some significant inconsistencies in the Digital Data Protection Bill with the existing Information Technology Act.

To align both laws, the committee has recommended modifying the existing IT Act. Recommendations are also made to modify the Right to Information Act and any other relevant acts that might be inconsistent with the proposed law.