This article is authored by Bokka Ashwika and edited by Mr. Anoop Prakash Awasthi, AOR and Adv. Prapti Singh.

Introduction: The Draft Digital Personal Data Protection Bill, 2022 (“DPDP Bill”) replaces the Personal Data Protection Bill, 2019 (“PDP Bill”), which the Ministry of Electronics and Information Technology (“MeitY”) withdrew from Parliament in August 2022. Only a few months later the DPDP Bill was released, after the Joint Parliamentary Committee that reviewed the PDP Bill had proposed over 80 amendments and multiple recommendations. The stated object of the new (and simplified) DPDP Bill is to “provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto.” For the sake of clear comprehension by all stakeholders, this article examines the contents of the draft DPDP Bill and describes the significant changes introduced under it.

Scope: All “digital personal data” processed within India is subject to the DPDP Bill. The Bill uses the term ‘data’ to mean the ‘representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means’, and defines ‘personal data’ as ‘any data about an individual who is identifiable by or in relation to such data’. “Digital personal data” covers both personal data collected in digital form and personal data collected offline and subsequently digitised; the individual to whom the personal data relates is the “Data Principal”. Note that “Data Principal” includes the parents or lawful guardian of such an individual where the individual is a “child” (i.e., below eighteen years of age). It is important to highlight, however, that the DPDP Bill’s territorial reach extends beyond India: it also covers digital personal data processed outside India where the processing is in connection with (i) offering goods or services to Data Principals within India, or (ii) “profiling” Data Principals within India, i.e., processing personal data to analyse or predict aspects of an individual’s behaviour, attributes or interests.

The DPDP Bill does not apply to personal data processed “offline”. It also expressly excludes from its scope personal data processed by an individual for “personal or domestic purposes”, personal data contained in a record that has been in existence for at least 100 years, and any “non-automated processing” (i.e., manual processing) of personal data.

Highlights of the Bill: Personal data is information that relates to an identified or identifiable individual. Businesses as well as government entities process personal data for the delivery of goods and services. Processing of personal data allows the preferences of individuals to be understood, which may be useful for customisation, targeted advertising, and developing recommendations. Processing of personal data may also aid law enforcement. Unchecked processing may have adverse implications for the privacy of individuals, which has been recognised as a fundamental right. It may subject individuals to harm such as financial loss, loss of reputation, and profiling.

Currently, India does not have a standalone law on data protection. The usage of personal data is regulated under the Information Technology (IT) Act, 2000. It has been observed that this framework is not adequate to ensure the protection of personal data.1 In 2017, the central government constituted a Committee of Experts on Data Protection chaired by Justice B. N. Srikrishna to examine issues relating to data protection in the country. The Committee submitted its report in July 2018. Based on the recommendations of the Committee, the Personal Data Protection Bill, 2019 was introduced in Lok Sabha in December 2019. The Bill was referred to a Joint Parliamentary Committee, which submitted its report in December 2021.2 In August 2022, the Bill was withdrawn from Parliament. In November 2022, the Ministry of Electronics and Information Technology released the Draft Digital Personal Data Protection Bill, 2022 for public feedback.

Key Features: Applicability: The Bill will apply to the processing of digital personal data within India where such data is: (i) collected online, or (ii) collected offline and digitised. It will also apply to the processing of personal data outside India, if it is for offering goods or services to, or profiling, individuals in India. Personal data is defined as any data about an individual who is identifiable by or in relation to such data. Processing is defined as an automated operation or set of operations performed on digital personal data. It includes collection, storage, use, and sharing.

  • Consent: Personal data may be processed only for a lawful purpose for which an individual has given consent. A notice must be given before seeking consent. The notice should contain details of the personal data to be collected and the purpose of processing. Consent may be withdrawn at any point in time. Consent will be deemed to have been given where processing is necessary for: (i) performance of any function under a law, (ii) provision of a service or benefit by the State, (iii) a medical emergency, (iv) employment purposes, and (v) specified public interest purposes such as national security, fraud prevention, and information security. For individuals below 18 years of age, consent will be provided by the legal guardian.
  • Rights and duties of data principal: An individual whose data is being processed (data principal) will have the right to: (i) obtain information about processing, (ii) seek correction and erasure of personal data, (iii) nominate another person to exercise these rights in the event of death or incapacity, and (iv) grievance redressal. Data principals will also have certain duties. They must not: (i) register a false or frivolous complaint, or (ii) furnish false particulars, suppress information, or impersonate another person in specified cases. Violation of these duties will be punishable with a penalty of up to Rs 10,000.
  • Obligations of data fiduciaries: The entity determining the purpose and means of processing, called the data fiduciary, must: (i) make reasonable efforts to ensure the accuracy and completeness of data, (ii) implement reasonable security safeguards to prevent a personal data breach, and inform the Data Protection Board of India and the affected persons in the event of a breach, and (iii) cease to retain personal data as soon as the purpose has been met and retention is no longer necessary for legal or business purposes (storage limitation). The storage limitation requirement will not apply to processing by government entities.
  • Transfer of personal data outside India: The central government will notify the countries to which a data fiduciary may transfer personal data. Transfers will be subject to prescribed terms and conditions.
  • Exemptions: The rights of the data principal and the obligations of data fiduciaries (except data security) will not apply in specified cases, including the prevention and investigation of offences and the enforcement of legal rights or claims. The central government may, by notification, exempt certain activities from the application of the provisions of the Bill. These include: (i) processing by government entities in the interest of the security of the state and public order, and (ii) research, archiving, or statistical purposes.
  • Data Protection Board of India: The central government will establish the Data Protection Board of India. Key functions of the Board include: (i) monitoring compliance and imposing penalties, (ii) directing data fiduciaries to take necessary measures in the event of a data breach, and (iii) hearing grievances made by affected persons. The central government will prescribe: (i) the composition of the Board, (ii) the selection process, (iii) the terms and conditions of appointment and service, and (iv) the manner of removal.
  • Penalties: The schedule to the Bill specifies financial penalties for various non-compliances, such as: (i) up to Rs 150 crore for non-fulfilment of obligations in relation to children, and (ii) up to Rs 250 crore for failure to take reasonable security safeguards to prevent a personal data breach. Penalties will be imposed by the Board after conducting an inquiry.

Key Issues:  

  • Exemptions for data processing by the State on grounds such as national security may lead to data collection, processing and retention beyond what is necessary. This may violate the fundamental right to privacy.
  • The Bill accords differential treatment on consent and storage limitation to private and government entities performing the same commercial function, such as providing banking or telecom services. This may violate the right to equality of the private sector providers.
  • The central government will prescribe the composition of the Data Protection Board of India and the manner and terms of appointments to it. This raises a question about the independent functioning of the Board.
  • The Bill does not grant the data principal the right to data portability or the right to be forgotten.
  • The Bill requires all data fiduciaries to obtain verifiable consent from the legal guardian before processing the personal data of a child. To comply with this provision, every data fiduciary must verify the age of everyone signing up for its services. This may have adverse implications for anonymity in the digital space.

References: