In the current technology driven era, data[1] is the oil which governs the functioning of all entities, individuals, or a government body. As the significance and use of data, especially personal data[2] has tremendously increased in the modern day, the impressing need for a legislation to protect and safeguard such data and the privacy of an individual cannot be undermined.
The current legislation governing and protecting the use of personal data is the Information Technology Act, 2000 (“IT Act”) read along with the Information Technology (Reasonable security practises and procedures and sensitive personal data or information) Rules, 2011[3] (“SPDI Rules”). Further, in 2016, to govern Aadhaar number and matters ancillary to it, the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016, and the rules and regulations framed thereunder (“Aadhaar Act”) was introduced. However, the validity of the Aadhaar Act was subsequently brought in question before the Supreme Court and in the case of Justice K.S. Puttuswamy & ors. v. Union of India & ors.[4], the Apex Court held that right to privacy is an intrinsic right of an individual under the right to life and personal liberty. During the course of the proceedings, a committee of experts, called the Srikrishna Committee, was constituted with the dual object of reviewing the existing data protection norms in India and making appropriate recommendations for the regulations.
With the objective to regulate the e-commerce platforms in India and to protect the consumers from unfair trade practices being undertaken on these platforms, the Consumer Protection (E-commerce) Rules, 2020[5] were notified on 23 July 2020. Thereafter, to empower social media users and to prevent abuse and misuse of power by the social media intermediaries, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021[6] was notified on 25 February 2021 and replaced the earlier Information Technology (Intermediary Guidelines) Rules, 2011.
Despite enacting of such fragmented rules and regulations, India lacks a vigorous data protection law, aimed at safeguarding the privacy of its citizens. After a report submitted by the Srikrishna Committee in 2018, “The Personal Data Protection Bill, 2019” (“2019 Bill”) was introduced. However, after a plethora of changes suggested in the 2019 Bill, it was finally withdrawn in August 2022 which led to the Digital Personal Data Protection Bill, 2022[7] (“2022 Bill”). The 2022 Bill is open to feedback from public till 17 December 2022.
Salient features of the 2022 Bill
The 2022 Bill lays down the rights and duties of a Data Principal[8] and the obligations to use collected data lawfully by a Data Fiduciary[9] or a Data Processor[10].The 2022 Bill shall apply to processing of personal data within the territory of India where the personal data is collected online or is collected offline and is digitized. It shall also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any profiling[11] or activity of offering goods or services to Data Principal within the territory of India. However, 2022 Bill shall not apply to (a) non-automated[12] processing of personal data; (b) offline personal data; (c) personal data processed by an individual for any personal or domestic purpose; and (d) personal data about an individual that is contained in a record that has been in existence for at least 100 years.
Apart from the other notable provisions of the 2022 Bill, as mentioned herein, it is pertinent to note that it is the first Indian legislation wherein “she/her” is used to refer to an individual, irrespective of their gender.
Consent Mechanism: The 2022 Bill, unlike the SPDI Rules, requires consent of the Data Principal to be specific, informed, and unambiguous which is indicated by a clear affirmative action. Further, every request for consent should be presented along with the contact details of a Data Protection Officer appointed by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercising her rights. The 2022 Bill further provides for appointment of Consent Manager[13] in addition to the Data Protection Officer. Responsibilities of Data Fiduciary: As per the 2022 Bill, the Data Fiduciary shall be responsible for complying with the provisions of the 2022 Bill in respect of any processing undertaken by it or on its behalf by a Data Processor or another Data Fiduciary, irrespective of any agreement to the contrary. In the event of a personal data breach, the Data Fiduciary or Data Processor as the case may be, shall notify the Board[14] and each affected Data Principal, in such form and manner as may be prescribed. Personal Data of Children: The 2022 Bill has introduced, the following additional obligations for processing personal data of children[15]:
o before processing any personal data of a child, verifiable parental consent[16] is to be obtained. o tracking or behavioral monitoring or targeted advertising directed at children, cannot be undertaken. o any processing of personal data which may cause harm to a child, cannot be undertaken. Obligations of Significant Data Fiduciary: Like the 2019 Bill, the 2022 Bill also provides for specific obligations for Significant Data Fiduciary [17]. The Significant Data Fiduciary is required to:
o appoint a Data Protection Officer, based in India, who shall be an individual responsible to the board of directors or similar governing body of the Significant Data Fiduciary and be the point of contact for the grievance redressal mechanism; o appoint an independent data auditor to evaluate compliance; and o undertake period security measures like Data Protection Impact Assessment[18] and periodic audit. Rights of Data Principals: The 2022 Bill, provides the following rights to the Data Principal which are in addition to the rights granted under the SPDI Rule:
o Right to information: Data Principal shall have the right to obtain (a) a confirmation on whether the personal data is being processed; (b) a summary of all activities undertaken with respect to such data; and (c) identities of all Data Fiduciaries with whom such data has been shared. o Right to correction and erasure: Data Principal shall have the right to request the Data Fiduciary to correct, and/or update its personal data and erase such personal data that is no longer necessary for the purpose. o Right to nominate: Data Principal shall have the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity exercise the rights of the Data Principal. Duties of Data Principal: Unlike the previous legislations that have even been passed, the 2022 Bill along with granting various rights to the Data Principal, also, contains certain duties for the Data Principal and has provided a penalty of up to Rs 10,000/- for breach of the following duties- o she shall not register a false or frivolous grievance or complaint. o she shall, under no circumstances including while applying for any document, service, unique identifier, proof of identity or proof of address; furnish any false particulars or suppress any material information or impersonate another person. o she shall furnish only such information as is verifiably authentic while exercising the right to correction or erasure. Cross Border transfer of data: Upon enforcement of the 2022 Bill, the Central Government shall notify such countries or territories outside India to which a Data Fiduciary may transfer personal data. Establishment of the Data Protection Board: For the purpose of implementation of the provision of the 2022 Bill, the Central Government shall be required to establish the Data Protection Board of India. The allocation of work, receipt of complaints, formation of groups for hearing, pronouncement of decisions, and other functions of the Board shall be digital by design. Amendment to the RTI: Once the 2022 Bill is enacted, the Right to Information Act, 2005 (“RTI Act”) shall be modified to the extent that requires to prevent disclosure of any personal information to other citizen under any circumstance. At present, the RTI Act permits such disclosure wherein the disclosure is justified to serve larger public interest by Central Public Information Officer or the State Public Information Officer or is requested by Parliament, or a State Legislature.
Comparative analysis of the 2019 Bill and the 2022 Bill
The 2019 Bill was more General Data Protection Regulation oriented, however, the 2022 Bill is more focused on individual rights, public interest, and ease of doing business. The table below analyses the differences between the 2019 Bill and the 2022 Bill.
Conclusion
The 2022 Bill is drafted in a concise and direct manner; however, it is business centric in nature and the balance of convenience is tilted in favor of the large tech giants. The undemanding and flexible mechanisms provided therein makes compliance for Data Fiduciaries and Data Processors uncomplicated and serene, however they do not shield Data Principal adequately.
It can also be remarked that the provisions of the 2022 Bill are an extension of the existing SPDI Rules, Consumer Protection (E-commerce) Rules, 2020 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, owing to the similarity among them with regards to provisions relating to consent driven framework, grievance redressal mechanism, collection, disclosure and transfer of data, reasonable security practices and procedures to be undertaken by a body corporate, right to withdraw consent, etc. Undoubtedly, the 2022 Bill is wider in its ambit as it includes any person who processes personal data.
[1] “data” means a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means. [2] “personal data” means any data about an individual who is identifiable by or in relation to such data. [3] https://www.meity.gov.in/writereaddata/files/GSR313E_10511%281%29_0.pdf [4] MANU/SC/1054/2018 [5] https://consumeraffairs.nic.in/sites/default/files/E%20commerce%20rules.pdf [6] https://mib.gov.in/sites/default/files/DigitalMediaEthicsCodeRulesNotification.pdf [7]https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Potection%20Bill%2C%202022_0.pdf [8] “Data Principal” means the individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child. [9] “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. [10] “Data Processor” means any person who processes personal data on behalf of a Data Fiduciary. [11] “Profiling” means any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes, or interests of a Data Principal. [12] “automated” means any digital process capable of operating automatically in response to instructions given or otherwise for the purpose of processing data. [13] "Consent Manager" is a Data Fiduciary which enables a Data Principal to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform. It shall be an entity that is accountable to the Data Principal and acts on behalf of the Data Principal and is registered with the Data Protection Board of India. It shall be subject to such technical, operational, financial, and other conditions as may be prescribed. [14] “Board” means the Data Protection Board of India established by the Central Government. [15] “child” means an individual who has not completed 18 years of age. [16] Parental consent includes the consent of lawful guardian, where applicable. [17] The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, on the basis of an assessment of relevant factors, including (a) the volume and sensitivity of personal data processed; (b) risk of harm to the Data Principal; (c) potential impact on the sovereignty and integrity of India; (d) risk to electoral democracy; (e) security of the State; (f) public order; and (g) such other factors as it may consider necessary. [18] A process comprising description, purpose, assessment of harm, measures for managing risk of harm and such other matters with respect to processing of personal data, as may be prescribed. [19] Section 3 (3) of the Personal Data Protection Bill, 2019 defines "anonymized data" as data which has undergone the process of anonymization. Anonymization in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority.
Sl. No. | Subject matter of the non-compliance | Penalty |
1. | Failure of Data Processor or Data Fiduciary to take reasonable security safeguards to prevent personal data breach | Penalty up to Rs 250 crore |
2. | Failure to notify the Board and affected Data Principals in the event of a personal data breach | Penalty up to Rs 200 crore |
3. | Non-fulfilment of additional obligations in relation to Children | |
4. | Non-fulfilment of additional obligations of Significant Data Fiduciary | Penalty up to Rs 150 crore |
5. | Non-compliance with point 8, as stated above | Penalty up to Rs 10 thousand |
6. | Non-compliance with provisions of the PDPD Bill and any rule made thereunder | Penalty up to Rs 50 crore |