In 2010, personal data belonging to millions of Facebook users was collected without their consent by a British consulting firm called “Cambridge Analytica”. The firm was later revealed to have heavily influenced the 2016 US presidential election and the Brexit vote in Britain.
The episode drew the attention of the whole world and is considered one of the largest data breaches in history. As much as the internet has been a boon for people, it has also exposed them to new risks and presented challenges for the authorities.
To control the flow of personal data and prevent it from falling into the wrong hands, governments around the globe have come up with stringent laws and policies for the protection of their citizens' personal data.
Recently, the Government of India published “The Digital Personal Data Protection Bill, 2022” with a view to setting up privacy legislation that is more comprehensive and in line with global practice.
Before we decode the new bill, we feel it is important to understand why this bill was introduced in the first place.
Currently, a standalone and comprehensive privacy law does not exist in India. The provisions regulating the subject matter are outlined in the Information Technology Act 2000, read with its supplementary Rules.
Further, the 2017 landmark judgement pronounced by the Supreme Court of India[i] declaring the right to privacy as a fundamental right under the framework of the right to life (Article 21) as per our Constitution acted as a cornerstone to ensure the protection of personal information.
However, these provisions were fragmented, and thus a need for a consolidated and comprehensive legislative structure was felt.
The proposed bill will apply to the processing of digital personal data within the territory of India where such data is collected online or is a digitised version of data collected offline.
Further, it shall also apply to the processing of digital personal data outside the territory of India if such processing is in connection with any profiling of, or any activity of offering goods or services to, individuals within the territory of India.
Like the earlier drafts, entities and persons have been categorised as per the following heads.
Each of the above is entrusted with its own set of rights and duties, most of which centre on the ‘Data Fiduciary’.
Consent of the data principal forms the basic premise for collection and processing of personal data. On or before requesting a Data Principal for her consent, a Data Fiduciary shall give to the Data Principal an itemised notice in clear and plain language containing a description of personal data sought to be collected and the purpose of processing of such personal data. The request shall contain the contact details of a Data Protection Officer or a person who is able to answer on behalf of the Data Fiduciary. The bill also mentions cases of “deemed consent”.
The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager.
The Consent Manager shall be an entity that is accountable to the Data Principal and acts on behalf of the Data Principal. Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. However, the Rules and Regulations in this regard are yet to be published.
In the earlier draft versions, entities were not allowed to transfer customers’ data outside India and were further directed to store the data in India only. In the present draft bill, the Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions.
The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as “Significant Data Fiduciary”, on the basis of an assessment of relevant factors, including:
The Significant Data Fiduciary shall:
“Data Protection Impact Assessment” means a process comprising description, purpose, assessment of harm, measures for managing risk of harm and such other matters with respect to processing of personal data, as may be prescribed.
Verifiable parental consent is required for the collection of children’s personal data. The Bill also prohibits profiling of children, behavioural monitoring of children, and targeted advertising directed at children.
Here, ‘child’ means an individual who has not completed eighteen years of age.
In the earlier draft, non-compliance with any provision of the proposed law was to attract criminal penalties, i.e., imprisonment as well as a monetary penalty.
In the new draft, this has been replaced by a “Financial penalty”. Now, if the concerned authority determines on the conclusion of an inquiry that non-compliance by a person is significant, it may, after giving the person a reasonable opportunity of being heard, impose a financial penalty not exceeding rupees five hundred crore in each instance.
The draft bill is far simpler in language than its predecessors and has addressed the concerns relating to cross-border transactions. It takes a relatively soft stand on data localisation requirements and permits data transfer to select global destinations, which is likely to foster country-to-country trade agreements.
The bill also recognises the data principal’s right to post-mortem privacy (withdrawal of consent).
While the new bill has addressed the concerns that arose during the previous drafts, viz. data localisation and cross-border transactions, it still has a host of issues to deal with. It says nothing about personal data maintained in a non-digital format. There is also no clarity on how the data may be processed, or on whether there is any mechanism that data principals are required to establish. Concerns have also been raised about the exemptions granted to central and state agencies.
All in all, the proposed law is in its nascent stage, and it is hoped that the government rolls out further clarifications for a better understanding soon.