The Right to Privacy has gained substantial importance not only in the developed world (for eg. through legislations like GDPR in the EU) but also in developing countries like India, especially after the Supreme Court’s judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India[1]where the Right to Privacy was recognized as a Fundamental Right. In a world witnessing rapid advancement of technology, data privacy, and personal data protection assumes significant importance to safeguard an individual’s right to privacy.
Furthermore, the advent of social media has given rise to several platforms seeking and storing the personal data of individuals and in such a scenario, it becomes crucial for the State to lay down guidelines to govern how such personal data should be protected.
In a follow-up to all this, the Indian government has recently proposed a new data privacy bill-“Digital Personal Data Protection Bill, 2022” (“Bill”). The Ministry of Electronics and Information Technology released the draft Bill on November 18, 2022, to invite feedback from the public by December 17, 2022.[2]In this piece, we aim to study the main components of the Bill and provide a brief overview of the same.
The Bill aims to define several relevant terms such as Personal Data, Data Fiduciary, Processing, Data Principal, Data Processor, Person, and so on. The statute shall apply to the processing of online or offline digitized data collected within the Indian territory, and processing such data outside India if it is related to profiling or offering goods and services to people resident in India.
Data Fiduciaries, i.e., organizations seeking personal data have been imposed with certain obligations and duties. They can process personal data only with the consent or deemed consent of the Data Principal, i.e., the individual who has given his/her data. They are required to issue notices describing the data required and the purpose to seek consent. The form for notice has not been notified yet and may be included in the final statute.
The consent obtained from an individual has to be made freely, specifically, informed, and affirmative and no consent can be sought for infringing any provisions of the statute itself. The contact details of the Data Protection Officer (who is mandatorily required to be appointed) need to be provided while seeking consent and such consent can also be withdrawn by the individual. If the provision of such consent is challenged, the proof of burden lies on the Data Fiduciary to show that consent was taken appropriately as per the statute and additionally, a proper grievance redressal mechanism must be set up.
There are, however some exemptions; Consent is considered deemed in the following situations:
This displays that substantial powers have been given to the Governmental authorities to determine such public interest or fair and reasonable cases.
There are further obligations in respect of processing children’s data such as ensuring parental consent, no harm to be caused to the child, no targeted advertising, and so on.
The Bill does not define what a Significant Data Fiduciary is, however, whether an organization is a Significant Data Fiduciary (“SDF”) or not will be notified by the Government considering several factors such as volume and sensitivity of the personal data, risk of harm to the user, the potential impact on the sovereignty of India, a risk to democracy, security of the State, public order, and other such factors. In light of these factors, it is evident that an SDF would hold a large volume of personal data, thus the requirement of special guidelines for SDFs.
SDFs must appoint a Data Protection Officer and an Independent Data Auditor. They also must undertake Data Protection Impact Assessments and periodic audits.
There are also several duties of Data Principals:
The general rule as per India’s data privacy laws has been data localization. According to Rule 7 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011[3], transfer of data to any other country can only happen if:
As per this new Bill, Data Fiduciaries may transfer data to approved countries or territories, which is a departure from an earlier strict position on the localisation of data and should give respite to big-tech companies like Meta and Alphabet, which were hoping for the same. Such approval will be given by the Central Government and the terms and conditions will also be specified by the Central Government.
The Central Government has the authority to exempt any State instrumentality from the provisions of this Bill via notification for reasons including the sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintaining public order, and preventing incitement to any offence. Government agencies also have the authority to retain personal data for any amount of time regardless of the purpose.
The DPBI will be established by the Central Government via a notification. The Bill further provides the composition and functions of the DPBI, along with the process of investigation and review, and appeal to DPBI orders. The DPBI can review its own orders, which can also be appealed before the High Courts. However, no civil courts have the jurisdiction to entertain such suits.
Schedule 1 of the Bill provides for Penalties on Data Fiduciaries and Data Principals for violating any provisions of the statute. The final quantum is to be determined by DPBI.
The Bill is quite elaborate in covering potential issues about personal data protection in India. It has also relaxed the rules for the flow of data between countries and the principles of the Bill aim to promote ease of doing business, especially for start-ups.[4]. This should be greatly beneficial for big-tech companies as well as start-ups. However, there seem to be several loopholes in the Bill as of now, especially since it is in its nascent draft stage and comments have been invited from the public at large. There are hefty penalties for non-compliance, but there linkage to the turnover of the potential errant entity.
There is almost a blanket exemption to government agencies from complying with the requirements, which is not surprising given how such statutes are framed. Furthermore, the appointment of the DPBI members, including the chairperson, entirely rests with the Central Government. These are preliminary thoughts and there will definitely be multiple suggestions and queries raised during the consultation process while the Bill is being examined and debated. Whatever is said and done, this is a step in the right direction and should pave the road towards better protection of data and make the data protection system overall robust and mature in the long run.
[1]Justice K.S. Puttaswamy (Retd.) &Anr. v. Union of India &Ors., (2017) 10 SCC 1.
[2]https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Protection%20Bill%2C%202022.pdf.
[3]https://www.meity.gov.in/writereaddata/files/GSR313E_10511%281%29_0.pdf.
[4]https://www.meity.gov.in/writereaddata/files/Explanatory%20Note-%20The%20Digital%20Personal%20Data%20Protection%20Bill%2C%202022_0.pdf.
