Highlights of the Digital Personal Data Protection (DPDP) Bill, 2022
India’s New Digital Personal Data Protection (DPDP) Bill, 2022
India’s Supreme Court in a 2017 judgment recognized ‘privacy’ as a fundamental right and observed that there should be a separate law for the protection of data privacy. Accordingly, in 2019 a Personal Data Protection Bill was introduced before the Indian Parliament. However, in 2021 it was referred for review to a Joint Parliamentary Committee, which gave several recommendations and proposed more than 80 amendments. On August 3, 2022, the Personal Data Protection Bill was withdrawn by the Government with an intention to have a more comprehensive bill in its place. On November 18, 2022, the Indian Ministry of Electronics and Information Technology (MeitY) released a draft of the Digital Personal Data Protection (DPDP) Bill (2022), and has invited public comments on the bill by December 17, 2022.
The highlights of the draft DPDP Bill, 2022, are as follows:
Applicability of draft DPDP Bill, 2022
The Bill applies to processing of digital personal data collected within the territory of India. It can include data collected online or collected offline and digitized later. Further, its scope can extend beyond the territories of India when processing is connected with any profiling (processing that analyses or predicts aspects related to the behavior, attributes, or interests of the Data Principal) or the activity of offering goods or services to the Data Principal within the territory of India.
However, this Bill is not applicable to the following:
Important definitions and concepts:
Personal data: Any data through which an individual can be identified.
Data Principal: The individual to whom the personal data relates and where such individual is a child (below the age of 18) includes the parents or lawful guardian of such a child. This concept is similar to the ‘data subject’ in GDPR.
Data Fiduciary: Any person (individual, Hindu undivided family, firm, company, state, etc.) who alone or in partnership with other persons determines the purpose and means of the processing of an individual's personal data. This concept is similar to the ‘data controller’ in GDPR.
The Bill also authorizes the Central Government to notify a data fiduciary or a class of data fiduciaries as a significant data fiduciary, considering certain factors such as the volume and sensitivity of personal data processed, risk of harm to data principals, potential impact on the sovereignty and integrity of India, security of state, etc.
Processing: A set of operations performed on personal data which includes collection, recording, organization, storage, transmission, etc.
Data Processor: Any person who processes personal data on behalf of a Data Fiduciary.
Consent: Consent of the Data Principal means any freely given, specific, informed and unambiguous indication of the Data Principal's wishes by which the Data Principal, by a clear affirmative action, signifies agreement to the processing of his or her personal data for the specified purpose.
The Bill recognizes the concept of ‘deemed consent’. It lists certain situations where consent would be deemed to have been given by the data principal, such as: (i) when information is provided by him or her voluntarily; (ii) for compliance with a judgment or order issued under law; (iii) for responding to a medical emergency; (iv) when information is required in the public interest, such as for preventing or detecting fraud, for network security, credit scoring, etc.; or (v) for the performance of any function under law, for issue of a permit or license by the State or an instrumentality of the State, etc.
Where consent given by the Data Principal is the basis of processing of personal data, the Data Principal shall have the right to withdraw her consent at any time.
Notice: Data fiduciaries collecting personal data from individuals must provide an itemized notice containing details of the personal data to be collected and the purpose. Such notice can be a separate document, or an electronic form, or a part of the same document in or through which personal data is sought to be collected, or in such other form as may be prescribed.
Obligation of data fiduciary
Rights and Duties of Data Principal
The Data Principal has the following rights:
Cross-border transfer of personal data
The Central Government will notify countries or territories outside India to which a Data Fiduciary would be allowed to transfer personal data.
Exemption
The bill gives the Government the authority to provide exemptions from certain requirements of the Act where processing is necessary for the interests of India's sovereignty and integrity, state security, and preserving public order, etc.
Data Protection Authority
The bill proposes the formation of an authority, namely the Data Protection Board of India (DPBI), which would be notified by the Central Government. DPBI will have the power to determine non-compliance with the provisions of the law and impose the penalties provided therein.
Penalties
DPBI has the power to levy penalties as provided under the Bill where, on inquiry and after giving an opportunity of being heard, it concludes that the non-compliance is significant. Such financial penalty cannot exceed INR 5 billion in each instance. The following penalties are proposed for various violations:
Implications
The newly drafted Bill restricts the scope of the law to digital personal data; it does not extend to non-personal data. Further, the earlier Bill mandated companies dealing with sensitive data of Indian users to keep a copy within India's borders. The new Bill proposes allowing the transfer of data to specific countries which will be notified by the Government. Further, the new Bill proposes financial penalties for violations, as against criminal liability under the earlier Bill. Companies processing personal data should monitor the development of the Bill and evaluate the compliance requirements.
© Shan & Co 2022