IT Standing Committee’s Review of MeitY’s Response to Its Recommendations on Citizens’ Data, Privacy

In its report published last week, the Committee reviewed MeitY’s action taken notes and further urged the Ministry to adopt its recommendations on certain pressing themes.

The IT Standing Committee has released its 55th report reviewing action taken by MeitY on the observations and recommendations the Committee made in its 48th Report on ‘Citizens’ Data Security And Privacy’. It covers issues with the DPDP Act and Rules, their effect on the IT Act, their consent framework, broad exemptions, and excessive rule-making. It urges MeitY to expedite passage of the DPDP Rules and “DIA”. We review these recommendations and urge MeitY to place meaningful public consultations and deep research at the heart of lawmaking. The blog includes excerpts from the reports, IFF’s past analysis on these issues, and naturally, some Taylor Swift songs.

Who is the Parliamentary Standing Committee anyway?

An extended arm of the legislature, Parliamentary Standing Committees (“PSC”) (which include departmentally related standing Committees, finance Committees and administration Committees) keep a check on parliamentary affairs and give recommendations on complex law-policy issues to aid policy-making and reform. While a significant amount of Parliament’s work gets done on the floor of the House, it is difficult for the legislature to scrutinise all ongoing government activities during short parliamentary sessions. PSCs were constituted to ease this burden by reviewing and issuing detailed observations and recommendations on proposed legislation, government policies, the legal environment, and union accounts and expenditure. Each Committee has a systematic deliberation process wherein it can invite inputs from experts and stakeholders, and even publish dissenting opinions as part of the Committee’s composite reports. Read more about the role of PSCs in legislative processes here.

After examining certain laws, policies or issues, PSCs come up with a consolidated report and table it in Parliament. Subsequently, they also submit Action Taken Reports which show how many of their recommendations have been accepted by the government, and the progress made on them. The report being analysed in this blog is one such action taken report.

IT Committee’s 55th Report: a list of would’ve, could’ve, should’ves

On February 08, 2024, the Parliamentary Standing Committee on Communications and IT (“Committee”) published its 55th report, reviewing the action taken by the government, in this case, the Ministry of Electronics and IT (“MeitY”) on the observations and recommendations the Committee made in its 48th Report (dated August 01, 2023) on ‘Citizens’ Data Security And Privacy’. Reports of the Committee can be read here.

In its original report, which predates the Digital Personal Data Protection (“DPDP”) Act, 2023 in its current form by a mere 10 days, the Committee raised a list of concerns to MeitY on the rising risk of misuse of personal data and outdated provisions of the Information Technology (“IT”) Act, 2000, highlighting that a data protection law must be urgently introduced, and citizen awareness and empowerment in data security should be prioritised. One member of the Committee submitted a dissent note regarding the rule-making powers of the central government, exemptions to government agencies, and non-inclusion of non-personal data. MeitY has since submitted action taken notes to the Committee, responding to its recommendations and submitting updates on whether they have been accepted or followed. In this report, published on February 08, 2024, the Committee reviews MeitY’s action taken notes and further urges the Ministry to adopt its recommendations on certain pressing themes.

Diving into the report

Here, we break down what the Committee said about actions taken by MeitY so far:

On DPDP Act: not a lot going on at the moment

The Committee passed its original report before the introduction of the current DPDP Act in the parliament. Many of its recommendations on the data protection environment predate the Act, but principally still hold some value. On provisions of the DPDP Act relating to consent mechanisms and notice requirements, the Committee reiterated the importance of providing consent and notice in languages specified in the Eighth Schedule to the Constitution to ensure accessibility, clarity and comprehension. The Committee further noted that the default consent settings under the Act should be designed to extend benefits to data principals, especially those with low levels of digital literacy. For this, the Committee suggests MeitY can incorporate visual elements for consent and notice, promoting easier understanding, accessibility, and inclusive digital access while defining the prescribed methods for obtaining consent and delivering notices.

To this, the Ministry responded that it has noted the suggestions and is taking steps to ensure they reflect in the Act through the DPDP Rules. The Committee, unsatisfied with the response, noted that MeitY has not furnished any information on the present status of this action and merely parroted what the Committee suggested, and urged urgent action.

The second issue raised by the Committee on provisions of the DPDP Act is the ‘deemed consent’ clause, which was present in the draft DPDP Bill, 2022 and has since been removed based on public consultation and feedback from stakeholders. Instead, under the DPDP Act, personal data can now only be processed without consent “for certain legitimate uses”. The exemptions listed in Section 7 are limited to the State and its instrumentalities to “perform functions under law or in the interest of sovereignty and integrity of India and security of the State, to provide or issue subsidies, benefits, services, certificates, licences and permits that are prescribed through rules, to comply with any judgement or order under law, to protect or assist or provide service in a medical or health emergency, disaster situation or maintain public order and in relation to an employee.”

In its original report, the Committee expressed concerns that there is still a possibility of these exceptions being misused, and strongly recommended the Ministry to devise a mechanism to ensure that these exceptions “do not become the general rule and are used only in exceptional circumstances, with the aim of promoting ease of living and the digital economy.” The Ministry’s response to this was evasive and vague. It listed Section 7 requirements again, said it “is aware” that it can be misused… and said nothing else. The Committee notes this in the current report and again strongly urges MeitY to act and update them about their plans.

Not only is a vague and broad exemptions clause in the DPDP Act dangerous in its current form, the rule-making powers conferred on the executive by the Act as a whole make it a tool for potential misuse as well. The union reserves the right to exempt any of its departments, or a private third party it is contracting with, from consent provisions under the Act. If this is the case, no matter how strong and expansive the consent and other rights framework is under the data protection legislation, overbroad executive control and excessive future lawmaking powers can eventually render it meaningless. Additionally, it is difficult to meaningfully engage with and analyse provisions of the Act, because it has not been enacted and remains to be operationalised through Rules (coming soon?).

On DPDP Rules: Death by a thousand “as may be prescribed”s

In its original report, one of the many concerns on the DPDP Act that the Committee noted was the rule-making powers it confers on the union government. While the digital landscape remains dynamic and ever-evolving, it noted that rule-making powers must be used judiciously and with utmost care and responsibility by MeitY. In response, the Ministry assured the Committee that rule-making powers were a routine part of policymaking and necessary to make the implementation of the Act practical and feasible in the long run.

The Committee, unsatisfied with MeitY’s response, reiterated the need for responsible and judicious use of rule-making powers, adding that the rules formulated must be presented to the Parliament for scrutiny and discussion. It noted that the Ministry has merely outlined the established practice for rule-making without providing clarity on when the DPDP Rules will be finalised. According to established norms, it stated, rules under an Act should be framed within six months of its commencement. Since the data protection law was notified on August 11, 2023, the Committee expects that the Rules in this regard should be nearing completion.

The Committee further believes that the lack of properly framed rules has prevented the notification of essential components of the data privacy law, including the Data Protection Board, which is mandated to investigate privacy breaches and impose penalties as outlined in the Act. It urged the Ministry to prioritise the finalisation and introduction of the DPDP Rules within the prescribed period of six months, and avoid seeking an extension on this front. It added that the rules drawn up must be simple and easy to understand and administer. The Committee asked to be informed of the efficacious steps taken by MeitY in this regard.

The DPDP Act, 2023 lists 25 specific situations for which the union government will notify rules at a later stage and also gives itself the leeway to notify rules at a later stage for “any other matter which is to be or may be prescribed”. Such excessive rule-making has severely limited the ability of stakeholders to meaningfully engage with the DPDP Bill, 2022 and Act, 2023, and for data principals and fiduciaries to understand and prepare for how the legislation will impact their rights, obligations, and conduct of business. While in some instances, procedures and specificities have to be left to future rule-making, these must not completely hamper the operationalisation of the parent law and must be accompanied by relevant safeguards to protect against arbitrary rule-making. The DPDP Act has not been enacted yet, and several of its procedures including on consent mechanisms and setting up of the statutory Data Protection Board cannot be operationalised without notifying specific rules. We agree with the Committee’s concerns about the overreliance on rule-making and the need to use these powers responsibly.

We also agree that the rules thus drafted must be simply written and easy to understand and administer, without compromising their substantive quality or scope. However, what causes some worry is the pressure from the Committee to expedite rule-making. Any legislative process must be preceded by extensive consultation with experts, civil society and the public, and must fall squarely within the mandate of the Constitution. Though MeitY officials have indicated that the DPDP Rules will be put for public consultation, news reports say that the time given for the public to respond will be 45 days. It is worth noting that the Ministry invited feedback and public comments on the draft Digital Personal Data Protection Bill, 2022 for 30 days. Where on one hand the Ministry provided stakeholders an entire month to send comments on a bill that was only 24 pages long, on the other it is considering a mere 45-day public consultation period for 21 draft rules for a key piece of legislation. Further, some news reports said they would be out before January 31, 2024. Some say not before the conclusion of the 2024 general elections.

Amid confusion, delays, and an inadequate consultation process, the DPDP Rules have a significant responsibility of operationalising the Act. Though deep research and nuance in lawmaking take time and delays can be justified in certain circumstances, the contradicting statements from officials and rumours about a worryingly small consultation time frame are definite causes for concern. A thorough public consultation process forms the foundation of any democracy and is an effective means for the public to participate in policy-making and exercise their constitutional rights. MeitY must release the Rules for consultation with an ample time frame for the public to respond in.

On the “DIA”

In its original report, the committee “strongly urged” the Ministry to “promptly finalise the framework of the Digital India Bill and expedite its enactment without any undue delay”. MeitY simply replied to this descriptive and long suggestion with…

The Committee, understandably, reiterated its concerns more emphatically, stating that the outdated IT Act, 2000, which is now 24 years old, needs to immediately be replaced with a new “Digital India Act” (“DIA”). The Committee urged the Ministry again to “promptly conclude the framework for the Digital India Bill and expedite its enactment without unnecessary delays.” The curt response from MeitY did not help, as the report notes the lack of specified timelines for rolling out the “Digital India Act” and no indication of introducing it in the Budget Session of Parliament. The Committee notes that the Ministry has had ample time to release the draft bill for public consultation before its presentation in Parliament, but did not do so. The Committee reiterated the prompt action required and closed the review by stating “the earliest action in this regard would be appreciated.”

The “DIA” so far has been all bark, no bite. As we spoke about at length in our blog posts here and here, MeitY officials have been talking to the media about the law at length and teasing its release, but no official notification or indication has come from the Ministry. As per media reports from May 2023, the consultation on the DIB was supposed to begin on June 7, 2023 and the draft was “likely to be ready by early July”. Then on June 30, 2023 the Minister of State admitted to the delay in the release of the Bill, and promised that it would be released “very soon”.

While we believe that a clear, concrete timeline helps prepare stakeholders for a bill with such significance and alleviates a lot of mystery-led misery around the bill, we also consider deep consultations and consensus around the legislation from all stakeholders as equally important as the timelines by which the legislation is enacted. The only available resources include a PowerPoint presentation shared by MeitY officials, which we have already performed a post-mortem on (in this blogpost here). Several questions remain unanswered about the “DIA”, its ambitions and its mystery digital ecosystem “reform”. Until then, while we share the Committee’s frustrations with still not having a law, we hope due process is followed by MeitY in opening it up for consultations and engaging with stakeholders more meaningfully.

On the IT Act

Some provisions of the two-decade old IT Act, 2000 will become redundant with the enactment of the DPDP Act. The Committee noted that the DPDP Act will overhaul IT Act Sections 43A, 81 and 87, and also affect disclosure provisions under the Right to Information Act. The Committee urged MeitY to proactively revisit the provisions of and notify amendments to all affected legislations and provisions, specifically in the IT Act. In response, MeitY noted the recommendation and listed the following amendments to the IT Act:

  1. The removal of section 43A.
  2. In section 81, the inclusion of the phrase “or the Digital Personal Data Protection Act, 2023” after the words “the Patents Act, 1970” in the proviso.
  3. In section 87, the omission of sub-section (2), clause (ob).

The Committee seemed satisfied with MeitY’s response, but the reforms brought in by the DPDP Act undermine other digital rights and freedoms in and out of the IT Act. For instance, it weakens the right to receive information from public authorities by removing the public interest exception to disclosure of personal information under the Right to Information Act, 2005, thereby diluting the Act. It further dilutes the scheme of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, which accords a higher degree of protection to the processing, sharing and storing of sensitive personal data than other personally identifiable data, by removing the categorisation of “sensitive personal data” from the DPDP Act itself. Such data, including health, sexuality, financial and biometric data, will now be processed with no more procedural requirements than data relating to home addresses, phone numbers, etc. This is one of the many failures of the current DPDP Act.

MeitY, are we out of the woods yet?

While many of the Committee’s recommendations are useful requests, we reiterate that MeitY must place meaningful public consultations and deep thematic research at the heart of lawmaking. Issues like consent and bridging the digital divide are complex and can benefit greatly from expert insights and stakeholder consultations. In fact, the “DIA” is chock-full of complicated themes and globally debated issues, so “hurrying up” may not be solid advice. Instead, a comprehensive and well-thought-out timeline for legislative processes, which is published by MeitY after talking to each other, may be the better solution for now.

This article first appeared on the Internet Freedom Foundation’s official website. Read the original here.

Civil Society Organisations Urge G20 to Stop Talks on Cross-Border Free Flow of Data

‘The G20 is not an appropriate forum to discuss the issue of digital data governance where majority of G20 developing countries, like South Africa, India and Indonesia, in particular, are still refusing to buy into this new term.’

New Delhi: Multiple civil society organisations have urged the G20 countries to stop talks on the free flow of data, highlighting the fact that many of the developing countries within the group, including new G20 president India, are lagging behind when it comes to recognising the issue of digital data governance.

The G20 is an intergovernmental forum of 19 countries and the European Union.

“We, civil society organizations, urge the G20 Developing Countries to not continue the discussion on Data Free Flow with Trust (DFFT) to promote the free flow of Data at the G20 meeting, especially under the Presidency of India,” 12 organisations have written in a press release.

The G20 presidency – which rotates every year – is India’s for 2023.

The signatories are:

  1. Asia-Europe Peoples Forum (AEPF)
  2. Focus on the Global South
  3. Seattle to Brussels (S2B) Network
  4. Transnational Institute (TNI)
  5. Global Justice Now (GJN)
  6. IT for Change India
  7. Indonesia for Global Justice (IGJ)
  8. Sahita Institute (Hints)
  9. Fresh Eyes (UK)
  10. Pakistan Rabita Committee
  11. FIAN (Indonesia)
  12. Indonesian Human Rights for Social Justice (IHCS)

The Data Free Flow with Trust or DFFT initiative, the groups say, does little to quell developing countries’ concern that its agenda is of economic expropriation, and that it has little to do with privacy and security.

The G20 Bali Declaration, they say, is “still pushing the commitment of all G20 members to continue the discussion” on DFFT, despite there being no agreement between the member countries on pursuing this.

“The G20 is not an appropriate forum to discuss the issue of digital data governance where majority of G20 developing countries, like South Africa, India and Indonesia, in particular, are still refusing to buy into this new term.

“This is because their main issue with the original ‘free flow of data’ doctrine was not as much to do with privacy and security as it was about economic expropriation, given that data is the most valuable resource today. The new concept of DFFT did nothing to address this central concern of developing countries.”

Developing countries’ main problem with cross-border free flow of data comes from fears of digital colonisation, the statement notes, adding that DFFT will not guarantee economic growth for developing countries.

India last month proposed a new data privacy law that will allow companies to transfer some users’ data abroad, while giving the Union government powers to exempt state agencies from the law in the interests of national security.

The proposed law would be the latest regulation that could impact how tech giants such as Facebook and Google process and transfer data in India’s fast-growing digital market. It comes after the government, in August, withdrew a 2019 privacy bill that had alarmed companies by proposing stringent restrictions on cross-border data flows.

The latest privacy bill relaxed certain stringent norms on cross-border transfers proposed earlier, with the government saying it could specify countries to which entities managing data can transfer personal data of users.

Whoever controls data controls the digital domain too, the signatories of the letter stress. Big technology companies, therefore, are keen to maintain their hold on data.

“Data is the key resource in a digital society and economy. Most of the data value is extracted by one or two big techs superpowers who control most of the global digital platforms and infrastructure. The big problem is, today’s big techs companies are benefiting greatly from the expansion of economic digitisation with controlling the data in the global world. The top of the list was the right to Control Data, and who controls data essentially can dominate the digital domain. And, so they wanted absolute rights to control the data generated in the business. 

“The big tech companies have been lobbying the states to regulate the free flow of data so they can keep the data monopoly. Trade rules are being used to leverage this influence as a vehicle for expanding the big techs power and influence. We are increasingly seeing the incorporation of ‘digital chapters’ in trade agreements and negotiating E-commerce Agreement at the WTO

Earlier this year, WTO members reached a provisional deal to extend a moratorium on applying duties to electronic transmissions until the next ministerial meeting, likely to be in 2023, Reuters had reported. The moratorium has exempted data flows from cross-border tariffs since 1998.

‘Need to go beyond trade’

“We support the call by the UNCTAD for developing a ‘global data governance framework’ that addresses both non-economic and economic aspects of data,” the civil society organisations say.

The UNCTAD’s 2021 Digital Economy Report states that as data and cross-border data flows become increasingly prominent in the global economy, there is an urgent need to properly regulate them at the international level. “Thus, when addressing how to regulate cross-border data flows, the international community will need to go beyond trade and consider them in a holistic manner,” they observe.

The statement also strongly demands that the developing G20 countries take concrete action beyond the G20 forum to “develop a just global digital and data governance and framework based on south-south solidarity principles.”

Such action should be taken by an independent and representative multilateral mechanism, backed by an international treaty (or human rights treaty), the groups urge. It should also ensure that global digital and data governance and its framework would not be governed by any international trade rules – either WTO or bilateral and regional Free Trade Agreements.

The groups say that cross-border data flows should be based on a “comprehensive rights-based approach” that includes the civil and political, social and economic, and the right to development branches of human rights.

“Economic data rights of individuals, communities and workers are important to ensure equity and justice, nationally and globally. It is important that cross-border data flows are based on social and economic justice, and observe principles like fairness and justice, transparency, lawfulness, and reciprocity in relation to data-related benefits. Therefore, we need to develop a just global digital and data governance framework with an independent, representative,” the groups say.

Government Withdraws Personal Data Protection Bill, Plans New Set of Legislations

The withdrawn Bill had, controversially, sought to provide the government with powers to exempt its probe agencies from the provisions of the Act.

New Delhi: The government on Wednesday withdrew the Personal Data Protection Bill from the Lok Sabha and said it would come out with a “set of new legislation” that will fit into a ‘comprehensive legal framework’.

IT minister Ashwini Vaishnaw said this while moving for withdrawal of the Bill in the House, according to news agency PTI.

The withdrawn Bill had proposed restrictions on the use of personal data without the explicit consent of citizens. It had, controversially, also sought to provide the government with powers to exempt its probe agencies from the provisions of the Act, a move that was strongly opposed by opposition MPs who had filed their dissent notes.

The government would hold a wide public consultation before putting the new legislation to parliament, official sources said.

According to PTI, the Bill could be replaced by more than one Bill, dealing with privacy and cyber security and the government may bring the new set of Bills in the winter session of Parliament.

The government circulated among members a statement containing reasons for withdrawal of the Bill, which was introduced on December 11, 2019 and was referred to the Joint Committee of the Houses for examination. The report of the Joint Parliamentary Committee (JCP) was presented to Lok Sabha in December 2021.

The withdrawal of the Bill was made part of the supplementary agenda of Lok Sabha Wednesday afternoon.

According to the statement circulated to Lok Sabha members on August 3, the 2019 Bill was deliberated in great detail by the JCP, which proposed 81 amendments and 12 recommendations for a comprehensive legal framework for the digital ecosystem.

“Considering the report of the JCP, a comprehensive legal framework is being worked upon. Hence, in the circumstances, it is proposed to withdraw ‘The Personal Data Protection Bill, 2019’ and present a new Bill that fits into the comprehensive legal framework,” the statement said.

After the Bill was withdrawn, minister of state for IT Rajeev Chandrashekhar tweeted that this will soon be replaced by a comprehensive framework of global standard laws, including digital privacy laws for contemporary and future challenges, and catalyse Prime Minister Narendra Modi’s vision.

He said the JCP report on the Personal Data Protection Bill had identified many issues that were relevant but beyond the scope of a modern digital privacy law.

“Privacy is a fundamental right of Indian citizens & a Trillion-dollar Digital Economy requires Global std Cyber laws,” he said in another tweet.

The withdrawn Data Protection Bill had also proposed the setting up of a Data Protection Authority.

It had also proposed to specify the flow and usage of personal data, protect the rights of individuals whose personal data are processed, as it works out the framework for the cross-border transfer, accountability of entities processing data, and moots remedies for unauthorised and harmful processing.

According to the Indian Freedom Foundation, India desperately needs a data protection legislation, especially considering the rush in which digital policies are being introduced in the country. However, the Data Protection Bill, 2021, which should empower the user with rights surrounding their own personal information, has failed to prioritise the user. It, instead, benefits the government and large corporations way more than it benefits users.

JPC members welcome decision

Members of the erstwhile JPC on Wednesday welcomed the government’s move to withdraw the legislation, saying it was better to bring a new legislation after more than 80 amendments suggested by the panel.

BJP MP P.P. Chaudhary, chairman of the parliamentary committee, said after so many amendments suggested by the panel, it makes more sense to bring a new legislation which will be comprehensive and will include all suggestions made by the committee.

Echoing similar sentiments, BJD MP Bhartruhari Mahtab, who was also a member of the parliamentary committee, said with the vast number of amendments the Bill required an overhaul and it can be done only by bringing a new law.

(With PTI inputs)