50 Matching Annotations
  1. Aug 2023
    1. “personal data breach”

      It's interesting that anonymisation is entirely missing from this Act, particularly given the general belief among policymakers that anonymisation is the panacea to all privacy evils.

    2. the Data Protection Board of India

      Generally not well equipped to be an independent adjudicatory + investigatory body, but hopefully better than the adjudicatory authorities under the IT Act. Remember those?

    3. ROTECTION

      GDPR Chapter 6 - Independent Supervisory Authorities. Note the emphasis on independent, although the GDPR gives a lot of leeway to member states to determine the appointment of members and functioning of the authority, Article 52 establishes principles for their independence.

    4. b) for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where–– (i) she has previously consented to the processing of her personal data by the State or any of its instrumentalities for any subsidy, benefit, service, certificate, licence or permit; or (ii) such personal data is available in digital form in, or in non-digital form and digitised subsequently from, any database, register, book or other document which is maintained by the State or any of its instrumentalities and is notified by the Central Government, subject to standards followed for processing being in accordance with the policy issued by the Central Government or any law for the time being in force for governance of personal data

      GDPR - Art 6(f) and Art. 23 have VERY LIMITED EXEMPTIONS for state processing

      DJ: Mockery of the Puttaswamy judgement, and the very notion of consent. Consenting once to any state instrumentality now means that any part of the government can process and use your data without consent? And personal data once digitised does not only for the purpose of government processing need to meet the same standard?

      Processing in the public interest is important, and challenging, and requires well tailored and limited exemptions, where consent is not possible or not appropriate. This is not it. Provisions like this penalise poverty and subject the poor to routine and intrusive surveillance.

    5. (c) personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India

      GDPR Art. 23 allows states to legislate for restricting its application in the context of law enforcement, but the more complete picture is only by looking at the Law Enforcement Directive (2016/680), which imports substantial data protection commitments to the field of law enforcement.

      When certain ministers claim 'GDPR has exemptions too', it is either ignorant or duplicitous. Apart from constitutional safeguards and limited applicability of the Code of Criminal Procedure, India has no data protection obligations for law enforcement, and this is a problem.

    6. that does not include making of a decision that affects the Data Principal

      Not sure what the purpose of this language is (also applicable for the right to rectification in Section 12). Imports GDPR Art. 22 language on 'decision' which has been incredibly vague and unhelpful.

    7. (b) necessary for research, archiving or statistical purposes

      GDPR Art. 89 - Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

    8. (3) The Central Government may, having regard to the volume and nature of personal data processed, notify certain Data Fiduciaries or class of Data Fiduciaries, including startups, as Data Fiduciaries to whom the provisions of section 5, sub-sections (3) and (7) of section 8 and sections 10 and 11 shall not apply. Explanation.—For the purposes of this sub-section, the term “startup” means a private limited company or a partnership firm or a limited liability partnership incorporated in India, which is eligible to be and is recognised as such in accordance with the criteria and process notified by the department to which matters relating to startups are allocated in the Central Government

      This is ridiculous. No clarity or proscription on what counts as a start-up. No justification for why they should be exempted. Some 'startups' (think Clearview AI) are some of the most egregious, experimental technologies violating privacy, and the government intends to give them a complete opt-out of data subject rights and obligations.

    9. for the purpose of prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences.

      Means if government has made data access request they won't tell you.

    10. y notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified.

      GDPR Chapter 5 - Transfer of Personal Data to third parties.

      DJ: Blacklisting provision, no localisation mandates - good.

    11. (c) to ensure not to suppress any material information while providing her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities;

      What is 'material information'? Ripe for misuse. There are already laws against misrepresentation, fraud, etc. with substantial jurisprudence.

    12. Duties of Data Principal.

      No other data protection law in the world prescribes 'duties' for data subjects, some laws have provisions against vexatious complaints etc.

    13. (3) The Data Principal shall exhaust the opportunity of redressing her grievance under this section before approaching the Board.

      GDPR Art. 77 - Data subjects can seek remedies from DPA in addition to any other remedies under law.

      Additional hurdle to be crossed before seeking redress. Good to have alternative grievance forum, not good to have it nested in this manner. 'Exhausting' the opportunity is vague - no timelines prescribed for process, only for 'response', shifts burden on consumers / data subjects.

    14. 11. (1) The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent,

      GDPR Art. 15 - Right of Access

      DJ: Limited to DFs that process based on consent or 'deemed consent', but not for other grounds including or publicly available data or public purposes. GDPR is broader, more detailed.

    15. (a) the volume and sensitivity of personal data processed; (b) risk to the rights of Data Principal; (c) potential impact on the sovereignty and integrity of India; (d) risk to electoral democracy; (e) security of the State; and (f) public order.

      'Significant' departure from the GDPR and previous drafts which specified special category data. SCD / sensitive data has been a bit of a minefield under GDPR, but shows again limitations of narrow definitions of personal data, need to consider data protection contextually and relationally.

      This is, again, somewhat arbitrary - instead of capturing all controllers whose processing activities have significant effects (as in GDPR), the Central Gov has to notify first. In essence, the structural protection mechanisms for egregious privacy harms, audits and DPIA, which are some of the only protections that go beyond individual-centric consent and access/correction mechanisms, have been seriously limited through this change.

    16. The Central Government may, if satisfied that a Data Fiduciary has ensured that its processing of personal data of children is done in a manner that is verifiably safe, notify for such processing by such Data Fiduciary the age above which that Data Fiduciary shall be exempt from the applicability of all or any of the obligations under sub-sections (1) and (3) in respect of processing by that Data Fiduciary as the notification may specify

      DJ: Arbitrary. Why central gov. What is verifiably 'safe'. What is the role of the DP Board exactly?

    17. A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children.

      Wish I was a child

    18. Processing of personal data of children

      GDPR Art. 8 - Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

    19. easonable to assume that the specified purpose is no longer being served,

      GDPR: Art. 5(1)(e) aka storage limitation - Personal data may be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)

      DJ: Tricky, ripe for contention.

    20. In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed.

      GDPR Art. 33

      DJ: Missed this earlier, edited. Security breach notifications also exist under other rules (CERT-IN Rules most prominently), will they be harmonised?

    21. appropriate technical and organisational measures

      Art. 40 GDPR - Codes of Conduct. The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.

      DJ: What does 'appropriate' mean? Earlier drafts had rules on codes of practice to be established by the DPA, as a possible co-regulatory exercise.

    22. reasonable security safeguards

      GDPR Art. 33 covers security breaches.

      DJ: There is no security breach notification requirement under this law, which is regressive. (Although these exist under other laws like CERT-IN Rules, but for different purposes). Anyway, these geniuses have removed/repealed the law that defined 'Reasonable Security Practices' (Section 43A IT Act), so who knows what this means now.

    23. oluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent

      GDPR Art. 6(f) has a somewhat nuanced version of this clause.

      DJ: This is shocking and dangerous drafting, essentially the 'deemed consent' provision from earlier bills. After providing for consent as a basis for processing, it now shifts the burden entirely on the 'data principal' to show that they did not provide information 'voluntarily' and that they intended to not consent?

    24. for the purposes of employment

      GDPR: Employee data sometimes covered under Art. 6 (consent or legitimate interest).

      DJ: This wording is too broad to be useful to protect the interests of employees from workplace surveillance.

    25. (7) The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager. (8) The Consent Manager shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed. (9) Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.

      DJ: Consent managers seem like a bit of a dark horse. Given current trajectories, I would assume it's being done to push through AA / similar mechanisms to promote greater anonymised / pseudonymised data aggregation through infrastructural intermediaries.

      Srikanth / @logic has the best explanations of how this works.

    26. obliged to prove that a notice was given by her to the Data Principal and consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder

      DJ: Might lead to one of those situations where compliance requires far more data collection than warranted.

    27. (1) Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her

      GDPR Art. 12 and 13 - much more detailed notice and transparency requirements.

    28. Since phone contact list is not necessary for making available telemedicine services, her consent shall be limited to the processing of her personal data for making available telemedicine services.

      Article 6 GDPR -

      DJ: This is...odd. Necessity principle is introduced in this example / provision, but it is unclear as to what counts as 'necessary' grounds for contractual processing.

    29. The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.

      Article 7, GDPR.

      DJ: This is a good definition, could be clearer with reference to the Contract Act which has years of jurisprudence on contractual consent.

    30. The Data Fiduciary shall give the Data Principal the option to access the contents of the notice referred to in sub-sections (1) and (2) in English or any language specified in the Eighth Schedule to the Constitution

      DJ: Going to test this.

    31. A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose

      Art. 5 GDPR - principles for the processing of data are much more detailed, includes fairness and transparency as a standard.

    32. personal data that is made or caused to be made publicly available by— (A) the Data Principal to whom such personal data relates; o

      GDPR - No exemptions for publicly available data.

      DJ: This is ridiculous and flies in the face of any contemporary idea of privacy and data protection. Puttaswamy has clarified that privacy is context-based and not place-based. Data protection scholarship and literature for three decades has accepted that contextual integrity needs to be the basis of thinking about these things. Horrible, dangerous provision, feeds into the data broker machinery that preys on people in India today.

      Also, no context about what 'publicly available' means - does it have to be openly accessible to qualify? Even if some exemption for public data makes sense, it needs to be qualified.

    33. if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India;

      Art. 3 GDPR - Territorial Scope - the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union.

      DJ: Definition leaves out a number of processing activities, is open to interpretation on what counts as 'offering of goods or services' (Sale of Goods Act definitions very narrow, Consumer Protection Definition maybe?).

    34. (u) “personal data breach” means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data;

      Art 4(1) GDPR - ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

      DJ: DPDP Bill definition covers all unlawful processing, but has no specific personal data breach notification process. Unlike the GDPR (See Art. 33).

      See notes on Clause 8 of DPDP Below.

    35. (a) apply to the processing of digital personal data within the territory of India where the personal data is collected–– (i) in digital form; or (ii) in non-digital form and digitised subsequently;

      Bad drafting. This is the totality of 'digital data', and the distinct definitions are superfluous / redundant.

    36. (i) “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;

      GDPR, Art 4(7) - ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

    37. (t) “personal data” means any data about an individual who is identifiable by or in relation to such data;

      Art. 4, GDPR: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

    38. (h) “data” means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means;

      GDPR Art. 4(1) - ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person