In November 2022, the Ministry of Electronics and Information Technology (MeitY) published its Digital Personal Data Protection Bill, 2022.
The Digital Personal Data Protection Bill of 2022 is an important piece of legislation that seeks to protect citizens’ rights concerning personal data. It outlines the duties and responsibilities imposed on both parties involved in collecting, processing, or using such information.
What happened to India’s Personal Data Protection Bill, 2019?
The Personal Data Protection Bill, 2019 was a proposed bill in India that aimed to protect the personal data of Indian citizens. The bill had undergone several delays and changes before being proposed, and this was reportedly the fourth attempt by the Indian government to present a bill on data protection.
The immediate driver for the personal data protection bill in India was the Supreme Court’s judgment that declared privacy to be a fundamental right. This decision came as the constitutionality of India’s biometric identification program, Aadhaar, was being challenged. In response, the Indian government assured the court that it would bring in a law to protect personal data privacy and formed a committee, led by former Supreme Court justice Srikrishna, to propose such a law.
The Personal Data Protection Bill (PDP Bill), 2019 was introduced by the Indian government in late 2019. However, in August 2022, the Minister of State for Electronics and IT, Rajeev Chandrasekhar, announced that the government had withdrawn the Personal Data Protection Bill that was formulated in 2018 and rewritten by the JPC in 2021, adding that new legislation by the government would be tabled in the parliament “very quickly”.
All about India’s Digital Personal Data Protection Bill, 2022
During the drafting of the Personal Data Protection Bill, 2019, stakeholders widely debated and discussed various principles. These consultations and discussions helped shape the provisions of the draft Digital Personal Data Protection Bill, 2022.
Here’s an overview of the newly presented bill.
Scope of the Bill
The bill applies to the automated processing of personal data, which includes data collected online as well as data collected offline and then digitized.
The law also has extra-territorial applicability, meaning it applies to cases where personal data is being processed outside of India for the profiling of Indian residents or for the provision of goods or services to Indian residents. This means that even a company or organization that is not based in India will be subject to the provisions of the bill if it processes the personal data of Indian citizens or offers goods or services to Indian citizens.
However, the bill excludes certain types of processing from its applicability, such as non-automated processing, processing of offline personal data, and processing for personal or domestic use.
Obligations of Data Fiduciaries
The Digital Personal Data Protection Bill outlines the general obligations of data fiduciaries, which include the primary responsibility to process personal data only for a lawful purpose for which the data principal has given consent or is deemed to have given consent. This means that data fiduciaries are only allowed to process personal data for specific reasons and purposes for which the individual has given their consent.
Additionally, the bill requires data fiduciaries to give an option to Data Principals to access the privacy notice in English or any scheduled language. This is intended to ensure that individuals are fully informed about how their personal data is being collected, used, and stored and that they can make an informed decision about whether to give their consent.
Consent managers may be used by Data Principals for giving or reviewing consent, and every consent manager is required to be registered with the Data Protection Board. This will help to ensure that individuals have a proper channel to give or review their consent and that their personal data is protected.
Rights and Duties of Data Principal
1. Right to information about personal data.
Through Article 12 of the Bill, individuals are empowered with the right to access key information regarding their personal data. This includes confirmation around processing activities as well as summaries and identities related to any other entities that have accessed this data, along with a breakdown of what type of detail has been exchanged.
2. Right to correction of personal data
Data principals are now able to maintain and control their personal data with the right to correction, updating, completion, and erasure as stated in Article 13 of the Bill.
3. Right of grievance redressal
Article 15 of the Bill gives people control over how their data is used, providing them with a route to redress if they feel that it has been mishandled. With this article in place, individuals can take any grievances to the relevant fiduciary and even escalate complaints further up to the Board should responses be unsatisfactory or non-existent.
4. Right to nominate
Data Principals can nominate anyone to act on their behalf in the unfortunate event of death or incapacity.
The term “incapacity” refers to a physical or mental state that prevents an individual from exercising their rights under this Act.
5. Duties of data principals
The Digital Personal Data Protection Bill, 2022 also lists various duties for data principals, which are individuals who have personal data processed by data fiduciaries. The explanatory note of the bill explains that the inclusion of these duties aims to ensure that there is no misuse of rights and that the exercise of rights does not lead to adverse effects on the rights of others.
For example, Article 16(2) of the bill prohibits data principals from registering false or frivolous grievances or complaints with a data fiduciary or the Data Protection Board. This is intended to prevent abuse of the complaint and grievance mechanism and ensure that the data fiduciary and the board can focus on legitimate complaints and grievances.
Furthermore, the bill also includes specific prohibitions and penalties for data principals who provide false or misleading information while giving their consent, which can lead to an adverse effect on the rights of others.
Special Provisions
The bill contains provisions on cross-border transfers of personal data and exemptions. The bill allows for the transfer of personal data outside of India to notified countries and territories based on an assessment of certain factors by the Central Government. This assessment will ensure that the country or territory to which the data is transferred has an adequate level of data protection.
Exemptions are also carved out for certain types of data processing activities such as the processing of personal data for judicial functions, for the prevention of offenses, for actions by State instrumentalities, and the enforcement of legal rights. These exemptions are intended to ensure that important public interests, such as the administration of justice, criminal investigations, and national security, are not hindered by data protection regulations.
Compliance Framework
The bill also focuses on the framework, composition, and structure of the Data Protection Board of India (DPB). The DPB will be the main regulatory body responsible for enforcing the provisions of the bill and protecting the rights of individuals concerning their personal data.
It focuses on the methods of grievance redressal, review, appeal, dispute resolution, and penalties. It provides an efficient and effective mechanism for individuals to raise complaints or grievances about the processing of their personal data. The DPB also has the power to investigate and enforce penalties for violations of the bill.
What are the penalties for non-compliance?
The Bill provides the Board with substantial authority to address non-compliance through financial penalties, up to a maximum of INR 500 crore. To ensure that this power is not abused and that criminalization is avoided, detailed regulations are laid out in Schedule 1 of the bill.
How to deal with non-compliance at your workplace?
Dealing with non-compliance at the workplace can be a complex process, and the specific steps to take will depend on the nature of the non-compliance and the policies and procedures in place at your workplace.
Are you collecting the right data, storing and protecting it with the right access?
ZNetLive is ready to help with Acronis, a complete cyber protection solution. Acronis is a global software company that provides data protection and disaster recovery solutions. The PDP Bill aims to enhance data privacy and security, which aligns with the goals of Acronis and the services it provides.
With Acronis, you can protect your business from crippling financial penalties with secure data storage and backups at India-approved sites. Our advanced defense systems can put the brakes on malware attacks, so you can rest assured that confidential information is safe and sound.
To get more information, contact us by dropping a comment below or directly reaching us via email: sales@znetlive.com.
It’s important to note that the Digital Personal Data Protection Bill, 2022 has not yet been passed, so you should also be aware of the laws and regulations that currently apply to your workplace and ensure that you comply with those.