Examining the Draft Digital Personal Data Protection Bill 2022

Posted On - 22 November, 2022 • By - King Stubb & Kasiva

The Right to Privacy has gained substantial importance not only in the developed world (e.g. through legislation such as the GDPR in the EU) but also in developing countries like India, especially after the Supreme Court’s judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India[1], where the Right to Privacy was recognized as a Fundamental Right. In a world witnessing rapid advancement of technology, data privacy and personal data protection assume significant importance in safeguarding an individual’s right to privacy.

Furthermore, the advent of social media has given rise to several platforms seeking and storing the personal data of individuals and in such a scenario, it becomes crucial for the State to lay down guidelines to govern how such personal data should be protected.

Against this background, the Indian government has recently proposed a new data privacy bill, the “Digital Personal Data Protection Bill, 2022” (“Bill”). The Ministry of Electronics and Information Technology released the draft Bill on November 18, 2022, inviting feedback from the public by December 17, 2022.[2] In this piece, we aim to study the main components of the Bill and provide a brief overview of the same.

Examining the Features of the Digital Personal Data Protection Bill

Introduction

The Bill aims to define several relevant terms such as Personal Data, Data Fiduciary, Processing, Data Principal, Data Processor, Person, and so on. The statute shall apply to the processing of online or offline digitized data collected within the Indian territory, and processing such data outside India if it is related to profiling or offering goods and services to people resident in India.

Obligations of Data Fiduciaries

Data Fiduciaries, i.e., organizations seeking personal data, have certain obligations and duties imposed on them. They can process personal data only with the consent or deemed consent of the Data Principal, i.e., the individual to whom the data relates. They are required to issue notices describing the data required and the purpose of processing in order to seek consent. The form of the notice has not been notified yet and may be included in the final statute.

The consent obtained from an individual has to be free, specific, informed, and affirmative, and no consent can be sought for infringing any provisions of the statute itself. The contact details of the Data Protection Officer (who is mandatorily required to be appointed) need to be provided while seeking consent, and such consent can also be withdrawn by the individual. If the validity of such consent is challenged, the burden of proof lies on the Data Fiduciary to show that consent was taken appropriately as per the statute; additionally, a proper grievance redressal mechanism must be set up.

There are, however, some exemptions; consent is deemed to have been given in the following situations:

  • When the user voluntarily provides the data to the Fiduciary;
  • When the State or its agencies require such data to perform any function to provide service or benefit to such user, for example, issuing of a license;
  • If such data is required in complying with a judgment or Court Order;
  • If such data is required for a medical emergency;
  • If such data is required for medical treatment, health services, ensuring safety during epidemics or disasters, etc.;
  • If such data is required for employment purposes;
  • If it is in the Public Interest to prevent fraud, etc.; or
  • In any fair and reasonable case ‘as may be prescribed’ by the Government, taking into consideration public interest, the reasonable expectations of the Data Principal, etc.

This displays that substantial powers have been given to the Governmental authorities to determine such public interest or fair and reasonable cases.

There are further obligations in respect of processing children’s data such as ensuring parental consent, no harm to be caused to the child, no targeted advertising, and so on.

Obligations of Significant Data Fiduciaries

The Bill does not define what a Significant Data Fiduciary is. Instead, whether an organization is a Significant Data Fiduciary (“SDF”) or not will be notified by the Government considering several factors such as the volume and sensitivity of the personal data, the risk of harm to the user, the potential impact on the sovereignty of India, the risk to democracy, the security of the State, public order, and other such factors. In light of these factors, it is evident that an SDF would hold a large volume of personal data, hence the requirement of special guidelines for SDFs.

SDFs must appoint a Data Protection Officer and an Independent Data Auditor. They also must undertake Data Protection Impact Assessments and periodic audits.

Rights and Duties of Data Principals

  • Users have a right to know whether a Data Fiduciary is processing their data, and in such cases, a summary of the personal data, the activities of the Fiduciary, the identities of all those with whom the data has been shared, and any other information ‘as may be prescribed’ has to be provided to such User.
  • They have the right to request for correction of the personal data or for erasing it.
  • They have a right to register grievances with such Fiduciaries, and if not satisfied, with the Data Protection Board of India (“DPBI”).
  • They also have a right to nominate any person to exercise their rights after their death or incapacitation.

There are also several duties of Data Principals:

  • Compliance with all applicable laws;
  • Should not raise a false or frivolous complaint;
  • Should not furnish false information, suppress material information, or impersonate another person;
  • Should only provide verifiably authentic information while correcting or erasing data.

Transfer of Personal Data outside India

The general rule under India’s data privacy laws has been data localization. According to Rule 7 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011[3], transfer of data to any other country can only happen if:

  • The entity receiving the data ensures the same level of data protection as was provided by the transferor entity; and
  • Such transfer is necessary to comply with a lawful contract; or
  • The prior consent of the data provider has been obtained.

As per this new Bill, Data Fiduciaries may transfer data to approved countries or territories, which is a departure from the earlier strict position on the localization of data and should give respite to big-tech companies like Meta and Alphabet, which were hoping for the same. Such approval will be given by the Central Government, and the terms and conditions will also be specified by the Central Government.

Government Access to Data

The Central Government has the authority to exempt any State instrumentality from the provisions of this Bill via notification for reasons including the sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintaining public order, and preventing incitement to any offence. Government agencies also have the authority to retain personal data for any amount of time regardless of the purpose.

Data Protection Board of India

The DPBI will be established by the Central Government via a notification. The Bill further provides the composition and functions of the DPBI, along with the process of investigation and review, and of appeal against DPBI orders. The DPBI can review its own orders, which can also be appealed before the High Courts. However, no civil court has jurisdiction to entertain such suits.

Penalties

Schedule 1 of the Bill provides for Penalties on Data Fiduciaries and Data Principals for violating any provisions of the statute. The final quantum is to be determined by DPBI.

Conclusion

The Bill is quite elaborate in covering potential issues concerning personal data protection in India. It has also relaxed the rules for the flow of data between countries, and the principles of the Bill aim to promote ease of doing business, especially for start-ups.[4] This should be greatly beneficial for big-tech companies as well as start-ups. However, there seem to be several loopholes in the Bill as of now, especially since it is in its nascent draft stage and comments have been invited from the public at large. There are hefty penalties for non-compliance, but there is no linkage to the turnover of the potentially errant entity.

There is almost a blanket exemption to government agencies from complying with the requirements, which is not surprising given how such statutes are framed. Furthermore, the appointment of the DPBI members, including the chairperson, entirely rests with the Central Government. These are preliminary thoughts and there will definitely be multiple suggestions and queries raised during the consultation process while the Bill is being examined and debated. Whatever is said and done, this is a step in the right direction and should pave the road towards better protection of data and make the data protection system overall robust and mature in the long run.


[1] Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors., (2017) 10 SCC 1.

[2] https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Protection%20Bill%2C%202022.pdf

[3] https://www.meity.gov.in/writereaddata/files/GSR313E_10511%281%29_0.pdf

[4] https://www.meity.gov.in/writereaddata/files/Explanatory%20Note-%20The%20Digital%20Personal%20Data%20Protection%20Bill%2C%202022_0.pdf