Does the Digital Personal Data Protection Bill 2022 Sacrifice the Protection of Sensitive Personal Data in the name of Simplicity?

In the digital age, users share information, from their name, phone number, and age to political opinions, beliefs, and health records, which get processed through numerous channels in exchange for access to various services. It is the role of law and policy to keep track of such user-specific data and to ensure that the appropriate balance is struck between facilitating commerce and protecting privacy. The Digital Personal Data Protection Bill is the latest in a series of statutes and regulations put in place to classify, process, handle and safeguard personal data.

The Digital Personal Data Protection Bill (also known as the “DPD Bill, 2022”) was introduced on November 18, 2022, by the Ministry of Electronics and Information Technology (MeitY). It is noted that the DPD Bill, 2022, replaces the previous Personal Data Protection Bill, 2019, and the Data Protection Bill, 2021. Notwithstanding the wide-ranging overhaul of the last draft, the DPD Bill 2022 has surprisingly stayed true to its underlying principles while reducing complexity.

Data aggregating technologies such as the Internet of things may necessitate the classification of sensitive personal data, including information about a person’s race or ethnicity, political views, religious or philosophical ideas, trade union membership, and specifics about their health and sexual preferences. An excellent example of this movement is the rules and protections imposed by the EU’s General Data Protection Regulation of 2016 (“GDPR”). The GDPR provides a wide-ranging code reflecting the European stance that the right to privacy and the appropriate handling of personal information is akin to a human right.  In both this regime and many others, sensitive personal data requires further protection than personal data.

In the Indian scenario, the previous Data Protection Bills of 2019 and 2021 had provisions identifying and protecting the sensitive personal data of data principals. In the present DPD Bill, 2022, there is a single blanket definition under Clause 2 (13) – “personal data”, meaning any data about an individual who is identifiable by or concerning such data, but there is no proviso defining sensitive personal data which consequently brackets it under the same protection provisions. 

Contextually, the previous iterations of data protection laws suggested separate consent to process personal and sensitive personal data. The importance of separate consent is also highlighted in the GDPR, wherein different protection standards are applied for sensitive personal data. The DPD Bill 2022 also adopts the concept of “deemed consent” under Clause 8, i.e., when data would be processed without explicit consent where it is “reasonably expected that the Data Principal would provide such Personal Data”. 

The practical impact of the lack of mandatory data classification is that companies will not opt for data classification at all. The world is expected to produce 94 zettabytes of data in 2022 alone (that’s 1021 bytes!), so there is a strong argument for simplification. Conversely, we are left to ponder whether rapid technological strides enable us to take a more granular view of personal data and consider the option of further classification. At the end of the day, our legislature is simply providing a common solution that should be workable for all, whereas companies are free to take such additional steps as they see fit.  In this respect, we would not be surprised to see this approach leading to industry guidelines where different sectors develop solutions that best fit the sensitivity of the data they collect.

Furthermore, federal organizations such as the RBI are being progressive with their policies, i.e., the introduction of Aadhar Vault to safeguard the employees’ Aadhar details by encrypting data, installing firewalls, and adhering to multiple technical Standards. However, the DPD Bill 2022 is more favorable to tech businesses due to its ease of implementation compared to the previous iterations of privacy bills in India and as seen in the GDPR. However, query whether privacy advocates will find the exclusion of classification of sensitive personal data, an unhappy compromise.

Written by: Rishab Kaushik