The Digital Personal Data Protection Bill, 2022: Analysis
Dec 26, 2022
The Ministry of Electronics and Information Technology (MeitY) issued the Digital Personal Data Protection Bill, 2022, on Friday, 18 November. It is a concise 24-page Bill drafted after analyzing the data privacy laws of the European Union (EU), Singapore, Australia, and the United States.
The most recent iteration of India’s Data Protection Bill is the country’s fourth attempt to enact such a law. It addresses only personal data and concentrates on safeguards for digital personal data. The Bill is now open for public feedback, and the government is expected to present it in Parliament during the 2023 budget session.
Read on to find out more about the Digital Personal Data Protection Bill, 2022, and the impact it will have on Data Principals and Data Fiduciaries.
What is a Data Protection Act?
The Data Protection Act seeks to provide guidelines for the processing of digital personal data. It focuses on all digital personal data processing in a way that acknowledges the necessity to process personal data for legitimate reasons and matters related to or incidental to those goals, as well as the right of persons to have their personal data protected.
Overview of the Digital Personal Data Protection Bill, 2022:
The goal of the Digital Personal Data Protection Bill 2022 is to establish a balance between Data Principals’ rights to secure their digital personal data and Data Fiduciaries’ obligations to process that data. Let us provide you with an overview of “The Digital Personal Data Protection Bill, 2022.”
1. Scope and application of Digital Personal Data Protection Bill, 2022:
The Digital Personal Data Protection Bill 2022 applies only to the processing of digital personal data within the territory of India. This covers data collected online as well as offline data that has been converted to digital form for processing. It also covers the processing of digital personal data outside the territory of India, but only if such processing relates to profiling, or offering goods or services to, Data Principals within the territory of India. The Bill excludes offline data and data processed for personal purposes. Additionally, it does not apply when personal data is processed manually.
2. Obligations of Data Fiduciary:
A Data Fiduciary is any person who, alone or in partnership with others, determines the purpose and the means of processing personal data. The Digital Personal Data Protection Bill, 2022 sets out a Data Fiduciary’s obligations when processing the Data Principals’ digital personal data, since a Data Fiduciary must be aware of its obligations. The Bill places strong emphasis on consent for data processing, giving Data Principals the greatest control over their personal information. The obligations of a Data Fiduciary are as follows:
Grounds for processing digital personal data: The Data Fiduciary should only process the personal data of the Data Principal lawfully and with their consent.
Notice: The Data Fiduciary is required to give the Data Principal a notice requesting its consent in clear and plain language that is written in either English or any other language listed in the Eighth Schedule to the Indian Constitution, outlining the personal data that will be sought to be collected and its intended use.
Consent: The Data Fiduciary should obtain consent before processing the Data Principal’s personal data for the intended purpose. The consent request should be communicated simply and concisely, in English or any other language listed in the Eighth Schedule to the Indian Constitution. The Data Principals may grant, manage, review, or withdraw their consent to the Data Fiduciary. Unless processing without the Data Principal’s consent is permitted under the Bill or any other law, the Data Fiduciary must cease processing and ensure that its Data Processors stop processing the personal data of such Data Principals within a reasonable time. The Bill allows the Data Principal to withdraw consent at any time. However, such a withdrawal would not affect the legality of processing carried out before the withdrawal. The Data Principal alone bears the consequences of withdrawing consent. Any part of a consent that violates the provisions of this Act will be invalid to the extent of the violation. If the Data Principal’s consent is the basis for the processing of personal data and a dispute arises in any proceeding, the Data Fiduciary must demonstrate that a notice was given to the Data Principal and that the Data Principal provided consent in accordance with the law.
Deemed consent: A Data Principal is deemed to have given consent for the processing of its personal data in certain situations where such processing is necessary. When a Data Principal voluntarily provides personal data to the Data Fiduciary, and it is “reasonably expected that such data would be provided,” consent is presumed. In addition, the Bill lists a few circumstances in which consent is deemed to have been given, including compliance with a judgment or order, medical emergencies, actions taken to provide medical treatment or health services, ensuring the safety of, or providing assistance or services to, any individual during a disaster, employment purposes, and more.
General obligations of Data Fiduciary: Any personal data processing must comply with the provisions of this Act, and a Data Fiduciary is responsible for ensuring that the personal data being processed is accurate, complete, and secure. It should implement appropriate organizational and technical controls to achieve this. In the event of a personal data breach, both the Data Fiduciary and the Data Processor are required to notify the Data Protection Board proposed by the Bill, as well as each affected Data Principal. They must also take reasonable security safeguards to protect personal data in their possession or control. The Data Fiduciary is held accountable for the activities of its Data Processors. When the purpose for which the data was collected no longer exists and its retention is not necessary for “legal or business purposes,” every Data Fiduciary is required to delete the personal data of the Data Principal.
Note: This obligation applies regardless of any non-compliance by the Data Principals with the provisions of the Bill.
Additional obligations in relation to processing of the personal data of children: A Data Fiduciary must obtain parental consent before processing the personal data of children (those under the age of 18). Additionally, the Bill prohibits a Data Fiduciary from processing data in ways that could harm children and from “tracking or behaviorally monitoring children or engaging in targeted advertising geared at children.”
Additional obligations of Significant Data Fiduciary: The Bill retains the concept of a Significant Data Fiduciary, a person or organization that processes a significant amount of personal data, and gives the government the authority to notify a Significant Data Fiduciary based on factors such as the volume and sensitivity of the personal data it processes, the risk it poses to Data Principals, potential impact on the sovereignty and integrity of India, and potential effects on public order. Significant Data Fiduciaries are subject to additional requirements, including the appointment of a Data Protection Officer based in India and an independent data auditor, as well as the completion of data protection impact assessments.
3. Rights and duties of Data Principal:
Right to information about personal data: Data Principals are entitled to basic information regarding their personal data. Along with this right, Data Principals have the right to confirmation of processing, a summary of their personal data, and the identities of the Data Fiduciaries with whom their digital personal data has been shared, among other things. Data Principals can ask the Data Fiduciary for the fundamental details of the data they have provided, such as the scope and purpose of its use.
Right to correction and erasure of personal data: A Data Principal’s personal data can occasionally need to be updated. As a result, Data Principals have the right to request that the Data Fiduciary correct, complete, update, or erase personal data that is no longer needed for the purpose for which it was originally collected.
Right of grievance redressal: The Bill gives the Data Principal the right to lodge a complaint with the Data Fiduciary and, in case of no response or an unsatisfactory response, the right to file a grievance with the Data Protection Board.
Right to nominate: Under this provision, the Data Principal can nominate another person to exercise their rights in the event of death or incapacity.
Duties of Data Principal: Data Principals have a duty to ensure that rights are not abused and that exercising their rights does not negatively affect the rights of others. Duties are therefore just as crucial as rights. Data Principals must comply with the provisions of all applicable laws, refrain from filing a false or frivolous complaint with a Data Fiduciary or the Board, and refrain from providing false information or impersonating someone else.
4. Special provisions:
Transfer of personal data outside India: The Bill permits the transfer of personal data outside India, enabling the storage and transfer of data across borders to notified countries and territories. The Central Government would need to assess all relevant factors before notifying such countries and territories.
Exemptions: The Bill sets out an explicit, grounds-based list of exemptions, recognizing that the national and public interest sometimes outweighs the interest of an individual. The Bill grants the government the authority to exempt, without stating reasons, any instrumentality of the State in the interests of India’s sovereignty and integrity, security of the State, friendly relations with foreign states, maintenance of public order, and similar grounds.
5. Compliance framework:
Data Protection Board of India: The Data Protection Board of India is a body whose members will be appointed by the Central Government. The Board will function as a digital office by design. The number of members, the manner of their appointment, the terms and conditions of their appointment and service, and the procedure for removing the Chairperson and other members will be prescribed by rules. The Central Government will appoint the officers who run the Board’s business and decide the terms and conditions of their service. All officers and employees of the Board will be bound by the prescribed conditions of service. No lawsuit, prosecution, or other legal proceeding can be brought against the members, employees, or officers of the Board for anything done in good faith.
Functions of the Board: The Board can impose penalties when the provisions of the Act have not been followed, and it must follow directions issued by the Central Government and published in the Official Gazette. Any person must comply with directions given by the Board. In case of a data breach, the Data Fiduciary must take urgent remedial measures if directed by the Board. The Board can modify, suspend, withdraw, or cancel any direction it has issued under this provision.
Process to be followed by the Board to ensure compliance with the provisions of the Act: The Board shall be independent and, as far as practicable, operate as a digital office using prescribed techno-legal measures. The Board may take action under this Act on a complaint by an affected person, a reference by the Central Government or a State Government, a direction from a court, or a breach by a Data Principal of section 16 of this Act. The Board may authorize one or more of its members to conduct proceedings on a complaint. The Board must first decide whether there are sufficient grounds to proceed with an inquiry; if not, it may close the matter. The Board shall follow the principles of natural justice, including giving a reasonable opportunity to be heard, and shall record its reasons during the inquiry. The Board may summon and enforce the attendance of any person, examine them on oath, and inspect any data, book, document, register, book of account, or other record. The Board or its officers shall not prevent access to premises or take into custody any equipment or item that may adversely affect a person’s day-to-day functioning. Police officers and officers of the Central Government or a State Government must assist the Board if requested. During the inquiry, the Board may, for reasons recorded in writing and after giving the parties concerned a reasonable opportunity to be heard, issue interim orders to prevent non-compliance with this Act. If the Board considers that a person’s non-compliance is not significant, it may close the inquiry. If the Board finds a complaint to be false or frivolous, it may warn the complainant or impose costs. The Board’s orders are enforceable as if they were decrees of a Civil Court.
Review and Appeal: The Board can review its own order, either by itself or through a larger group of members, and must record its reasons for doing so. The Board can then modify, suspend, withdraw, or cancel any order issued under this Act, subject to conditions. Board orders can be challenged by appeal to the High Court. No civil court has jurisdiction to entertain any suit or proceeding on a matter covered by this Act, and no court or other authority may grant an injunction in respect of any action taken under it.
Alternate Dispute Resolution: If the Board considers that a complaint would be better resolved by mediation or another dispute resolution process, it may direct the parties to attempt to settle the dispute through mediation by a body or group chosen by the Board, or through any other process it considers appropriate.
Voluntary Undertaking: The Board may accept a voluntary undertaking regarding compliance with this Act at any time. A voluntary undertaking may include a commitment to take a specified action within a specified period, a commitment to refrain from taking a specified action, and a commitment to publicize the undertaking. The Board may vary the terms of the voluntary undertaking if the person giving it agrees and the Board accepts the variation. Once the Board accepts a voluntary undertaking, no proceedings under this Act can be taken against the person in respect of its subject matter. If a person fails to comply with a voluntary undertaking accepted by the Board, the Board may, after giving them an opportunity to be heard, proceed under section 25 of this Act.
Financial Penalty: The Board may impose a financial penalty after giving the person an opportunity to be heard. In deciding the amount of a financial penalty, the Board shall consider the nature, gravity, and duration of the non-compliance, the type and nature of the personal data affected, whether the person gained a profit or avoided a loss as a result, and the proportionality and impact of the penalty on the person. The Bill provides for stiff penalties on companies that suffer data breaches or fail to notify users when they do. Penalties for non-compliance and violations could range from Rs. 10,000 to Rs. 500 crores.
Key highlights of the Digital Personal Data Protection Bill, 2022:
The key highlights of the Digital Personal Data Protection Bill, 2022 are as follows.
It is based on globally accepted principles of data protection:
Lawfulness, fairness, and transparency
Integrity and confidentiality
It focuses on processing digital personal data.
It excludes data processed manually.
It gives importance to the Data Principal’s consent.
It uses “she/her” pronouns as standard for all genders.
It emphasizes the data being used for a sole purpose.
It provides the right to information for personal data.
It mandates the erasure of data after an account is closed.
It excludes non-personal data.
It describes monetary penalties.
It outlines guidelines for obtaining information on children (minors).
It allows the cross-border transfer of data.
It gives the Data Principal the right to nominate.
It describes the obligations of the Data Fiduciary.
Why does the Digital Personal Data Protection Bill matter?
Personal data is one of our most valuable assets; after all, it reveals a great deal about us and is far more than static information. Today, technology is developing rapidly. Because we engage with digital devices constantly and these technologies are reshaping society, we (Data Principals) continually generate enormous volumes of personal data. Combined with the computing capability now available to companies (Data Fiduciaries), this data can be processed in ways that increasingly undermine the autonomy, freedom of choice, self-determination, and privacy of the Data Principal.
Therefore, given the pace at which technology advances, an ideal data protection law requires continual attention to how personal data is safeguarded and preserved.
Digital technologies are transforming societies at a rapid pace, and we exchange much of our personal information digitally with private and public entities even for basic daily activities. Although this brings many benefits, it can be dangerous if the data falls into the hands of malicious individuals who could exploit it.
If you are interested in learning more about how to protect digital personal data and privacy, InfosecTrain can help. We provide a range of data privacy and data protection certification training courses covering privacy laws, regulations, and best practices for collecting, processing, and sharing personal data while minimizing intrusions on data privacy.
Monika Kukreti holds a bachelor's degree in Electronics and Communication Engineering. She is a voracious reader and a keen learner. She is passionate about writing technical blogs and articles. Currently, she is working as a content writer with InfosecTrain.