An estimated 137 out of 194 countries have put in place legislation to secure the protection of data and privacy, with Africa and Asia showing 61% (33 countries out of 54) and 57% adoption respectively, according to data from the United Nations Conference on Trade and Development (UNCTAD), an intergovernmental organisation within the United Nations Secretariat. Only 48% of Least Developed Countries (22 out of 46) have data protection and privacy laws.
In India, after several iterations of the Personal Data Protection Bill, the Ministry of Electronics and IT (MeitY) has released a revised draft known as the Digital Personal Data Protection Bill, 2022 (DPDP Bill). The 24-page draft was released three months after the withdrawal of the earlier Data Protection Bill and is open for public feedback until December 17. It is a noticeably slimmer version of the drafts proposed in 2018 and 2019, down from about 90 clauses to 30, and it levies heavy penalties for data breaches and non-compliance with the law. The Government hopes to introduce the Bill in the Budget session of Parliament in February 2023.
The history goes back to August 24, 2017, when a nine-judge bench of the Hon’ble Supreme Court, in Justice K.S. Puttaswamy (Retd.) v. Union of India, recognised the right to privacy as a fundamental right under the Constitution of India, intrinsic to the right to life and personal liberty under Article 21. The declaration of privacy as a fundamental right, and as a pivotal part of the right to life and liberty, was a tipping point in the constitutional history of data protection in India.
- August 2017: The Central Government appoints a Committee of Experts on Data Protection under the chairmanship of Justice B. N. Srikrishna.
- July 2018: The committee submits its draft Personal Data Protection Bill, 2018 to MeitY, which then begins drafting the next iteration of the Bill.
- December 2019: The Personal Data Protection Bill, 2019 is tabled in Parliament and referred to a Joint Parliamentary Committee (JPC) for review.
- December 2021: After multiple extensions and a change of chairperson, JPC Chairperson P. P. Chaudhary tables the JPC report on the PDP Bill, 2019, together with the draft Data Protection Bill, 2021, in Parliament.
- August 2022: On August 3, MeitY withdraws the Data Protection Bill, 2021 from Parliament, stating that a more “comprehensive legal framework” will be presented soon.
APPLICABILITY OF DPDP BILL
Clause 4 of the Bill sets out where it applies and where it does not. The Bill applies to:
- processing of personal data collected within the territory of India, whether the data is collected online or collected offline and then digitised;
- processing of personal data outside India, if the processing is in connection with profiling people in India or offering goods and services to people in India. Profiling here means “any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a Data Principal.”
The Bill does not apply to:
- non-automated processing of personal data;
- offline personal data;
- personal data processed by an individual for any personal or domestic purpose;
- personal data about an individual that is contained in a record that has been in existence for at least 100 years.
The key terms defined in Clause 2 of the Bill are as follows:
- Data: “a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means.”
- Data Fiduciary: “Any person who alone or in conjunction with other persons determines the purpose and means of the processing of personal data.”
- Data Principal: “The individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child.”
- Data Processor: “Any person who processes personal data on behalf of a Data Fiduciary.”
- Personal data: “Any data about an individual who is identifiable by or in relation to such data.”
- Processing: “An automated operation or set of operations performed on digital personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.”
- Public interest: the interest of any of the following:
  - sovereignty and integrity of India;
  - security of the State;
  - friendly relations with foreign States;
  - maintenance of public order;
  - preventing incitement to the commission of any cognizable offence relating to the preceding sub-clauses; and
  - preventing dissemination of false statements of fact.
- The pronouns “her” and “she” are used for an individual irrespective of gender.
PRINCIPLES OF THE BILL
The Digital Personal Data Protection Bill, 2022 is built on seven principles of the data economy, drawn from personal data protection laws in various jurisdictions:
- Rightful usage: Organisations must use personal data in a manner that is lawful, fair and transparent to the individuals concerned.
- Resolute dissemination (purpose limitation): Personal data must be used only for the purposes for which it was collected.
- Relevant data collection (data minimisation): Only the minimum data necessary to fulfil the stated purpose should be collected.
- Data reliability: Data collected should be accurate and free of duplication.
- Period of data retention: Personal data cannot be “stored perpetually by default”; storage should be limited to a fixed duration.
- Authorised collection and processing: There should be reasonable safeguards to ensure there is “no unauthorised collection or processing of personal data.”
- Accountability: The person who decides the purpose and means of the processing of personal data is accountable for that processing.
OBLIGATIONS OF DATA FIDUCIARY
| S.No. | Clause | Subject | Obligation |
|---|---|---|---|
| 1 | Clause 5 | Grounds for processing digital personal data | Fiduciaries may process personal data only for a lawful purpose for which the Data Principal has given, or is deemed to have given, consent. |
| 2 | Clause 6 | Notice to seek consent | When seeking consent, or as soon as reasonably practicable thereafter, Fiduciaries must give the Data Principal a notice describing what personal data will be collected and for what purpose. The notice must be presented in the form prescribed. |
| 3 | Clause 7 | Consent | Consent must be freely given, specific and informed, and must be a clear affirmative action agreeing to the processing of personal data for the purpose specified in the notice. |
| 4 | Clause 8 | Deemed consent | A Data Principal is deemed to have consented to the processing of her personal data where the processing is necessary for the purposes enumerated in the clause. |
| 5 | Clause 9 | Accuracy, retention and prevention of data breaches | Data Fiduciaries must make reasonable efforts to ensure that the personal data they process is accurate and complete, and must protect the personal data in their possession. They must also publish the “business contact information of a Data Protection Officer” in a format “as may be prescribed.” |
| 6 | Clause 9(8) | Grievance redressal mechanism | Data Fiduciaries must have in place “a procedure and effective mechanism to redress the grievances of Data Principals.” |
| 7 | Clause 10 | Personal data of children | The Bill imposes additional obligations for children’s personal data: a Data Fiduciary obtaining the personal data of a child must obtain verifiable parental consent in such manner as may be prescribed. |
RIGHTS AND DUTIES OF DATA PRINCIPAL
| S.No. | Clause | Right or duty | Description |
|---|---|---|---|
| 1 | Clause 12 | Right to information about personal data | A Data Principal has the right to obtain from the Data Fiduciary the information enumerated in the clause about the processing of her personal data. |
| 2 | Clause 13 | Right to correction and erasure of personal data | A Data Principal has the right to request from the Data Fiduciary the correction and erasure of her personal data “in accordance with the applicable laws and in such manner as may be prescribed.” Erasure requests may be refused where the data must be retained for a legal purpose. |
| 3 | Clause 14 | Right of grievance redressal | A Data Principal has the right to register a grievance with a Data Fiduciary. If the Fiduciary’s response is unsatisfactory, or no response is received within 7 days (or any shorter period that may be prescribed), she may register a complaint with the Data Protection Board. |
| 4 | Clause 15 | Right to nominate | A Data Principal has the right to nominate another individual to exercise her rights in the event of her death or incapacity. |
| 5 | Clause 16 | Duties of Data Principal | Clause 16 sets out the duties a Data Principal must observe. |
- Transfer of personal data outside India - Clause 17
The Central Government may, after assessing such factors as it considers necessary, notify the countries or territories outside India to which a Data Fiduciary may transfer personal data, subject to such terms and conditions as may be specified.
- Data Protection Board of India - Clause 19
The Central Government shall, by notification, establish a Board called the Data Protection Board of India for the purposes of the Act. The Central Government appoints the Chairperson and Members of the Board; management of the Board’s affairs is entrusted to a Chief Executive; and the Chairperson, Members, Chief Executive, officers and employees are all deemed to be public servants. No suit, prosecution or other legal proceeding lies against the Board or its Chairperson, Members, employees or officers for anything done, or intended to be done, in good faith under the provisions of the Act.
- Functions of the Board - Clause 20
The Board determines non-compliance with the provisions of the Act and imposes penalties. In discharging its functions it may issue directions from time to time, after giving the persons concerned a reasonable opportunity of being heard and after recording its reasons in writing; it may also modify, suspend, withdraw or cancel any direction it has issued. In the event of a personal data breach, the Board may direct the Data Fiduciary to adopt urgent measures to remedy the breach or mitigate any harm caused to Data Principals.
- Review and appeal of Board orders - Clause 22
The Board may review any order it has issued and, on a representation and for reasons to be recorded in writing, modify, suspend, withdraw or cancel it. The review must be conducted by a group larger than the one that issued the order. Appeals against orders of the Board lie to the High Court and must be preferred within 60 days of the date of the order. No civil court has jurisdiction to entertain any suit or take any action in respect of any matter under the Act, and no court or other authority may grant an injunction in respect of any action taken under it.
- Alternative dispute resolution - Clause 23
If the Board is of the opinion that a complaint can be more appropriately resolved by mediation or another process of dispute resolution, it may direct the parties concerned to attempt resolution through mediation.
- Voluntary undertaking - Clause 24
The Board may accept a voluntary undertaking from an entity in respect of any matter relating to compliance with the Act. The undertaking must specify actions and timelines and must be publicised, and the Board may require its terms to be modified. Once an undertaking is accepted, any ongoing proceedings against the entity on that matter are barred unless the entity fails to comply with its terms.
EXEMPTIONS
Clause 18 of the DPDP Bill carries forward the wide and vaguely worded exemptions granted to the Union Government in clauses 35, 36, 37, 38 and 39 of the Data Protection Bill, 2021.
- The Central Government may exempt certain Data Fiduciaries, or a class of Data Fiduciaries, from certain provisions of the Bill on the basis of the volume and nature of the personal data they process. Specifically, such Fiduciaries are exempt from clauses 6, 9(2), 10, 11 and 12.
- The Bill exempts entities from the provisions of Chapter 2 (obligations of Data Fiduciaries), except section 2(4) and 2(9), Chapter 3 (rights and duties of Data Principals), and clause 17 (transfer of personal data outside India) when:
  - personal data is processed in the interest of the prevention, detection, investigation or prosecution of any offence or contravention of any law;
  - the processing of personal data is necessary for enforcing any legal right or claim;
  - processing of personal data by a court, tribunal or other body in India is necessary for the performance of a judicial or quasi-judicial function;
  - personal data of Data Principals not within the territory of India is processed pursuant to a contract entered into by a person based in India with a person outside India.
- The Central Government may also exempt processing that is “necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with standards specified by the [Data Protection] Board.”
OTHER ACTS/LAWS
Once the DPDP Act, 2022 is notified, the following Acts are to be amended:
- Information Technology Act, 2000:
  - section 43A of the IT Act shall be omitted;
  - in the proviso to section 81 of the IT Act, after the words and figures “the Patents Act, 1970”, the words “or the Digital Personal Data Protection Act, 2022” shall be inserted; and
  - clause (ob) of sub-section (2) of section 87 of the IT Act shall be omitted.
- Clause (j) of sub-section (1) of section 8 of the Right to Information Act, 2005 shall also be amended.
Schedule 1, read with Clause 25, prescribes the penalties set out in the table below:
| S.No. | Subject matter of non-compliance | Clause | Potential penalty |
|---|---|---|---|
| 1 | Failure to take reasonable security safeguards to prevent a personal data breach | Clause 9(4) | Up to ₹250 crore |
| 2 | Failure to notify the Board and affected Data Principals of a personal data breach | Clause 9(5) | Up to ₹200 crore |
| 3 | Non-fulfilment of additional obligations in relation to processing the personal data of children | Clause 10 | Up to ₹200 crore |
| 4 | Non-fulfilment of additional obligations of a Significant Data Fiduciary | Clause 11 | Up to ₹150 crore |
| 5 | Non-compliance by a Data Principal with her duties | Clause 16 | Up to ₹10,000 |
| 6 | Any other non-compliance under the Act | All clauses not listed above | Up to ₹50 crore |
The earlier version of the Bill provided for a maximum penalty of ₹15 crore or 4% of the total worldwide turnover of the data collection or processing entity for violating its provisions. Clause 25 of the DPDP Bill instead caps the penalty at ₹500 crore for each instance of non-compliance under the Act.
There are mixed reviews of the DPDP Bill, 2022, but it is a comprehensive piece of legislation that should be enacted soon. The definitions have been narrowed for ease of understanding. The Bill allows cross-border storage and transfer of data to “certain notified countries and territories”, but which countries the data may be moved to is still unknown. Previous versions of the Bill were said to be too “compliance intensive”; the DPDP Bill, 2022 offers an incentive to start-ups, since the Government may exempt certain businesses from provisions of the Bill on the basis of the number of users and the volume of personal data they process. The Bill also empowers the Government to grant exemptions from its provisions “in the interests of sovereignty and integrity of India” and to maintain public order.