The Centre's Ministry of Electronics and Information Technology recently tabled another version of the data protection bill, called the Digital Personal Data Protection Bill, 2022. This is the fourth instance in which the Centre has presented a bill on data protection. After the Supreme Court judgment in Justice K.S. Puttaswamy (Retd.) v. UOI & others, 2017, the government set up a parliamentary committee under the chairmanship of Justice B.N. Srikrishna, which submitted its report along with a Draft Data Protection Bill in 2018. That bill was never enacted, and a revised version was introduced as the Personal Data Protection Bill (PDP Bill), 2019. The PDP Bill was subsequently referred to the Joint Parliamentary Committee, which submitted a report accompanied by the Draft Data Protection Bill, 2021. That draft was scrapped by the Centre, and the current bill on data protection came in 2022.
The advent of the General Data Protection Regulation ("GDPR") was a watershed moment for the European Union. It was the first formal recognition of data as a vital resource in the digital economy and established a comprehensive data protection and privacy regime. Since then, the global conversation on data protection and privacy has expanded, notable examples being California's Consumer Privacy Act and South Korea's updating of its Personal Information Protection Act.
As per the UN, India is set to become the most populous country in the world in 2023. A growing population implies growing interaction with digital devices and the internet, resulting in an enormous amount of digital data generated by users, or "data principals."
This data, which is largely available on the internet, can be accessed and used by mega-companies or organisations, referred to as "data fiduciaries," sometimes without even intimating the data principal, thereby infringing their Right to Privacy, which is a fundamental right under Article 21 of the Constitution.
These data fiduciaries generally have very strong bargaining power, to the extent that they can influence the economy of a country. The Digital Personal Data Protection Bill, 2022 provides for the rights and duties of data principals so that the disproportionate power of data fiduciaries vis-à-vis data principals is addressed.
There is also a sub-category of data fiduciaries called 'significant data fiduciaries'. Depending on factors such as the volume and sensitivity of the information processed, the turnover of the data fiduciary, the risk of harm posed by processing, the use of new technologies for processing, and the processing of data relating to children or the provision of services to them, such fiduciaries are required to register themselves with the Data Protection Authority (Authority) proposed to be established under the Bill, 2022.
Significant Data Fiduciaries are required to meet certain additional compliances, including appointing a data protection officer, undertaking data protection impact assessments and maintaining accurate and up-to-date records in the form and manner specified.
Data processors are persons who process personal data on behalf of data fiduciaries. Processing includes activities such as collection, recording, organisation, storage, making available, restriction, erasure or destruction.
Applicability of the Bill
The Bill applies to the processing of digital personal data within India and to processing related to offering goods and services to, and profiling of, Data Principals within India. It does not clarify whether it would apply to any individual whose personal data is processed within the territory of India.
Privacy notice
The Bill requires Data Fiduciaries to provide Data Principals with a notice stating the personal data collected and the purpose of processing. The Bill should also consider including elements such as the details of the Data Fiduciary, information about the third parties with whom the personal data has been shared, and any other information that would help the Data Principal make an informed decision.
The notice requirement has retrospective application: the Data Fiduciary must, within a reasonable time, provide the itemised notice to a Data Principal who gave her consent before the commencement of the Bill. This retrospective application would be challenging for Data Fiduciaries that have already processed personal data on the basis of the Data Principal's consent.
Non-automated means
The provisions of the Bill do not apply to non-automated processing of personal data. This could lead to the exclusion of a number of Data Fiduciaries that do not process personal data by automated means.
Breach notification
In the event of a data breach, the Bill obliges the Data Fiduciary and the Data Processor to notify each affected Data Principal. But the Bill does not specify any time period within which the Data Fiduciary is required to inform the Data Protection Board and the Data Principal about the breach.
Rights of Data Principal
One of the significant aspects of the Bill, 2022 is the set of rights granted to the Data Principal with respect to the processing of their personal data. Apart from other basic rights, such as those relating to consent and notice, the Data Principal will enjoy the following rights:
- Right to seek confirmation of whether the Data Fiduciary is processing or has processed the Data Principal's personal data, and further the right to access the personal data processed and a summary of such data;
- Right to require the Data Fiduciary to correct misleading or inaccurate data, and to seek erasure of personal data when the purpose of collection is satisfied or when consent is withdrawn;
- Right to grievance redressal, where the Data Fiduciary is required to respond to the grievance of the Data Principal within 7 days or such shorter period as may be prescribed. If the Data Principal is not satisfied with the response, they may register a complaint with the Board in the manner prescribed; and
- Right to nominate a representative to exercise these rights in case of the incapacity or death of the Data Principal.
Duties
The peculiar feature of the current Bill is the set of duties imposed on Data Principals in clause 16. As specified in Schedule 1 of the Bill, for non-compliance with any sub-clause of clause 16 a penalty of 10,000 may be imposed on the Data Principal.
Cross Border data transfer
The Bill has eased the cross-border data transfer requirement: Data Fiduciaries may transfer personal data to countries notified by the Central Government. Further, it eliminates the requirement to store sensitive personal data within India.
Compliance Requirement
The following fundamental compliance steps need to be undertaken by an organisation for a smooth privacy journey:
- Appointment of Data Principal Officer and publishing the business
contact
- Privacy notice to inform data principal
- Information to data principal about types of personal data and the
purpose of collection
- Designing and implementing privacy policies and procedure
- Enforcing templates for responding to Data Principal Rights Requests
- Implementing a procedure to redress the grievances of Data Principals
- Implementing technical and organisational measures and reasonable security safeguards
- Involving a data processor if required pursuant to valid contract
- Maintaining Personal Data Breach notification templates for Board and
Data Principal
- Undertaking Data Protection Impact Assessments
- Appointment of an Independent Data Auditor
Penalties on Non-Compliance
The DPDP Bill prescribes upper limits on the financial penalty for non-compliance, capped at not more than INR 500 crore. Further, Schedule I of the Bill lays down different penalties for different categories of non-compliance.
Impact on Industries
Firstly, large-scale, consumer-centric organisations, including those in telecommunications, healthcare, banking and financial services and e-commerce, that process personal data at scale are likely to face more stringent obligations than others, because parameters such as the volume and sensitivity of personal data are explicitly highlighted in the Bill. Secondly, this Bill has excluded data localisation requirements, which will enable small, medium and large enterprises to store data across geographies, reducing the cost and time spent on localised data storage. Thirdly, this Bill places greater emphasis on digitising personal data.
Key Difference between GDPR and DPDP
The DPDP Bill shall be implemented in a phased manner, i.e., different dates of enforcement shall be notified for different sections, unlike the GDPR, which was implemented in toto and provided two years for ensuring compliance. Further, the DPDP Bill provides for an implied obligation to address grievances within seven days, unlike the GDPR, which provides a time period of one month, further extendable to two months on grounds of complexity.
The concept of a "Significant Data Fiduciary" is novel to the DPDP Bill; the GDPR makes no mention of such a classification.