Wednesday, November 23, 2022

Draft Digital Personal Data Protection Bill 2022

 

Background

The first draft of the Personal Data Protection Bill, 2018 was proposed by the Justice Srikrishna Committee, which was set up to provide recommendations on a new data protection law in India. The 2018 bill was revised, and the Personal Data Protection Bill, 2019 was tabled in the Lok Sabha. The Lok Sabha passed a motion to refer the 2019 bill to a Joint Committee of both Houses of Parliament. Due to delays caused by the COVID-19 pandemic, the joint committee submitted its report only in December 2021. The Data Protection Bill, 2021 was introduced by the government based on the recommendations of the joint committee. However, the bill was withdrawn because of the extensive changes proposed by the joint committee.

Why are there so many revisions to the data protection bill?

India is facing several challenges while formulating a data protection bill. These include:

  1. Protection of the rights of data principals (users) should not make even legitimate data processing impractical.
  2. The need to create a balance between the right to data privacy and reasonable exceptions, especially when the government is processing personal data.
  3. The law must be future-proof so that it can keep pace with the current technological development.
  4. The rights and remedies should be made easily exercisable by data principals, who have unequal bargaining power with respect to data fiduciaries (companies).

What are the key features of the DPDP Bill, 2022?

  • The DPDP Bill, 2022 gives maximum control to the data principal. It mandates a comprehensive notice to the data principals on different aspects of data processing.
  • While non-consent-based processing of personal data is present, the data principal is given the right to access, correct and delete their data.
  • The data fiduciary will be allowed to process the data only for the stated purposes and no more. The data can be retained only as long as it is required to fulfill the stated purpose.
  • The Bill penalizes entities for data breaches. It also proposes the imposition of Rs.10,000 as a fine on individuals for providing false information, impersonating and filing frivolous complaints against social media.
  • The Bill removes the explicit reference to certain data protection principles like collection limitation, allowing the data fiduciary to collect any personal data permitted by the data principal. Making data collection solely based on consent does not consider the fact that data principals do not often have the requisite know-how of what kind of personal data is relevant for the particular purpose.
  • The Bill removes the concept of “sensitive personal data”, which recognizes the harm caused by the unlawful processing of certain personal data. It does not provide extra protection for sensitive personal data, removing the need for explicit consent before processing and usage.
  • The Bill reduces the information that a data fiduciary is required to provide to the data principal, in order to avoid information overload. Previous versions required considerable information to be provided on the rights of data principals, the grievance redressal mechanism, the retention period of information, the source of information collected, etc.
  • The Bill proposes the setting up of the Data Protection Board of India. In case the data is breached, the data fiduciary or data processor is required to notify this board and each affected data principal. If they fail to do so, the Bill proposes a fine of up to Rs.200 crore.
  • The Bill introduces the concept of “deemed consent”. It categorizes purposes of data processing that are exempt from consent-based processing or are considered to be “reasonable purposes”. There are concerns regarding the grounds of deemed consent due to ambiguity of words such as “public interest”.