Key Features of the Digital Personal Data Protection Bill, 2022
We Indians live digital lives in vast numbers. Internet users in India have been growing at an astonishing rate, and each digital transaction leaves a trail of information or data that is vulnerable to misuse. It is not an overstatement to say that privacy is an immense perplexity of our age. Ever since the right to privacy was recognised as a fundamental right by the Indian Supreme Court in 2017, Indian lawmakers have sought to develop a comprehensive data protection framework. After much consultation on the matter, on November 18th, 2022, the Ministry of Electronics and Information Technology (“MeitY”) released the fourth version of India’s data protection bill, entitled “Digital Personal Data Protection Bill, 2022” (“DPDP Bill”). The DPDP Bill seeks to supplant the earlier Personal Data Protection Bill (PDP Bill).
How different is this latest iteration from the earlier drafts? Does it adequately protect the use of personal data? Does it bestow satisfactory rights on individual users? How does it impact businesses? These are some of the questions this article endeavours to answer by discussing and analysing the key features of the DPDP Bill.
Key features of the DPDP Bill
1. Important definitions under the proposed law
To comprehend the nuances of the DPDP Bill, let’s first understand specific core definitions which constitute the basis of the proposed data protection law.
- Personal Data: It refers to any data about an individual who is identifiable by or in relation to such data.
- Data Fiduciary: It denotes a person who decides the purpose and means of processing personal data, either independently or in conjunction with other persons.
- Data Principal: It represents the individual to whom the personal data relates. In case of children, it includes parents and legal guardians of the child.
- Data Processor: It means a person who processes personal data on behalf of a Data Fiduciary.
- Significant Data Fiduciary: It is a Data Fiduciary notified by the Central Government after considering factors such as the volume of personal data processed, risk to electoral democracy, security of State, and public order, among others.
- Data Protection Officer: It refers to an individual appointed by a Significant Data Fiduciary who shall be responsible to its Board of Directors and function as a point of contact for redressing any grievances that may arise.
2. Applicability and Scope
The DPDP Bill applies to personal data that is processed digitally, whether it is collected online or collected offline and digitised subsequently. The proposed law also extends to the processing of digital personal data outside Indian territory, provided such processing concerns profiling a Data Principal in India or offering goods or services to such an individual. Thus, the DPDP Bill would also apply to foreign entities if the said condition is satisfied.
However, the following forms of data have been kept outside the purview of the DPDP Bill:
- Personal data processed through non-automated means.
- Offline personal data.
- Personal data processed for domestic or private purposes.
- Personal data that has been recorded for at least 100 years.
3. Rationale for processing personal data
The proposed law allows data fiduciaries to process personal data for any lawful purpose (i.e., purposes not explicitly forbidden by law), provided the Data Principal has consented or is deemed to have given consent to it.
4. Pre-conditions for processing personal data
Before collecting personal data, the Data Fiduciary must issue an itemised notice (i.e., one displayed as a list of individual items) to the Data Principal in plain and cogent language, specifying the “kind” of personal data sought to be collected and the “purposes” of processing such data. The Data Principal may opt to receive the notice in English or in any of the regional languages listed in the 8th Schedule of the Indian Constitution.
A Data Fiduciary can process personal data only after receiving valid consent from the Data Principal. The consent will be valid only if it is free, specific, informed, and unambiguous. Moreover, it must be expressed via an ‘affirmative’ action by the Data Principal to signify their agreement to the data processing for the purpose specified in the notice. The DPDP Bill also enables a Data Principal to withdraw their consent (through a consent manager) at any time, in which case the Data Fiduciary shall be obliged to cease processing the personal data within a reasonable time.
- Deemed consent
Although consent is and continues to remain the foremost requirement for processing personal data, the DPDP Bill introduces the concept of deemed consent which permits such processing without the express consent of the Data Principal. Some of the instances where a Data Principal is deemed to have given consent include:
a) The Data Principal voluntarily provides personal data.
b) Processing data is necessary for providing any service or benefit to the Data Principal by the State.
c) Processing data is necessary to comply with any law or judgment.
d) Processing is in connection with employment purposes.
e) Processing is essential for ensuring public interest.
- Responsibilities of data fiduciaries
The DPDP Bill imposes certain obligations on data fiduciaries to ensure the security of personal data. The rationale is that the Data Fiduciary shall be primarily responsible for compliance with the DPDP Bill, irrespective of any contract to the contrary or any action taken by the Data Principal. A summary of the obligations is given below:
a) To make reasonable efforts to uphold the accuracy and completeness of the data they process.
b) To implement appropriate technical and organisational measures to ensure compliance with the DPDP Bill.
c) To take reasonable security safeguards to protect personal data and prevent a data breach.
d) To notify instances of data breach to the Data Protection Board of India (the regulatory body proposed under the DPDP Bill) and to the affected Data Principal.
e) To cease retaining personal data as soon as the purpose of retention is completed.
f) To publish the business contact information of the Data Protection Officer or any other person authorised to answer queries of Data Principals.
g) To provide an effective grievance redressal procedure.
h) To share personal data with another Data Fiduciary or a Data Processor only with the consent of the Data Principal and only under a contract.
- Rights and Duties of Data Principals
The DPDP Bill provides certain rights to the Data Principal concerning their personal data, which are enumerated below:
a) Right to information: Data Principals have a right to obtain confirmation that their personal data is being processed, a summary of the data being processed, and the identities of the data fiduciaries accessing such personal data.
b) Right to correction and deletion: Data Principals may not only seek correction of their personal data but may also request the erasure of such data where it is no longer needed for the purpose for which it was processed.
c) Right to redress grievances: Data Principals can register their grievances with data fiduciaries. In case of an unsatisfactory response or no response within 7 days, the Data Principal can register a complaint with the Data Protection Board of India.
d) Right to nominate: Data Principals can nominate any person to exercise the rights mentioned above in case of their death or incapacity.
e) Duties: The DPDP Bill also imposes certain duties on Data Principals to prevent misuse of their rights. These include the duty not to furnish false details, suppress material information, or impersonate another person while providing personal data to data fiduciaries. They are also prohibited from filing false and frivolous complaints with the Data Protection Board of India.
- Data Protection Board of India
As highlighted in the clauses above, the DPDP Bill provides for the constitution of an independent Board, namely, the Data Protection Board of India (the “Board”), to function as an adjudicatory body enforcing the provisions of the Bill. The Board is tasked with enforcement, including determining non-compliances, imposing penalties, and issuing directions to ensure compliance with the law. The Board is vested with the powers of a civil court, and appeals against its decisions lie to the High Courts. The Board can also direct alternate dispute resolution, such as mediation, to resolve disputes between parties.
- Processing children’s data
The DPDP Bill treats everyone under 18 years as a “child”. The Bill requires data fiduciaries to seek verifiable consent from the parent/lawful guardian before processing the child’s personal data. The Bill also restricts entities from tracking children or targeting advertisements at them.
- Penalties for non-compliance
The DPDP Bill imposes penalties ranging from INR 50 crores to INR 250 crores for non-compliances that are “significant” in nature. These include failure to prevent a data breach, failure to notify the Board and affected Data Principals of such data breaches, and non-compliance with obligations imposed on Significant Data Fiduciaries, among others. In aggregate, the penalty levied on a single entity for numerous non-compliances has been restricted to INR 500 crores. Interestingly, Data Principals may also be subject to penalties of up to INR 10,000 for not following their duties.
- Cross-border personal data transfer
After receiving immense pushback from industry stakeholders on the burdensome conditions for cross-border data transfers and the necessity of data localisation, the DPDP Bill seeks to strike a balance between data sovereignty on the one hand and enabling unrestricted transfer of personal data on the other by easing the localisation requirement. The Bill permits the transfer of personal data outside India to countries that the Central Government may notify. While this would further enable ease of doing business in India, it would not necessarily mean that data transfer to every country is permitted. The Central Government may consider relevant factors, such as diplomatic relations and geo-political issues, while notifying such countries.
The need of the hour is to have a robust data protection culture in the country. The key to allowing a piece of legislation to last long enough to be effective is to ensure that it is established on sound principles that can be enforced through astute regulation. The DPDP Bill has been drafted keeping in mind certain underlying principles such as lawful and fair data processing, data minimisation, and accuracy of personal data, among others. The government believes that, as digital ecosystems evolve, the Bill in its present form provides ample room for adaptation. While businesses and the start-up community have expressed optimism about the simple language and comprehensible clauses, critics have voiced reservations on matters such as the lack of adequate timelines, the broad definition of public interest, excessive delegation, and exemptions. It is noteworthy that the Bill is still nascent, and its true efficacy and effect will have to be seen as time progresses.