Digital Personal Data Protection Bill, 2022

IN NEWS:

• The latest draft of the data protection law — the Digital Personal Data Protection Bill, 2022 (DPDP Bill, 2022) — has now been made open for public comments and the government is expected to introduce the Bill in Parliament in the budget session of 2023.

NEED OF DATA PROTECTION LAW:

• Uphold right to Privacy:
  • In the Js. Puttaswamy Vs Union of India case, 2017, the Supreme court declared that Right to Privacy forms a part of the fundamental rights. Hence specific laws have become the need of the hour.
• To ensure public safety and rule of law:
  • Digital revolution has led to unprecedented amounts of personal data being generated by users (data principals). When coupled with the computational power available today with companies (data fiduciaries), this data can be processed in ways that could impair the autonomy, self-determination, freedom of choice and privacy of the people. A dedicated law is essential to manage such concerns.
• Overcome legislative shortfalls:
  • The current legal framework for privacy enshrined in the Information Technology Rules, 2011 is inadequate to combat harms arising from the misuse data, since they have not been updated to suit the challenges of today’s connected world.
• Ensure data sovereignty:
  • Data is an essential resource that powers the information economy in much the way that oil has fueled the industrial economy. Hence, India needs to have appreciable control over data if it is to face the challenges in the coming future.
• Address cross sectoral nature of data:
  • Data is not confined to a single sector or a geographical boundary. Hence, protection of data needs an overarching regulatory framework. The IT Act does not serve this purpose, as it was developed to primarily address e-commerce trade in India.
• Enhance ease of doing business status:
  • India is among the countries not considered data secure by the EU. This creates difficult and cumbersome procedures. Recognition as a data secure country is vital for India to ensure meaningful data access across borders for business.
• Protect national interests:
  • India is home to the 2nd largest population of internet users and recorded 36.29 lakh cyber security incidents since 2019 till June 2022. Hence, much of the future’s economy and issues of national sovereignty will be predicated on the regulation of data.
• Taxing tech giants:
  • The processing of personal data has become an important source of profits for big corporations. Strong data protection legislation can help increase the ability of the Indian government to tax Internet giants.

BACKGROUND:

• The first draft of the law- the Personal Data Protection Bill, 2018, was proposed by the Justice B N Srikrishna Committee.
• The government made revisions to this draft and introduced the Personal Data Protection Bill, 2019. It was referred to a joint committee of both the Houses of Parliament.
• Later, the Data Protection Bill of 2021 was drafted, incorporating the recommendations of the JPC. However, in August 2022, citing the report of the JPC and the “extensive changes” that the JPC had made to the 2019 Bill, the government withdrew the PDP Bill.
• The current draft is the fourth iteration of a data protection law in India.

KEY FEATURES OF THE 2022 BILL:

• Applicability:
  • The law will cover personal data collected online and digitized offline data.
  • It will also apply to the processing of personal data abroad, if such data involves profiling Indian users or selling services to them.
• Consent:
  • Fiduciaries can only process personal data for which the user has given or is deemed to have given consent.
  • Fiduciaries must give the users a notice that describes what personal data will be collected and for what purpose.
  • The DPDP Bill, 2022 introduces the concept of “deemed consent”: Clearly defined situations wherein insisting on consent would be counterproductive have been listed under the Deemed Consent provision in the DPDP Bill.
• Other powers of data principals:
  • Users shall have the right to correction and erasure of their personal data.
  • Withdrawal of consent: Users should have their right to withdraw consent at any time with the same ease as they were able to give consent.
  • Right to post mortem privacy: The right to post mortem privacy would allow the data principal to nominate another individual in case of death or incapacity.
  • No company or organisation will be allowed to process personal data that is "likely to cause harm" to children, and advertising cannot target children. Before processing any personal data of a child, parental consent will be required.
• Responsibilities of fiduciary:
  • Companies will be required to stop retaining user data if it no longer serves the business purpose for which it was collected.
  • Grievance redressal mechanism: Data Fiduciaries must have in place a procedure and effective mechanism to redress the grievances of Data Principals.
• Data Protection Board:
  • The government will establish a "Data Protection Board" for ensuring compliance with the proposed law.
  • The board will also hear user complaints and can levy six types of financial penalties for non-compliance. The Board will have the power to impose a penalty of up to Rs 500 crore.
• Powers of the government:
  • The government can exempt state agencies from processing data from the proposed law in the interest of national security.
  • The government will have the power to specify the countries to which companies can transfer personal data. This will allow companies to send user data to servers located in countries on that list.
• Data auditor:
  • Companies of "significant" size - based on factors such as the volume of data they process - should appoint an independent data auditor to evaluate compliance with provisions of the law.
• Recognition of consent managers:
  • A consent manager platform enables an individual to have a comprehensive view of his/her interactions with Data Fiduciaries and consent given to them. The DPDP Bill has recognised Consent Managers.

CRITICISM OF THE DRAFT:

• Limited coverage:
  • The bill inadvertently, seems to exclude protections to personal data processing of non-residents of India by data fiduciaries in India. This would impact statutory protections available for clients of Indian start-ups operating overseas, thereby impacting their competitiveness.
• Expansive exemptions:
  • The DPDP Bill, 2022 is inapplicable to data processed manually. This provides for a lower degree of protection as the earlier drafts only excluded data processed manually specifically by “small entities” and not generally.
• Government control:
  • The central government can issue notifications to exempt its agencies from adhering to provisions of the draft law for national security reasons. Moreover, storage limitation does not apply to government agencies which means they can continue to retain personal data for an unlimited period.
  • The new Bill has just 30 clauses compared to the more than 90 in the previous one, mainly because many operational details have been left to subsequent rule-making.
• Questionable autonomy of the proposed Data Protection Board:
  • The draft law leaves the appointment, composition of the board, terms of service etc. of the chairperson and members of the Data Protection Board entirely to the discretion of the central government.
• Dilution of previous provisions:
  • The current draft does away with the concept of “sensitive personal data”. Hence, important personal data (biometric data, health data, genetic data etc.) lose their higher degree of protection.
  • The Bill also reduces the information that a data fiduciary is required to provide to the data principal and removes explicit reference to certain data protection principles such as collection limitation.
• Obligations on the data fiduciaries:
  • The DPDP Bill, 2022 places duties on data principals. If they are non-compliant, it could lead to penalties upto Rs. 10,000. Such provisions are one of its kind among data protection legislations and may hinder data principles from exercising their rights for fear of penalties.
• Vague provisions:
  • There exist some concerns around vaguely worded grounds such as “public interest”.
• Effectiveness consent-based processing:
  • Making collection solely contingent on consent/deemed consent, ignores the fact that data principals often do not have the requisite know-how of what kind of personal data is relevant for a particular purpose.
  • Under the proposed Act, in case of a data breach, the victim cannot seek monetary compensation.

CONCLUSION:

• The revised Bill has dropped some of the more contentious rules that govern cross-border data flows after facing considerable opposition from Big Tech. But, the arguably contentious provisions, which will vest greater power with government as opposed to an independent statutory authority, need to be reexamined.
• The draft is open for public comment till December 17, 2022. The Bill is expected to be tabled in the Budget session of parliament next year.

PRACTICE QUESTION:

Q. Critically analyse the salient features of the Digital Personal Data Protection Bill, 2022.