HIGHLIGHT OF THE DIGITAL PERSONAL DATA PROTECTION BILL, 2022
VISHNU SHANKER
Background
• The Ministry of Electronics and Information Technology (MeitY) on November 18 released the much-awaited Digital Personal Data Protection (DPDP) Bill, 2022, the fourth iteration of India’s draft data protection law.
• A data protection law has been in the works since 2017, when the Supreme Court, in the landmark Puttaswamy judgement, ruled that privacy is a fundamental right of Indian citizens, putting the government under the obligation to pass legislation to protect this right.
• MeitY has invited feedback from the public on the draft Bill by December 17, 2022. The feedback may be submitted on the MyGov website. Notably, MeitY has informed that “no public disclosure of the submissions will be made.”
• We will be updating this post with a guide to our coverage of the Bill: summaries, comparisons to previous iterations of the Bill, analysis, opinions, stakeholders’ feedback, etc.
Timeline of key events
• July 2018: After a year of consultations and deliberations, the PDP Bill, 2018, drafted by an expert committee headed by Justice BN Srikrishna, is presented to MeitY. Subsequently, MeitY begins drafting the next iteration of the Bill.
• December 2019: The PDP Bill, 2019, prepared by MeitY, is referred to a Joint Parliamentary Committee (JPC) for review and BJP MP Meenakshi Lekhi is appointed chairperson.
• December 2021: After multiple extensions and a leadership change, JPC Chairperson PP Chaudhary tabled the report of the JPC on the PDP Bill, 2019, as well as the draft Data Protection Bill 2021, in the parliament.
• August 2022: On August 3 this year, MeitY withdrew the Data Protection Bill 2021 from the parliament, stating that a more “comprehensive legal framework” will be presented soon.
• November 2022: On 18th November 2022 the new draft, now called the Digital Personal Data Protection Bill, 2022, was released. It has provisions on “purpose limitations” around data collection; specified grounds for collecting and processing personal data; penalties ranging from Rs 50 crore to Rs 500 crore; and a Data Protection Board as the adjudicating body to enforce the provisions of the Bill.
Definitions U/s 2
• “automated” means any digital process capable of operating automatically in response to instructions given or otherwise for the purpose of processing data;
• “data” means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means;
• “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;
• “Data Principal” means the individual to whom the personal data relates and, where such individual is a child, includes the parents or lawful guardian of such a child;
• “Data Processor” means any person who processes personal data on behalf of a Data Fiduciary;
• “harm”, in relation to a Data Principal, means:
  - any bodily harm; or
  - distortion or theft of identity; or
  - harassment; or
  - prevention of lawful gain or causation of significant loss;
• “loss” means:
  - a loss in property or interruption in supply of services, whether temporary or permanent; or
  - a loss of an opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of remuneration;
• “Person” includes an individual, a Hindu Undivided Family, a company, a firm, an association of persons or a body of individuals, whether incorporated or not, the State and every artificial juristic person not falling within any of the preceding sub-clauses;
Application of the Act U/s 4
• The provisions of this Act shall apply to the processing of digital personal data within the territory of India where such personal data is collected from Data Principals online; and
• For the purpose of this sub-section, “profiling” means any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a Data Principal.
• The provisions of this Act shall not apply to:
  - non-automated processing of personal data;
  - offline personal data;
  - personal data processed by an individual for any personal or domestic purpose; and
  - personal data about an individual that is contained in a record that has been in existence for at least 100 years.
Grounds for processing digital personal data U/s 5
• A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and Rules made thereunder, for a lawful purpose for which the Data Principal has given or is deemed to have given her consent in accordance with the provisions of this Act.
• For the purpose of this Act, “lawful purpose” means any purpose which is not expressly forbidden by law.
General obligations of Data Fiduciary U/s 9
• A Data Fiduciary shall, irrespective of any agreement to the contrary, or non-compliance of a Data Principal with her duties specified in this Act, be responsible for complying with the provisions of this Act in respect of any processing undertaken by it or on its behalf by a Data Processor or another Data Fiduciary.
• A Data Fiduciary shall make reasonable efforts to ensure that personal data processed by or on behalf of the Data Fiduciary is accurate and complete, if the personal data:
  - is likely to be used by the Data Fiduciary to make a decision that affects the Data Principal to whom the personal data relates; or
  - is likely to be disclosed by the Data Fiduciary to another Data Fiduciary.
  - Illustration: ‘A’ has instructed her mobile service provider ‘B’ to mail physical copies of monthly bills to her postal address. Upon a change in her postal address, ‘A’ duly informs ‘B’ of her new postal address and completes necessary KYC formalities. ‘B’ should ensure that the postal address of ‘A’ is updated accurately in its records.
• A Data Fiduciary shall implement appropriate technical and organizational measures to ensure effective adherence with the provisions of this Act.
• Every Data Fiduciary and Data Processor shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach.
• In the event of a personal data breach, the Data Fiduciary or Data Processor, as the case may be, shall notify the Board and each affected Data Principal, in such form and manner as may be prescribed. For the purpose of this section, “affected Data Principal” means any Data Principal to whom any personal data affected by a personal data breach relates.
• A Data Fiduciary must cease to retain personal data, or remove the means by which the personal data can be associated with particular Data Principals, as soon as it is reasonable to assume that:
  - the purpose for which such personal data was collected is no longer being served by its retention; and
  - retention is no longer necessary for legal or business purposes.
  - Illustration (A): ‘A’ creates an account on ‘X’, a Social Media Platform. As part of the process of creating the account, ‘A’ shares her personal data with ‘X’. After three months, ‘A’ deletes the account. Once ‘A’ deletes the account, ‘X’ must stop retaining the personal data of ‘A’ or remove the means by which the personal data of ‘A’ can be associated with ‘A’.
  - Illustration (B): ‘A’ opens a savings account with a bank. As part of KYC formalities, ‘A’ shares her personal data with the bank. After six months, ‘A’ closes the savings account with the bank. As per KYC rules, the bank is required to retain personal data for a period beyond six months. In this case, the bank may retain ‘A’s’ personal data for the period prescribed in KYC Rules because such retention is necessary for a legal purpose.
• Every Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or of a person who is able to answer, on behalf of the Data Fiduciary, the Data Principal’s questions about the processing of her personal data.
• Every Data Fiduciary shall have in place a procedure and effective mechanism to redress the grievances of Data Principals.
• The Data Fiduciary may, where consent of the Data Principal has been obtained, share, transfer or transmit the personal data to any Data Fiduciary, or engage, appoint, use or involve a Data Processor to process personal data on its behalf, only under a valid contract. Such Data Processor may, if permitted under its contract with the Data Fiduciary, further engage, appoint, use, or involve another Data Processor in processing personal data only under a valid contract.
Additional obligations of Significant Data Fiduciary U/s 11
• The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, on the basis of an assessment of relevant factors, including:
  - the volume and sensitivity of personal data processed;
  - risk of harm to the Data Principal;
  - potential impact on the sovereignty and integrity of India;
  - risk to electoral democracy;
  - security of the State;
  - public order; and
  - such other factors as it may consider necessary.
• The Significant Data Fiduciary shall:
  - appoint a Data Protection Officer who shall represent the Significant Data Fiduciary under the provisions of this Act and be based in India. The Data Protection Officer shall be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary. The Data Protection Officer shall be the point of contact for the grievance redressal mechanism under the provisions of this Act;
  - appoint an Independent Data Auditor who shall evaluate the compliance of the Significant Data Fiduciary with provisions of this Act; and
  - undertake such other measures, including Data Protection Impact Assessment and periodic audit in relation to the objectives of this Act, as may be prescribed.
• For the purpose of this section, “Data Protection Impact Assessment” means a process comprising description, purpose, assessment of harm, measures for managing risk of harm and such other matters with respect to processing of personal data, as may be prescribed.
Right to information about personal data U/s 12
The Data Principal shall have the right to obtain from the Data Fiduciary:
• the confirmation whether the Data Fiduciary is processing or has processed personal data of the Data Principal;
• a summary of the personal data of the Data Principal being processed or that has been processed by the Data Fiduciary, and the processing activities undertaken by the Data Fiduciary with respect to the personal data of the Data Principal;
• in one place, the identities of all the Data Fiduciaries with whom the personal data has been shared, along with the categories of personal data so shared; and
• any other information as may be prescribed.
Duties of Data Principal U/s 16
• A Data Principal shall comply with the provisions of all applicable laws while exercising rights under the provisions of this Act.
• A Data Principal shall not register a false or frivolous grievance or complaint with a Data Fiduciary or the Board.
• A Data Principal shall, under no circumstances, including while applying for any document, service, unique identifier, proof of identity or proof of address, furnish any false particulars or suppress any material information or impersonate another person.
• A Data Principal shall furnish only such information as is verifiably authentic while exercising the right to correction or erasure under the provisions of this Act.
Transfer of personal data outside India U/s 17
• The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.
Exemptions U/s 18
• The provisions of Chapter 2 except sub-section (4) of section 9, Chapter 3 and Section 17 of this Act shall not apply where:
  - the processing of personal data is necessary for enforcing any legal right or claim;
  - the processing of personal data by any court or tribunal or any other body in India is necessary for the performance of any judicial or quasi-judicial function;
  - personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law;
  - personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India.
• The Central Government may, by notification, exempt from the application of provisions of this Act the processing of personal data:
  - by any instrumentality of the State in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these; and
  - necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with standards specified by the Board.
• The Central Government may, by notification, having regard to the volume and nature of personal data processed, notify certain Data Fiduciaries
Data Protection Board of India U/s 19
• The Central Government shall, by notification, establish, for the purposes of this Act, a Board to be called the Data Protection Board of India. The allocation of work, receipt of complaints, formation of groups for hearing, pronouncement of decisions, and other functions of the Board shall be digital by design.
• The strength and composition of the Board and the process of selection, terms and conditions of appointment and service, and removal of its Chairperson and other Members shall be such as may be prescribed.
• The chief executive entrusted with the management of the affairs of the Board shall be such individual as the Central Government may appoint, and the terms and conditions of her service shall be such as the Central Government may determine.
• The Board shall have such other officers and employees, with such terms and conditions of appointment and service, as may be prescribed.
• The Chairperson, Members, officers and employees of the Board shall be deemed, when acting or purporting to act in pursuance of provisions of this Act, to be public servants within the meaning of section 21 of the Indian Penal Code.
• No suit, prosecution or other legal proceedings shall lie against the Board or its Chairperson, Member, employee or officer for anything which is done or intended to be done in good faith under the provisions of this Act.
Functions of the Board U/s 20
• The functions of the Board are:
  - to determine non-compliance with provisions of this Act and impose penalty under the provisions of this Act;
  - to perform such functions as the Central Government may assign to the Board under the provisions of this Act or under any other law by an order published in the Official Gazette.
• The Board may, for the discharge of its functions under the provisions of this Act, after giving a person a reasonable opportunity of being heard and for reasons to be recorded in writing, issue such directions from time to time as it may consider necessary to such person, who shall be bound to comply with the same.
• The Board may, in the event of a personal data breach, direct the Data Fiduciary to adopt any urgent measures to remedy such personal data breach or mitigate any harm caused to Data Principals.
• The Board may, on a representation made to it or on its own motion, modify, suspend, withdraw or cancel any direction issued under sub-section (2) and, in doing so, may impose such conditions as it may deem fit, subject to which the modification, suspension, withdrawal or cancellation shall have effect.
Process to be followed by the Board to ensure compliance with the provisions of the Act U/s 21
• The Board shall function as an independent body and, as far as possible, function as a digital office and employ such techno-legal measures as may be prescribed.
• The Board may, on receipt of a complaint made by an affected person, or on a reference made to it by the Central Government or a State Government, or in compliance with the directions of any court, or in case of non-compliance with section 16 of this Act by a Data Principal, take action in accordance with the provisions of this Act.
• The Board may authorise the conduct of proceedings relating to complaints by individual Members or groups of Members.
• The Board shall first determine whether there are sufficient grounds to proceed with an inquiry. In case the Board determines that there are insufficient grounds, it may, for reasons recorded in writing, close such proceeding.
• In case the Board determines that there are sufficient grounds to proceed with an inquiry, it may, for reasons recorded in writing, inquire into the affairs of any person for ascertaining whether such person is complying with or has complied with the provisions of this Act.
• The Board shall conduct such inquiry following the principles of natural justice, including giving a reasonable opportunity of being heard, and shall record reasons for its actions during the course of such inquiry.
• For the purpose of conduct of an inquiry under this section, the Board shall have powers to summon and enforce the attendance of persons, examine them on oath and inspect any data, book, document, register, books of account or any other document.
• An inquiry under this section shall be completed at the earliest. The Board or its officers shall not prevent access to any premises or take into custody any equipment or any item that may adversely affect the day-to-day functioning of a person.
• The Board may require the services of any police officer or any officer of the Central Government or a State Government to assist it for the purposes of this section, and it shall be the duty of every such officer to comply with such requisition.
• During the course of the inquiry, if the Board considers it necessary for preventing non-compliance with the provisions of this Act, it may, for reasons to be recorded in writing, issue interim orders after giving the concerned persons a reasonable opportunity of being heard.
• On conclusion of the inquiry and after giving the concerned persons a reasonable opportunity of being heard, if the Board determines that non-compliance by a person is not significant, it may, for reasons recorded in writing, close such inquiry. If the Board determines that the non-compliance by the person is significant, it shall proceed in accordance with section 25 of this Act.
• At any stage after receipt of a complaint, if the Board determines that the complaint is devoid of merit, it may issue a warning or impose costs on the complainant.
• Every person shall be bound by the orders of the Board. Every order made by the Board shall be enforced by it as if it were a decree made by a Civil Court. For the purpose of this sub-section, the Board shall have all the powers of a Civil Court as provided in the Code of Civil Procedure, 1908.
Review and Appeal U/s 22
• The Board may review its order, acting through a group for hearing larger than the group which held proceedings in a matter under section 21, on a representation made to it or on its own, and, for reasons to be recorded in writing, modify, suspend, withdraw or cancel any order issued under the provisions of this Act and, in doing so, may impose such conditions as it may deem fit, subject to which the modification, suspension, withdrawal or cancellation shall have effect.
• An appeal against any order of the Board shall lie to the High Court. Every appeal made under this section shall be preferred within a period of sixty days from the date of the order appealed against.
• No civil court shall have the jurisdiction to entertain any suit or take any action in respect of any matter under the provisions of this Act, and no injunction shall be granted by any court or other authority in respect of any action taken under the provisions of this Act.
Financial Penalty U/s 25
• If the Board determines on conclusion of an inquiry that non-compliance by a person is significant, it may, after giving the person a reasonable opportunity of being heard, impose such financial penalty as specified in Schedule 1, not exceeding rupees five hundred crore in each instance.
• While determining the amount of a financial penalty to be imposed under sub-section (1), the Board shall have regard to the following matters:
  - the nature, gravity and duration of the non-compliance;
  - the type and nature of the personal data affected by the non-compliance;
  - the repetitive nature of the non-compliance;
  - whether the person, as a result of the non-compliance, has realized a gain or avoided any loss;
  - whether the person took any action to mitigate the effects and consequences of the non-compliance, and the timeliness and effectiveness of that action;
  - whether the financial penalty to be imposed is proportionate and effective, having regard to achieving compliance and deterring non-compliance with the provisions of this Act; and
  - the likely impact of the imposition of the financial penalty on the person.
Note: The draft is up for public consultation until December 17, and the final version is expected to be tabled in the Budget session of Parliament next year (2023).
Sources:
• Notice: Public Consultation on DPDP 2022
• The Digital Personal Data Protection Bill, 2022: https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Protection%20Bill%2C%202022.pdf
• Explanatory Note: The Digital Personal Data Protection Bill, 2022
• The Personal Data Protection Bill, 2019
• The Personal Data Protection Bill, 2018