Express Computer

Home  »  Guest Blogs  »  Absence of special categories of personal data in India’s digital personal data protection bill, 2022 simplicity at the cost of efficacy?

Absence of special categories of personal data in India’s digital personal data protection bill, 2022 simplicity at the cost of efficacy?

Guest BlogsNews
By Express Computer
0 317

By Gaurav G. Arora, Partner at JSA and Aditi Richa Tiwary

With the exponential rise in the magnitude of data proliferation globally, the governance of citizenry and stakeholders through an evolved data protection regime is imperative. The Digital Personal Data Protection Bill, 2022 (“2022 Bill”) has been designed in furtherance of the efforts of the Ministry of Electronics and Information Technology to build a comprehensive legal framework on the digital ecosystem and is a step forth in the evolution of India’s data protection regime. While it is undeniably simpler than its previous versions, much of its simplicity and brevity appear to have been achieved by compromising crucial aspects of informational privacy, a glaring example of which is the absence of recognition of special categories of personal data.

Special Categories of Personal Data: Meaning, Necessity and Position in Significant Jurisdictions
The General Data Protection Regulation of European Union (“GDPR”) recognizes special categories of personal data as innately sensitive data in relation to the protection of privacy and other fundamental rights. Examples of such data include a person’s biometric information, health-related information, genetic information, political opinions, religious or philosophical beliefs etc.

Given the sensitivity of special categories of personal data, processing of such data is prohibited, subject to certain exceptions mentioned in the GDPR. As explicated in the GDPR, the need for recognizing special categories of personal data, and the consequent necessity of having additional safeguards protecting special categories of personal data stem from the risks to the right to privacy and other fundamental rights and freedoms associated with such data.

While the components forming special categories of data, in addition to the nomenclature employed by different jurisdictions to enunciate such data might differ across jurisdictions, data protection laws of major jurisdictions accommodate such categories. In addition to GDPR, the proposed American Data Privacy and Protection Bill (United States) also recognizes the concept of special categories of personal data in the form of “sensitive covered data” and imposes additional compliances concerning its collection, processing, and transfer.

As another example, Japan’s Act on the Protection of Personal Information (“APPI”), which provided limited protection to the concept of special categories of personal data until June 2020 despite identifying the same as “special care-required personal information” in 2017 contemporarily ensures additional protections concerning the acquisition of such data, thereby aligning itself with the international practice concerning the recognition of special categories of personal data adopted by many jurisdictions globally.

Special Categories of Personal Data vis-à-vis India’s Contemporary Regulatory Design
As India awaits a robust data protection regime, the Information Technology (Reasonable Security Practices and Procedures and  Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), framed under the Information Technology Act, 2000 form the contemporary legal landscape concerning data protection. SPDI Rules recognise sensitive personal data as information inter alia relating to passwords, medical records, health etc., and contain provisions including disclosure requirements, restrictions on third-party sharing, consent-obtaining mandates etc. While the contemporary regulatory design of SPDI Rules might appear to be all-encompassing, it has considerable shortcomings in terms of insufficient categories of personal data enlisted as sensitive personal data, weak notice and consent standards, and lack of an efficient operational mechanism, thereby calling for a regulatory overhaul.

Evolution of India’s data protection regime vis-à-vis special categories of personal data

India’s Personal Data Protection Bill, 2019 (“2019 Bill”) recognized special categories of personal data as “sensitive personal data” and “critical personal data”, and provided additional safeguards concerning the processing of such data. While the 2019 Bill reserved the components of critical personal data to be notified in the future, it enlisted certain categories of personal data within the ambit of sensitive personal data in the form of an inclusive list, having greater scope and gravity in comparison with SPDI Rules due to the presence of components such as information concerning religious and political beliefs, caste or tribe, etc.

The 2019 Bill was majorly based on the recommendations of the Committee of Experts under the Chairmanship of Justice B.N. Srikrishna (“Srikrishna Committee”) that explained the necessity of accommodating sensitive personal data in the Indian data protection regime. Srikrishna Committee described the significance of stringent data protection mechanisms for certain categories of personal data by relying on a four-fold test comprising of the likelihood of harm, degree of expected confidentiality, probability of discerning a distinct class prone to suffer a common loss, and the level of adequacy of general rules applicable on such personal data. The components of sensitive personal data determined by way of the four-fold test inter alia included biometric data, financial data, data concerning religious and political beliefs, health data, genetic data etc. The 2019 Bill included all the categories of personal data identified as sensitive personal data by the Srikrishna Committee and retained the four-fold test for prospective identification of components of sensitive personal data.

The significance of sensitive personal data was also affirmed in Data Protection Bill, 2021(“2021 Bill”) recommended by the Joint Parliamentary Committee (“JPC”) formed to review the 2019 Bill.. JPS’s affirmation of the concepts of critical personal data, sensitive personal data, corresponding compliances, and the four-fold test is reflected in the 2021 Bill. However, the 2022 Bill, to dilute the apparent complexities associated with its previous versions, presents a much simpler draft, devoid of recognition of the concept of sensitive personal data, or any other special category of personal data, consequently depriving the citizenry of the additional protections corresponding to such categories of data.

The way forward

While the 2022 Bill simplifies many complexities of its previous versions, the absence of recognition of special categories of personal data compromises the efficacy in personal data protection concerning Indian citizenry. Certain categories of personal data, due to their integral association with the identity of individuals are relatively more susceptible to privacy infringements than other categories. Consequently, such categories solicit an increased degree of protection vis-à-vis other categories, thereby necessitating the accommodation of special categories of personal data in data protection laws. The necessity of according enhanced protection to special categories of personal data is affirmed by international practice and is also in alignment with India’s evolution concerning data protection laws as reflected by the recommendations of the Srikrishna Committee and JPC. Considering India’s evolutionary journey and international standards concerning data protection, the 2022 Bill calls for appropriate amendments aimed at retaining the concept of special categories of personal data, thereby ensuring the efficacy of data protection in India.

Get real time updates directly on you device, subscribe now.

Express Computer

Express Computer is one of India's most respected IT media brands and has been in publication for 24 years running. We cover enterprise technology in all its flavours, including processors, storage, networking, wireless, business applications, cloud computing, analytics, green initiatives and anything that can help companies make the most of their ICT investments. Additionally, we also report on the fast emerging realm of eGovernance in India.

You might also like More from author
Leave A Reply

Your email address will not be published.

LIVE Webinar

Digitize your HR practice with extensions to success factors

Join us for a virtual meeting on how organizations can use these extensions to not just provide a better experience to its’ employees, but also to significantly improve the efficiency of the HR processes
REGISTER NOW 
Powered by Convert Plus
India's Leading e-Governance Summit is here!!! Attend and Know more.
Register Now!
close-image
Attend Webinar & Enhance Your Organisation's Digital Experience.
Register Now
close-image
Enable A Truly Seamless & Secure Workplace.
Register Now
close-image
Attend Inida's Largest BFSI Technology Conclave!
Register Now
close-image
Know how to protect your company in digital era.
Register Now
close-image
Protect Your Critical Assets From Well-Organized Hackers
Register Now
close-image
Find Solutions to Maintain Productivity
Register Now
close-image
Live Webinar : Improve customer experience with Voice Bots
Register Now
close-image
Live Event: Technology Day- Kerala, E- Governance Champions Awards
Register Now
close-image
Virtual Conference : Learn to Automate complex Business Processes
Register Now
close-image