The Digital Personal Data Protection Bill 2022
In November 2022, the Ministry of Electronics and Information Technology introduced the draft Digital Personal Data Protection Bill (DPDP 2022) inviting recommendations and suggestions from stakeholders and interested parties. The timeline for submitting recommendations has been extended to the first week of January 2023. A look at the main features of the much-awaited Bill.
Private businesses as well as government(s) access and use personal data of individuals for various purposes. The business sector seeks personal data of individuals to understand likes, preferences, choices and accordingly categorize target consumers, adopt marketing strategies, advertisements and the like. The government seeks and processes personal information for regulating law and order, framing effective policies and protecting national security of the country.
There is a very thin line between processing personal data of individuals for (specific) use and misuse. Presently, the usage / storage of personal data is governed by the Information Technology Act 2000.
The Digital Personal Data Protection Bill 2022 is (yet another) attempt at regulating and maintaining the fine line between processing data for a specified end use and upholding the right of privacy of individuals.
Digital personal data means information or data about individuals who are identified or identifiable, where that data is available in digital form: either it is collected online, or it is collected manually and then digitized.
This Bill shall be applicable to:
- Processing of digital personal data within India where such data is collected online or collected offline and digitized.
- Processing of digital personal data outside India if data is used for offering goods or services or profiling individuals in India.
II. Non-applicability
This Bill shall not be applicable to processing of data manually.
III. Important definitions
- Personal data: any data about an individual who is identifiable by or in relation to such data.
- Data Principal: The individual to whom the personal data relates. If the data relates to a child (under 18 years of age), then the data principal will include the parents or lawful guardian of such a child.
- Data Fiduciary: A person (natural or an entity) who, alone or together with another person, determines the purpose and means of processing personal data.
- Data Processor: A person who processes data on behalf of a data fiduciary.
IV. Key Features
- Purpose – Personal data can be processed only for lawful purpose(s).
- Consent – It is mandatory to obtain consent of the individual by giving prior notice for processing data of the individual. Consent can be withdrawn at any time. Consent is ‘deemed’ to be given for processing of personal data for reasonable purposes – under law, medical emergency, to safeguard national security, prevent fraud etc. For a child (individuals under 18 years of age), consent shall be provided by parents / legal guardian.
- Rights / Obligations
a. Data Principal – the data principal has the right to seek information about the processing of his information, and to seek correction and/or erasure of personal data. However, the data principal shall ensure that no incorrect data is provided to the data fiduciary.
b. Data Fiduciary – the data fiduciary shall ensure security safeguards for the data sought to be processed and intimate the statutory authorities, such as the Data Protection Board, in the event of any breach of security of data. Further, the data fiduciary shall not retain any data once the purpose for which the data was sought is complete and retention is not required either legally or otherwise. However, this will not apply to processing of data by the government. To that extent, the data storage provisions differ between the private business sector and the government sector.
- Transfer of personal data outside India
Personal data may be transferred outside India only to countries notified by the central government, subject to certain terms and conditions.
- Data Protection Board
The Bill empowers the central government to establish a Data Protection Board of India. Key functions of the Board shall include (i) compliance of security safeguards for data protection by the data fiduciaries (ii) to take effective steps to mitigate damage in the event of breach of security safeguards (iii) grievance redressal (iv) administrative duties relating to composition of the Board – selection, appointment, removal and related activities (v) conducting enquiries in the event of breach and deciding on penalty.
The Bill proposes stringent penalties of Rs. 150 crores to Rs. 250 crores for failure on the part of the data fiduciary to ensure adequate security safeguards for data protection.
Certain provisions in the Bill are ambiguous. For instance, the classification of ‘sensitive’ personal data and general data that was present in the previous Bills is not included in the present Bill. In the absence of such classification, data processing could be open to more litigation.
Provisions relating to ‘deemed’ consent for processing data by the government and applicability of data storage restriction only to private / business sector seeking personal data may not serve the core objective of data protection. Irrespective of the data fiduciary, storing data beyond the requisite time or purpose will encroach on the right to privacy of the data principal.
Previous Data Protection Bills (in 2017 and 2019) had provisions relating to data portability and the right to be forgotten. These provisions had their genesis in the General Data Protection Regulation (GDPR) of the European Union.
Data portability gave the data principal the right to procure and transfer data for their own use in a structured manner from the data fiduciary. This gives the data principal greater control over the data.
The right to be forgotten gives the data principal the right for certain information to be erased from the memory of the internet.
Both the above provisions have been omitted in the present Bill 2022. This could weaken the position of the data principal vis-à-vis the data fiduciary.
Data the new oil
The above phrase by mathematician Clive Humby is prophetic. Today businesses thrive and governments function on valuable data. The world over, there is an increase in laws governing data. India is not far behind. With the 2017 Supreme Court judgment declaring the right to privacy a fundamental right, bills such as the Digital Personal Data Protection Bill 2022 should become effective laws to ensure a balance between the use of personal data and the right to privacy of person(s).