Highlights of the Digital Personal Data Protection Bill, 2022

This blog post is written by Ms. Ritu Sajnani. 

Significance of Data Protection and its Journey so far

Privacy is as important as any other Human Right, as it forms a part of a person’s identity. Given this, the Government has been making efforts to protect the digital data of persons. The journey of the Digital Personal Data Protection Bill, 2022, released on November 18, 2022 (“Draft Bill 2022”), dates back to August 2017, when the Supreme Court recognised Privacy as a Fundamental Right and the Justice BN Srikrishna Committee was constituted to frame data protection norms.

Subsequently, several iterations of this bill were introduced by the Ministry of Electronics and Information Technology:

  • Personal Data Protection Bill, 2018 on July 27, 2018;
  • Personal Data Protection Bill, 2019 on December 11, 2019 (“2019 Bill”); and
  • Personal Data Protection Bill, 2021 on December 16, 2021 (“2021 Bill”)

On August 3, 2022, the Parliament withdrew the 2019 Bill with an intent to introduce a more comprehensive framework of data protection. Finally, the Draft Bill 2022 was released, and it is open for public consultation till December 17, 2022.

The Draft Bill 2022, if passed, will replace the existing data protection law under Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Key takeaways from the Draft Bill 2022 

  • Meaning and scope of Personal Data

The 2019 and 2021 Bills categorized personal data into sensitive personal data, critical personal data, etc. Such categorization has been removed in the Draft Bill 2022. Personal data is now referred to as ‘data about an individual who is identifiable by or in relation to such data’. Further, the Draft Bill 2022 only considers ‘Automated Personal Data’ and does not apply to non-automated processing of personal data, offline personal data, personal data processed by an individual for any personal/domestic purpose, and personal data about an individual contained in a record which has existed for at least 100 years.

  • Extraterritorial Application 

The data transfer provisions have been simplified in the Draft Bill 2022. The provisions of this Bill apply not only to personal data within the territory of India, but also to processing of such data outside the territory of India, if such processing is in connection with any profiling of, or activity of offering goods or services to, data principals in India.

  • Data transfer

Data transfer may only be allowed to certain countries, subject to the Central Government’s terms and conditions, which it may notify, after assessment of necessary factors.

  • Consent-led approach

Consent is now required to be freely given, specific, informed, explicit and unambiguous. Additionally, forms of procuring consent should be translated into all languages mentioned in the 8th Schedule of the Indian Constitution. A data principal has the right to give, manage, review, and withdraw the consent provided to the data fiduciary. The concept of deemed consent has also been introduced. It applies in circumstances like an emergency, purposes related to employment, and fair and reasonable purposes as may be prescribed by the Central Government, and where the data principal voluntarily provides such data to the data fiduciary and it is reasonably expected that the same would be provided.

  • Personal Data of Children

Parental consent has been made compulsory before processing any personal data belonging to a child. A data fiduciary is obligated not to undertake any such processing likely to cause harm to the child. Additionally, undertaking tracking or behavioral monitoring of children or targeted advertising directed at children is prohibited.

 

  • Data Protection Board of India (“Board”)

The Data Protection Authority has been replaced by the Data Protection Board of India, and the functions, composition and powers of the Board are different from those under the 2019 and 2021 Bills. Furthermore, the Board does not have the ability to initiate subordinate legislation. The main functions of the Board include determining non-compliance, imposing penalties, conducting enquiries, directing parties to resolve complaints through ADR methods, and directing the adoption of response measures in case of a personal data breach. It is pertinent to note that powers related to implementation of the law, most of which were with the Data Protection Authority under the earlier Bills, are proposed to be prescribed by the Government through Rules.

  • Penalties 

The Draft Bill 2022 does not provide for any criminal penalties, but provides for a financial penalty of up to INR 500 crores for each instance of non-compliance, depending on various factors. Further, the Draft Bill 2022 does not provide for compensating data principals whose personal data has been compromised; however, it prescribes a penalty of up to INR 10,000 for registering a false complaint or furnishing false particulars or suppressing any material information.

  • Grievance Redressal  

A data principal has now been provided with a right to grievance redressal with a data fiduciary. A complaint can also be registered with the Board in the event no satisfactory response is received from the data fiduciary. 

  • Duties of Data Principal and Data Fiduciary

Duties of a data principal have been introduced in addition to all the rights provided under the 2019 and 2021 Bills. These inter alia include compliance with all applicable laws, providing all material information while applying for any document, and furnishing only such information as is verifiably authentic while exercising the right to correction or erasure. Further, the data fiduciary too has obligations, like notifying the Board and each affected data principal about data breaches.

  • Significant Data Fiduciary and Data Protection Officer

The role of a significant data fiduciary is unchanged from that of the earlier Bills. These fiduciaries are required to comply with additional obligations like appointing a Data Protection Officer and Independent Data Auditor, and undertaking data protection impact assessments. 

The Data Protection Officer is a person responsible to the board of directors / governing body of the Significant Data Fiduciary and is also the point of contact for the grievance redressal mechanism set up by the Significant Data Fiduciary.

  • Exemptions

State instrumentalities, in the interest of sovereignty and integrity of India, security of the state, friendly relations with foreign states, and maintenance of public order, are exempted from compliance. 

India’s time to take the leap!

The 2019 and 2021 Bills were bulky and hard to implement. The Draft Bill 2022 also has some flaws, such as in its constitutional consistency and its ability to work alongside global privacy laws, and has taken a slightly doctrinal approach, which hinders it from being a foolproof law.

However, the Draft Bill 2022 is simpler and has better enforceability than the earlier Bills. There is a hope that there will be a huge reduction in privacy breaches, leakage of data and related offences in the country once this law comes into force. The implementation of this law will give digital businesses a new outlook towards data processing. The trust among people in online platforms and digitalization will increase, and this will further lead to connecting better with the rest of the world.

Many nations in the world have had data protection laws for a long time and it is now India’s time to take the leap!