After several iterations of the Data Protection Bill, the Indian Ministry of Electronics and IT (MeitY) released the fourth draft which is known as the Digital Personal Data Protection Bill, 2022 (DPDP Bill) on November 18, 2022. The latest version of the Bill has been introduced three months after the withdrawal of the Data Protection Bill, 2019, which sparked outrage from major tech and civil society. The 24-page draft, for the first time in the history of Indian Legislation, uses she/her to address all genders and is open for public feedback until December 17. Further, it is a noticeably precise version in comparison to the drafts proposed in 2018 and 2019, and imposes harsh penalties for data breaches and non-compliance with the law. The government is expected to introduce this Bill during the next Budget Session of Parliament in February 2023.
The Bill primarily addresses individuals' personal digital data collected online or offline. As per Section 4(1)(b) of the proposed draft, such personal data collected offline has to be digitized for the provisions of the Bill to be applicable. Further, the Bill seeks to establish a Data Protection Board of India (“the Board”) that will regulate safe use of data and ensure effective compliance.
The rules and guidelines of the Bill also apply to digital personal data that is processed outside the territory of India, for example, when we share our date of birth with apps, or our card details with online shopping apps, of foreign origin or operating out of foreign countries. The ambit of the term ‘person’ in the Bill is quite elaborate. Besides an individual, it includes, a Hindu Undivided Family, a company, a firm, a group of people, whether incorporated or not, the State, and all artificial entities capable of suing and being sued in a Court of Law.
The Bill takes into account existing global standards and laws, while remaining consistent with the Supreme Court's ruling on privacy being included under the ambit of fundamental rights, but within reasonable limits. The importance of privacy became apparent when a 9-Judge Bench of the Hon'ble Supreme Court, in the case of Justice K.S. Puttaswamy (Retd.) v. Union of India, on August 24, 2017, acknowledged the right to privacy as a fundamental right under the Indian Constitution that is an intrinsic part of life and liberty under Article 21. The declaration of privacy as a right and an essential component of the right to life and liberty marked a significant milestone in the constitutional history of data protection.
Further, by establishing the rights and duties of Data Principal and Data Fiduciary, the Bill attempts to establish a framework that prioritizes the data protection of citizens. In addition, the Bill proposes lifting restrictions on data flow by permitting cross-border transfer of data. This move facilitates the ease of doing business and is a positive step towards turning India into a corporate haven and achieving the goal of a USD 1 trillion digital economy, keeping in mind public interest and national security.
The Data Fiduciary, any entity that has the purpose and means of processing an individual’s personal data, should provide a notice that is understandable (simple, in English or any of the languages recognized by the Constitution of India) to the Data Principal explaining about the collection of such sensitive personal digital data and the reason for seeking their consent. Furthermore, the notice must include the contact information of the Data Fiduciary's representative (Data Processor) who can respond to communications from the Data Principal. Moreover, when the Data Principal gives the consent for processing her data, she can also retract or withdraw the consent at any time while facing the resulting consequences. A Data Processor is any person who processes data on behalf of the Data Fiduciary.
The Bill introduces the role of Consent Managers (to be registered with the Board), allowing Data Principals to review, manage, and withdraw consent. Further, the Bill establishes provisions for ‘Deemed Consent’ in situations mentioned, such as inferred consent, medical emergency, public interest, etc.
The obligations of Data Fiduciary include taking reasonable efforts to ensure that the data is accurate and complete and maintain security safeguards and not retain any Data whose purpose has expired or is no longer necessary. However, this obligation will not apply to any data processed by the State or an instrumentality of the State.
In the event of a data breach, the Data Fiduciary or Data Processor accordingly, is to notify the Board and each affected Data Principal.
The Data Fiduciary, as per the provisions of the Bill, has to publish the business contact information of its representative, i.e., Data Protection Officer. Moreover, having a procedure for an effective grievance redressal mechanism is crucial.
Significant Data Fiduciaries (SFDs) are not defined in the Bill, however, they will be identified by the Central Government based on the amount of personal data they hold, not necessarily depending on the number of its subscribers. The Bill recommends that the criteria for establishing Significant Data Fiduciaries be expanded beyond the number of registered users to include relevant factors such as the volume and sensitivity of personal data processed, the risk of harm to the Data Principal, the risk to electoral democracy, and the risk to public order, etc., and is considered to be a step forward from the traditional approach of handling data. Further, SDF shall appoint a Data Protection Officer and an Independent Data Auditor, and undertake a Data Protection Impact Assessment.
As per the provisions of the Bill, Data Principal is entitled to obtain confirmation and a summary of Data being processed by Data Fiduciary and a list of identified Data Fiduciaries with whom such Data has been shared. Additionally, she has a right to procure correction and erasure of data, to grievance redressal by Data Fiduciary and the Board, and to nominate an individual to exercise such rights in the event of her death or incapacity.
Further, the Bill lays down the duties of Data Principal, which include, non-registration of a false or frivolous complaint, not furnishing false particulars, suppressing material information, or impersonating while providing identification, and furnishing verifiable and authentic information while exercising the right to correction or erasure.
Further, the Bill proposes to establish the Board for the enforcement of provisions, determination of non-compliance, and imposition of financial penalties. The Board will function as a digital office, and an online dispute resolution mechanism will be implemented to resolve conflicts in accordance with the proposed Act. In addition, the Board will have powers to conduct inquiries, give directions, issue summons, warnings, and interim orders, request assistance from officers, and impose costs and penalties.
Any Order of the Board will be deemed as a Decree of a Civil Court and the Board has exclusive jurisdiction in respect of any matter under the provisions of the Bill. The Board has power of review, and an appeal against any order of the Board will go to the High Court. Moreover, the Board can refer any complaint for alternate dispute resolution, like arbitration.
For a timely resolution, the Board may accept a voluntary undertaking in lieu of penalty for non-compliance with the Bill, which will consequently limit proceedings under the Bill.
Lastly, the Bill establishes the provision for Financial Penalty. It emphasizes financial penalties rather than a criminal conviction and proposes to provide for graded financial penalty up to INR 500 crores. The grading will be determined on the basis of variables provided under the Bill. Failure of compliance by a Data Fiduciary or Processor can result in a penalty of up to INR 250 crores, while failure to comply by a Data Principal can result in a penalty of up to INR 10,000.
Author: Aleema Nishat, Research Associate, Law, Rainmaker Online Training Solutions Directions and Contributions: Akanksha Arora, AVP - Legal, Rainmaker Online Training Solutions
DISCLAIMER – No information contained in this website may be reproduced, transmitted, or copied (other than for the purposes of fair dealing, as defined in the Copyright Act, 1957) without the express written permission of Rainmaker Online Training Solutions Pvt. Ltd.
