Context: With India's digital economy growing rapidly (it is expected to reach $1 trillion by 2026) and people adopting digital technologies that generate large amounts of personal data, a legislative framework such as the Digital Personal Data Protection (DPDP) Bill, 2022 to safeguard citizens' personal information from misuse and unauthorized access is the need of the hour.
Understanding Digital Personal Data Protection (DPDP) Bill 2022
Objective of the Bill:
- The Bill seeks to establish a comprehensive legal framework governing digital personal data protection in India.
- It aims to provide for processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process it for lawful purposes.
Highlights of the Bill:
- The Bill will apply to the processing of digital personal data in India, whether it is collected online or offline and then digitized. It will also apply to the processing of digital personal data outside of India if it involves offering goods or services or profiling individuals in India.
- Personal data may be processed only for a lawful purpose for which an individual has given consent. Consent may be deemed in certain cases.
- Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
- The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
- The central government may exempt government agencies from the application of provisions of the Bill on specified grounds such as security of the State, public order, and prevention of offences.
- The central government will establish the Data Protection Board of India to adjudicate non-compliance with the provisions of the Bill.
Features and Analysis
- Notice and Consent: The Bill requires the prior consent of the data principal (the individual whose data is being collected), preceded by a notice describing the personal data sought and the purpose for which it will be processed.
- The data principal may give, manage, review or withdraw her consent to the data fiduciary through a Consent Manager.
- Obligations of the data fiduciary: To ensure that personal data is processed, stored and erased safely and properly, the Bill imposes responsibilities such as:
- In the event of a breach, the data fiduciary (the entity, whether an individual, company, firm or the State, that determines the purpose and means of processing an individual's personal data) must inform the Board and the affected data principal.
- Deletion of personal data once the purpose for which it was collected is no longer served, or its retention is no longer necessary.
- Every data fiduciary must publish the contact details of a Data Protection Officer (DPO), where one has been appointed, or of a person able to answer the data principal's queries and concerns on its behalf; appointing a DPO is mandatory only for significant data fiduciaries.
- Additional obligations apply when processing the personal data of children, including obtaining verifiable consent from a parent or lawful guardian.
- Significant data fiduciary: The central government can notify a data fiduciary as a significant data fiduciary based on factors such as the volume and sensitivity of the personal data it processes, the risk of harm to data principals, and the potential impact on the sovereignty and integrity of India, the security of the State and public order.
- Significant data fiduciaries must appoint a Data Protection Officer based in India and an Independent Data Auditor to evaluate their compliance, conduct a Data Protection Impact Assessment, and undergo periodic audits.
- Duties and rights of the data principal: The Bill also stipulates duties of the data principal: not registering a false or frivolous grievance or complaint, not furnishing false or misleading information, and not suppressing material information. Rights of the data principal include:
- Right to information, right to correction or erasure and grievance redressal.
- Establishment of Data Protection Board: It also provides for setting up a Data Protection Board of India, which will adjudicate non-compliance by data fiduciaries and data principals and impose penalties.
- Penalties imposed by the Board: The Bill's schedule lists six categories of non-compliance, with financial penalties extending to a maximum of ₹500 crore.
- Transfer of data outside India: The central government will notify the countries or territories to which a data fiduciary may transfer personal data, subject to such terms and conditions as may be specified.
Significance of the Bill:
- Plugs loopholes in the current framework: The current legal framework for data protection in India, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, framed under Section 43A of the IT Act, 2000, is inadequate to protect the privacy of individuals.
- The existing framework treats privacy as a statutory right rather than a fundamental right.
- It does not apply to the processing of personal data by the government.
- It has a limited understanding of the kinds of data to be protected.
- It places scant obligations on the data fiduciaries which can be overridden by contract.
- There are only minimal consequences for data fiduciaries for breach of these obligations. The DPDP Bill, 2022 aims to address these inadequacies.
- Easier to comprehend: Earlier drafts such as the PDP Bill, 2019 were dense and voluminous; the new Bill is shorter and easier to follow.
- Ensures a Transparent regime: The Bill seeks to introduce transparency to the current system. Usage of personal data by organizations must be done in a manner that is lawful, fair, and transparent to individuals concerned.
- Empowers individuals: The Bill recognizes India's linguistic diversity and entitles individuals to receive basic information in any of the languages listed in the Eighth Schedule of the Constitution.
- It also recognizes a right to post-mortem privacy, which earlier drafts lacked: a data principal may nominate another individual to exercise her rights in the event of her death or incapacity.
- For the first time in India's legislative history, "her" and "she" are used to refer to individuals irrespective of gender.
- Smooth compliance regime: The Bill proposes a lighter compliance framework with several welcome improvements. It removes non-personal data from the law's scope and does away with the onerous data localization mandate of the PDP Bill, 2019; the relaxed rules on cross-border data flows could bring relief to large technology companies.
Limitations of the Bill:
- No defined timelines: The Bill imposes certain obligations on data fiduciaries without specifying a timeframe for meeting them. There is:
- Lack of deadline for deleting personal data (in case of withdrawal of consent),
- Lack of timeline for Board to adjudicate on a complaint,
- No deadline for data fiduciary to erase personal data once the intended purpose is served, etc.
- Powers of the Board: The Bill does not specify the composition or strength of the Board, leaving these to be prescribed by the central government, which has raised concerns about the Board's independence.
- Limiting penalties: The Bill appears to focus on the severity of non-compliance rather than the non-compliance itself. If the Board finds that non-compliance is not significant, it may close the enquiry, and remedial measures are directed only where the non-compliance is significant.
- Large number of exceptions: The central government may exempt any data fiduciary or class of data fiduciaries from provisions of the draft Bill. The government can also claim exemption from most data protection obligations where processing is undertaken "in the interests of prevention, detection, investigation of any offence or any other contravention of any law."
- Missed crucial rights for the data principal: The right to data portability and the right to be forgotten, both present in earlier drafts, are not part of the draft Bill.
- The right to data portability allowed the data principal to receive, in a structured format, all the personal data she had provided to the data fiduciary.
- It also covered data that the data fiduciary had generated about the data principal while processing her data to provide its services.
- The right to be forgotten allows the data principal to require the data fiduciary to stop the continuing disclosure of her personal data.
Global Data Protection Models:
As per the United Nations Conference on Trade and Development (UNCTAD), an estimated 137 of 194 countries have legislation in place to secure the protection of data and privacy.
- General Data Protection Regulation (GDPR)- European Union: The Regulation embodies the comprehensive approach, offering the strongest and most stringent framework for data protection.
- Right to privacy is backed by this comprehensive data protection framework which applies to processing of the personal data by any means and by both government and private entities.
- Sectoral Approach Model of the US: Privacy protection is largely defined as “liberty protection” focused on protection of the individual’s personal space from the government.
- It is viewed as a framework that is narrow in focus as it enables collection of personal information as long as the individual is informed of such collection and use.
- Also, it has been deemed flawed for various reasons, including inconsistent protection, problems in enforcement, overlapping and contradictory provisions, and a lack of federal regulation leaving certain sectors unprotected.
- This creates confusion and coverage gaps for businesses, and there is no centralised authority to enforce data protection laws, leading to a lack of standardisation.
- China model: China's Personal Information Protection Law (PIPL) and Data Security Law, both enacted in 2021, give Chinese data principals new rights and seek to prevent misuse of personal data.
- This model requires data to be classified by levels of importance and places new restrictions on cross-border transfers.
India’s Strengthened Data Protection Regime
- Justice K.S. Puttaswamy (Retd) vs Union of India, 2017: In August 2017, a nine-judge bench of the Supreme Court unanimously held that Indians have a constitutionally protected fundamental right to privacy, which is an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution.
- B.N. Srikrishna Committee 2017: The government appointed a committee of experts on data protection under the chairmanship of Justice B.N. Srikrishna in July 2017. It submitted its report, along with a draft Personal Data Protection Bill, in July 2018, recommending measures to strengthen privacy law in India, including restrictions on the collection and processing of data, a Data Protection Authority, a right to be forgotten and data localisation.
- Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021: The IT Rules, 2021 require social media intermediaries to exercise greater due diligence with respect to the content on their platforms.