|

Understanding the Digital Personal Data Protection Bill, 2022

In 2017, the Supreme Court ruled that the right to privacy is a fundamental right under the Indian constitution. Subsequently, in 2018, the first draft of the Personal Data Protection Bill was prepared by an expert committee set up by the Ministry of Electronics and Information Technology (MeitY). The aforementioned Bill, post certain changes, was introduced in the Parliament in 2019 as Personal Data Protection Bill, 2019 (“PDP Bill”) and was referred to a Joint Parliamentary Committee. The PDP Bill was then tabled in the Parliament in 2021 and after undergoing dozens of amendments and recommendations, the MeitY withdrew the PDP Bill, stating that a more comprehensive legal framework will be worked upon.

Now, the MeitY has released a draft of the Digital Personal Data Protection Bill, 2022 (“DPDP Bill”) and has invited public consultation on the provisions by December 17, 2022. The DPDP Bill aims to provide for the processing of digital personal data in a manner that recognises the right of individuals to protect their Personal Data, the need to process Personal Data for lawful purposes and for other incidental purposes.

The DPDP Bill is premised on seven major principles which are summarized below:

  1. The usage of Personal Data by organisations must be done in a lawful, fair, and transparent manner.
  2. The use of Personal Data is limited to the purposes for which it was collected.
  3. Data minimisation – only those aspects of Personal Data required for the specific purpose must be collected.
  4. Reasonable effort must be made to ensure that the Personal Data collected is updated and accurate.
  5. Personal Data must not be stored in perpetuity. It must be stored for a limited duration as necessary for the purpose at hand, and not retained beyond that.
  6. To prevent a Personal Data breach, reasonable safeguards must be taken to ensure that no unauthorised collection or processing of data occurs.
  7. To ensure accountability, the person who decides the purpose and means of processing a certain kind of Personal Data must be held accountable for such processing.

Following are the key elements of the DPDP Bill:

  1. Definitions under the DPDP Bill

 

  • Data Fiduciary: Any person who alone or in conjunction with other persons determines the purpose and means of the processing of Personal Data.
  • Data Principal: The individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child.
  • Personal Data: Any data about an individual who is identifiable by or in relation to such data.
  1. Applicability of the DPDP Bill
  • The DPDP Bill will apply to the processing of Personal Data collected within the territory of India where: (i) such Personal Data is collected from Data Principals online; and (ii) such Personal Data collected offline, is digitized.
  • The DPDP Bill will also apply to processing of Personal Data outside of India, if such processing is in connection with profiling people in India or offering goods and services to Data Principals in India. Profiling here means “any form of processing of Personal Data that analyses or predicts aspects concerning the behaviour, attributes or interests of a Data Principal.”
  • The DPDP Bill does not apply to: (i) non-automated processing of Personal Data; (ii) offline Personal Data; (iii) Personal Data processed by an individual for any personal or domestic purpose; (iv) Personal Data about an individual that is contained in a record that has been in existence for at least 100 years.
  1. Obligations of Data Fiduciaries 
  • Seek Consent: Personal Data can only be processed with consent or deemed consent. When seeking consent, or as soon as it is reasonably practicable, Data Fiduciaries must give the users a notice that describes what Personal Data will be collected and for what purpose. The consent given by the Data Principals must be freely given, specific, informed and unambiguous indication of the Data Principal’s agreement to the processing of its Personal Data for the specified purpose. Data Fiduciaries cannot seek consent for anything that will infringe the provisions of the DPDP Bill. The contact details of a data protection officer must be mentioned when seeking consent.
  • Withdrawal of Consent: Users should have their right to withdraw consent at any time with the same ease as they were able to give consent.
  • No Conditional Services: If a Data Fiduciary has a contract with a user to deliver a service or good, the same cannot be made conditional on the consent to the processing of any Personal Data not necessary for performing that contract.
  • Accuracy of Data: Data Fiduciaries are required to make reasonable efforts to ensure that Personal Data processed by or on behalf of the Data Fiduciary is accurate and complete, especially if the Personal Data is to be used to make a decision that affects the Principal or if it is to be disclosed to another Data Fiduciary.
  • Notifying Data Breaches: In the event of a Personal Data breach, the Data Protection Board and the concerned Data Principals must be notified in such manner as may be prescribed.
  • Retention of Personal Data: A Data Fiduciary must cease to retain Personal Data, or remove the means by which the Personal Data can be associated with particular Data Principals, as soon as it is reasonable to assume that the purpose for which such Personal Data was collected is no longer being served by its retention and retention is no longer necessary for legal or business purposes.
  • Appointing a Data Protection Officer: Data Fiduciaries must publish the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the Data Principal’s questions about the processing of its personal data in a format, as may be prescribed.
  • Grievance Redressal Mechanism: Data Fiduciaries must have in place a procedure and effective mechanism to redress the grievances of Data Principals.
  1. Processing Children’s Data 

Data Fiduciaries must obtain verifiable parental consent, before any Personal Data of a child is processed. Data Fiduciaries shall not undertake any processing of Personal Data that is likely to cause harm to a child.

  1. Rights of Data Principals
  • Right to Information: The Data Principal has the right to know: (i) if a Data Fiduciary is processing or has processed their Personal Data; (ii) if yes, a summary of the Personal Data being processed and the processing activities undertaken by the Data Fiduciary; (iii) the identities of all those with whom Personal Data has been shared along with the categories of Personal Data so shared.
  • Right to Correction and Erasure of Personal Data: The Data Principal has the right to request for correction and erasure of its Personal Data in accordance with the applicable laws and in such manner as may be prescribed. Erasure requests can be denied if data is necessary to be retained for legal purposes.
  • Right of Grievance Redressal: Data Principals have the right to register a grievance with a Data Fiduciary.
  1. What is Deemed Consent?

A Data Principal is deemed to have given consent to the processing of its Personal Data if such processing is necessary for the following purposes: (i) when the Data Principal voluntary provides their data to the Data Fiduciary and it is reasonably expected that they would provide such Personal Data; (ii) when the state or its agencies need to perform any function under any law, provide any service or benefit to the Data Principal, or issue any certificate, license, or permit for any action or activity of the Data Principal; (iii) for compliance with any judgment or order issued under any law; (iv) for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual; (v) for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health; (vi) for taking measures to ensure the safety of, or provide assistance or services to any individual during any disaster, or any breakdown of public order; (vii) for the purposes related to employment, including prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, recruitment, termination of employment, provision of any service or benefit sought by a Data Principal who is an employee, verification of attendance and assessment of performance; (viii) for the sake of public interest and for any fair and reasonable purpose as may be prescribed.

  1. Transfer of Personal Data outside India

Data Fiduciaries can transfer Personal Data outside of India to countries or territories that have been approved by the central government in accordance with such terms and conditions as may be specified.

  1. Data Protection Board of India (“DPBI”)

The DPDP Bill provide for establishment of the DPBI, an independent body, to inter alia, determine non-compliance with the provisions of the DPDP Bill and impose appropriate penalties. In the event of a Personal Data breach, the DPBI can direct the Data Fiduciary to adopt any urgent measures to remedy such breach or mitigate any harm caused to Data Principals.

  1. Penalties and Offences

The DPDP Bill prescribes the following penalties for non-compliance under the DPDP Bill:

Subject Matter of Non-Compliance

 

Penalty
Failure to take reasonable security safeguards to prevent Personal Data breach.

 

Upto Rs. 250 Crores
Failure to notify the Board and affected Data Principals of a personal data breach.

 

Upto Rs. 200 Crores
Non-fulfilment of additional obligations in relation to processing data of children.

 

Upto Rs. 200 Crores
Non-fulfilment of additional obligations of Significant Data Fiduciary.

 

Upto Rs. 150 Crores
Violation of user duties

 

Upto Rs. 10,000
For all other non-compliances under DPDP Bill

 

Upto Rs. 50 Crores

 

While the DPDP Bill has retained and modified some of the provisions from the earlier draft legislations, there are certain fresh provisions as well that are sought to be introduced. A data protection legislation has been in the works for many years now and the trajectory of data protection in India has taken many turns and it will be interesting to see these draft legislations culminate into the final law of the land.

LEAVE A REPLY