New Draft Data Protection Bill: Provisions relating to Privacy and Data Usage
The Ministry of Electronics and Information Technology recently released the draft Digital Personal Data Protection Bill, 2022 (hereinafter DPB, 2022) for public consultation. The Indian Government has been working on a comprehensive data protection law since 2018 and this is the fourth draft of the proposed legislation. Previous drafts of the proposed digital data protection legislation were heavily influenced by the European Union's GDPR and were lengthy documents. However, the current bill under consideration takes inspiration from Singapore's Personal Data Protection Act, 2012 and is shorter and more straightforward.
Application and Extent
The application of this statute (if passed by Parliament) is two-fold, as it distinguishes between processing of data within the territory of India and processing in the rest of the world. For processing within the territory of India, it applies to any data collected online and to any data collected offline but subsequently digitized, whereas for processing outside the territory of India it applies only if the processing concerns profiling or the "activities offering goods or services to the data principals within the territory of India".
Personal Data
Further, the bill also defines the expression "Personal Data". Section 2 (13) states, "any data about an individual who is identifiable by or in relation to such data". A bare reading of the definition makes clear that all personal data has been brought under one single, monolithic expression. This definition marks a significant shift from the definitions in both the currently existing data privacy legislation in India and the previous drafts of this very bill.
Notice and Consent
Under the DPB, 2022, data fiduciaries (organizations that collect and process personal data) are required to provide a detailed notice to individuals (data principals), as a compliance requirement under Section 6 of the bill, outlining the specific data sets that will be collected and the purpose of the processing. Moreover, obtaining the consent of the data principal before processing their personal data is of prime importance, as set out under Section 5. The notice must be written in clear, easy-to-understand language, and the consent must be freely given, specific, informed, and unambiguous.
Moreover, notice may be provided in a separate document, as part of the same document in which the personal data is being collected, or in a prescribed form. If a data principal has already given consent for personal data to be processed prior to the implementation of the DPB, 2022, the data fiduciary must, as soon as reasonably practicable, provide a detailed notice in clear language outlining the data that has been collected and the purpose for which it was processed. The data fiduciary must also give the data principal the option to access the request for consent in English or any of the languages listed in the Eighth Schedule to the Constitution of India. For this very reason, an entity collecting data needs to have a clear-cut privacy policy document that users can understand before giving their consent.
Deemed Consent
This bill introduces the concept of "deemed consent," in which individuals (data principals) are assumed to have given their consent for the processing of their personal data in certain circumstances. These include:
- When data principals voluntarily provide their personal data to the data fiduciary and it is reasonable to expect that they would do so;
- For the performance of any legal function or the provision of any service or benefit to the data principal, or the issuance of any certificate, license, or permit related to their activities or actions;
- To comply with any court order or judgment issued under any law;
- In response to a medical emergency that poses a threat to the life or immediate health of the data principal or any other individual;
- To provide medical treatment or health services to any individual during an epidemic or outbreak of disease;
- To ensure the safety of, or provide assistance or services to, any individual during a disaster or breakdown of public order;
- For employment-related purposes, such as preventing corporate espionage, hiring and firing, maintaining confidentiality, and verifying attendance and performance;
- In the public interest, as defined by the DPB, 2022 to include credit scoring, debt recovery, and mergers and acquisitions;
- For "any fair and reasonable purpose as may be prescribed," after taking into account certain considerations.
Data Principal and its Rights and Duties
"Data Principal", as defined under Section 2 (6), means an individual to whom the personal data relates and, where such individual is a child, includes the parents or lawful guardian of such child. Data principals have certain rights with respect to their personal data, as outlined in the DPB, 2022. However, the DPB, 2022 does not specify the procedures for exercising these rights.
- Right to information about personal data: The data principal has the right to confirm whether personal data is being processed, to receive a summary of the data being processed, and to know the identities of the data fiduciaries with whom their data has been shared. The data principal also has the right to know the categories of data shared and any other information specified by the central government.
- Right to correction and erasure of personal data: Data principals have the right to request the correction or erasure of their personal data. Upon receiving such a request, the data fiduciary must correct inaccurate or misleading data, complete incomplete data, and update relevant data. The data principal may also request erasure of personal data that is no longer necessary for its original purpose, unless retention is required by law.
- Right to grievance redressal: Data principals have the right to file a grievance with the data fiduciary. If the data fiduciary's response is not satisfactory, or if no response is received within seven days (or a shorter prescribed period), the data principal may file a complaint with the Board.
- Right to nominate: The data principal has the right to nominate another individual to exercise, on their behalf, the rights outlined in the DPB, 2022 in the event of the data principal's death.
Furthermore, data principals have also been given several duties under the DPB, 2022, such as a prohibition on registering false or frivolous grievances or complaints with a data fiduciary, on providing false information or suppressing material information, and on impersonating another person when applying for documents, services, proof of identity, or proof of address. Non-compliance with these duties by the data principal may result in a penalty of up to Rs. 10,000/-.
Data Fiduciary and its Obligations
Further, the DPB, 2022 also sets out the duties and obligations of the other side of the table, i.e., the Data Fiduciary, under Chapter 2, Sections 5 to 11. The expression "Data Fiduciary" is defined under Section 2 (5) and means any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data.
According to the DPB, 2022, data fiduciaries are required to take reasonable security measures to protect personal data in their possession or under their control in order to prevent a personal data breach. This includes implementing appropriate technical and organizational measures, as well as ensuring the accuracy and completeness of personal data that is likely to be used to make decisions affecting the data principal or that will be shared with other data fiduciaries.
In the event of a personal data breach, data fiduciaries must notify the relevant authorities and the affected data principals under Section 9 (5). They must delete personal data, or remove any information that could link the data to a specific data principal, when it is no longer needed for the purpose for which it was collected or for legal or business purposes. They must also publish the business contact information of a Data Protection Officer or other designated representative who can answer data principals' questions about the processing of their personal data. Finally, data fiduciaries must obtain the consent of data principals before sharing, transferring, or transmitting their personal data to any other data fiduciaries or processors.
Data Processor and its Obligations
Data Processor means any person who processes personal data on behalf of a Data Fiduciary. They are subject to certain legal requirements under the DPB, 2022, including the obligation to:
- Implement reasonable security measures to protect personal data and prevent data breaches;
- Notify the Board and affected individuals in the event of a data breach; and
- Sub-contract processing activities only where permitted under the contract with the Data Fiduciary.
Further, the duties and obligations of the data fiduciary and the data processor are more or less the same, and the obligations of the data fiduciary under Section 9 also apply to the data processor.
Significant Data Fiduciaries
The DPB, 2022 empowers the Central Government, under Section 11 of the bill, to notify and designate a Data Fiduciary or a group of Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on various criteria, including the volume and sensitivity of the data processed, the potential risk of harm to individuals, and the impact on the sovereignty and integrity of India. As an SDF, a Data Fiduciary has additional obligations, such as the appointment of a Data Protection Officer in India and an independent Data Auditor, as well as the completion of data protection impact assessments.
Data Protection Board of India
The DPB, 2022 provides for the creation of an adjudicating authority known as the Data Protection Board of India under Section 19. This Board will be responsible for receiving complaints, conducting hearings, and pronouncing decisions, among other functions. Sections 19 to 25 set out the powers, functions and appeal procedures of the Board.
Personal Data Breach
"Personal Data Breach" is defined under Section 2 (14) as any unauthorized processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction of, or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data. In the event of a Personal Data Breach, the Data Fiduciary or Data Processor is required to notify the Board and the affected individuals.
Penalties
If an inquiry by the Board finds that an individual has engaged in significant non-compliance, the Board may impose a financial penalty of up to INR 500 crore. The DPB, 2022 also includes specific penalties ranging from INR 50 crore to INR 250 crore for failure to implement reasonable security measures, failure to notify the Board and affected individuals in the event of a data breach, and non-compliance with additional obligations for Significant Data Fiduciaries.