By Aihik Sur
In what could be a major win for civil society organisations, the Union government, in the fresh version of the the Digital Personal Data Protection (DPDP) Bill, may expand the scope of deletion of user data to not just personal data, but all forms of data stored with a company.
This comes at a time when the draft DPDP Bill has been approved by the Union Cabinet, clearing its way to be tabled in the Monsoon Session of the Parliament set to begin on July 20. The government has made several changes to the bill after rounds of consultation with industry and academia. The fresh draft, which was approved by the cabinet, has not been made public yet.
In regards to deletion of user data, under the previous (2022) draft, if a user in India asks a major social media platform to delete data stored with them, the platforms could have just opted to only erase their personal data, and keep the rest of the data in a deanonymised format.
“Earlier businesses were very happy with this arrangement because it meant that they could just de-link one’s personal identifiable information (PII) from a dataset irreversibly, and keep the rest of it in a deanonymised form,” said a source aware of the developments.
Section 12 (2) (d) of the DPDP Bill 2022 says that if a data principal (user) asks a data fiduciary (any body that processes personal data) to erase their data, then the body will “erase the personal data of a data principal that is no longer necessary for the purpose for which it was processed….”
Changes made
However, there was criticism regarding this specific clause. For instance, CUTS-CCIER, a civil society body looking into competition issues and consumer awareness, had urged the government to amend this specific clause and instead introduce Right to be Forgotten clause — the right to remove or erase content so that it’s not accessible to the public at large.
It is also important to remember that the now withdrawn Personal Data Protection Bill 2021 too had clauses on Right to be Forgotten, which was done away with in the DPDP Bill 2022. The previous bill was withdrawn last year and the government had reasoned that the bill had become compliance heavy, and that it had gone beyond its scope.
“There was a lot of criticism from civil society regarding the clauses of data erasure in the previous draft. This has now been restricted to complete erasure — that erasure does not mean anonymisation of data,” said a source.
This is the latest in the string of changes that the government may have made in the undisclosed, new draft of the DPDP Bill.
For instance, Moneycontrol reported how in the fresh draft of the bill , the government may introduce an appellate body for customers to appeal decisions of the Data Protection Board. This will be a significant change from the 2022 draft, where only the Data Protection Board (DPB) could conduct proceedings or inquiries and give their decisions while dealing with user complaints related to data breaches and so on.
When the Monsoon Session begins on July 20, and once the bill is tabled, it can either be passed by the two houses of the Parliament, and following the President’s signature be enacted into law; or it may also be possibly be referred to a Parliamentary Committee for it to be studied further.
When asked about this earlier, Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology had said, “I don’t think there is a need for it. (But if) the standing committee or someone wants to take a look at it, the government is fine with it. Our Prime Minister’s view on this type of legislation is that it should be as widely consulted as possible… Now, if the Parliament decides that they want to sit down and think about this for a lot longer, that’s fine.”