An analysis of the Digital Personal Data Protection Bill, 2022 (Part – I)

The Union Ministry for Electronics and Technology (MeitY) has reportedly launched the Digital Data Protection Bill, 2022, and begun the process of consultation with the general public and other stakeholders, according to a brief affidavit given by the Centre before a constitution bench. MeitY started a stakeholder consultation process on the draft Bill on November 18, 2022, and the deadline for submission of comments was January 2, 2023. According to the four-page document, MeitY is now compiling and analyzing the comments and ideas received in order to move the draft Bill forward.[1]

The features of the 2022 Bill, which incorporate modifications from the JPC Bill and the 2019 Bill, are outlined below, along with what happens next in India’s effort to pass personal data law.

Analysis of the Digital Personal Data Protection Bill, 2022.

  1. Application – The Bill aims to govern the processing of “digital personal data,” or personal information that is either obtained online or that is digitised after being gathered offline.[2]

Processing carried either manually or by persons for “personal or domestic purposes” is not included. Additionally, the bill aims to exclude “personal data included in a record that has existed for at least 100 years.”[3]

Although the cited wording has its roots in the PDPA, it may use some tightening. For instance, whereas entries on a tax or court record in India may be fresh and deserving of preservation, the record itself may be more than a century old. Similar to the Previous Drafts, the Bill aims to govern the processing of data outside of India in connection with the creation of Indian Data Principals’ profiles or the provision of goods or services to them.[4]

With the offering no longer having to be “systematic,” the second requirement is now more inclusive and may make it harder to seek to limit the applicability of the Bill by relying on “targeted” criteria or the intention to supply goods or services in India. Reintroducing this criterion might aid in bringing the Bill into compliance with international norms like the GDPR.

  1. Personal Data – All “personal data,” or information about a person who may be identified by, or in connection with, such information, is described as a single category, which is a substantial departure from both the Previous Drafts and India’s current data privacy policy.[5] Gradual consent methods and penalties are made possible by classifying ‘sensitive’ portions of important personal data, such as biometric and healthcare data, which demand additional security. Although the goal of establishing a straightforward compliance regime is admirable, the current strategy could have the unintended effect of “treating unequals equally” and force organizations to choose between protecting highly sensitive data and increasing the compliance burden for less important data. Similar to this, the Bill no longer contains explicit limitations for the processing of anonymized data or, maybe, “bright line” norms for such anonymization.[6] The goal of the Bill may be achieved by reintroducing a clear exclusion of data that has been de-identified or anonymized to a certain standard, which may increase business efficiency. It would bode well for important industries like healthcare, where new digital healthcare services, AI, and even treatment approaches can be developed with the use of such data.
  1. Personal data breach – “Personal Data Breach has been defined as any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.”[7]

In the case of a personal data breach, the data fiduciary or the data processor is required by the Proposed Law to notify the Board and the affected data principals.[8] Currently, Indian legislation does not require data principals to be notified. Why the Board and the data principal must first be notified is not really obvious. The requirement should ideally be confined to alerting the Board, and should the Board decide that the data principal needs to be notified based on the seriousness of the problem or its potential impact on the data principal, they may be. Even if data principals must be notified in the first instance, this should only occur in circumstances when the data principal must take specific security-related action, such as resetting a password.

  1. Notice and Consent – Currently, Indian legislation does not require data principals to be notified. Why the Board and the data principal must first be notified is not really obvious. The requirement should ideally be confined to alerting the Board, and should the Board decide that the data principle needs to be notified based on the seriousness of the problem or its potential impact on the data principal, they may be. Even if data principals must be notified in the first instance, this should only occur in circumstances when the data principal must take specific security-related action, such as resetting a password. It will be termed “deemed permission” if the data principle freely gives the data fiduciary their personal information. Relevantly, as shown in the draught Bill, presumed consent can only be granted in a small number of circumstances.[9]
  2. Deemed consent – Introduced under the 2022 Bill is the idea of “deemed consent.”[10] It refers to instances in which permission is not expressly required; examples include when the data principal freely gives their information or may be reasonably anticipated to do so, and while performing legal obligations, among other things. The 2022 Bill also acknowledges presumed consent where it is in the public interest to do so, such as when fraud prevention, network security, and fair and reasonable goals are concerned.[11] Through regulations, the government can define just and acceptable goals.[12] A number of grounds stated in the 2019 Bill, such as fraud, network security, and others, were sought to be codified by industry stakeholders and are now included in the 2022 Bill’s public interest grounds.[13] Despite being a long-standing business need, the 2022 Bill does not specifically include “legitimate interests” or “performance of a contract” as justifications for processing personal data without consent.[14] The federal government now has the jurisdiction to define fair and reasonable aims, as opposed to past versions when the data protection authority might do so through rules.[15]
  1.  Obligations of the data fiduciary – The draft Bill imposes some significant responsibilities on the data fiduciaries, to ensure that personal data is processed, stored or erased in a safe and proper manner. These obligations include:

a. Security measures – The data fiduciary must ensure that it is taking necessary measures to protect personal data, failing which, it can be subject to a heavy penalty (discussed below). At any rate, if there is a breach, the data fiduciary or data processor (who processes data on behalf of the data fiduciary) must inform the Board and the data principal. This provision is critical since it ensures transparency in case of a breach, and enables the affected persons to take remedial measures to prevent further damage. It may, however, be worthwhile to identify a specific timeline for intimation to the data principal once the data fiduciary or processor becomes aware of a breach.[16]

b. Deletion of data (Right to be Forgotten?) – The draft Bill contemplates deletion of personal data once the purpose for collection is no longer served, or the retention is no longer necessary. This is in addition to the right of withdrawal provided to data principals (as mentioned above) and suggests that personal data should not be retained longer than necessary. The right to deletion is recognized as an obligation for data fiduciaries and (separately) as a right of the data principals.[17]

c. Appointment of a Data Protection Officer (DPO) – Every data fiduciary must appoint a DPO who will address the data principal’s queries and concerns. However, the Bill does not suggest a timeframe for this response either.[18]

Thus, a window view of the aforementioned clauses caters to safeguarding people’s privacy in relation to their personal data and creating an Indian Data Protection Authority to handle issues with people’s personal data. In part II of the analysis, we’ll be diving into deeper aspects of the bill.


[1] https://www.hindustantimes.com/cities/delhi-news/new-personal-data-protection-bill-at-the-earliest-govt-to-sc-101673891461169.html

[2] Clause 4(1), Bill

[3] Clause 4(3), Bill

[4] Clause 4(2), Bill

[5] Clause 2(13), Bill

[6] Clause 2(B), previous Bill

[7] Clause 2(14), Bill

[8] Clause 9(5), Bill

[9] https://www.barandbench.com/columns/analysis-of-the-draft-digital-personal-data-protection-bill-2022

[10] Clause 8, Bill.

[11] Clause 8(8), Bill.

[12] Clause 8(9), Bill.

[13] See, https://www.bsa.org/files/policy-filings/02252020indpdp.pdf, page 13.

[14] https://blog.mozilla.org/netpolicy/files/2020/06/India-Joint-Parliamentary-Committee-Submission-Data-ProtectionBill-2019-25.02.2020.pdf, page 10.

[15] Clause 14, JPC Bill and Clause 14, Personal Data Protection Bill, 2019 (2019 Bill).

[16] Clause 9 (5), Bill

[17] Clause 9 (6), Bill

[18] Clause 9 (7), Bill

Pranita Srivastava

Author

Experiencing the field of law has always been exciting. It has helped me understand society and at the same time blessed me in becoming skillful, a problem solver, and an ambitious personality. Presently pursuing a specialization in Intellectual Property Rights and Technology Laws, I am sure that with the help of my writings, I’ll be able to erudite minds and help the audience understand current and upcoming pieces of information. Having said that my vision is to provide my audience with the best out of my experiences and elevate their knowledge.

About Pranita Srivastava 2 Articles
Experiencing the field of law has always been exciting. It has helped me understand society and at the same time blessed me in becoming skillful, a problem solver, and an ambitious personality. Presently pursuing a specialization in Intellectual Property Rights and Technology Laws, I am sure that with the help of my writings, I'll be able to erudite minds and help the audience understand current and upcoming pieces of information. Having said that my vision is to provide my audience with the best out of my experiences and elevate their knowledge.

Be the first to comment

Leave a Reply

Your email address will not be published.


*