An Analysis of the Indian Digital Data Protection Bill, 2022
Introduction
The Internet has given birth to various sectors and professions and opened an entirely new market, which is more innovative, technical, and efficient. The 21st century has witnessed such an explosive rise in the number of ways in which we exchange information so to protect this information or the other we can call it personal data, on November 18, 2022, the Ministry of Electronics & Information Technology issued the draft Digital Personal Data Protection Bill, 2022. The purpose of this Act is s to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes.
Application & Extent
This bill will regulate the personal data which will be either collected online or which will be collected offline, is digitalized. It excludes processing through manual means or by individuals for ‘personal or domestic purposes’.[1]
It excludes processing through manual means or by individuals for ‘personal or domestic purposes’. The Bill also seeks to exclude personal data “contained in a record that has been in existence for at least 100 years”. The provision of this bill shall also be applied to digital personal data outside the territory of India.
Rights of Data Principal
Data principal is refers to the individual whose data is being collected, so Data principals have the right to (a) obtain information on the personal data being processed, the processing activities, and identities of all the data fiduciaries their data has been shared with;?(b) correction and erasure of their data,?(c) nominate an individual to exercise rights on their behalf in the event of their death or incapacitation; (d) grievance redressal,?among others. They can exercise these rights through the data fiduciary. The JPC (The Joint Parliamentary Committee on the Personal Data Protection Bill) and the 2019 Bill provided the right to data portability– i.e., the right to move personal data across different service providers – which has been removed from the 2022 Bill. The 2022 Bill also introduces duties for data principals – these include
?1) complying with the provisions of the Bill and other applicable laws while exercising their rights,
2)?refraining from registering false or frivolous grievances with the data fiduciaries,
3)?refraining from furnishing false particulars or suppressing material information, and
4) furnishing information that is verifiably authentic. Earlier iterations of the Bill did not include duties for data principals.[2]
Duties of Data Principal
A data principal is under an obligation to not register a false or frivolous complaint with a data fiduciary or the Board, not to furnish any false particulars or suppress any material information or impersonate another person while applying for any document, service, unique identifier, proof of identity or proof of address and to provide information that is verifiably authentic while exercising their right to correction or erasure. DPDP Bill has introduced a penalty up to ?10,000/- (Rupees Ten Thousand) on the data principal for failure to comply with its proposed obligations.[3]
Data Protection Board
The Bill also provides that the central government will establish a Data Protection Board which will operate as an independent body and function as a digital office. The functions of the DPB will be ‘digital by design’.?The central government can prescribe the composition, qualifications and experience, process of selection, terms of appointment, removal, salary, allowances, and other matters through rules. The DPB will enforce the provisions of the bill and impose penalties for non-compliance. It can conduct hearings, summon and enforce attendance, and examine persons on oath, among other functions.?Notably, however, the DPB cannot prevent access to premises or take custody of any equipment or item that may disrupt the day-to-day functioning of any entity during its inquiries.?The DPB can also accept voluntary undertakings – i.e., an entity subject to proceedings for non-compliance can undertake to perform or abstain from a certain action, in which case the enforcement proceeding will stop.[4] The Data Protection Board is tasked with enforcing this Act's provisions. Digital by design compliance framework is the need of the hour particularly when it comes to digital personal data. This has been recognised in the Bill. Receipt of complaints, pronouncement of decision, etc has been envisaged as digital by design, in the Bill.[5]
Penalties
The Board will decide the amount of financial penalty based on factors which?inter-alia?include the gravity, nature, and duration of non-compliance, type and nature of personal data affected by the non-compliance, and the likely impact of the imposition of the financial penalty on the concerned person.
?If the non-compliance by a person is found to be significant, then the Board has the power to impose a penalty of up to ?500,00,00,000/- (Rupees Five Hundred Crore) provided that such person has been given a reasonable opportunity of being heard.[6] The government may amend penalties, but newly proposed penalties cannot be more than double of what is prescribed in the 2022 Bill.
领英推荐
Exception
The government can?exempt certain businesses from adhering to provisions of the bill?on the basis of the?number of users and the volume of personal data?processed by the entity. This has been done keeping in mind?startups?of the country who had complained that the Personal Data Protection Bill, 2019?was too “compliance intensive”.
National security-related exemptions,?similar to the previous 2019 version,?have been kept intact. The?Centre has been empowered?to exempt its agencies from adhering to provisions of the Bill in the interest of?the sovereignty and integrity of India, security of the state, friendly relations with foreign states,?maintenance of public order?, or?preventing incitement?to any cognizable offence.[7]
Suggestions
After the withdrawal of the bill in August 2019, this bill was reintroduced in November as Digital Data Protection Bill 2022. The 2019 will was revoked as it was not as per the international standards. But the new bill i.e. Digital Data Protection Bill 2022 also misses out on two main rights for data principle. The first is the right to data portability. The right to data portability allowed the data principal to receive in a structured format all the personal data they had provided to the data fiduciary and the second is data fiduciary which generated on the data principal while processing for provisioning of its services. This empowered data principals by allowing them to choose between different platforms and enhanced competition between data fiduciaries to increase consumer welfare.?This bill of 2022, does not provide for these rights.[8]
Conclusion
This Bill is an attempt by the government to balance national security, public order, ease of doing business, global diplomacy and cross-border cooperation, technology velocity, and data volumes. The government has not specified implementation timelines for the 2022 Bill. The government may assign different commencement dates for various provisions and also if the bill is enacted then it will have an overriding effect over other laws in case of conflicting provisions. If the bill is amended and reintroduced with its missing parts then it may help align the bill with a global standard like GDPR.
Written by- Akanksha Redij
[1]?Arun Prabhu?&?Anirban Mohapatra, “The Digital Personal Data Protection Bill, 2022”, November 23, 2022, available at- https://corporate.cyrilamarchandblogs.com/2022/11/the-digital-personal-data-protection-bill-2022-part-i/#_ftn8
[2] Available at, https://www.ikigailaw.com/our-analysis-of-the-draft-digital-personal-data-protection-bill-2022/#acceptLicense
[3] Available at, https://www.mondaq.com/india/data-protection/1259392/a-dive-into-the-digital-personal-data-protection-bill-2022#:~:text=Duties%20of%20Data%20Principal%3A%20A,%2C%20service%2C%20unique%20identifier%2C%20proof
[4] Available at, https://www.ikigailaw.com/our-analysis-of-the-draft-digital-personal-data-protection-bill-2022/#acceptLicense
[5] Available at, https://www.meity.gov.in/writereaddata/files/Explanatory%20Note-%20The%20Digital%20Personal%20Data%20Protection%20Bill%2C%202022.pdf
[6] Available at, https://www.mondaq.com/india/data-protection/1259392/a-dive-into-the-digital-personal-data-protection-bill-2022#:~:text=Duties%20of%20Data%20Principal%3A%20A,%2C%20service%2C%20unique%20identifier%2C%20proof
[7] Available at, https://www.drishtiias.com/daily-updates/daily-news-analysis/digital-personal-data-protection-bill-2022
[8] Available at, https://www.thehindu.com/sci-tech/technology/how-different-is-the-new-data-protection-bill/article66166438.ece