The Digital Personal Data Protection Bill, 2022 (the “DPDP Bill”) has been released for public consultation by the Ministry of Electronics and Information Technology (“MeitY”), which has invited comments on the DPDP Bill until December 17, 2022. This move comes a few months after MeitY withdrew the DPDP Bill’s predecessor, the Personal Data Protection Bill, 2019 (the “PDP Bill”), in August 2022. The DPDP Bill seeks to regulate personal data alone and leaves non-personal data out of its ambit. For the first time in Indian legislation, the DPDP Bill uses the pronouns ‘she/her’ to refer to individuals, irrespective of gender. In contrast to the current Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“IT Rules 2011”), which apply only to body corporates, the term “Data Fiduciary” (“DF”) now covers Hindu Undivided Families (HUFs), artificial juristic persons, individuals and the State.
The DPDP Bill proposes to protect (a) personal data collected online from the Data Principal (“DP”) and (b) personal data collected offline that has since been digitised. It excludes from its ambit (a) non-automated processing of personal data, (b) offline personal data, (c) personal data processed by an individual for any personal or domestic purpose, and (d) personal data about an individual contained in a record that has been in existence for at least 100 years. The DPDP Bill lays down three conditions that must all be satisfied before a DF may process personal data. First, digital personal data must be processed in accordance with the provisions of the DPDP Bill. Secondly, the processing must be for a lawful purpose, that is, one not expressly forbidden by law. Thirdly, the DP must have given consent (express or deemed) to the processing.
SOME OF THE KEY FEATURES OF THE DPDP BILL
- Territorial Applicability
The DPDP Bill proposes to apply to digital personal data processed within India, and to personal data processed by a DF outside India where such processing is in connection with any profiling of, or any activity of offering goods or services to, DPs within India.
- Notice and Consent
The DF must give the DP a notice describing the personal data sought to be collected and the purpose of its collection, on or before requesting the DP’s consent. Under the DPDP Bill, consent may be either express or deemed. Consent is not permanent: the DP may withdraw it at any time, and unless processing without the DP’s consent is required or permitted by law, the DF must cease processing the DP’s personal data within a reasonable time of the withdrawal. Deemed consent may be inferred by a DF in situations such as a medical emergency, compliance with a judgment or order, or where the DP voluntarily provides her personal data to the DF.
- Duties and Obligations of DFs
The DFs have to inter alia:
- (a) ensure that the personal data is accurate and complete where it is used to make a decision that affects the DP to whom it relates, or where it is transferred from one DF to another;
- (b) implement reasonable security safeguards to prevent personal data breaches and, in the event of a breach, notify the Data Protection Board of India (discussed below) and each affected DP;
- (c) cease to retain personal data once the purpose for which it was collected has been served.
- Rights and Duties of the DPs
The DPDP Bill prescribes certain rights and duties for DPs. A DP has the right, among others, to (a) obtain information about the personal data of hers that is being processed, (b) seek correction and erasure of her personal data, and (c) nominate a person who may exercise her rights in the event of her death or incapacity. The DP also has certain duties under the DPDP Bill, such as complying with its provisions, not furnishing false particulars, and not registering a false or frivolous grievance or complaint.
The DPDP Bill also empowers the Central Government to exempt certain DFs or classes of DFs from some of its obligations, having regard to factors such as the number of users and the volume of personal data they process. This appears to have been done in response to complaints from start-ups about the compliance burden under the PDP Bill.
- Appointment of Significant Data Fiduciary
The DPDP Bill proposes the notification of Significant Data Fiduciaries (“SDFs”). The Central Government may notify any DF or class of DFs as an SDF on the basis of an assessment of factors such as the volume and sensitivity of the personal data processed, the risk of harm to DPs, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, the security of the State, public order, and any other factors it considers necessary. The DPDP Bill also imposes additional obligations on SDFs, including the appointment of a Data Protection Officer (“DPO”) to represent the SDF and of an Independent Data Auditor (“IDA”) to evaluate the SDF’s compliance with the DPDP Bill.
- Data Protection Board of India
The DPDP Bill provides for the Central Government to establish the Data Protection Board of India (the “Board”). The Board is to determine non-compliance and impose financial penalties in accordance with the provisions of the DPDP Bill. The Board is intended to function as a digital office: the receipt of complaints and the allocation, hearing and pronouncement of decisions are all to be carried out digitally. Appeals against the Board’s orders lie to the High Court.
The DPDP Bill imposes steep financial penalties of up to INR 500 crore on DFs, in contrast to the PDP Bill, which capped penalties at INR 15 crore or 4% of the entity’s total worldwide turnover, whichever was higher. The DPDP Bill further provides that DPs may be fined up to INR 10,000 for breach of their duties.
- Data Transfer
The PDP Bill restricted the transfer of personal data outside India. The DPDP Bill, by contrast, permits cross-border data flows by allowing the transfer of personal data to such countries or territories outside India as the Central Government may notify.
The DPDP Bill has been drafted by MeitY in simple, plain language to make it easy to understand. That plain language, however, also leaves ample room for interpretation, which may defeat the intent of the legislature. In most clauses the DPDP Bill uses the phrase ‘as may be prescribed’, leaving the detail of the statute to be filled in through rules and notifications. Further, while the concept of voluntary undertakings may go a long way towards facilitating and enabling compliance rather than penalising non-compliance, it may also end up being used frequently as a bail-out card for escaping the consequences of non-compliance.
Author’s Name: Shivam Kumar (Jamia Millia Islamia, New Delhi)