The government is the biggest data fiduciary in the country, as it controls the personal data of citizens ranging from Aadhaar data to census data.

A look at draft Digital Personal Data Protection Bill 2022, and what it proposes

The bill aims to outline the rights and duties of ‘digital citizens’ and lay out the process and rules for data collection for companies

The Ministry of Electronics and IT has released the draft Digital Personal Data Protection Bill 2022 and the government is now asking for public comments and consultations on the bill.

The bill aims to outline the rights and duties of ‘digital nagriks’ (digital citizens) and lay out the process and rules for data collection by companies. The bill imposes heavy penalties for violations of any provisions of the legislation, to be decided by the Data Protection Board of India, which will be established by the new law. However, the board’s orders can be challenged in a high court.

Seven principles

The bill is based on seven principles. The first says that the use of personal data by organisations must be lawful, fair to the individuals concerned and transparent to them; the second is that personal data must be used only for the purposes for which it was collected.

The third principle calls for data minimisation, while the fourth emphasises data accuracy at the time of collection. The fifth principle clarifies that collected personal data cannot be “stored perpetually by default”, and that storage should be limited to a fixed duration.

According to the sixth principle, there should be reasonable safeguards to ensure there is “no unauthorised collection or processing of personal data.” And, the seventh principle says that “the person who decides the purpose and means of the processing of personal data should be accountable for such processing.”

The nomenclature

The individual whose data is being collected will be termed “data principal” and the term “data fiduciary” is for the entity that decides the “purpose and means of the processing of an individual’s personal data.”

In the case of children (those under the age of 18, as per the draft bill), their parents or lawful guardians will be considered their ‘data principals.’

Under the law, personal data is “any data by which or in relation to which an individual can be identified.” Processing means “the entire cycle of operations that can be carried out in respect of personal data.”

The bill also makes it clear that an individual needs to give consent before their data is processed and that “every individual should know what items of personal data a data fiduciary wants to collect and the purpose of such collection and further processing.” Individuals also have the right to withdraw the consent they have given to a data fiduciary.

Significant data fiduciaries

‘Significant data fiduciaries’ will deal with a high volume of personal data. The Central government will define who is designated under this category based on a number of factors — the volume of personal data processed, the risk of harm, the potential impact on the sovereignty and integrity of India, etc.

“This category needs to fulfil certain additional obligations to enable greater scrutiny of its practices,” according to the bill’s explanatory note.

‘Significant data fiduciaries’ will have to appoint a ‘data protection officer’, who will be the point of contact for grievance redressal, and an independent ‘data auditor’, who shall evaluate their compliance with the act.

Granted rights

Data principals will have the right to demand the erasure and correction of data collected by the data fiduciary. They will also have the right to nominate an individual who will exercise these rights in the event of death or incapacity of the data principal.

The bill also gives consumers the right to file a complaint against a ‘data fiduciary’ with the Data Protection Board in case they do not get a satisfactory response from the company.

Cross-border storage

The bill also allows for cross-border storage and transfer of data to “certain notified countries and territories.” However, “an assessment of relevant factors by the Central Government would precede such a notification,” it says.

The draft also proposes to impose significant penalties on businesses that suffer data breaches or fail to notify users when breaches happen. Entities that fail to take “reasonable security safeguards” to prevent personal data breaches can be fined an amount as high as Rs 250 crore.

The government could also exempt certain businesses from adhering to provisions of the bill on the basis of the number of users and the volume of personal data processed by the entity. This has been done keeping in mind the country’s start-ups, which had complained that the previous version of the bill was too “compliance intensive”.

