The Government has introduced a new Digital Personal Data Protection Bill, 2022 in the Parliament on November 18, 2022 paving the way for a more seriously thought-out law concerning data privacy and protection in India. The Bill, a third version of its kind, seeks to establish a comprehensive regime and regulatory framework for data privacy and protection. This update highlights and summarizes the key provisions of the Bill.
BACKGROUND
The Government of India (GoI) had tabled a Personal Data Protection Bill (PDPB) in the Parliament in 2019, but withdrew it in August 2022, after more than two years of deliberations with stakeholders and within the Joint Parliamentary Committee. The Joint Parliamentary Committee (JPC) proposed 81 amendments and 12 recommendations to integrate it into a "comprehensive legal framework".
The PDPB had faced substantial opposition and criticism from privacy and civil society activists due to provisions enabling the government’s access to data of the ‘Digital Nagrik’. Furthermore, tech industry giants like Google, Meta, and Amazon opposed the PDPB's data localization requirements, which mandated certain sensitive information to be stored within Indian territory.
Now, the Ministry of Electronics and Information Technology ('MeitY') has introduced a third version, titled the Digital Personal Data Protection Bill, 2022 ('the Bill'). Its Preamble inter alia states that the purpose of the Bill is to provide for the processing of digital personal data in a manner that recognizes both the rights of individuals to protect their personal data and the need to process personal data for lawful purposes.
SUMMARY
A concise summary of the proposed Bill is as follows:
Key Definitions
‘Personal Data’ has been defined as any data about an individual who is identifiable by or in relation to such data. The term ‘data’ here refers exclusively to digital data, excluding the non-digital data of any individual.
‘Data Principal’, in the Bill, refers to an individual to whom the data relates. In the case of a minor, it includes the parents or guardians of that minor.
'Data Fiduciary' is any person who, alone or with any other person, determines the purpose and means of processing the personal data.
The law will apply within the territory of India to such personal data that is collected online or offline in the digitized form. It also applies to personal data outside the territory of India if the processing of such data is intended to provide goods and services to data principals.
Obligations of Data Fiduciaries
Data Fiduciaries can process the personal data of Data Principals only after obtaining explicit or deemed consent. For this purpose, Data Fiduciaries must provide a notice to the Data Principal, in a prescribed form, detailing the personal data to be collected and the reasons for collecting it, in order to obtain her consent.
The Data Principal's consent must be freely given, specific, informed, and involve a clear affirmative action agreeing to the processing of her personal data for the specified purpose in the notice. If any part of the consent infringes upon this act, it should be deemed invalid. The Data Principal retains the right to withdraw her consent at any time through the 'Consent Manager.'
The burden of proof in case of disputes lies with the Data Fiduciary to demonstrate that notice was provided, and consent was freely given by the data principal.
The Bill outlines various conditions under which the Data Principal is deemed to have given her consent for processing her personal data if the nature of such processing is deemed necessary.
The general obligation of the Data Fiduciary is to comply with the provisions of this Act and make reasonable efforts to ensure that the personal data to be processed is accurate and complete, especially if the data is used to make decisions that affect the Data Principal or is disclosed to another Data Fiduciary. Additional obligations have been cast upon Data Fiduciaries regarding the processing of personal data of minors. Further, there are additional obligations to be followed by Significant Data Fiduciaries, who shall be notified by the Central Government.
Rights and Duties of Data Principals
The Data Principal is granted several rights under the Bill, including:
The right to information about her personal data being processed, including a summary of processed personal data, a list of data fiduciaries with whom her personal data has been shared, or any other prescribed information.
The right to correction and erasure of her personal data "in accordance with applicable laws and prescribed procedures." However, erasure requests may be denied if data retention is required by law.
The right of grievance redressal allows the data principal to register a grievance with the data fiduciary. If unsatisfied or if no response is received within seven days, she may file a complaint with the data protection board.
The right to nominate another individual to exercise her rights in case of her death or if she is incapacitated due to an unsound mind or body.
Further, the Bill outlines duties that the Data Principal must adhere to, including:
Compliance with all provisions of this Act.
Refraining from registering false or frivolous grievances or complaints with the data fiduciary or the board.
Not providing false particulars, suppressing material information, or impersonating another person.
Furnishing only verified and authentic information while exercising the right to correction and erasure.
Compliance Framework
The Bill establishes a compliance framework, including the establishment of the Data Protection Board of India. The composition of the Board, the process for selecting its members, including the chairperson, and the terms and conditions of appointment and service will be prescribed. No suit, prosecution, or legal proceedings shall be initiated against the Board, its Chairperson, Members, employees, or officers for actions undertaken in good faith under the provisions of this Act.
The Bill outlines the functions of the Board in detail and covers the process the Board must follow to ensure compliance with the provisions of the Bill. The Board has been entrusted with the power to review its own orders based on representations made to it. Appeals against the board's orders should be heard in the High Court. Appeals must be filed within sixty days from the date of the order.
The Bill provides for Alternative Dispute Resolution, allowing the Board to direct concerned parties to alternative dispute resolution options if it deems a complaint can be more appropriately resolved through mediation or other dispute resolution processes.
Financial penalties for non-compliance with the provisions of the Bill have been specified, with an upper limit of five hundred crore rupees for each instance.
Notably, the Central Government has been given the power to notify specific terms and conditions for countries or territories outside India, after proper consideration. Further, the Central Government may issue notifications exempting any instrumentality of the State from the Bill's provisions in the interest of India's sovereignty, integrity, security, friendly relations with foreign states, maintenance of public order, or prevention of incitement to cognizable offenses.
CONCLUSION
While the practical implementation of the Bill remains uncertain, it is anticipated to positively impact the Indian economy and individual privacy. Notably, the Bill's primary effects will be felt by tech companies (or, data fiduciaries) adhering to the stipulated data collection, storage, and processing standards. The Bill includes provisions aimed at enhancing data security, such as requiring businesses to implement reasonable measures to safeguard personal data. The Bill's presentation in the upcoming session of parliament is expected, as indicated by the Central Government during a hearing regarding WhatsApp's Policy before a constitution bench of the Hon'ble Supreme Court.
Authored by Jitin Bharadwaj, Advocate at Metalegal Advocates. The views expressed are personal and do not constitute legal opinion.