The digital personal data protection bill, 2022 – Is this the finale?

The Ministry of Electronics and Information Technology (MeitY) on November 18, 2022, published the Digital Personal Data Protection Bill, 2022 (“Bill”) for public consultation. The Bill in a concise and a simple manner creates a balance between the rights of an individual and protection of their privacy, and the need to process digital personal data for lawful purposes by organizations.

The Bill inculcates seven (7) globally recognised principles used for regulating collection and processing of digital personal data:

(a) lawful processing of digital personal data,

(b) purpose limitation,

(c) data minimisation,

(d) accuracy of digital personal data,

(e) storage limitation,

(f) implementing reasonable safeguards, and

(g) accountability. The various chapters of the Bill spur on these principles in a comprehensive manner, desiring a law for all citizens (Digital Nagriks).

Canny professionals will understand that the soul of the Bill resonates with the soul of the existing Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (law in India currently regulating collection and processing of sensitive personal data).

  • Commencement and Applicability: The Bill will be enacted upon notification by the Central Government. However, the Central Government may appoint different dates for enactment of different provisions of the Bill. The Bill will regulate processing of digital personal data of individuals within the territory of India. It is important to note that the applicability is linked to the individuals within India and not to their citizenship or residency and non-digital personal data is not covered under the Bill. The Government will have powers to exempt its agencies from the applicability of the Bill in the interest of sovereignty, security, integrity of India and to maintain its relations with foreign states. Processing of personal digital data, where processing is necessary, for enforcing any legal right or claim or for processing of personal data in compliance with an order of a court is exempted from the ambit of the Bill.
  • Notice: Organizations collecting and processing digital personal data (“Data Principal”) need to provide an itemised notice in clear and plain language to the individual providing digital personal data (“Data Fiduciary”). The notice must detail particulars of the digital personal data and purposes for which digital personal data is being collected and can be provided in English or any language specified in the Eight Schedule of the Constitution of India. The option of providing the notice in English or any regional language (as notified under the Eight Schedule of the Constitution of India) may trigger a scenario where the language in which such notice is issued by a Data Fiduciary is not known to the Data Principal resulting into an uninformed consent.
  • Consent: Consent provided by a Data Principal must be free, specific, informed, and unambiguous establishing a clear affirmative action of a Data Principal evidencing its agreement for processing of its digital personal data for the specified purposes. Data Principals must have an option to access such request in English or any regional languages (as notified under the Eight Schedule of the Constitution of India). The concept of ‘Deemed Consent’ under the Bill has attracted a lot of attention from the industry as it is being perceived as a hinderance to the autonomy of an individual’s rights over its personal data. Recognition of consent managers under the Bill is a positive move as it may help in effective compliance and implementation of the Bill.
  • Rights of Data Principals: Absence of right to be forgotten and right to data portability from the DPD Bill is surprising. Data Principals will have a right to withdraw their consent, demand correction and erasure of their digital personal data, and nominate an individual who will exercise their rights in the event of death or incapacity.
Gerald Manoharan
Partner, JSA
  • Data Fiduciaries: Data Fiduciaries will have to act in a manner consistent with the rights of the Data Principals inter alia ensuring lawful processing of digital personal data; implementing purpose limitation, data minimisation and storage limitation; maintaining accuracy of digital personal data; and implementing reasonable safeguards and accountability measures to protect digital personal data. Every Data Fiduciary is required to implement a grievance redressal mechanism and designate a person to address queries of a Data Principal. The Central Government may notify any Data Fiduciary to be a ‘significant data fiduciary’ based on an assessment of factors which inter alia includes (a) volume and sensitivity of personal data processed, (b) risk of harm to Data Principals, (c) sovereignty and safety of India, and (d) public order. Significant data fiduciaries are required to appoint a data protection officer for redressing grievances of Data Principals and an independent data auditor to evaluate its compliances under the Bill. Such data protection officer shall be based in India. Further, significant data fiduciaries are required to undertake impact assessment tests and data audits to be compliant with the Bill. A personal data breach must be notified by a Data Fiduciary to the data protection board (to be established under the Bill, (“Board”). It will be interesting to see whether Data Fiduciaries will be required to report a personal data breach to various authorities such as CERT-IN (Computer Emergency Response Team – India), the Reserve Bank of India (where applicable) and the proposed Board. The Bill proposes special provisions for processing of personal data of children (individual below the age of 18). Which requires Data Fiduciaries to obtain consent from the parent or guardian of the child before processing its digital personal data. Targeted advertising at children and behaviour monitoring of children can’t be undertaken by Data Fiduciaries.
  • Transfer of personal data outside of India: The Bill in this regard takes a simplistic approach and allows the Government to notify countries or territories outside of India to whom a Data Fiduciary may transfer personal data in accordance with terms and conditions as may be specified. The Bill does away with specific data localisation provisions which were emphasised upon in previous iterations of the draft law.
  • Data Protection Board and Penalties. The Bill proposes to establish a Board; the purposes, constitution, functions and powers of the Board has been detailed under Chapter 5 of the DPD Bill. The Board after conducting a fair inquiry may determine if the non-compliance under the DPD Bill is significant and may impose a financial penalty not exceeding INR 500,00,00,000 (Rupees Five Hundred Crores) in each instance. For certain subject matters the Bill provides specific penalties extending from INR 150,00,00,000 (Rupees One Hundred and Fifty Crores) and up to INR 250,00,00,000 (Rupees Two Hundred and Fifty Crores). Further, if a Data Principal is found in breach of its duties under the Bill, a Data Principal may also be penalised with a fine of up to INR 10,000 (Rupees Ten Thousand).
 
Manas Ingle
Senior Associate, JSA

This Bill is worded simply but takes a principles based regulatory approach which may give room for the law to evolve, laying its foundation on the rules and regulations that will be enacted under the Bill and the judicial precedents that may follow.

This article is co-authored by Manas Ingle, Senior Associate, JSA.

Disclaimer: The views expressed in this article are those of the author and do not necessarily reflect the views of ET Edge Insights, its management, or its members

Scroll to Top