The Digital Personal Data Protection Bill, 2022

Introduction

The 21st century has witnessed a rapid rise in use of the internet. With nearly 5.07 billion users around the world at present, this new age phenomenon has given rise to the famous axiom of our times, “data is the new gold”.

In order to carefully cultivate, process and regulate the “new gold”, several sovereign entities have attempted to legislate on the protection and safeguard of data. The European Union's General Data Protection Regulation¹ is often hailed as the gold standard for data protection laws. Several other entities such as Australia, China and the United States of America have attempted to successfully legislate on the usage of data along with the European Union.

India too, attempted to legislate on the topic through the Digital Personal Data Protection Bill, 2022² which is India's fourth experiment at trying to create holistic data protection legislation.

Applicability

The provisions of the Bill are applicable to the processing of personal digital data collected online or to the digitisation of offline data.

Furthermore, it will also be applicable to processing of personal data outside the territory of India if it is connected to profiling and provision of goods and services of data principals within Indian territory.

Obligations of a data fiduciary

A data fiduciary is obliged to process personal data of a data principal for lawful purposes for which a data principal has given or is deemed to have given her consent in accordance with the provisions of this Act.

Data fiduciaries are obligated to provide an itemised notice to the data principal in clear and plain language regarding the data sought to be collected as well as the data finally collected.

A data fiduciary must provide adequate safeguards to protect personal data breach, and in case a breach occurs it must inform each data principal and the Data Protection Board in manner prescribed.

Data fiduciaries should also provide an apparatus for grievance redressal to data principals.

Rights of data principal

A data principal can give, manage, review, or withdraw his/her consent through an accessible, transparent, and interoperable platform.

The Bill also provides the data principal with the right to correction and erasure of his/her personal data, which is conceived to be a desirable inclusion.

The data principal shall have the right to register a grievance with the data fiduciary and may register the case with the Board in case of no reply within the stipulated time-frame.

Transfer of data

The Central Government may notify such countries or territories outside India to which a data fiduciary may transfer personal data in accordance with the specified terms and conditions.

Exemptions

The Central Government may, by notification, exempt the application of provisions of this Act.

The Central Government may exempt any instrumentality of the State in the interest of protecting the sovereignty and integrity of the country, security of the State, friendly relations with foreign States, maintaining public order or for preventing incitement to any cognizable offence relating to any of these.

The instrumentalities of the State are exempted from complying with provisions of sub-section (6) read along with Section 9³ of the Act. In simple terms, instrumentalities of the State are not required to cease retention of personal data or remove means by which personal data can be associated with particular data principals.

Data Protection Board of India

The Central Government should by law establish Data Protection Board and prescribe the strength and composition of the Board along with the process for selecting members, establish the terms and conditions of appointment and service, and procedures involved in the removal of its chairperson and other members.

The Board shall primarily be concerned with the determination of non-compliance with provisions of the Act and impose penalty under the provisions of the Act.

In addition to this, the Board shall also perform functions periodically assigned by the Central Government.

Positives

The Bill has been widely praised for the concise, precise, and simple manner in which it has been framed, making it easier to read and understand it. Furthermore, several additions to this Bill are welcome changes from the previous versions of the data protection legislation.

Firstly, it puts an obligation on data fiduciaries to provide an itemised notice to the data principal in clear and plain language regarding the data sought to be collected as well as the data finally collected by the data fiduciary. This will help enhance transparency in transactions of personal data between the data fiduciary and the data principal.

In addition to this, it also allows a data principal to withdraw his/her consent through a consent manager. Moreover, it also provides the data principal with the right to correction and erasure of his/her personal data, which is a desirable inclusion as it provides ample security to the data principal, which is the need of the hour in the fast developing and transforming area of data privacy.

Moreover, it has mandated all data fiduciaries to have an effective grievance redressal mechanism in place for the benefit of the data principals.

Lastly, the Bill grants powers to the Central Government to allow transfer of data to territories outside India in specific cases. This is a shift from the stringent stance of data localisation that was envisaged in the previous drafts of data protection legislations.

However, like any other Bill or piece of legislation, the current draft of the Digital Personal Data Protection Bill, 2022, has certain limitations that need to be addressed and reconsidered for the benefit of all parties concerned.

Drawbacks

First, the Bill states that the data principal is said to have deemed consent for serving the larger “public interest”. The definition as to what constitutes “public interest” is very wide and includes sovereignty and integrity of India, security of State, friendly relations with foreign States and maintaining public order. This can be misused against data principals leading to authoritative misuse of their personal data.

In addition to this, it grants the Central Government the power to exempt any “instrumentality of the State” from the provisions of the Act. Further, the “instrumentalities of the State” are not obliged to cease retention of personal data or remove means by which personal data can be associated with particular data principals. Such sweeping provisions grant excessive powers to the Central Government and fail to address the protection desired by the data principals from authorities of the State.

Moreover, it envisages the creation of Data Protection Board to safeguard the rights of data principals; however, it grants the Central Government extraordinary rights with respect to strength, composition, process of selection, terms, and conditions as well as appointment and removal of chairpersons and members. This is a significant step back from the Data Protection Authority envisaged in the Personal Data Protection Bill, 2019⁴.

There is an ardent need to create a data protection authority which is truly independent, and whose composition and functioning is not solely in the hands of the Central Government.

The Bill also seeks to amend the Right to Information Act, 2005⁵ since it makes it impossible to obtain personal information in totality. Under the previous data protection legislations, personal information could be provided if there was a larger issue of public importance involved, which has been negated in the current draft.

Lastly, the Bill does not adequately deal with the issue of surveillance. With the rise of surveillance States in different parts of the world, it is imperative that a data protection legislation provide sufficient safeguards to protect data principals from possible surveillance and their data being used against them.

Table 1

India's Personal Digital Data Protection Bill, 2022, and European Union's General Data Protection Regulation: A Comparative Analysis

(Source: Author)

Principle	India's Personal Digital Data Protection Bill, 2022	EU GDPR
Scope	The provisions of the Act are applicable to the processing of personal digital data collected online or digitised offline data. Further, it is also applicable to processing of personal data outside the territory of India if it is connected to profiling and provision of goods and services data principals within Indian territory.	Applicable to organisations that have an establishment in the European Union (EU) and process personal data in the EU establishment. In addition to this, it is also applicable to other organisations that offer goods or services in the EU or monitor the behaviour of individuals in the EU.
Processing of Data	There are eight main legal grounds on which personal data can be processed: consent, performance of function under law or providing any benefit, compliance with judgment or law, medical emergency, health services, to ensure safety or provide assistance in case of disasters, services related to employment and public interest.	There are six main legal grounds for the lawfulness of personal data processing: consent, performance of a contract, legitimate interest, vital interest, legal requirement, and public interest.
Right of Transparency	The Act states that data fiduciaries are obligated to provide an itemised notice to the data principal in clear and plain language regarding the data sought to be collected as well as the data finally collected.	The GDPR provides that information must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. In addition to this, when data is collected directly from the data subject, notice regarding the collection and purpose must be given prior to the collection of data, and when it is collected indirectly, the data subject must be informed within a month from the collection of the data.
Right to Access	The data principal has the right to obtain a a summary of personal data being processed or that has been processed by the data fiduciary and the processing activities undertaken by the data fiduciary with respect to the personal data.	The data subjects have the right to receive information about how their personal data is processed and can ask for a copy of their data which is being processed by the organisation. However, in cases where personal data of other data subjects may be compromised or intellectual property rights violated, the organisations are not obligated to provide access to data.
Right to be Forgotten	The Act only provides for the Right to Erasure of Data and has no explicit provisions with respect to the Right to be Forgotten.	The EU GDPR provides the data subject with the Right to be Forgotten as well as the Right to Erasure of Data where the data subject withdraws consent, objects to processing or where processing is unlawful.
Rights of Minors	The data fiduciary shall, before processing any personal data of a child, obtain verifiable parental consent in such manner as may be prescribed. Parental consent includes the consent of lawful guardian, where applicable.	Any individual below the age of 16 is a minor. Consent of the parent/guardian is necessary for processing data of a minor.

Conclusion

The Personal Digital Data Protection Bill, 2022, is a necessary step in the right direction as India is in dire need of a holistic data protection legislation for its ever-growing number of internet users, which currently stands at 749 million according to certain estimates.

The Government must consult all stakeholders to present a Bill that is clear, concise, unambiguous and caters to commercial, governmental as well interests of the common man.

In order to achieve the objective of creating a balanced data protection legislation, it is important to bring instrumentalities of the State, businesses, data principals and data fiduciaries on a single platform and conduct rigorous discussions to give India the Data Protection Bill it deserves.