Basics
- Who should care? : Any citizen sharing digital personal data, referred to as Data Principal in the Bill.
- Data Principal includes parents or lawful guardian in case of children.
- Bill defines personal data as any data about an individual, who is identifiable in relation to such data.
- Data Fiduciary is any entity digitally collecting personal data from Data Principals.
- Bill prescribes rights & duties of Data Principals and obligations of Data Fiduciaries.
- Bill does not apply to offline personal data and non-automated processing of personal data.
Your Rights
As a Data Principal, you have the following rights on your digital personal data :
- Right to Notice from Data Fiduciary on description of personal data sought and description of purpose.
- Right to Consent with clear affirmative action agreeing to the processing of personal data for the specified purpose only.
- Right to Withdraw Consent at any time.
- Right to Information about summary of personal data, processing activities undertaken and identities of all Data Fiduciaries with whom personal data had been shared by Data Fiduciary.
- Right to Correction or Erasure of personal data.
- Right of Grievance Redressal with Data Fiduciary.
- Right of Registering Complaint with Data Protection Board of India.
- Right to Nominate other individual, who can exercise the rights of Data Principal in the event of death or incapacity.
Your Duties
As a Data Principal, you have the following duties with regard to digital personal data :
- Data Principal shall comply with the provisions of all applicable laws while exercising rights under the Bill.
- Data Principal shall not register a false or frivolous grievance or complaint.
- Data Principal shall not furnish any false particulars, or suppress any material information, or impersonate another person.
- Data Principal shall furnish only such information as is verifiably authentic with regard to Right to Correction or Erasure.
Non-compliance with your duties can attract financial penalty up to ₹ 10000 (Ten Thousand Rupees).
Deemed Consent
Your consent is assumed to have been given, without any notice,
- When you voluntarily provide your personal data,
- For provision of any Government Service,
- For compliance with judgments,
- During medical emergencies,
- During disasters,
- For purposes related to employment,
- For purposes related to public interest &
- For any fair and reasonable purpose as notified by Central Government.
Rights proposed to be Removed
- Bill proposes to remove Right for Compensation in the event of personal data breach, presently guaranteed under Section 43A of IT Act, 2000. Under the proposed Bill, financial penalty will be imposed on Data Fiduciary for personal data breach, but you will not be eligible for any compensation.
- Right to Information Act, 2005 is proposed to be amended to disallow disclosure of all personal information. Presently, certain categories of personal information can be disclosed under larger public interest, but proposed Bill disallows disclosure of all personal information.
Principles of Bill
Explanatory note attached with the Bill mentions the following principles :
- Usage of personal data by Data Fiduciary must be lawful, fair & transparent.
- Personal data must be used for the purpose for which it was collected.
- Only those items required for the specific purpose must be collected.
- Personal data must be kept accurate and up to date.
- Storage of personal data must be limited to such duration as is necessary.
- Reasonable safeguards must be taken to ensure no unauthorized collection.
- Data Fiduciary must be accountable for processing of personal data.
Obligations of Data Fiduciary
In addition to complying with the above principles (with few exceptions), Data Fiduciary is obligated to -
- Notify Data Protection Board of India & each affected Data Principal in the event of a personal data breach.
- Publish the business contact information of Data Protection Officer.
- Redress grievances of Data Principals with effective mechanism.
- Share personal data to other Data Fiduciaries or Data Processors only under a valid contract.
- Undertake additional obligations related to personal data of children.
Significant Data Fiduciary
Central Government can notify certain Data Fiduciaries as Significant Data Fiduciaries, which are obligated to -
- Appoint Data Protection Officer based in India.
- Appoint Independent Data Auditor and conduct periodic audit.
- Undertake Data Protection Impact Assessment and other such measures.
Non-compliance with obligations by Data Fiduciaries can attract financial penalty up to ₹500 Crores.
Data Protection Board of India
Central Government shall appoint Data Protection Board of India, which will perform functions such as -
- Hearing complaints,
- Determining non-compliance,
- Imposing penalties,
- Issuing directions etc.
Board is proposed to follow principles of natural justice with recorded reasons for all of its actions. Board shall have powers of a Civil Court in enforcing orders and during inquiry. Board can review its own orders, and further appeals shall lie with High Court.
Alternative Resolutions
- Bill permits Alternate Dispute Resolution methods such as mediation.
- Bill also permits Voluntary Undertaking by Data Fiduciary to resolve issues of non-compliance.
Consent Manager
As it is not always possible to keep track of all the instances where Data Principals have given their consent, Bill proposes Consent Managers, who can exercise the rights of Data Principals on their behalf.
Consent Manager is a Data Fiduciary registered with Data Protection Board of India, and is accountable to the Data Principal. A Consent Manager can manage, review & withdraw consent to other Data Fiduciaries on behalf of a Data Principal.
Other Details
- Personal data can be transferred outside India to countries or territories notified by Central Government.
- Section 18 of Bill proposes several Exemptions, with explanatory note acknowledging that national and public interest is at times greater than the interest of an individual.
- Central Government can exempt any instrumentality of the State from all the provisions of the Bill.
NOTE : The following is the subjective analysis by CitiJan Team, and reader discretion is advised in drawing conclusions.
NOTE : The following is intended as constructive feedback from CitiJan Team, and is not intended to be mere criticism.
What's Great!
India direly needs a digital data protection regime, and the presence of any law is better than its absence. Proposed Bill introduces many significant provisions such as -
- Clearly specified Definitions of personal data, Data Principal, Data Fiduciary etc,
- Recognition of Rights of Data Principals,
- Recognition of Obligations of Data Fiduciaries,
- Establishment of Data Protection Board of India,
- Mechanisms of Alternate Dispute Resolution etc.
What's Not!
- Section 8 : Scope of Deemed Consent is very wide and is liable to misuse. Deemed consent for any fair and reasonable purpose may result in arbitrary discretion, and may lead to significant judicial challenges.
- Section 9 (6) : Bill proposes Data Fiduciary to stop retaining personal data, as soon as it is reasonable to assume that retention is no longer necessary for business purposes. Such a provision is self-defeating, as no data-driven business will find it reasonable to make such an assumption. Every business will use this provision as a loophole to retain personal data perpetually.
- Section 14 (2) : Bill prescribes a very strict period of seven days for Data Fiduciary to respond to a grievance. While larger organizations can comply with such a strict timeline, it may prove to be very difficult for smaller organizations and start-ups.
- Section 15 : Bill proposes Right to Nominate under which a nominee can exercise the rights of a Data Principal only in the event of death or incapacity, with incapacity being defined as only unsoundness of mind or body. The present definition of incapacity is very narrow and doesn't provide for use cases where a Data Principal may desire to exercise her rights through her nominee, despite being mentally and physically sound.
- Section 15 : Presently proposed Right to Nominate overlooks the use cases of the digitally illiterate. For the disadvantaged digitally illiterate, an appropriate mechanism must be in place for their Right to Nominate.
- Section 18 : Scope of Exemptions is very wide and blanket exemption that can be provided to all instrumentalities of the State can result in discriminatory practices.
- Section 18 (3) : While Exemptions from obligations are understandable, this provision specifically exempts Right to information about personal data. The fundamental premise of any data protection regime is the knowledge of use of one's personal data, and curtailing that very right strikes at the foundation of the proposed Bill.
- Section 21 (8) : This clause merely proposes that inquiry shall be completed at the earliest, but does not provide for any timeline. Considering that any aggrieved Data Principal can approach the Data Protection Board of India directly, absence of timeline for inquiry can result in huge pendency of complaints.
- Section 30 (1)(a) : Bill proposes omission of Section 43A of IT Act, 2000, which is the only law providing for compensation to the aggrieved individual affected by personal data breach. With its omission, an aggrieved individual will have no recourse to seek justice in the event of personal data breach.
- Subordinate Legislation : A law is robust if it provides for all the major intended objectives, leaving only the supplementary details in the realm of subordinate legislation. However, present Bill leaves out several important provisions from the scope of the law, such as mechanism for Consent Managers, composition of Data Protection Board of India & mechanism for grievance redressal etc. The phrase "as may be prescribed", indicating provisions to be notified in future, appears 18 times in the proposed Bill, thus resulting in ambiguity and lack of clarity.
What You Can Do!
Described above and in earlier sections is the summary of proposed Digital Personal Data Protection Bill, 2022. As a citizen, you have the right to let the Government know your feedback, before the deadline of January 2nd, 2023, at this link.
If you need any assistance in making submissions, please do reach out to us at hello@citijan.in.
Kindly provide your feedback and let's build together responsible democracy!
Please consider sharing this, if it helps others.
Thank you,
CitiJan.