Digital Personal Data Protection Bill, 2022: Takeaways

The right to privacy is essential to the right to life protected under Article 21 of the Indian Constitution. The term Privacy means the state of being alone and undisturbed by anyone, where a person enjoys personal autonomy. In the present time, the right to privacy is not confined to physical, mental, and social aspects of one’s life. But, with the advancement and boom of the digital area, an individual’s data privacy is also of great concern.

Data privacy means “the ability of a person to have autonomy as to when, how, and to what extent personal information about an individual is shared with or communicated to others.”

Acknowledging the immense usage of the internet by citizens and the transfer of data, the Government of India introduced the Draft Personal Data Protection Bill, 2019. But, the restrictions on the use of personal data and increased surveillance of government on the personal data of citizens were condoned by the digital business players and citizens, respectively. And subsequently, the Bill was withdrawn by the government.

Recently, the Government of India introduced the Digital Personal Data Protection Bill, 2022. 

In this blog, the author shall try to summarise the said Bill.

The Draft Personal Data Bill, 2022

Objective

The said Bill aims “to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their data and the need to process personal data for lawful purposes.”^[i]

Key takeaways

Extra-Territorial Scope

The said Bill has both territorial and extra-territorial scope, i.e. processing of digital personal data collected from the data principal online and offline, and processing of personal data outside India when such processing is “in connection with any profiling of, or activity of offering goods or services to data principals located within the territory of India.”

Important Definitions

“Personal data” broadly includes any data about an individual who is identifiable by or in relation to such data. In simple words, personal data implicitly tends to identify an individual.

“Data Principle” is an individual whose data is collected. The Bill also provides that an individual below 18 years of age shall not be a data principle. Rather, the parents/lawful guardian shall be declared as data principle.

“Data Fiduciary” is defined to be an entity that decides the “purpose and means of the processing of an individual’s data.” Such entities can be an individual, firms, companies, or a State.

“Significant Data Fiduciary” means an individual, firm, state, company, etc, that deals with a high volume of personal data. The Bill has tried to make this head subjective as to one that can threaten the security of a state and public order or cause risk to the electoral democracy.

Consent & Deemed Consent

The Bill provides that prior consent of the data principal, i.e. an individual, must be taken. An “itemized notice” must specify the type of personal data sought to be collected and the purpose of processing it. Once the data principle agrees to the “itemized notice”, the data fiduciary can access the personal data. It is important to note that consent can be both expressed and implied. And the express consent must be unambiguous and in accordance with the law.

Also, consent will be considered to be deemed consent if the data principle voluntarily provides its personal data to the data fiduciary. But, deemed consent is applicable in limited cases provided under the Bill. A data principle also has a right to withdraw its consent, and the data fiduciary shall cease to process the personal data within a reasonable time.

Rights of Data Principles

The Bill postulates various rights to data principles which are provided below:

1. As discussed above, the data principle must have the right to give consent (expressed or implied) before collecting personal data by a data fiduciary. Also, it has the right to withdraw its consent at any point in time.
2. The data principle shall have the right to access information on the type and extent of personal data being processed by the data fiduciary. The data principle shall also have the right to access the identities of all data fiduciaries on request. 
3. The data principle has the right to register grievances with the data fiduciary. If the grievance is not restored within seven days of communication with the data fiduciary, the data principle can register a complaint with the Data Protection Board. Provided the grievances of the data principle must be true and not misleading.
4. The data principle shall also have the right to correction. It means that the data principal shall have the right to make corrections to its personal data or seek the erasure of its personal data. And the data fiduciary will be obligated to correct or erase the data.

Duties of Data Fiduciary

The Bill provides for various duties of data fiduciaries as well listed below:

1. The Bill tends to establish a responsibility on the data fiduciary to protect the personal data of the data principle. In case the data fiduciary does not take the security measures to protect the data, it shall be liable for a penalty. Also, in case of a breach of personal data, the data fiduciary must inform the Data Protection Board and the data principal.
2. The Bill ensures to give due regard to the personal data of the data principal, by enforcing the right to be forgotten on data fiduciaries, i.e. once the purpose for the collection of the personal data is served, the personal data must not be retained and must be deleted.
3. The Bill ensures the protection of the personal data of the children by seeking consent from their lawful guardians or parents. The said obligation is on the data fiduciary to make sure that the personal data of the children are protected.
4. In the case of significant data fiduciary, the Central Government has the power to identify a data fiduciary as significant data fiduciary on the following grounds i.e. the amount of personal data it handles, collection of such data is sensitive enough to impact the sovereignty and integrity of India and public order. Hence, the Bill provides that significant data fiduciaries must have an independent data auditor who must conduct data protection impact assessments and audits.
5. The Bill provides that an appointment of a Data Protection Officer (DPO) is essential for every data fiduciary. The DPO shall address the concerns and queries of the data principle.

Data Protection Board

The draft bill provides for the establishment of a separate body, i.e. Data Protection Board, to oversee and keep a check on the data fiduciaries and data principals, and their effort to comply with the provisions of the Bill. The said board is expected to have an online and offline file management system. And the board must derive its procedural powers from the Code of Civil Procedure, 1908

Penalties

The Bill provides for heavy penalties ranging from Rs 50 crores to Rs. 500 crores. A heavy penalty shall be imposed on the non-compliances by the parties, taking into consideration the loss suffered or gained incurred, the nature of non-compliance, the repetition of non-compliances, and the conduct.

Exemptions

The Bill enables the government to exempt certain enterprises, entities, or companies from complying with the provisions of the Bill, taking into account the volume of personal data and users processed by it. An exemption is also applicable to the data fiduciary in the interest of the sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order, or preventing incitement to any cognizable offence.^[ii]

Key Principles of the Bill, 2022

The Bill provides for various principles, i.e., collection of personal data in a fair, lawful and transparent manner, that the collected data must be used for the purposeful objective of the data fiduciary. The Bill also provides for data minimization and accuracy when it comes to data collection. As discussed above, there is also a provision to ensure that the personal data is not stored for an indefinite period, and there must be “no authorized collecting or processing of personal data” Lastly, the Bill brings in huge accountability in the form of heavy penalties.

Conclusion

The introduction of the said Bill reflects the effort of the government to bring laws protecting the personal data of netizens. Since the pronouncement of KS Puttaswamy v. Union that recognized the right to privacy and the report of the BN Srikrishna Committee that recommended implementing privacy law for personal data, the introduction of the said Bill was needed for an hour.

But, the journey for implementation has not been a cakewalk for the legislature; the Personal Data Protection Bill 2019 was withdrawn due to immense criticism received from the interested parties. Hence, the question arises what the future of the present 2022 bill is?

Despite heavy penalties, obligations, and additional obligations on the data fiduciaries, the introduction of cross-border jurisdiction, and withdrawn consent, it has attracted much criticism. One of the criticisms is its departure from the judgment of KS Puttaswamy, in the light of unclear on the powers of the government that may evade an individual’s privacy.

Arshnit Sandhu has completed her LLM in Corporate and Commercial Law from the National University of Study and Research in Law (NUSRL), Ranchi.

Disclaimer:  The views, thoughts, and opinions expressed in the text belong solely to the author and not to the Jurisedge Academy.

Read the Recent Legal News on our Blog.

Read all the updates on CLAT PG 2023 here

For daily legal updates, you may follow us on Instagram and LinkedIn and join our Telegram channel.

^[i] Objective of the Draft Personal Data Protection Bill, 2022.

^[ii] Section 18(2)(b) of the Draft Personal Data Protection Bill, 2022.