DPDPB 2023- Some issues

Following the presentation of the DPDPB 2023, several comments have been published in different publications.

Penalty

NDTV carried the following interview in which the upper limit on the penalty came up for discussion. The interview clarifies a number of doubts that the opposition raised yesterday and which have been carried through by the Soros group of media.

One of the issues Mr Rajeev Chandrashekar addressed is the total penalty. Even earlier he had stated that the penalty may be imposed for “each instance”.

Currently the Bill speaks of 7 types of penalty. Each of these is a different type of breach. Earlier there was an upper limit of Rs 500 crore, which seems to have been removed. Hence the 7 different parts of the penalty table could be aggregated and the total penalty may exceed Rs 500 crore.

Now he has even mentioned that the breach of each set of personal data may be considered a separate breach. This sort of interpretation was being used under HIPAA earlier. We may now see the Board having the discretion to consider both the 7 different types of breach and the number of data sets breached. This could mean that we may not be far behind the GDPR, under which a fine of US $1.2 billion has been imposed.

However, our law is also considerate in stating that the penalty will be proportionate and will take into account the likely impact of the imposition of the monetary penalty on the person. Hence it is unlikely that the Board will impose fines which would not be sustainable at the appeal stage.

RTI

The second most important objection is the “Dilution of RTI”. Mr Chandrashekar has also rightly answered it in his interview. RTI is not to be misused to harness personal data. Any data released under RTI also becomes “Public Data”, and therefore there is a clear danger of RTI being misused. In my view the power to refuse personal data was already available under RTI, and hence the new provision is not significant.

Government Powers

The next objection is that the Bill will provide too much power to the Government and creates two kinds of data fiduciaries, namely the Government and the others. This also appears to be unfounded and is a speculation that can be made about any legislation. By the same yardstick, any law, including the IPC, can be considered as adversely affecting the fundamental rights.

However, the right to privacy itself is not considered “Absolute”, and reasonable restrictions are in order.

DPDPB 2022 under Section 2(i) defines a Data Fiduciary without distinguishing between Government and non-Government. Hence the Act applies to the Government, subject to the exemptions and legitimate uses.

Exemptions are provided under Section 17 and legitimate uses are indicated in Section 7. Legitimate use provides that a data fiduciary may process personal data for the following uses.

(a) for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data.

(b) for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where––

(i) she has previously consented to the processing of her personal data by the State or any of its instrumentalities for any subsidy, benefit, service, certificate, licence or permit; or

(ii) such personal data is available in digital form in, or in non-digital form and digitised subsequently from, any database, register, book or other document which is maintained by the State or any of its instrumentalities and is notified by the Central Government, subject to standards followed for processing being in accordance with the policy issued by the Central Government or any law for the time being in force for governance of personal data.

(c) for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State;

(d) for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force;

(e) for compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India;

(f) for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual;

(g) for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health;

(h) for taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order.

The legitimate uses (a), (d), (e), (f), (g) and (h) are generally available to all Data Fiduciaries.

Uses (b) and (c) are exclusive to the Government and relate to Government functions. Hence no objection can be raised on the same.

Exemptions under Section 17 apply to instances, including the above cases, where “Consent” may not be required.

The exemptions under Section 17 apply to all provisions except two sub-sections of Section 8, the chapter on Rights, and the provision on transfer of data outside India.

Section 8 has 11 sub-sections, of which the following do not come under the exemption.

A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor.

A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach.

Rights and Duties of Data Principal

Out of the six sub-sections of Section 17(1), (a) relates to a legal right or claim and is applicable to all, (b) is applicable to judicial bodies, (c) is applicable to law enforcement, (d) relates to BPOs, (e) relates to mergers, etc., and (f) relates to credit recovery. None of these makes any exclusive provision in favour of the Government.

Sub-section 17(2) applies to the Government, and we may look at it in detail.

Section 17(2)(b) relates to research and archiving, which are mostly cases of anonymised information. Section 17(2)(a) relates to “Sovereignty and integrity of India, Security of State, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognizable offence”, all of which fall under the reasonable exceptions under Article 19(2). The procedure for claiming this exemption is through the creation of an “Instrumentality”, and it cannot be arbitrarily exercised by any official. The “Instrumentality” may be subject to judicial review.

Under Section 17(3), the Government may exempt start-ups and other private data fiduciaries from certain provisions, such as notice, data retention and accuracy of data.

The exemption available to the Government is limited to data retention and erasure.

In view of the above, the objections raised about the Government having been exempted are incorrect.

Composition of DPB

One more objection is that the DPB will be a Government body. This is an empty charge, since any such body has to be appointed by the Government; whether it is SEBI, TRAI, IRDAI or RBI, not all appointments can be made by involving the CJI and the LOP. Already the SC has become an extended executive, and it is unfair to expect that the LOP will now be allowed to take all decisions on appointments. We know from the case of the CBI and other appointments that the LOP never agrees with the PM, and hence such involvement of an opposition that is fundamentally interested in not allowing the Government to work is not required.

Money Bill

There is also a comment on why the Bill is considered a Money Bill. We do not know what the view of the Speaker will be in this regard, but it is clear that the Bill envisages a debit to the Consolidated Fund of India for setting up the DPB and a credit of penalties into the Consolidated Fund of India. For this purpose, and since this expenditure and revenue are not included in the annual budget, it is correct to consider this as a “Money Bill” only.

Though Mr Ashwini Vaishnaw and Mr Rajeev Chandrashekar have both confirmed that the Bill has been introduced as a general bill, it would be appropriate to consider it as a Money Bill only.

If the Bill can be classified as a Money Bill and passed quickly, it should be welcomed.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.