Digital Personal Data Protection Bill, 2022

The Digital Personal Data Protection Bill, 2022 (“DPDP Bill, 2022” or “the Bill”) provides a legal framework for the processing of the digital personal data of individuals in India. The Indian Government has been in the process of introducing an extensive data protection law since 2018. The present draft of the Bill is a significant departure from previous drafts. Taking India closer to its first Data Protection Law to come into force, the Bill was cleared by the Indian Union Cabinet on July 5, 2023. Thereafter, the Bill was introduced and passed by the Lok Sabha and the Rajya Sabha on August 07, 2023 and August 09, 2023, respectively. It shall obtain the assent of the Hon’ble President of India and shall thereafter come into force once it is published in The Gazette of India.

The current draft of the Bill is more open-ended, leaving much to be prescribed by the Central Government, and it does away with different categories of datasets (such as critical or sensitive data). The Data Protection Board of India (“Board”) is proposed to be the adjudicatory body for enforcement of the provisions of the Bill.

The term Data Protection refers to the safe and secure protection of user data by the person holding it. It denotes the set of policies that define how the use of a user’s personal data is restricted and how that data is safeguarded against data breaches.

Personal Data Protection (PDP) refers to a set of tools and policies for practicing, regulating and measuring the privacy and security of an individual’s personal information. It includes the collection, use, storage, and sharing of personal data by organizations and governments while ensuring that individuals have control over their personal data.

The main function of the Bill is to safeguard an individual’s privacy and to take steps against misuse of, or unauthorized access to, their personal information.

Personal data primarily includes various types of information, such as names, addresses, phone numbers, email addresses, financial details, medical records, and other identifiers that can be used to identify an individual.

The Bill defines compliance regulations for the ‘Data Fiduciary’, which is any person who, alone or in conjunction with other persons, determines the purpose and means of processing an individual’s personal data.

Personal data protection is built on technologies such as Data Loss Prevention (DLP), end-to-end encryption, built-in data protection controls, firewalls and more. It is essential in business operations such as research and development, finance, etc.

What is the Bill about

The Digital Personal Data Protection Bill, 2022 defines the compliance regulations for Persons taking responsibility for using users’ personal data.

The Bill establishes requirements for businesses handling and processing data, and sets out individual rights. Its main purposes are to restrict cross-border data transfers, to impose monetary penalties on Persons for data breaches, and to provide a framework for the establishment of a data protection body to ensure compliance. Non-compliance and failure can result in penalties for Persons, who would also be required to discontinue retaining user data once it no longer serves the original business objective.

No Person will be authorized to process personal data that has “any detrimental effect” on the well-being of the Data Principal, i.e. the individual to whom the personal data relates.

The Bill provides for the following rights of Data Principals:

  • Right to Information: Data Principals have the right to access information about the processing of their personal data, along with a summary of the data itself.
  • Right to Withdraw Consent: Individuals can withdraw their consent for data processing at any point, and they are entitled to be informed if their data has been shared with a third party.
  • Right to Correction and Erasure: Data Principals have the authority to rectify inaccuracies in their personal data and to request the erasure of such data when it is no longer necessary.
  • Right of Grievance Redressal: This empowers Data Principals to register complaints with the Data Fiduciary. In cases of inadequate or unsatisfactory responses, grievances can be escalated to the Board. The Bill also outlines certain obligations for Data Principals, including refraining from providing false information and from filing false complaints.

Simultaneously, the Bill lays down several responsibilities on the Data Fiduciary:

  • Transparency: Data Fiduciaries must transparently explain what personal data they intend to collect, the purpose of the collection and how the data will be used.
  • Informed Consent: Prior consent is mandatory for collecting an individual’s personal data; collection without it amounts to a breach of the provisions of the Bill.
  • Data Accuracy: Measures should be implemented to ensure the accuracy and completeness of processed data.
  • Security Measures: Adequate security measures must be in place to prevent data breaches. The data must not be misused by any fiduciary, as this would lead to legal consequences.
  • Data Retention: Data should only be retained as long as required for the intended purpose. After the purpose has been fulfilled, or after the user deletes the application or website, the fiduciary should block the personal data so that it is not available to anyone in the public domain.
  • Data Breach Notification: In the event of a data breach, both the Board and the affected Data Principals must be notified.
  • Data Sharing: Data Fiduciaries should establish contracts before sharing or transferring data to other fiduciaries or to data processors.

For larger data organizations, the Bill mandates the appointment of a Data Protection Officer and an Independent Auditor for periodic compliance review.

Companies and institutions are required to delete user data if it no longer serves the intended business purpose. No corporation or organization will be permitted to process personal data that is likely to have “any detrimental effect” on the Data Principal.

RTI Law and the Data Protection Bill

The Right to Information Act, 2005 (RTI Act) has an exception clause under section 8(1)(j) to preserve people’s right to privacy. To use this section to deny a request for personal information, at least one of the following conditions must be met:

  1. the information sought has no relationship to any public activity or public interest, or
  2. the information sought is such that it would cause an unwarranted invasion of privacy and the information officer is satisfied that there is no larger public interest that justifies disclosure.

The Bill includes a provision to amend section 8(1)(j) to expand its purview and exempt all personal information from the ambit of the RTI Act. This would be a huge blow to the transparency regime in the country.

We believe that the Bill must be consistent with the RTI Act’s requirements and aims and, more precisely, consistent with Justice A.P. Shah’s report, which recommends that “the Privacy Act should clarify that publication of personal data for public interest… and disclosure of information as required by the Right to Information Act should not constitute an infringement of privacy.”

Limitations of the Bill

  • No autonomy for the Data Protection Board: The Bill does not guarantee the independence of the Data Protection Board, which is the body in charge of enforcing the law’s requirements. Given that the government is the largest source of data, it was critical that the monitoring body established by the legislation be sufficiently independent to act on breaches of the law by government agencies.
  • Digital by design: The Bill stipulates that the Data Protection Board shall be ‘digital by design’, including for the receipt and disposal of complaints. As per the latest National Family Health Survey, only 33% of women in India have ever used the Internet. The Bill therefore effectively fails millions of people who do not have meaningful access to the Internet.
  • Article 21: It violates the fundamental right to privacy because of the exemptions provided to the State on grounds such as national security.
  • Regulation: The Bill does not regulate the risks of harm arising from the processing of personal data.
  • Personal data outside India: The transfer mechanism may not ensure adequate evaluation of data protection standards in the countries to which transfer of personal data is allowed.
  • Independence: The short term (2 years) of the members of the Data Protection Board of India, with scope for re-appointment, may affect the independent functioning of the Board.
  • No compensation: Section 43A of the IT Act, 2000 imposes an obligation on corporates to award damages to affected persons in case of negligent handling of their sensitive data. However, the Bill excludes the application of Section 43A.

Data Protection Bill – Boon or Bane

  • A much-needed Bill: Once in force, the Bill empowers Data Principals to manage their own personal (digital) data and requires Data Fiduciaries to treat individuals’ personal data lawfully. Due to the Bill’s extraterritorial reach, firms operating outside India that serve persons in India would be expected to follow the provisions of the Bill once it is adopted. To be able to fulfil the rights that individuals may exercise, such as the right to access, update and erase their personal data, Persons will have to assess their existing working methods, particularly for the personal data of persons such as their workers, customers, merchants, vendors, and so on. Non-compliance with the Bill’s duties may result in fines and commercial penalties of up to Rs 500 crore.
  • Towards compliance & transparency: The Bill is seen as a significant milestone towards addressing the data protection concerns that have been a matter of contention for a long time. The Bill’s comprehensive framework imposes reasonable requirements on data fiduciaries and processors, guaranteeing responsible processing of digital personal data. Citizens’ basic right to privacy is reinforced by the emphasis on free and informed consent. The formation of a data protection board strengthens the Act by ensuring compliance, corrective actions and sanctions where needed. The Board’s ability to work as a digital office, processing complaints, distributing cases and making judgments using techno-legal methods, improves the overall efficiency and openness of the process.

    Overall, the Bill is a positive step towards safeguarding data privacy and promoting transparency in data practices, and marks a milestone for India’s digital future.

  • More rights for individuals: The Bill, which has been drafted by the Ministry of Electronics and Information Technology (MeitY), is seen as forward-looking legislation that has a broad scope across sectors and will have an impact on businesses of all sizes.

    The Bill strikes an essential balance between safeguarding users’ rights and encouraging digital business innovation. Its significant business-friendly elements include the elimination of criminal penalties for noncompliance and the facilitation of foreign data transfers, among other things. On the other hand, it also guarantees a complete set of rights to data principals, with the goal of creating a transparent and responsible data governance structure in the future. We applaud the DPDP Bill as a significant step toward establishing a new legal framework for digital firms and ushering in India’s technological revolution.

Penalties

If the Board discovers severe non-compliance by a person after conducting an inquiry, it may impose a pecuniary penalty of up to INR 500 crore. The Bill also imposes particular fines ranging from INR 50 crore to INR 250 crore for failing to implement reasonable security safeguards to prevent personal data breaches, for failing to inform the Board and the affected Data Principals of data breaches, and for failing to comply with the additional responsibilities of Significant Data Fiduciaries. The most serious penalties under the Bill are for failing to comply with the data-breach responsibilities.

The Bill, unlike earlier proposals, does not allow harmed Data Principals to seek compensation for breaches by Data Fiduciaries. This may disincentivize people from pursuing costly adjudication before the courts.

SK Attorneys’ view

Personal data protection is a critical component in protecting everyone’s privacy. As a result, every Data Fiduciary should have the appropriate Human Resource Management Software that complies with personal data protection laws and procedures.

The Bill is enacted at the national level to enforce and govern personal data protection. Such laws impose duties on people, organizations and governments with respect to how they gather, use, store and share personal data.

The Bill seeks to govern the processing and protection of personal data in India, as well as to give individuals more control over their personal data. Several significant measures are proposed in the Bill, including data protection principles, data localization standards, individual data rights, the formation of a Data Protection Authority of India (DPA), and regulations for cross-border data transfers.

The export of personal data outside India is a major concern for large corporations operating in numerous other international jurisdictions. The Indian government may, after evaluating the relevant external considerations, decide that it is necessary to notify the countries or territories outside India to which Indian firms may transfer personal data. To move the locations where data is housed, organisations must re-architect and re-engineer their technology deployment, which is a one- to two-year effort; they can complete it, but not overnight. The Indian government will therefore need to provide some advance notice of the schedule and a general idea of which nations will be completely off-limits.

The high penalty for non-compliance, with a potential penalty of Rs. 500 crore, was another issue that was continually brought up after the Bill was made public. The Bill, however, omits to acknowledge or describe what compensation users will receive when their personal data has been compromised. If there is a data breach, the company is fined, and the money goes to the government. But what about the person whose data was compromised or breached? The person whose data was compromised should receive some form of reparation.

1. Persons – As defined under Section 2 (12) of the DPDP Bill, 2022
2. Data Principal – As defined under Section 2 (6) of the DPDP Bill, 2022
3. Board – As defined under Section 2 (2) of the DPDP Bill, 2022
4. As defined under Section 2 (8) of the DPDP Bill, 2022

Written by Saurabh Kumar (Managing Partner, SK Attorneys)
Saurabh Khanna (Associate Partner-Corporate)
Assisted by Laqshyaa Saluja and Akshat Angrish (Interns)

Legal Disclaimer: The information contained in this article is intended solely for the personal non-commercial use of the user who accepts full responsibility for its use. While we have taken every precaution to ensure that the content of this article is both current and accurate however, the information contained in this article is general in nature and should not be considered to be a legal, tax, consulting or any other professional advice. In all cases the reader should consult with professional advisors familiar with your particular factual situation for advice concerning specific matters before making any decisions.

Disclaimer: The views expressed in this feature article are of the author. This is not meant to be an advisory to purchase or invest in products, services or solutions of a particular type or, those promoted and sold by a particular company, their legal subsidiary in India or their channel partners. No warranty or any other liability is either expressed or implied.
Reproduction or Copying in part or whole is not permitted unless approved by author.
