Explained: Digital Personal Data Protection Bill
The bill envisions the governance of digital personal data by providing a legislative framework that highlights the rights and duties of the ‘Digital Nagarik’.
The draft Digital Personal Data Protection Bill 2022 (Bill) which received the approval of the Union Cabinet on July 5, is expected to be taken up in the 12th Session of the 17th Lok Sabha.
The bill envisions the governance of digital personal data by providing a legislative framework that highlights the rights and duties of the ‘Digital Nagarik’ and the obligations of the business.
The bill is based on similar underlying principles which are the basis of personal data protection laws in other jurisdictions including the General Data Protection Regulation (GDPR).
These include lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability. Fundamentally, the bill is based on sound principles and envisions to safeguard data privacy without overburdening business.
The bill is the fourth iteration of the proposed data protection framework introduced by the Government of India in the last six years since the recognition of the Right to Privacy as a fundamental right under the constitution by the honourable Supreme Court of India.
It is much leaner in scope as compared to the previous iterations. The bill has been drafted in plain and simple language without any provisos with the intention of making it easy to understand and comply with by individuals and organisations. It aims to put forward a robust mechanism with strict obligations for organisations including technology, healthcare, telecommunication, banking, finance, e-commerce and many more that process personal data at a large scale.
The bill was released last year on November 18 for public consultation. Since then, the bill has received 20,000 comments from experts and industry stakeholders. Interestingly, as per officials there has not been much change between the proposed draft that was circulated for public consultation and the final Bill that will be tabled in Parliament. Some the key provisions to look out for in the current draft bill are the following:
Definition of Personal Data
The definition of ‘personal data’ has been simplified in the current draft. It means any data that can help in identification of an individual. The latest iteration does not classify the personal data further into sensitive personal data or critical personal data leading to reduction of the compliance requirements.
Applicability and scope
It applies to the processing of ‘Digital Personal Data’ and excludes from its ambit both non-personal data and data in non-digital formats.
It applies to processing digital personal data within the territory of India. It also applies to processing of digital personal data outside India if such processing is in connection with any profiling or offering goods or services to data principals within India.
It does not apply to non-automated processing, processing for domestic or personal purposes by individuals, and personal data about individuals contained in records that have been in existence for at least 100 years.
The bill provides that the personal data of an individual can only be processed for a lawful purpose for which the concerned individual has given consent or is deemed to have given her consent. Consent refers to a clear affirmative action that signifies an agreement for their data to be processed for a specific purpose. It should be free, specific, informed and unambiguous.
The current draft of the Bill has introduced the concept of ‘Deemed Consent’ which refers to situations where consent is not expressly needed. These circumstances largely seem rather broad, leaving a lot of scope for subjective interpretation.
For example, consent shall be deemed to have been given if the processing is necessary “for the purposes related to employment” or “in public interest” etc. These grounds significantly undermine the protection accorded to the employee data and has the potential of misuse respectively as these rights are provided to every data fiduciary.
Data localisation and cross border transfer
The current draft Bill permits relaxed data localisation requirements and permits cross-border data flow to certain countries and territories as may be notified by the central government. Unlike the previous iteration the Bill does not prescribe local storage or localization requirements.
A Data Protection Board will be set up to determine non-compliance and imposition of penalty. Interestingly, the Board will be ‘digital by design’ and will also accept voluntary undertakings.
Retention of personal data
The current draft permits the data fiduciaries to retain the personal data for ‘Business Purpose’ even after the purpose for collection is no longer served by its retention.
Significant Data Fiduciary
The Bill prescribes that the Central Government may after performing an assessment on the basis of relevant factors, notify a Data Fiduciary or Class of Data Fiduciaries as a ‘Significant Data Fiduciary’.
The concept of Significant Data Fiduciary and the power to designate one has remained unchanged from the previous iteration of the Bill. One of the most significant changes in the current draft is that it does not automatically consider social media platforms that meet a specified user threshold to be Significant Data Fiduciary.
Secondly, the latest draft mandates performance of Data Protection Impact Assessment for all the Significant Data Fiduciaries.
Personal Data Breach
A Personal Data Breach refers to unauthorised processing or accidental disclosure, use, sharing, acquisition etc of personal data. The Bill prescribes a fine of INR 200 crores if the data fiduciary or the data processor fails to report a personal data breach to the Data Protection Board and affected individuals. Further, the Data Fiduciary or Processor can be penalised up to INR 250 crores for failure to ensure reasonable security safeguards.
|S. NO||DESCRIPTION OF NON-COMPLIANCE||PENALTY PRESCRIBED|
|1||Failure of data processor or fiduciary to take reasonable security safeguards to prevent personal data breach||Up to ₹250 crore|
|2||Failure to notify the Board and affected Data Principles in case of a personal data breach||Up to ₹200 crore|
|3||Non-fulfilment of additional obligations in relation to the processing of children's personal data||Up to ₹200 crore|
|4||Non-fulfilment of additional obligations by Significant Data Fiduciary||Up to ₹150 crore|
|5||Any other non-compliance with the provisions of the Bill||Up to ₹50 crore|
The Bill provides that if the Board pursuant to an inquiry determines that non-compliance by a person is significant then it may impose a penalty as specified in Schedule 1 of the Bill, not exceeding INR 500 Crores in each instance.
(Akshat Shonak is law graduate who specialises in Data Protection law)