Digital Personal Data Protection Bill 2023, India

Today, 7 August 2023, the Digital Personal Data Protection Bill 2023 was passed in the Lok Sabha. The Bill seeks to establish a robust framework for the protection of personal data in the digital realm in India.

Key Features:

1. Applicability: The Bill will apply to the processing of digital personal data within India where such data is: (i) collected online, or (ii) collected offline and is digitised. It will also apply to the processing of personal data outside India, if it is for offering goods or services or profiling individuals in India. Personal data is defined as any data about an individual who is identifiable by or in relation to such data. Processing has been defined as an automated operation or set of operations performed on digital personal data. It includes collection, storage, use, and sharing.

2. Consent: Personal data may be processed only for a lawful purpose for which an individual has given consent. A notice must be given before seeking consent. Notice should contain details about the personal data to be collected and the purpose of processing. Consent may be withdrawn at any point in time. Consent will be deemed given where processing is necessary for: (i) performance of any function under a law, (ii) provision of service or benefit by the State, (iii) medical emergency, (iv) employment purposes, and (v) specified public interest purposes such as national security, fraud prevention, and information security. For individuals below 18 years of age, consent will be provided by the legal guardian.

3. Rights and duties of data principal: An individual, whose data is being processed (data principal), will have the right to: (i) obtain information about processing, (ii) seek correction and erasure of personal data, (iii) nominate another person to exercise rights in the event of death or incapacity, and (iv) grievance redressal. Data principals will have certain duties. They must not: (i) register a false or frivolous complaint, (ii) furnish any false particulars, suppress information, or impersonate another person in specified cases. Violation of duties will be punishable with a penalty of up to Rs 10,000.

4. Obligations of data fiduciaries: The entity determining the purpose and means of processing, called data fiduciary, must: (i) make reasonable efforts to ensure the accuracy and completeness of data, (ii) build reasonable security safeguards to prevent a data breach and inform the Data Protection Board of India and affected persons in the event of a breach, and (iii) cease to retain personal data as soon as the purpose has been met and retention is not necessary for legal or business purposes (storage limitation). The storage limitation requirement will not apply in case of processing by government entities.

5. Transfer of personal data outside India: The central government will notify countries where a data fiduciary may transfer personal data. Transfers will be subject to prescribed terms and conditions.

6. Exemptions: Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases including prevention and investigation of offences, and enforcement of legal rights or claims. The central government may, by notification, exempt certain activities from the application of provisions of the Bill. These include: (i) processing by government entities in the interest of the security of the state and public order, and (ii) research, archiving, or statistical purposes.

7. Data Protection Board of India: The central government will establish the Data Protection Board of India. Key functions of the Board include: (i) monitoring compliance and imposing penalties, (ii) directing data fiduciaries to take necessary measures in the event of a data breach, and (iii) hearing grievances made by affected persons. The central government will prescribe: (i) composition of the Board, (ii) selection process, (iii) terms and conditions of appointment and service, and (iv) manner of removal.

8. Penalties: The schedule to the Bill specifies penalties for various offences such as: (i) up to Rs 150 crore for non-fulfilment of obligations for children and (ii) up to Rs 250 crore for failure to take security measures to prevent data breaches. Penalties will be imposed by the Board after conducting an inquiry.

Key Issues and Analysis:

1. Exemptions to the State may have adverse implications for privacy

Personal data processing by the State has been given several exemptions under the Bill. As per Article 12 of the Constitution, the State includes: (i) central government, (ii) state government, (iii) local bodies, and (iv) authorities and companies set up by the government. We discuss certain issues with these exemptions below.

2. The Bill may enable unchecked data processing by the State, which may violate the right to privacy

The Bill empowers the central government to exempt processing by government agencies from any or all provisions, in the interest of aims such as the security of the state and maintenance of public order. None of the rights of data principals and obligations of data fiduciaries (except data security) will apply in certain cases such as processing for prevention, investigation, and prosecution of offences.

The Bill does not require government agencies to delete personal data after the purpose for processing has been met. Using the above exemptions, on the ground of national security, a government agency may collect data about citizens to create a 360-degree profile for surveillance. It may utilise data retained by various government agencies for this purpose. This raises the question whether these exemptions will meet the proportionality test.

3. Processing without consent for preventing dissemination of false statements of fact

The Bill specifies “preventing dissemination of false statements of fact” as one of the public interest purposes for deemed consent. This raises the question about the need for such a ground. It may be argued that any harm or adverse implication due to such dissemination is already covered under grounds such as prevention of incitement of offence, public order, and security of the state.

4. Whether consent requirement should apply where government agencies provide commercial services

The Bill provides that consent will be deemed to have been obtained for processing of data to provide benefits and services by the State and its instrumentalities. Consent requirement provides individuals control over the extent of data collection and processing. Government and public sector utilities owned by it provide various services to individuals such as health, banking, telecom, and electricity. Thus, government health departments and companies such as SBI, BSNL, and state discoms need not take consent from individuals for processing their data. The question is whether this is appropriate.

5. The Bill accords differential treatment towards public and private entities performing the same function

As discussed above, a government company can process the personal data of its customers without obtaining their consent, and it may retain the data for an unlimited period. However, its competitors in the private sector would have to comply with these requirements. Thus, these provisions will result in differential treatment towards public and private entities performing the same function. This may violate the right to equality protected under Article 14 of the Constitution.

6. Implications of exemption from data fiduciary obligations

For certain public interest purposes such as national security and law enforcement, the consent requirement would be meaningless due to the covert nature of such actions. However, it may be argued that other principles should continue to apply to safeguard privacy. As these obligations do not apply, a data breach at the National Crime Records Bureau or the Unique Identification Authority of India need not be reported as per the mechanism under the Bill. Data collected by police for the investigation and prosecution of one offence may be utilised for other purposes.

7. Bill may not ensure independence of the Data Protection Board of India

The Bill requires the central government to set up the Data Protection Board of India. It provides that the Board will function as an independent body. The composition, terms of appointment, and manner of removal of the members will be prescribed by the central government. The question is whether these details should be provided in the principal legislation to ensure the independence of the Board.

8. Right to data portability and the right to be forgotten not provided

The Bill does not provide for the right to data portability and the right to be forgotten. The 2018 Draft Bill and the 2019 Bill introduced in Parliament had sought to provide for these rights. The Joint Parliamentary Committee, examining the 2019 Bill, recommended retaining these rights. The General Data Protection Regulation (GDPR) of the European Union also recognises these rights. The Srikrishna Committee (2018) observed that a strong set of rights of data principals is an essential component of a data protection law. These rights are based on principles of autonomy, transparency, and accountability to give individuals control over their data.

9. Taking verifiable parental consent may require verification of everyone’s age on digital platforms

The Bill requires all data fiduciaries to obtain verifiable consent from the legal guardian before processing the personal data of a child.

Please reach out to me on [email protected] for a 1-1 detailed analysis and consultation. I am part of the Data Privacy implementation program in my current organization.


#dataprivacy #DPDP #Digital Personal Data Protection Bill

Utkarsh Srivastava

Data Quality & Data Governance Consultant | Data&Business Analyst | Collibra Developer Enabling organizations to harness the power of Metadata

1 year ago

Very well articulated Saurabh! This article gives a clear idea on the new DPDP bill. The key issues which you have highlighted are something which I agree with as well; if we draw comparisons from GDPR - right to erasure and right to data portability is what I find to be an essential requirement with respect to any data subject or data principal (in this case). I also agree with other key issues which you have highlighted and I hope they put forward these aspects in future amendments.
