Will ‘deemed consent’ be part of the new data protection bill?
The government is contemplating adding a clause on “deemed consent”, under which personal data provided voluntarily may be used for purposes other than the one it was provided for, to a new version of the data protection bill; the clause may or may not make it to the final draft, HT has learnt.

For example, the concept, which forms section 8 of the proposed Bill, equates deemed consent to a data principal providing their personal details — name and mobile number — to a restaurant to reserve a table. In this case, the proposal adds, the data principal has agreed to the use of their personal details “for the performance of any function of the state under any law including a provision by the state or any instrumentality of the state of any service or benefit of the data principal, issuance of any certificate, license or permit for any action or activity of the data principal.”
In another illustration, the draft Bill proposes that if a data principal shares their name, mobile number and personal bank account number with a government department for direct credit for an agriculture scheme, the user will also be deemed to have shared the data for purposes that can include credit of fertilizer subsidy, compliance with a judgment or order issued under any law, responding to a medical emergency and for taking measures to provide medical service.
In a third example, it states that if a data principal shares biometric details with their employer, they shall be understood to have given their consent “in public interest for prevention and detection of fraud, whistle blowing, network and information security, credit scoring, operation of search engines for processing of publicly available data, and recovery of debt”.
This manner of determining consent is reflected in other sections of the draft law which dealt with conditions under which personal data can be processed. As part of the 2019 draft bill, personal data could be processed and accessed for “the purpose consented to by the data principal or which is incidental to said purpose”.
The new version of the draft said that the data may be accessed for a “lawful purpose” or an “incidental lawful purpose in a privacy preserving manner”, seemingly doing away with the “said” purpose, the one for which the data was sought.
“If indeed deemed consent forms part of the latest draft Data Protection Bill, the same in effect would negate the very purpose of the enactment. It would give free rein to one and all to collect data through the Hobson’s Choice of ‘take it or leave it’ and militates against the letter and spirit of Puttaswamy’s privacy judgment,” said Supreme Court lawyer and founder of Cybersaathi NS Nappinai.
According to people aware of the matter, a version of the bill has also removed the categorisation of sensitive, personal and critical data, referring only to digital personal data, that could be used as an umbrella classification. Previously, sensitive and critical personal data had some elevated protections.
But there seemed to be some inconsistency, with a separate section on cross-border transfer of personal data mentioning sensitive personal data as needing to be stored in the country, without elaborating on what the classification included.
“The current law has a delineation mandating stricter rules for sensitive personal data. If categorisations are being removed, then rights of data subjects even to their personal data would have to be raised to that of sensitive personal data. It cannot be that existing rights qua SPD will stand diluted,” said Nappinai.
On Wednesday, there was strong speculation that the Union ministry of electronics and information technology (Meity) was about to introduce the latest version of the data protection bill, being referred to as the Digital Personal Data Protection Bill, 2022. But the government cancelled IT minister Ashwini Vaishnaw’s press conference at the last minute, an official familiar with the matter said, asking not to be named.
When asked about why the press conference was cancelled, Vaishnaw told reporters at the Rail Bhawan that the data protection bill was a work in progress. “It’s like building a temple, you have to build it one block at a time,” he said.
Union minister of state for electronics and information technology Rajeev Chandrasekhar on Wednesday also shared his past tweets with the hashtag #PersonalDataProtectionBill, triggering conversation about the changes in the new draft that was expected to be out on Wednesday.
The bill is being redrawn after being withdrawn in Parliament by the government during the Monsoon session. HT reported in August that the government was planning to replace the data protection authority with a new appellate body, now being referred to as the Data Protection Board. It also reported that initially the ambit of the Bill will apply only to digitised data, with legacy provisions being introduced in the Bill.
Nappinai added that the purported proposal to remove the data protection authority and convert it to “a Board substantially diluted the powers originally vested with such authority. This is not on par with GDPR”. Her reference is to the General Data Protection Regulation, the EU law on privacy and security that is universally considered the benchmark for such laws.
The government set up a committee under Justice BN Srikrishna to draft the first version of the Bill in 2017. The Puttaswamy judgment further reaffirmed the same year that privacy was a fundamental right. In 2018, the Srikrishna Committee submitted a 176-page report, the first draft version of the Bill.
The version was revised and introduced in Parliament with leeways for the government in 2019. Immediately after, the JPC was set up in 2019 to take up the matter after parliamentarians were divided over several provisions of a law that is meant to put a legal shape to the Right to Privacy and will have far-reaching impact on industry. The committee was given at least four extensions before it finally submitted its report, only for the bill to be pulled out entirely this year.
