BACKGROUND OF THE BILL:
In India, data protection first drew serious attention in 2008, when an amendment to the Information Technology Act, 2000 (IT Act) was proposed in Parliament. The new Section 43A, introduced by the Information Technology (Amendment) Act, 2008 (Amendment), inter alia put an obligation on companies to protect all sensitive personal data and information that they possessed, dealt with or handled in a computer resource by implementing and maintaining reasonable security practices and procedures. The Amendment also imposed a penalty for non-compliance.
Data protection moved to the centre of attention when the Supreme Court delivered its judgment in K.S. Puttaswamy v. Union of India, which recognised ‘privacy’ as intrinsic to the right to life and liberty guaranteed by Article 21 of the Constitution of India, thus making the ‘right to privacy’ a fundamental right. The judgment linked the value of privacy to individual dignity. Thereafter, a Draft Personal Data Protection Bill was prepared and introduced by the Srikrishna Committee in 2018. The Personal Data Protection Bill, 2019 (“PDPB”) was later introduced in the Rajya Sabha. However, after several rounds of deliberation, feedback and discussion, it was withdrawn.
INTRODUCTION OF THE BILL:
The Ministry of Electronics and Information Technology (MeitY) on November 18, 2022 released its much-awaited personal data protection bill, the Digital Personal Data Protection (DPDP) Bill, 2022 (DPDP Bill), for public comments until December 17, 2022.
The Bill rests on seven principles:
> Usage of personal data by organisations must be done in a manner that is lawful, fair to the individuals concerned and transparent to individuals.
> Personal data must only be used for the purposes for which it was collected.
> Data minimisation: only the personal data needed for the stated purpose should be collected.
> Data accuracy at the point of collection.
> Storage limitation: personal data cannot be “stored perpetually by default”, and storage should be limited to a fixed duration.
> There should be reasonable safeguards to ensure that there is “no unauthorized collection or processing of personal data”.
> The person who decides the purpose and means of the processing of personal data should be accountable for such processing.
KEY HIGHLIGHTS OF THE BILL:
1. DATA PRINCIPAL AND DATA FIDUCIARY:
> Data Principal refers to the individual whose data is being collected. In the case of children (<18 years), their parents/lawful guardians will be considered their “Data Principals”.
> Data Fiduciary is the entity (individual, company, firm, state, etc.) which decides the “purpose and means of the processing of an individual’s personal data”.
> Personal Data is “any data by which an individual can be identified”.
> Processing means “the entire cycle of operations that can be carried out in respect of personal data”.
> Significant Data Fiduciary:
Significant Data Fiduciaries are those who deal with a high volume of personal data. The Central Government will decide who is designated under this category based on a number of factors. Such entities will have to appoint a Data Protection Officer and an independent Data Auditor.
2. RIGHTS OF INDIVIDUALS:
> Access to Information:
The Bill ensures that individuals should be able to “access basic information” in the languages specified in the Eighth Schedule of the Indian Constitution.
> Right to Consent:
Individuals need to give consent before their data is processed and “every individual should know what items of personal data a Data Fiduciary wants to collect and the purpose of such collection and further processing”. Individuals also have the right to withdraw consent from a Data Fiduciary.
> Right to Erase:
Data principals will have the right to demand the erasure and correction of data collected by the data fiduciary.
> Right to Nominate:
Data principals will also have the right to nominate an individual who will exercise these rights in the event of their death or incapacity.
> Data Protection Board:
The Bill also proposes to set up a Data Protection Board to ensure compliance with the Bill. In case of an unsatisfactory response from the Data Fiduciary, the consumers can file a complaint to the Data Protection Board.
> Cross-border Data Transfer:
The Bill allows cross-border storage and transfer of data to “certain notified countries and territories”, provided they have a suitable data security landscape and the Government can access the data of Indians from there.
3. FINANCIAL PENALTIES:
> For Data Fiduciary:
The Bill proposes significant penalties on businesses that suffer data breaches or fail to notify users when breaches happen.
Penalties range from Rs. 50 crore to Rs. 500 crore.
> For Data Principal:
If a user submits false documents while signing up for an online service, or files frivolous grievance complaints, the user could be fined up to Rs 10,000.
4. EXEMPTIONS:
The Government can exempt certain businesses from adhering to provisions of the Bill on the basis of the number of users and the volume of personal data processed by the entity. This has been done keeping in mind the country’s startups, which had complained that the Personal Data Protection Bill, 2019 was too “compliance intensive”. National security-related exemptions, similar to those in the 2019 version, have been kept intact.
The Centre has been empowered to exempt its agencies from adhering to provisions of the Bill in the interest of the sovereignty and integrity of India, security of the State, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognisable offence.
5. IMPORTANCE OF THE DATA PROTECTION BILL:
The new Bill offers significant concessions on cross-border data flows, in a departure from the previous Bill’s contentious requirement of local storage of data within India’s geography.
It takes a relatively soft stand on data localisation requirements and permits data transfer to select global destinations, which is likely to foster country-to-country trade agreements.
The Bill recognises the data principal’s right to post-mortem privacy (Withdraw Consent), which was missing from the PDP Bill, 2019 but had been recommended by the Joint Parliamentary Committee (JPC).
6. OBLIGATIONS OF THE DATA FIDUCIARIES AND/OR DATA PROCESSOR:
i. It shall be responsible for complying with the provisions of this Act in respect of any processing undertaken by it or on its behalf by a Data Processor or another Data Fiduciary;
ii. It shall ensure that the personal data processed by or on behalf of the Data Fiduciary is accurate and complete.
iii. It shall implement appropriate technical and organizational measures to ensure effective adherence with the provisions of this Act;
iv. It shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach.
v. In the event of a personal data breach, it shall notify the Board and each affected Data Principal, in such form and manner as may be prescribed;
vi. A Data Fiduciary must cease to retain personal data, or remove the means by which the personal data can be associated with particular Data Principals;
vii. Every Data Fiduciary shall publish the business contact information of a Data Protection Officer, if applicable.
viii. It shall place a procedure and effective mechanism to redress the grievances of Data Principals;
ix. It may, with the consent of Data Principal, share, transfer or transmit the personal data to any Data Fiduciary, or a Data Processor to process personal data on its behalf, only under a valid contract. Such Data Processor may, if permitted under its contract with the Data Fiduciary, further engage, appoint, use, or involve another Data Processor in processing personal data only under a valid contract.
x. The Data Fiduciary shall, before processing any personal data of a child, obtain verifiable parental consent in such manner as may be prescribed, and shall not undertake processing that is likely to cause harm to a child, nor tracking or behavioural monitoring of a child, nor targeted advertising directed at a child.
Additional obligations of Significant Data Fiduciary:
The Central Government has not yet notified any Significant Data Fiduciary; it shall do so on the basis of factors such as 1) the volume and sensitivity of personal data processed, 2) the risk of harm to the Data Principal, 3) the potential impact on the sovereignty and integrity of India, 4) the risk to electoral democracy, 5) security of the State, 6) public order, and others. A Significant Data Fiduciary shall:
i. appoint a Data Protection Officer;
ii. appoint an independent Data Auditor;
iii. undertake such other measures, including a Data Protection Impact Assessment and periodic audit.
Hefty penalties are also in store for companies breaching the obligation.
7. IMPACT OF THE BILL ON STAKEHOLDERS:
There are various stakeholders to this Bill, such as the Data Principal, Data Fiduciary, Significant Data Fiduciary, Data Processor and the Data Protection Board of India. The Bill sets out responsibilities for all of them.
Entities in the financial and insurance sector could play the role of Data Fiduciary in some cases and, in most instances, the role of Data Processor (one that processes personal data on behalf of a Data Fiduciary). Several financial and insurance sector entities are likely to be classified as Significant Data Fiduciaries, whereas entities in other sectors will mostly act as fiduciaries.
Data Fiduciaries (including Significant Data Fiduciaries) and Data Processors are both required to comply with the Bill and the obligations set out in it, once it is in force, while collecting and processing the data of Data Principals.
The Bill requires that the Data Principal receive an itemised notice in clear and plain language describing the personal data sought to be collected and the purpose of processing. The Bill also mandates that consent is obtained before a child’s data is processed.
8. ADDITIONAL COMPLIANCE BURDEN ON FINANCIAL & INSURANCE SECTOR (on being classified as Significant Data Fiduciary):
i. appointment of a Data Protection Officer;
ii. appointment of an independent Data Auditor;
iii. performing a Data Protection Impact Assessment; and
iv. responding to the Data Principal on:
The format, scope and approach of the DPDP Bill are much simpler than its earlier version. Several provisions are still left open-ended, and we will need to wait and watch what emerges as the law.