What’s new in the Digital Personal Data Protection Bill, 2022?

7 January 2023 • Muskan Sinha

Recommended

What’s new in the Digital Personal Data Protection Bill, 2022?

7 January 2023 • Muskan Sinha

Overview

In 2010, personal data belonging to millions of facebook users was collected without their consent by a British Consulting firm called “Cambridge Analytica”. It was revealed to have heavily influenced the US presidential elections in 2016 and Brexit in Britain.

It gathered the attention of the whole world and is considered as one of the largest data breach in the history. As much as the internet has been a boon for people, it has also exposed them to newer risk and presented challenges for the authorities.

To control the flow of the personal data and prevent it from falling into wrong hands, governments around the globe have come up with stringent laws and policies for protection of the personal data of its citizen.

Recently, the Government of India has published “The Digital Personal Data Protection Bill, 2022” with a view of setting up privacy legislation that is more comprehensive and is in line with the global practices.

Before we de-code the new bill, we feel it is important to understand why this bill was introduced in the first place.

Existing regime

Currently a standalone and comprehensive privacy law does not exist in India. The provisions regulating the subject matter have been outlined in the Information Technology Act 2000 read with supplementary Rules.

Further, the 2017 landmark judgement pronounced by the Supreme Court of India[i] declaring the right to privacy as a fundamental right under the framework of the right to life (Article 21) as per our Constitution acted as a cornerstone to ensure the protection of personal information.

However, the said provisions were fragmented and thus a need for a consolidated and comprehensive legislative structure was felt.

Key aspects of the new bill                                                                       

The proposed bill will be applicable to processing of digital personal data within the territory of India where such data is collected online or is a digitised version of the offline collected data.

Further, it shall also apply to processing of digital personal data outside the territory of India if processing of data is in connection with any profiling of any activity of offering goods or services within the territory of India.

Like the earlier drafts, entities and persons have been categorised as per the following heads.

data-protection-bill

Each of the above are entrusted with their set of rights and duties. Most being centric around the ‘Data Fiduciary’.

Ground for collection of personal data

Consent of the data principal forms the basic premise for collection and processing of personal data. On or before requesting a Data Principal for her consent, a Data Fiduciary shall give to the Data Principal an itemised notice in clear and plain language containing a description of personal data sought to be collected and the purpose of processing of such personal data. The request shall contain the contact details of a Data Protection Officer or a person who is able to answer on behalf of the Data Fiduciary. The bill also mentions cases of “deemed consent”.

Who is a Consent Manager?

The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager;

The Consent Manager shall be an entity that is accountable to the Data Principal and acts on behalf of the Data Principal. Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. However, the Rules and Regulations in this regard are yet to be published.

Transfer of personal data outside India – E-commerce prospect:

In the earlier draft versions, entities were not allowed to transfer customer’s data outside India, they were further directed to store the data in India only. In the present draft bill, the Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions.

Additional obligations of Significant Data Fiduciary

The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as “Significant Data Fiduciary”, on the basis of an assessment of relevant factors, including:

  1. the volume and sensitivity of personal data processed;
  2. risk of harm to the Data Principal;
  3. potential impact on the sovereignty and integrity of India;
  4. risk to electoral democracy;
  5. security of the State;
  6. public order; and
  7. such other factors as it may consider necessary;

The Significant Data Fiduciary shall:

  • Appoint a Data Protection Officer who shall represent the Significant Data Fiduciary under the provisions of this Act and be based in India. The Data Protection Officer shall be an individual responsible to the Board of Directors of the Significant Data Fiduciary. The Data Protection officer shall be the point of contact for the grievance redressal mechanism under the provisions of this Act;

  • Appoint an Independent Data Auditor who shall evaluate the compliance of the Significant Data Fiduciary with provisions of this Act; and

  • Undertake such other measures including Data Protection Impact Assessment and periodic audit in relation to the objectives of this Act, as may be prescribed.

 “Data Protection Impact Assessment” means a process comprising description, purpose, assessment of harm, measures for managing risk of harm and such other matters with respect to processing of personal data, as may be prescribed.

Additional obligations in relation to processing of personal data of children

Verifiable parental consent is required for collection of children’s personal data. The Bill also prohibits profiling of children or behavioural monitoring or targeted advertising to children.

Here, ‘child means an individual who has not completed eighteen years of age;

Financial Penalty

In the earlier draft, non-compliance with any provision of the proposed law was to attract criminal penalties i.e. imprisonment as well as monetary penalty.

In the new draft, the same has been replaced by “Financial penalty”. Now, if the concerned authority determines on the conclusion of an inquiry that non-compliance by a person is significant, it may, after giving the person a reasonable opportunity of being heard, impose not exceeding rupees five hundred crore in each instance.

Concluding thoughts

The draft bill is far simpler in language compared to its predecessors and has addressed the concerns relating to cross-border transactions. It offers a relatively soft stand on data localisation requirements and permits data transfer to select global destinations which is likely to foster country-to-country trade agreements.

The bill also recognises the data principal’s right to post mortem privacy (Withdraw Consent).

While the new bill has addressed the concerns that arose during the previous drafts viz, data localisation and cross-border transactions, it still has host of issues it needs to deal with. It fails to mention anything on the personal data that is being maintained in a non-digital format. There is also no clarity on how the data can be processed, and if there is any mechanism the data principals are required to establish. Concerns have also been noted on the exemptions granted to central and state agencies.

All in all the proposed law is in its nascent stage and it is hoped that the government rolls out further clarifications for a better understanding soon.

[i] Supreme Court of India in Justice K.S. Puttaswamy (Retd) … vs Union Of India And Ors. on 24 August, 2017

Leave a comment

Your email address will not be published. Required fields are marked *