The Indian Union Government has recently unveiled an updated version of the personal data protection bill, now known as the Digital Personal Data Protection Bill, 2022. This revised bill has been introduced three months after the withdrawal of the previous Personal Data Protection Bill, 2019.
The Digital Personal Data Protection Bill, 2022, is built on seven key principles:
1. Lawful, Fair, and Transparent Use of Personal Data: Organizations must use personal data in a manner that is lawful, fair to the individuals involved, and transparent to those individuals.
2. Purpose-Limited Use of Personal Data: Personal data should only be used for the purposes for which it was originally collected.
3. Data Minimization: The bill emphasizes the importance of data minimization, meaning that only the necessary and relevant data should be collected.
4. Data Accuracy: The bill recognizes the significance of data accuracy during the collection process.
5. Limited Storage Duration: Personal data collected cannot be stored indefinitely by default. Instead, storage should be limited to a fixed duration.
6. Safeguards against Unauthorized Collection or Processing: The bill mandates the implementation of reasonable safeguards to prevent unauthorized collection or processing of personal data.
7. Accountability of Data Processors: The bill states that the individual or entity responsible for determining the purpose and means of processing personal data should be accountable for such processing.
I. Data Principal and Data Fiduciary:
a) Data Principal: Refers to the individual whose data is being collected. For children under 18 years of age, their parents or lawful guardians will act as their “Data Principals.”
b) Data Fiduciary: The entity, whether an individual, company, firm, or state, that decides the purpose and means of processing an individual’s personal data. Personal data is defined as any information by which an individual can be identified. Processing refers to the entire cycle of operations related to personal data.
c) Significant Data Fiduciary: This category includes entities that handle a large volume of personal data. The Central government will determine the designation based on various factors. Such entities must appoint a data protection officer and an independent data auditor.
II. Rights of Individuals:
a) Access to Information: The bill ensures that individuals have the right to access basic information in languages specified in the eighth schedule of the Indian Constitution.
b) Right to Consent: Individuals must provide consent before their data is processed. They should be informed about the specific personal data items collected by a Data Fiduciary and the purpose of such collection and processing. Individuals also have the right to withdraw their consent.
c) Right to Erase: Data principals have the right to request the erasure and correction of the data collected by the data fiduciary.
d) Right to Nominate: Data principals can nominate an individual to exercise these rights in the event of their death or incapacity.
III. Data Protection Board:
a) The bill proposes the establishment of a Data Protection Board to ensure compliance with the bill.
b) In case of an unsatisfactory response from a Data Fiduciary, consumers can file a complaint with the Data Protection Board.
IV. Cross-border Data Transfer:
a) The bill permits cross-border storage and transfer of data to specific countries and territories that have suitable data security landscapes, and where the Indian government can access data of its citizens.
V. Financial Penalties:
a) Penalties for Data Fiduciaries: The bill proposes significant penalties for businesses that experience data breaches or fail to notify users about such breaches. Penalties can range from Rs. 50 crores to Rs. 500 crores.
b) Penalties for Data Principals: Users who submit false documents during online service sign-ups or file frivolous grievance complaints may face fines of up to Rs. 10,000.
VI. Exemptions:
a) The government can exempt certain businesses from complying with certain provisions of the bill based on factors such as the number of users and the volume of personal data processed by the entity. This exemption aims to ease compliance burdens on startups that had expressed concerns about the previous Personal Data Protection Bill, 2019.
b) National Security Exemptions: Similar to the 2019 version, the bill allows the central government to exempt its agencies from adhering to certain provisions in the interest of India’s sovereignty, integrity, security, foreign relations, public order, or to prevent incitement to any cognizable offense.
The Digital Personal Data Protection Bill offers concessions on cross-border data flows, departing from the previous requirement of local data storage within India. It allows data transfer to select global destinations, which is expected to foster country-to-country trade agreements. The bill also acknowledges the right to post-mortem privacy (withdrawal of consent), which was absent in the previous Personal Data Protection Bill, 2019, but recommended by the Joint Parliamentary Committee (JPC).
India has strengthened its data protection regime through various initiatives:
1. Justice K. S. Puttaswamy (Retd) vs Union of India 2017: In 2017, the Supreme Court recognized the fundamental right to privacy as an intrinsic part of life and liberty under Article 21 of the Indian Constitution.
2. B. N. Srikrishna Committee 2017: The government established a committee of experts, chaired by Justice B. N. Srikrishna, which submitted a report in 2018 along with a draft Data Protection Bill. The report made comprehensive recommendations to enhance privacy laws in India, including restrictions on data processing and collection, the establishment of a Data Protection Authority, the right to be forgotten, and data localization.
3. Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021: These rules mandate social media platforms to exercise greater diligence in handling content on their platforms.
Overall, the Digital Personal Data Protection Bill, 2022, aims to safeguard personal data, establish rights for individuals, regulate data transfer, and ensure compliance through penalties and exemptions. It represents a significant step in India’s data protection efforts.