This article is authored by Ayushee Priya and edited by Mr. Anoop Prakash Awasthi, AOR and Adv. Prapti Singh.

INTRODUCTION

Digital India has caused digitization of the Indian economy and transformed the lives of Indian citizens in particular and governance in general. The lives of crores of Indians and their experience of governance have been significantly enhanced by the use of technology and the internet. Digital India has also unleashed innovation and entrepreneurship in the digital space in addition to the large global Big Tech platforms that have a significant presence on the internet.

In the month of August 2022, The Ministry of Electronics and Information Technology (Government of India) had withdrawn Personal Data Protection Bill, 2019, owing to multiple recommendations received through public consultation. As a revised version of its predecessor, the Government released Digital Personal Data Protection Bill on November 18, 2022. This bill is a part of a list of legislations that include IT rules, National Data Governance Framework Policy and a new Digital India Act.

SCOPE OF THE BILL 

The bill applies to the automated processing of personal data, which includes data collected online or offline but is digitized.

The law also has extra-territorial applicability, meaning it applies to cases where personal data is being processed outside of India for the profiling of Indian residents or for the provision of goods or services to Indian residents. This means that even if a company or organization is not based in India, but if they process the personal data of Indian citizens or offer goods or services to Indian citizens, they will be subject to the provisions of the bill.

However, the bill excludes certain types of processing from its applicability, such as non-automated processing, processing of offline personal data, and processing for personal or domestic use.

HIGHLIGHTS OF THE BILL

  • The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised.  It will also apply to such processing outside India, if it is for offering goods or services or profiling individuals in India.
  • Personal data may be processed only for a lawful purpose for which an individual has given consent.  Consent may be deemed in certain cases.
  • Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
  • The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
  • The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.
  • The central government will establish the Data Protection Board of India to adjudicate non-compliance with the provisions of the Bill.

KEY FEATURES

  • Applicability:  The Bill will apply to the processing of digital personal data within India where such data is: (i) collected online, or (ii) collected offline and is digitised.   It will also apply to the processing of personal data outside India, if it is for offering goods or services or profiling individuals in India.  Personal data is defined as any data about an individual who is identifiable by or in relation to such data.  Processing has been defined as an automated operation or set of operations performed on digital personal data.  It includes collection, storage, use, and sharing.
  • Consent:  Personal data may be processed only for a lawful purpose for which an individual has given consent.  A notice must be given before seeking consent.  Notice should contain details about the personal data to be collected and the purpose of processing.  Consent may be withdrawn at any point in time.  Consent will be deemed given where processing is necessary for: (i) performance of any function under a law, (ii) provision of service or benefit by the State, (iii) medical emergency, (iv) employment purposes, and (v) specified public interest purposes such as national security, fraud prevention, and information security.  For individuals below 18 years of age, consent will be provided by the legal guardian.
  • Rights and duties of data principal:  An individual, whose data is being processed (data principal), will have the right to: (i) obtain information about processing, (ii) seek correction and erasure of personal data, (iii) nominate another person to exercise rights in the event of death or incapacity, and (iv) grievance redressal.  Data principals will have certain duties.  They must not: (i) register a false or frivolous complaint, (ii) furnish any false particulars, suppress information, or impersonate another person in specified cases.  Violation of duties will be punishable with a penalty of up to Rs 10,000.
  • Obligations of data fiduciaries:  The entity determining the purpose and means of processing, called data fiduciary, must: (i) make reasonable efforts to ensure the accuracy and completeness of data, (ii) build reasonable security safeguards to prevent a data breach and inform the Data Protection Board of India and affected persons in the event of a breach, and (iii) cease to retain personal data as soon as the purpose has been met and retention is not necessary for legal or business purposes (storage limitation).  The storage limitation requirement will not apply in case of processing by government entities.
  • Transfer of personal data outside India:  The central government will notify countries where a data fiduciary may transfer personal data.  Transfers will be subject to prescribed terms and conditions.
  • Exemptions:  Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases including prevention and investigation of offences, and enforcement of legal rights or claims.   The central government may, by notification, exempt certain activities from the application of provisions of the Bill.   These include: (i) processing by government entities in the interest of the security of the state and public order, and (ii) research, archiving, or statistical purposes.
  • Data Protection Board of India: The central government will establish the Data Protection Board of India. Key functions of the Board include: (i) monitoring compliance and imposing penalties, (ii) directing data fiduciaries to take necessary measures in the event of a data breach, and (iii) hearing grievances made by affected persons.  The central government will prescribe: (i) composition of the Board, (ii) selection process, (iii) terms and conditions of appointment and service, and (iv) manner of removal.
  • Penalties: The schedule to the Bill specifies penalties for various offences such as: (i) up to Rs 150 crore for non-fulfilment of obligations for children and (ii) up to Rs 250 crore for failure to take security measures to prevent data breaches.  Penalties will be imposed by the Board after conducting an inquiry. 

CONCLUSION

In its attempt to balance national security, public order, ease of doing business, global diplomacy and cross-border cooperation, technology velocity, and data volumes, the Digital Personal Data Protection Bill 2022 does a fine-balancing act. While in the formative normative stages the Central government must have room for navigation, if the reservations and amendments in their respective context can be operationalised seamlessly, the bill can be the global digital personal data protection laws’ fore-runner.

REFERENCES:

FacebookTwitterPinterestRedditLinkedinWhatsappTelegramEmailShortlink

Related Posts