Digital Personal Data Protection Bill, 2022 – A Complete Analysis

Sherin Jose
| Updated: Nov 23, 2022 | Category: News, Other Services

The Digital Personal Data Protection Bill 2022 (Data Protection Bill, 2022) has been published by the government for public consultation. The Digital Personal Data Protection Bill 2022 is the most recent iteration in the data protection laws of the country. Following the landmark judgement of Justice K.S. Puttaswamy v. Union of India, 2017, which upheld the Right to Privacy as a Fundamental Right under Article 21 of the Constitution of India, the Ministry of Electronics and Information Technology (MeitY) introduced the first draft of the law called the Personal Data Protection Bill, 2018. After two more revised drafts, namely the Personal Data Protection Bill, 2019 and the Joint Parliament Committee’s[1] Data Protection Bill, 2021 (JPC Bill, 2021), both of which were withdrawn amid extreme criticism from various stakeholders, the government has published the new draft of the Data Protection Bill, 2022. The new draft aims at achieving a balance between the right of privacy of the citizens, the right of citizens over their personal data and the right of the private and government entities to use and process the data. This blog aims to provide an overview of the extant draft Digital Personal Data Protection Bill, 2022.

Major Principles behind the Digital Personal Data Protection Bill, 2022

The following are some major principles behind the Digital Personal Data Protection Bill, 2022:

  • The usage of personal data by organizations must be done in a fair, lawful, and transparent manner.
  • The usage of personal data shall be limited to the purpose it was taken for.
  • Data Minimization: only those aspects of personal data required to fulfil the specific purpose ought to be collected.
  • Reasonable effort is to be made to ensure that the data collected is accurate and complete.
  • Personal data should not be stored in perpetuity and not retained beyond what is required to achieve the specific purpose.
  • To prevent a breach of personal data, reasonable safeguards ought to be in place to prevent accidental disclosure or unauthorized use.
  • To ensure accountability, data fiduciaries (defined below) must be held accountable for the processing of data.

Applicability – Digital Personal Data Protection Bill, 2022

Unlike the previous drafts, the new bill applies only to “Digital Personal Data”, that is, personal data collected online from Data Principals (the individual to whom the personal data relates and, if such individual is a child, the parents or lawful guardian of the child), or personal data collected offline and then digitized.

The Digital Personal Data Protection Bill, 2022 excludes from its purview “non-personal data” and personal data which is collected manually. In the previous bills, only manual data collected by small entities was excluded. It also categorically excludes non-automated processing of personal data, personal data processed by individuals for domestic or individual purposes, and records of personal data of an individual which have been in existence for at least one hundred years.

It also provides no distinction between the types of personal data, namely, Critical Personal Data (CPD) and Sensitive Personal Data (SPD). The JPC Bill, 2021 and the 2019 Bill did include non-personal data within their purview.

It applies to processing digital data within the territory of India and to processing of digital personal data outside India if it is for providing goods or services to Data Principals in India.

Cross-Border Data Transfers

As per the previous iterations, personal data collected was to be stored in India and only transferred according to the contract or intra-group scheme approved by Data Protection Policy and only after obtaining consent from the Data Principal. The Data Protection Bill, 2022 does not refer to local storage but has provided new parameters for cross-border transfers. The extant 2022 Bill restricts the cross-border transfer of all personal data only to jurisdictions which have been approved and notified by the central government. There are certain exceptions in the bill where cross-border transfer to jurisdictions not notified by the government is allowed, namely, to enforce a legal right or prevent contravention of law or prosecution of an offence or to conduct other judicial and quasi-judicial functions.

Consent and Deemed Consent

Like the previous draft bills, consent is still the primary prerequisite to process the personal data of the Data Principals. Data Principals need to provide clear and unequivocal consent for having their data used for a “specific purpose.” If the Data Principal wishes to withdraw the consent given, the Data Fiduciaries (persons who determine the purpose and means of the processing of personal data) ought to instruct Data Processors to stop processing that person’s personal data, unless it is otherwise authorized under the extant bill or it is a necessity to process such personal data without consent. Such withdrawal of consent can be given through Consent Managers registered with the Data Protection Board. The Data Fiduciary only needs to provide notice to the Data Principal before processing personal data based on consent and not with respect to the processing of personal data with deemed consent. This notice should clearly provide for the specified purpose.

The Digital Personal Data Protection Bill, 2022 has introduced the concept of “deemed consent”. It provides for certain situations and circumstances where consent of the data principal is not required to process personal data. This applies to data provided voluntarily by the data principal or when such data is required to meet the demands of law or for “public interests” to prevent fraud or for information security, or for any fair and reasonable grounds which shall be determined by the government. Earlier draft bills placed the onus of determining “fair and reasonable purpose” on the Data Protection Authority.

Obligations on Data Fiduciaries and Data Processors – Digital Personal Data Protection Bill, 2022

  • Inform Data Protection Board of the Personal Data Breach

“Personal data breach” includes accidental disclosures, unauthorized use, sharing and processing of data. Data fiduciaries & data processors can be penalized up to Rupees 250 Crore for not following reasonable security safeguards for data protection and can be penalized up to Rupees 200 Crore for not reporting a personal data breach to the Data Protection Board. The 2022 Bill has placed the obligation on data processors as well to report breach of personal data. The maximum penalty which has been provided under the 2022 Bill is Rupees 500 Crore.

Data fiduciaries must maintain the completeness and accuracy of the data processed by them, remove data for which processing has been completed and establish a grievance redressal mechanism. They are to appoint a person to answer the data principal’s questions as to the processing of personal data.

  • If the Data Principal wishes to withdraw the consent given, the data fiduciaries must instruct Data Processors to stop processing that person’s personal data, unless it is otherwise authorized under the extant bill or it is a necessity to process such personal data without consent.
  • Data fiduciaries must obtain parental consent while processing children’s (individuals under the age of 18) data and cannot target or track advertisements to children.

Significant Data Fiduciaries

The government can notify entities which would be significant data fiduciaries based on the amount and sensitivity of the personal data they deal with, the risk to data principal and to electoral democracy, and the potential impact on the sovereignty and integrity of India. In addition to the obligations placed on data fiduciaries, the significant data fiduciaries have additional obligations to conduct data protection impact assessments, appoint an independent data auditor to assess compliance with the 2022 Bill, and appoint a data protection officer based in India.

Unlike the previous draft bills, the Digital Personal Data Protection Bill, 2022 does not automatically consider social media platforms with a considerable number of users or data fiduciaries dealing with children’s data as significant data fiduciaries. Also, earlier, only those significant data fiduciaries involved in large-scale profiling or the use of new technologies or using SPD were obligated to conduct data protection impact assessments. Now all significant data fiduciaries must conduct them.

Rights and Duties of Data Principals – Digital Personal Data Protection Bill, 2022

Under the Digital Personal Data Protection Bill, 2022, data principals have the right to:

  • Obtain information as to personal data being processed, processing activities and identities of data fiduciaries
  • Withdraw consent given to process personal data for a specific purpose
  • Seek correction and erasure of data
  • Nominate an individual on their behalf in case of death or incapacitation of the data principal
  • Seek grievance redressal

The JPC Bill, 2021 and the 2019 Bill provided for the right of data portability from one service provider to another. However, the Digital Personal Data Protection Bill, 2022 does not provide the same.

Unlike the previous draft bills, the Digital Personal Data Protection Bill 2022 places duties on the data principal: to comply with the provisions of the Bill while exercising the rights provided thereunder, to refrain from placing false or frivolous grievances against data fiduciaries, and not to furnish false particulars but to provide authentic information.

Data Protection Board of India

The data protection board shall be established by the central government, which will have the power to determine the composition, qualification and experience, selection, terms of appointment, and salary of the board. Even though the Digital Personal Data Protection Bill 2022 categorically states the independence of the board, unlike the previous draft bills, the central government clearly holds significant powers in the board’s functioning. The board is to enforce the provisions of the Bill, impose penalties, conduct hearings, summon and enforce attendance, and examine on oath, but it cannot prevent access to premises or detain equipment required in the functioning of the entity under inquiry. The 2022 Bill introduces the concept of voluntary undertakings, by which entities subject to the board’s proceedings agree to do or abstain from doing certain things. This ensures compliance and facilitates timely acceptance of violations.

The Digital Personal Data Protection Bill 2022 reduces the functions of the board, which are now restricted to adjudication and enforcement purposes only. The previous bills allowed the data protection authority to formulate regulations. However, the power to issue rules only vests with the central government as per the extant 2022 Bill.

Powers of the Government

Rule Making Power

The Digital Personal Data Protection Bill, 2022 gives wide rule-making and various other powers to the central government. The Central Government of India has the power to make rules determining “fair and reasonable” purposes to process personal data without the data principal’s consent, the power to appoint and make rules with respect to the functioning of the data protection board, the power to frame regulations, which was earlier the prerogative of the data protection authority, and the power to decide the form and manner of reporting data breaches.

Power to Grant Exemptions

The 2022 Bill also provides the power to the government to exempt state agencies from the application of the bill for reasons pertaining to the “interest of sovereignty & integrity of India, security of the state, friendly relations with foreign states, maintenance of public order or to prevent incitement of offences related to these”. It also has the power to exempt certain classes of data fiduciaries. The Digital Personal Data Protection Bill, 2022 has removed the requirement of “just, fair and reasonable procedures” provided for in the JPC Bill while granting exemption to state agencies, thus expanding the powers of the government to provide such exemption.

Conclusion

The Digital Personal Data Protection Bill, 2022 is the latest in the iterations brought out with a view to draft a comprehensive data protection law for India. The 2022 Bill is comprehensive yet concise when compared to the previous bill, which had 90 Sections as opposed to the 30 Sections in the 2022 Bill.

When compared with the previous draft bills, it is clear that the 2022 Bill gives overarching powers to the central government for the appointment of data protection officials under the data protection board and in granting exemptions to state agencies based on ambiguous and vague parameters like “national security” and “public order”. Experts have stated that there stands a grave threat of misuse as the government can collect and process data without following the provisions of the Bill while justifying it by saying that “national and public interest is at times greater than interests of an individual.” With respect to the penalties provided under the Bill, in contrast to the previous drafts where the penalty imposed was 4% of the entity’s annual turnover, the maximum penalty under the 2022 Bill is Rupees Five Hundred Crore. This may lead to data principals’ personal data being bought by entities with large turnovers. Many analysts have also spoken against the relaxation of data localization as this can make the data of citizens vulnerable and make it difficult to detect and punish non-compliance and breaches under the Bill in foreign jurisdictions. The Bill has received praise as well as criticism from various stakeholders from the industry and civil society. The Bill is open for receipt of public comments till the 17th of December 2022.

Sherin Jose

Sherin has degrees in Law and English Literature from the University of Delhi. She is adept at legal research and writing and enjoys discussing and analysing important legal developments. Her primary interests lie in Corporate, FinTech and IPR Law and she is always on the lookout for exploring new developments in the area. She is an avid reader who loves classics and contemporary fiction. She likes to travel, bake and obsess over cat videos in her free time.
