Overview of the New Digital Personal Data Protection Bill, 2022

Meenakshi Gupta (Senior Associate) and Navanshu Mishra (Associate) have summarised the DPDP Bill, 2022

The heavily hyped Digital Personal Data Protection Bill, 2022 (“DPDP Bill, 2022”) was issued on November 18, 2022 by the Ministry of Electronics and Information Technology.

Brief history of the DPDP Bill, 2022:

The right to privacy has been upheld by the Hon’ble Supreme Court of India as a fundamental right (K.S. Puttaswamy v. Union of India [2017]). The ‘Justice Srikrishna Committee’, appointed by the Ministry of Electronics and Information Technology, came up with the first draft of the legislation, the Personal Data Protection (PDP) Bill, 2018. In 2019, the Government amended this draft and presented it to the Lok Sabha as the Personal Data Protection Bill, 2019. Further, a move to send the PDP Bill, 2019 to a joint committee of both Houses of Parliament was approved by the Lok Sabha on the same day.

The Joint Committee on the PDP Bill, 2019 issued its findings after two years, in December 2021, because of delays due to the pandemic, and drafted the Data Protection Bill, 2021, a new Bill that included the Joint Committee’s suggestions. However, on August 3, 2022, the Government withdrew the PDP Bill, 2019 and made substantial amendments to it.

Then, on November 18, 2022, the Ministry again came up with a new draft, the Digital Personal Data Protection Bill. This draft DPDP Bill, 2022 is open for public comments till December 17, 2022 and is expected to be introduced in Parliament in the Budget session of 2023.

Key Features of the DPDP Bill, 2022:

This new Bill contains a total of 6 chapters with 30 sections, along with 1 schedule.

  • The purpose of the Bill is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith. “Personal data” shall mean any data about an individual who is identifiable by or in relation to such data.
  • The provisions of this Bill shall apply to the processing of digital personal data within the territory of India where: (a) such personal data is collected from Data Principals online; or (b) such personal data is collected offline and then digitised.
  • The provisions of this Bill shall also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any profiling of, or activity of offering goods or services to Data Principals within the territory of India, or upon receipt of approval from the Central Government.

Whereas, “Data Principal” shall mean an individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child; and

“Profiling” shall mean any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a Data Principal.

  • The provisions of this Bill shall not apply to (a) non-automated processing of personal data; (b) offline personal data; (c) personal data processed by an individual for any personal or domestic purpose; and (d) personal data about an individual that is contained in a record that has been in existence for at least 100 years.

Who are Data Fiduciaries and how can they process Personal Data?

“Data Fiduciary” is defined in the Bill as any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data. Data Fiduciaries may only process personal data with consent or deemed consent, and only for a lawful purpose for which the Data Principal has given, or is deemed to have given, consent.

Data Fiduciaries must provide users with a notice that describes what personal data will be collected and for what purpose, as soon as it is reasonably practicable. The notice must be presented in the form of a document, in an electronic form, or in any other form as may be prescribed. Furthermore, the Data Fiduciary shall give the Data Principal the option to access the information in English or in any language specified in the Eighth Schedule of the Constitution of India, and the language of the notice should be plain.

Roles and responsibilities of Data Fiduciaries:

In order to process the personal data, the Data Fiduciary may, where consent of the Data Principal has been obtained, share, transfer or transmit the personal data to any Data Fiduciary, or engage, appoint, use or involve a Data Processor to process personal data on its behalf, only under a valid contract.

Further, there are certain other responsibilities and obligations as well, which the Data Fiduciary must follow, such as, (i) it shall make reasonable efforts to ensure that personal data processed by or on behalf of the Data Fiduciary is accurate and complete; (ii) shall implement appropriate technical and organizational measures to ensure effective adherence with the provisions of the Act; (iii) shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach; (iv) must cease to retain personal data, or remove the means by which the personal data can be associated with particular Data Principals, when the purpose for which such personal data was collected is no longer being served by its retention or is no longer necessary for legal or business purposes.

Additional responsibilities of Data Fiduciaries while handling children’s data:

In addition to the above-mentioned roles and responsibilities, the Data Fiduciary, before processing any Personal Data of a child in any way, shall obtain verifiable parental consent and should not process Personal Data in a way that is likely to harm a child. According to the Bill, harm includes any physical injury, identity theft, or other forms of harassment, as well as preventing a lawful gain or causing a substantial loss. There should be no tracking or behavioural monitoring of children, and no targeted advertising directed at them. However, the above-mentioned conditions shall not apply to processing of Personal Data of a child for such other purposes as may be prescribed later.

Concept of Deemed Consent:

In order to process personal data, consent should first be obtained from the Data Principal. Consent of the Data Principal means any freely given, specific, informed and unambiguous indication of the Data Principal’s wishes by which the Data Principal, by a clear affirmative action, signifies agreement to the processing of her personal data for the specified purpose.

A Data Principal is deemed to have given consent to the processing of Personal Data if such processing is necessary in any of the following situations: where the Data Principal voluntarily provides the personal data to the Data Fiduciary; for the performance of any function under any law; for responding to a medical emergency involving a threat to the life, or an immediate threat to the health, of the Data Principal or any other individual; for purposes related to employment, including prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property and classified information, recruitment, termination of employment, provision of any service or benefit sought by a Data Principal who is an employee, verification of attendance and assessment of performance; and in the public interest.

Rights and obligations of the Data Principal:

The user/Data Principal has the right to know from a Data Fiduciary whether or not that Data Fiduciary is processing or has processed their personal data. If so, the Data Fiduciary shall provide a summary of the Personal Data being processed and the processing activities carried out by the Data Fiduciary; the identities of all those with whom personal data has been shared, along with the categories of personal data shared; and any additional information as prescribed.

In accordance with the existing laws and in such manner as may be prescribed, the Data Principal has the right to request the rectification and deletion of their Personal Data. However, such requests may be turned down by the Data Fiduciary if the data needs to be retained for legal reasons.

Users/Data Principals are entitled to file a complaint with a Data Fiduciary. The user may then file a complaint with the Data Protection Board, in such manner as may be prescribed, if the Data Fiduciary’s response is unsatisfactory or no response is received within seven days.

While exercising the rights granted herein, users/Data Principals are required to abide by all applicable laws. A Data Principal should not approach a Data Fiduciary or the Board with a fictitious or frivolous complaint. Further, a Data Principal should not conceal any relevant information, provide any false information, or impersonate another person. Data Principals who exercise their right to rectification or erasure should only submit information that can be independently verified as accurate.

Establishment of the Data Protection Board of India:

The Central Government may, by notification, establish the Data Protection Board of India, wherein the allocation of work, receipt of complaints, formation of groups for hearing, pronouncement of decisions and other functions of the Board shall be digital by design.

The Board shall perform various functions, including but not limited to: identifying non-compliance; identifying violations and imposing suitable sanctions; issuing directions in order to carry out its duties; in the event of a personal data breach, directing the Data Fiduciary to adopt any urgent measures to remedy such Personal Data breach or mitigate any harm caused to Data Principals; issuing directions from time to time, as it may consider necessary, to any person, who shall be bound to comply with the same; and, on its own motion, modifying, suspending, withdrawing or cancelling any such direction already issued.

Financial Penalty that can be imposed:

In the event the Data Protection Board determines, on conclusion of an inquiry, that non-compliance by a person is significant, the Board may, after giving the person a reasonable opportunity of being heard, impose a financial penalty as specified in Schedule 1 of the Bill.

Our Conclusion: 

It is the need of the hour to implement laws in India relating entirely to data protection, data processing and the imposition of penalties for violations thereof. In this new era of digitalisation, it is crucial, especially for the corporate world, to have a precise and conventional law for data processing.

This newly proposed Bill has been brought into being only after a comprehensive review of data protection and data processing laws worldwide, such as the General Data Protection Regulation (GDPR) of the European Union, which specifically applies to the processing of personal data and to processing activities carried out by both government and private entities. However, even though the GDPR has been taken as a reference, it can be said that this newly proposed Bill is not stringent enough and does not impose many obligations on organisations processing data.

Further, several exemptions from the application of the provisions of the Bill have been provided thereunder, such as processing by any instrumentality of the State in the interests of the sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order, or preventing incitement to any cognizable offence relating to any of these. As terms such as “sovereignty and integrity of India” cannot be precisely defined, the authorities could misuse the exemptions so provided.

It can be concluded that, in order to cover the various sectors of industry and to implement more comprehensive and stringent laws, this Digital Personal Data Protection Bill, 2022 needs to push the envelope and raise the bar.

*****