After the withdrawal of the earlier Personal Data Protection Bill, 2019 ("PDP Bill"), the Ministry of Electronics and Information Technology has released a new Digital Personal Data Protection Bill, 2022 ("DPDP Bill"), which adopts a simpler approach to handling 'personal data' than its predecessor. The DPDP Bill covers several key principles pertaining to the lawful use of personal data, limitation on the collection of personal data, data minimisation, data storage and the accountability of the person processing personal data.
Key Provisions of the DPDP Bill and our Analysis
The focus of this article is to discuss some of the key aspects of the DPDP Bill and critically analyse any areas of concern:
- Scope and Application: The DPDP Bill applies to 'personal data' (i.e., any data about an individual who is identifiable by or in relation to such data) which is processed digitally, including personal data collected online as well as personal data collected offline which is digitised for processing. However, unlike the earlier PDP Bill, which had brought manual processing of data by small entities within its purview, it does not cover personal data processed manually. The DPDP Bill extends its scope to the processing of digital personal data outside the territory of India if such processing is in connection with any profiling of, or activity of offering goods or services to, individuals within the territory of India. While the PDP Bill had categorised personal data into sensitive and critical personal data, the DPDP Bill has no such classification, and this may oversimplify the criticality of protecting sensitive personal data.
- Obligations of Data Fiduciary: A data fiduciary under the DPDP Bill is a person who, alone or together with other persons, determines the purpose and means of processing personal data, and has been subjected to several obligations, including the following:
  - Every data fiduciary is required to process personal data for lawful purposes only and with the consent of the data principal, i.e., the individual whose personal data is processed. The data fiduciary is required to issue a notice to the data principal describing each type of personal data sought to be collected and the purposes of processing such personal data. The notice to be issued to users should be in easy and plain language.
  - When processing the personal data of children, i.e., users under the age of 18, data fiduciaries are required to obtain verifiable consent from the parents. The DPDP Bill has prescribed a penalty of up to ₹200,00,00,000/- (Rupees Two Hundred Crore) for non-fulfilment of the additional obligations imposed on the data fiduciary with respect to the processing of personal data of children.
  - In case of withdrawal of consent by a data principal to the processing of personal data, the data fiduciary is obliged to cease, and to cause its data processors to cease, processing the personal data of such data principal within a reasonable time period, unless such processing without the data principal's consent is authorised under the DPDP Bill or any other law.
  - In the event of a personal data breach, both the data fiduciary and the data processor, i.e., any person who processes personal data on behalf of a data fiduciary, are required to notify the Data Protection Board ("Board") proposed under the DPDP Bill, and each affected data principal. However, no time frame has been prescribed within which such notification has to be made. Notably, the Joint Parliamentary Committee report on the PDP Bill ("JPC Report") had suggested that companies should report data breaches within a period of 72 (seventy-two) hours.
  - Further, any data fiduciary or data processor that fails to ensure reasonable security safeguards to prevent a personal data breach may be fined as much as ₹250,00,00,000/- (Indian Rupees Two Hundred and Fifty Crore), whereas the earlier PDP Bill had proposed a penalty of ₹15,00,00,000 (Rupees Fifteen Crores) or 4% (four percent) of the company's total worldwide annual turnover, whichever is higher. It is apparent that severe penalties are being imposed to ensure strict compliance.
- Rights of Data Principal: The data principal, i.e., the individual to whom the personal data relates, has certain rights under the DPDP Bill, including the:
  - right to obtain confirmation from the data fiduciary on whether the personal data of the data principal is being processed, a summary of the personal data of the data principal being processed by the data fiduciary and the processing activities undertaken by the data fiduciary, and the identities of all the data fiduciaries with whom the personal data has been shared along with the categories of personal data so shared;
  - right to make a request to the data fiduciary for correction, completion, updating and erasure of personal data that is no longer necessary for the purpose for which it was processed;
  - right to nominate an individual who will exercise these rights in the event of the death or incapacity of the data principal; and
  - right of grievance redressal by registering a grievance with the data fiduciary, or by registering a complaint with the Board in case of dissatisfaction with the response of the data fiduciary or in case no response is received from the data fiduciary.
  - Surprisingly, the 'right of portability' of the data principal, which could have allowed users to port or systematically transfer personal data from one data fiduciary to another, has been left out, and this possibly interferes with the spirit of consumer welfare and competitiveness among data fiduciaries.
- Duties of Data Principal: A data principal is under an obligation not to register a false or frivolous complaint with a data fiduciary or the Board; not to furnish any false particulars, suppress any material information or impersonate another person while applying for any document, service, unique identifier, proof of identity or proof of address; and to provide information that is verifiably authentic while exercising their right to correction or erasure. The DPDP Bill has introduced a penalty of up to ₹10,000/- (Rupees Ten Thousand) on the data principal for failure to comply with these proposed obligations.
- Data Protection Board: The DPDP Bill provides for the establishment of an independent Board, namely the Data Protection Board, to function as an adjudicating body that enforces the provisions of the Bill and imposes penalties in cases of non-compliance. In the event of a personal data breach, the Board has been given the power to direct the data fiduciary to adopt any urgent measures to remedy such breach or mitigate any harm caused to data principals. However, the independence of such an important functionary may come under scrutiny, as matters concerning the strength and composition of the Board and the appointment and service conditions of the chief executive, chairperson and other members of the Board have been left to the discretion of the Government of India.
  - Further, in case of an inquiry by the Board, the DPDP Bill does not specify any time limit for completion of the inquiry. The DPDP Bill has done away with the establishment of an Appellate Tribunal and lays down that an appeal against an order of the Board would lie to the High Court. In appropriate cases, the Board has been given the power to direct alternative dispute resolution to resolve disputes between the concerned parties.
- Financial Penalties: The amount of a financial penalty would be determined by the Board based on factors which inter alia include the gravity, nature and duration of the non-compliance, the type and nature of personal data affected by the non-compliance and the likely impact of the imposition of the financial penalty on the concerned person. If the non-compliance by a person is found to be significant, then the Board has the power to impose a penalty of up to ₹500,00,00,000/- (Rupees Five Hundred Crore), provided that such person has been given a reasonable opportunity of being heard.
- Cross-border transfer of personal data: The DPDP Bill has eased the data localisation requirement proposed under the JPC Report and permits the unrestricted transfer of personal data by a data fiduciary to those countries or territories outside India which are notified by the Central Government. While this resonates with the ease of doing business, there is no clarity regarding the factors on which the Government would notify such trusted countries or territories, which could be granted access to all kinds of personal data of Indian residents.
- Exemptions from Applicability: The DPDP Bill gives the Government the power to exempt any instrumentality of the state in the interests of the sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order etc., without any explanation. The exemptions under the DPDP Bill give wide discretionary powers to the Government and do not take into consideration the JPC Report's recommendation to have a 'just, fair, reasonable and proportionate' procedure in place before allowing any such exemption.
The DPDP Bill is an attempt by the Government to formulate a simply worded and comprehensible law on data protection in the country, as opposed to the earlier PDP Bill, which was criticised by businesses and start-ups for being compliance intensive. However, in an endeavour to narrow down the earlier draft, the DPDP Bill has missed out on clarifying several provisions. For instance, the DPDP Bill has introduced the concept of 'deemed consent' in broad and vague terms, by allowing the processing of personal data without the individual's consent based on several wide factors which inter alia include the maintenance of public order, purposes related to employment, the public interest including credit scoring and recovery of debt, and any fair and reasonable purposes including the reasonable expectations of the data principal. As the balance between the individual's right to privacy and the data fiduciary's ability to assume 'deemed consent' is missing, this aspect of the law could be a contentious issue.
Despite the recommendation under the JPC Report, the DPDP Bill has kept the 'non-personal data' of the individuals such as information collected by the Government, NGOs and other private sector entities, outside its ambit.
The use of phrases such as 'as it may consider necessary' and 'as may be prescribed' can lead to administrative ambiguities. The autonomy of the Board, which is entrusted with overseeing the protection of individuals' personal data and ensuring compliance with the provisions of the law, is not reassuring.
Further, the Government and its instrumentalities can retain personal data for an indefinite period irrespective of whether the purpose for which data was processed has been fulfilled.
There is no mechanism to ensure the accountability of those Government agencies or data fiduciaries who are exempted from the purview of the Act, particularly in view of the concerns around digital surveillance by Government functionaries. Undeniably, the Government needs to bring in a codified data protection regime at the earliest; however, the DPDP Bill in its current form requires careful recalibration to bridge some of the gaps discussed above.
LexCounsel provides this e-update on a complimentary basis solely for informational purposes. It is not intended to constitute, and should not be taken as, legal advice, or a communication intended to solicit or establish any attorney-client relationship between LexCounsel and the reader(s). LexCounsel shall not have any obligations or liabilities towards any acts or omission of any reader(s) consequent to any information contained in this e-newsletter. The readers are advised to consult competent professionals in their own judgment before acting on the basis of any information provided hereby.