India’s New Digital Personal Data Protection (DPDP) Bill, 2022
India’s Supreme Court in a 2017 judgment recognized ‘privacy’ as a fundamental right and observed that there should be a separate law for the protection of data privacy. Accordingly, in 2019 a Personal Data Protection Bill was introduced before the Indian Parliament. However, it was referred to a Joint Parliamentary Committee for review in 2021, which gave several recommendations and proposed more than 80 amendments. On August 3, 2022, the Personal Data Protection Bill was withdrawn by the Government with the intention of putting a more comprehensive bill in its place. On November 18, 2022, the Indian Ministry of Electronics and Information Technology (MeitY) released a draft of the Digital Personal Data Protection (DPDP) Bill, 2022, and has invited public comments on the bill by December 17, 2022.
The Highlights of the draft DPDP Bill, 2022, are as follows:
Applicability of draft DPDP Bill, 2022
The Bill applies to the processing of digital personal data collected within the territory of India. This includes data collected online, and data collected offline and digitized later. Further, its scope can extend beyond the territory of India when the processing is connected with any profiling (processing that analyses or predicts aspects related to the behavior, attributes, or interests of the Data Principal) or with the activity of offering goods or services to Data Principals within the territory of India.
However, this Bill is not applicable to the following:
- Offline processing of personal data.
- Manually processed personal data.
- Data processed by an individual for any personal or domestic use.
- Recorded personal data of individuals in existence for at least 100 years.
Important definitions and concepts:
Personal data: Any data through which an individual can be identified.
Data Principal: The individual to whom the personal data relates and where such individual is a child (below the age of 18) includes the parents or lawful guardian of such a child. This concept is similar to the ‘data subject’ in GDPR.
Data Fiduciary: Any person (individual, Hindu undivided family, firm, company, state, etc.) who alone or in partnership with other persons determines the purpose and means of the processing of an individual’s personal data. This concept is similar to the ‘data controller’ in GDPR.
The Bill also authorizes the Central Government to notify a data fiduciary or a class of data fiduciaries as a Significant Data Fiduciary, considering certain factors such as the volume and sensitivity of personal data processed, the risk of harm to Data Principals, the potential impact on the sovereignty and integrity of India, the security of the state, etc.
Processing: A set of operations performed on personal data, which includes collection, recording, organization, storage, transmission, etc.
Data Processor: Any person who processes personal data on behalf of a Data Fiduciary.
Consent: Consent of the Data Principal means any freely given, specific, informed and unambiguous indication of the Data Principal’s wishes by which the Data Principal, by a clear affirmative action, signifies agreement to the processing of his or her personal data for the specified purpose.
The Bill recognizes the concept of ‘deemed consent’. It lists certain situations in which consent would be deemed to have been given by the Data Principal, such as: (i) when information is provided by him or her voluntarily; (ii) for compliance with a judgment or order issued under law; (iii) for responding to a medical emergency; (iv) when information is required in the public interest, such as for preventing or detecting fraud, for network security, for credit scoring, etc.; or (v) for the performance of any function under law, for the issue of a permit or license by the State or an instrumentality of the State, etc.
Where consent given by the Data Principal is the basis of processing of personal data, the Data Principal shall have the right to withdraw her consent at any time.
Notice: Data Fiduciaries collecting personal data from individuals must provide an itemized notice containing details of the personal data to be collected and the purpose of collection. Such notice can be a separate document, an electronic form, a part of the same document in or through which the personal data is sought to be collected, or in such other form as may be prescribed.
Obligation of data fiduciary
- A Data Fiduciary shall process digital personal data only in accordance with this Act and the rules framed thereunder, for a lawful purpose (which means a purpose not expressly forbidden by law) for which the Data Principal has given consent or for which consent is deemed to have been given.
- A Data Fiduciary shall make reasonable efforts to ensure that data is accurate and complete.
- A Data Fiduciary and a Data Processor shall take reasonable safeguards to protect the personal data in their possession. They should implement appropriate technical and organizational measures to ensure effective adherence to this law.
- They should notify the data protection authority and each affected Data Principal in the event of a personal data breach.
- A Data Fiduciary shall not retain data for a period beyond what is necessary for a legal or business purpose, or once the purpose for which such personal data is retained is no longer served by its retention. Such data needs to be removed.
- A Data Fiduciary shall publish the details of its Data Protection Officer or of any other person who will be responsible for answering on its behalf. All Significant Data Fiduciaries will be required to appoint a Data Protection Officer.
- A Significant Data Fiduciary is required to appoint an independent data auditor to evaluate compliance with the provisions of the proposed law, the timely notification of breaches, and that data is not retained beyond what is necessary.
Rights and Duties of Data Principal
The Data Principal has the following rights:
- to be provided with information about the processing of his or her personal data, such as the type of data collected, the identity of the Data Fiduciaries with whom the data is shared, etc.
- to the correction of inaccurate or misleading data, the updating of data, as well as the erasure of data as per law
- to nominate any other individual to exercise these rights in the event of the Data Principal’s death or incapacity to exercise his or her rights and duties
- to register a grievance with a Data Fiduciary
- to give, manage, review, or withdraw consent to the Data Fiduciary through a consent manager. A consent manager is a Data Fiduciary who enables a Data Principal to give, manage, review, and withdraw consent through an accessible, transparent process.
Cross-border transfer of personal data
The Central Government will notify countries or territories outside India to which a Data Fiduciary would be allowed to transfer personal data.
The Bill gives the Government the authority to provide exemptions from certain requirements of the Act where processing is necessary in the interests of India’s sovereignty and integrity, state security, the preservation of public order, etc.
Data Protection Authority
The Bill proposes the formation of an authority, namely the Data Protection Board of India (DPBI), which would be notified by the Central Government. The DPBI will have the power to determine non-compliance with the provisions of the law and to impose the penalties provided therein.
The DPBI has the power to levy the penalties provided under the Bill where, on inquiry and after giving an opportunity of being heard, it concludes that the non-compliance is significant. Such a financial penalty cannot exceed INR 5 billion in each instance. The following penalties are proposed for various violations:
- Non-fulfilment of the additional obligations of a Significant Data Fiduciary: up to INR 1.5 billion
- Failure to notify the DPBI and affected Data Principals of a personal data breach, or non-fulfilment of the additional obligations in relation to processing the data of children: up to INR 2 billion
- Failure to take reasonable security safeguards to prevent a personal data breach: up to INR 2.5 billion
- Violation of Data Principal duties: up to INR 10,000
- Other non-compliances: up to INR 500 million
The newly drafted Bill has restricted the scope of the law to personal and digital data; it does not extend to non-personal data. Further, the earlier Bill mandated that companies dealing with the sensitive data of Indian users keep a copy within India’s borders, whereas the new Bill proposes allowing the transfer of data to specific countries to be notified by the Government. The new Bill also proposes financial penalties for violations, as against the criminal liability under the earlier Bill. Companies processing personal data should monitor the development of the Bill and evaluate their compliance requirements.
© Shan & Co 2022