The Ministry of Electronics and Information Technology (“MeitY”) has released the first draft of the Digital Personal Data Protection Bill, 2022 (“the Bill”) for public consultation asking stakeholders to submit their views on it by December 17, 2022.
The historic Justice KS Puttaswamy v. Union of India [(2017) 10 SCC 1] (“Puttaswamy Judgment”) sparked the development of a data protection law, which has been the impetus for this legislation since 2017. The previous Personal Data Protection Bill was withdrawn by the Government in August after working on it for five years. Thereafter, the Government considered the best practices across the globe, reviewing the personal data protection laws of Singapore, Australia, the European Union, and potential US federal legislation.
The foundation of the Bill is the digital economy, and one of its kind- using “her” and “she” instead of “he” and “him” to refer to people regardless of their gender. According to the explanatory statement from the MeitY, this is in line with the Government’s aim of empowering women.
THE SEVEN FOUNDATIONAL PRINCIPLES OF THE BILL
The Bill is primarily based on the following seven principles, keeping in mind the global standards of data privacy:
Principle 1: Usage of Personal Data
According to this principle, personal data should be used by organizations in a manner that is lawful, fair to the individuals concerned, and transparent to individuals.
Principle 2: Purpose Limitation
The purpose limitation principle is based on the concept that personal data should be used for the purposes for which it was collected.
Principle 3: Data Minimization
The principle of data minimization stipulates that only those items of personal data that are required for attaining a specific purpose must be collected.
Principle 4: Accuracy of Personal Data
The principle of accuracy of personal data states that reasonable effort should be made to ensure that the data of an individual is accurate and kept up to date.
Principle 5: Storage Limitation
Storage limitation is one of the pivotal principles herein, which provides that personal data is not to be stored perpetually by default. The storage should be limited to such duration as is necessary for the stated purpose for which personal data was collected.
Principle 6: Reasonable Safeguards
According to this principle, reasonable safeguards are to be taken to ensure that there is no unauthorized collection or processing of personal data. This is intended to prevent personal data breaches.
Principle 7: Accountability
The Bill stipulates that the person who decides the purpose and means of processing personal data should be accountable for such processing.
Personal data protection regulations have been based on the abovementioned ideas in several different jurisdictions. The practical application of such regulations has allowed a more sophisticated vision of personal data protection to emerge, one that balances the rights of the individual, the public interest, and the convenience of conducting business, particularly for start-ups.
MAIN PROVISIONS OF THE REVAMPED BILL
1. High Penalties
Organizations that deal with the data of customers may be subject to fines of up to Rs. 250 Crore if such Data Fiduciaries do not take reasonable precautions to avoid data breaches. Penalties are anticipated to differ depending on the type of non-compliance by the Data Fiduciaries.
Organizations that do not inform those affected by a data breach risk, a penalty up to Rs. 200 Crore shall be imposed on them. The Data Fiduciaries who fail to protect the personal information of children and fail to fulfil obligations in relation to children could also face penalty up to Rs. 200 Crore.
2. The Data Protection Board
The Bill calls for the establishment of an Adjudicating Body, which will likely have the authority to impose penalty and fine after providing the Data Fiduciaries with a fair chance of hearing.
3. Personal Data
It is understood that the Bill will only address protection for personal data and has left out non-personal data from its purview. Non-personal data is any information that cannot be used to identify a specific person.
4. Obligations of the Organizations
Data of the Data Principals that is no longer needed for commercial purposes; shall not be retained by the Data Fiduciaries under any circumstances. Subsequently, the Data Fiduciaries shall ensure that the personal data processed by them is accurate and complete.
In addition to the above, the Data Fiduciaries shall be responsible for complying with all the provisions of the Bill, and have the same responsibility if any third-party processes the personal data on behalf of such Data Fiduciary.
The Central Government has been given the authority to exempt its Agencies from Adhering to the Provisions of the Bill. Under Section 18(2) of the Bill, the Central Government can issue a notification to exempt any “instrumentality of the state” from the provisions of the Bill “in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offense relating to any of these.”
6. Cross-border Data Transfer
The Bill relaxes restrictions on data localization and allows data to travel to specific international locations based on those locations’ data security environments. The most significant concern raised by Information Technology organizations was that the 2019 Bill required businesses to maintain a copy of sensitive personal data inside India and forbade the export of vital personal data.
However, the Bill permits the storage and transfer of data across international borders to “certain notified nations and territories”. The Bill does also state that before such notification, the Central Government will evaluate all pertinent factors.
MAJOR CHANGES IN THE BILL
The draft drastically narrows the Bill’s purview compared to earlier iterations by eliminating the right to be forgotten and leaving just the ability to delete personal data for a very precise reason. Once personal information is no longer required for the indicated purposes, individuals may request that their data be deleted.
Individuals have the right to know how their data is processed by Data Fiduciaries, including the names of the parties with whom their data has been shared for processing.
In contrast to earlier versions of the Bill, that required Data Fiduciaries to transfer data upon request, there is no provision for data portability.
However, with regards to the grievances of the Data Principals, a grievance redressal mechanism has been proposed in the Bill to address complaints from individuals within seven days of receipt of such grievance.
The Bill presented by the Government after years of deliberation grants Data Principals several rights, including the right to know how the Data Fiduciaries process their data, the right to the rectification and erasure of personal data, and the right to the redress of grievances. The collection of rights gives Data Principals the chance to stop or limit the ongoing dissemination of their data.
MAJOR CONCERNS RAISED BY THE BILL
1. The Bill, like previous versions, permits the Government to exclude any of its entities from any or all of its provisions for reasons including public safety, national security, etc.
Furthermore, the Government is permitted to keep personal data in its possession indefinitely. Additionally, without the need for any notification from the Government, the processing of personal data for crime prevention, investigation, etc. is automatically excluded.
2. The Bill eliminates both such classifications and limits on the sharing of sensitive and important personal data. Instead, all personal information may be sent to nations or regions that have received Government approval. However, it is unclear which nations will be permitted and on what grounds.
3. One of the provisions that enables the Government to inform a class of Data Fiduciaries that will be exempt from some of Bill’s purview based on the quantity and type of personal data they process. Although it appears that this provision can be used to categorize small Data Fiduciaries and exempt them from onerous requirements, the Bill contains nothing to guarantee the same.
4. There are no protections for sensitive and vital personal data: In the 2019 Bill, certain types of data were treated as subsets of personal data and were given stronger protections. However, the Bill eliminates such designations.
The proposed data protection scheme has been made simpler by the Bill, which also eliminates some problematic provisions that were objected to in earlier drafts. Particularly, compared to the 2019 Bill, data mirroring, data localization requirements, and overall compliances seem to be restricted.
The legislative goal appears to be to support cross-border data flows while being favorable to the Information Technology and tech industries. There is a chance that some parts that have been softened will lessen the total protection provided to individual privacy rights.
However, the issues raised by the Bill include limited independence of the proposed Data Protection Board as well as the Government and its agencies’ broad exemptions from regulations with few to no protections.
It is pertinent to note that the Bill comprises of only 30 provisions as opposed to the more than 90 in the 2019 Bill because many practical specifics have been left to subsequently adopt rule-making. However, only time will tell how the impact of the Bill unfolds in such a diversified digital economy like that of India.
– Team AMLEGALS assisted by Ms. Ishita Jaiswal (Intern)
For any queries or feedback, please feel free to get in touch with firstname.lastname@example.org or email@example.com.