- INTRODUCTION
1.1. On November 18, 2022, the Ministry of Electronics and Information Technology released the fourth iteration of India's draft data protection law, the Digital Personal Data Protection Bill, 2022 ("Bill"). With the aim of simplification, the Bill has reduced the number of provisions from 90+ sections (as was in the draft Data Protection Bill, 2021, as recommended by the expert committee) to 30 sections. While the business-friendly outlook of the Bill has been welcomed, criticisms have been raised by industry that the simplification is excessive.
1.2. The Bill also fails to recognize the fundamental right to privacy of individuals, which is in contrast with the previous iterations of the Bill (as established in the case of K.S. Puttaswamy v. Union of India1). This is an irony, considering the fact that the Bill is the outcome of an exercise undertaken to safeguard the right to privacy of individuals. Further, the Bill also narrows the scope of the law from data protection to protection of digital personal data (thereby excluding non-personal data and offline data processing from its purview). Additionally, myriad provisions in the Bill are subject to determination by the central government, 'as may be prescribed', or by an equivalent clause. This may create the unguided and arbitrary power for the central government to frame rules under the Bill.
The salient features of the Bill are captured below.
- SALIENT FEATURES OF THE BILL
2.1. Applicability. The Bill covers processing of digital personal data within the territory of India where: (a) such personal data is collected from Data Principals2 online; or (b) such personal data is collected offline and then digitized. It also applies to processing of digital personal data outside the territory of India, if it is in connection with any profiling or offering of goods or services to Data Principals within the territory of India. It, however, does not apply to the processing of data of foreign residents in India by an entity in India (where such processing is done pursuant to a contract between such Indian entity and the person resident outside India). The Bill also excludes the non-automated processing of personal data and personal data processed for individual or domestic purposes.
2.2. Personal data. The Bill applies to processing of 'personal data' i.e., any data about an individual who is identifiable by or in relation to such data. Tiered regulations for specific categories of personal data, such as sensitive personal data, critical data etc., have been done away with.
2.3. Notice requirement. The Data Fiduciary3 is required to give notice to the Data Principal, describing the personal data sought to be collected from the Data Principal, and the purpose for its processing. The Bill also requires that notice should be given by the Data Fiduciary as soon as reasonably practicable, if Data Principals have provided their consent to the collection of personal data prior to the commencement of the Bill. The notice must be presented in a form 'as may be prescribed'. Further, the Data Principal must be given the option to access the notice in English or any of the 22 languages specified in the Eighth Schedule to the Constitution of India.
Download
Infolex_Draft_digital_personal_data_protection_bill_2022.pdf (induslaw.com)
Footnotes
1 (2017) 10 SCC 1, AIR 2017 SC 4161.
2 Section 2(6) of the Bill defines data principals as the "individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child" ("Data Principal/s").
3 Section 2(5) of the Bill defines data fiduciaries as "any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data" ("Data Fiduciary/ies").
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
