ijalr

Trending: Call for Papers Volume 5 | Issue 2: International Journal of Advanced Legal Research [ISSN: 2582-7340]

DRAFT PERSONAL DATA PROTECTION BILL, 2022 – Rahul Jindal

Abstract

The data protection bill 2022 which is introduced by the ministry of electronics and information technology (MeitY), having the mixed reviews and this bill has narrowed down for ease understanding and reduced to 24-page draft bill. This bill gives penalties whoever breach the personal data. The bill give power to the government to offer exemption from its provision in the interest of integrity or sovereignty of India so that it could maintain the public order. The bill can be applicable on the processing of personal data either online & offline which is digitized. It also applicable for outside of India as if the processing is in connection with profiling people of India or offers goods & services to people in India.

Introduction

In this current year, the ministry of electronics and information technology (MeitY) has unveiled the new data protection bill, 2022[1]& that is known as digital personal data protection bill, 2022 (DPDPB). In India, the government did several iterations of DPDPB by (MeitY)& now this bill is the fourth version since 2017, which attempt a better legal framework. The bill is open in the public domain for the consultation from the public till 17th Dec, 2022.

The bill is replacement of the Data protection bill, 2021[2] which was withdrew by the MeitY on Aug 04, 2022. The government is expected to introduce the new bill in the parliament in the budget session of 2023. The bill is reduced to 24-page draft and there are several terms which are introduced in this new data protection bill, 2022.

The main objective of this new data protection bill is to give rights and duties to citizens and ‘Digital Nagrik’. If there are any penalties for any violation then the penalties are given in the schedule 1 of the bill[3]. If there is any dispute then the matter will go to board and the order can be challenged in High Court. This bill is trying to protect our personal data. And this bill is regulated to processing of digital personal data in a manner that recognizes both the right of individual to protect their personal data & need to process personal data for lawful purpose.

The bill can be applicable on the processing of personal data either online & offline which is digitized[4]. It also applicable for outside of India as if the processing is in connection with profiling people of India or offers goods & services to people in India. Profiling is known as any form of processing of data that can analysis or predict the behaviors or interest of data principal.

Principles of Data Protection Bill, 2022

In the data protection bill, 2022 there are several principles which are laid down and observed as[5];

(a) There should be usage of personal data by organization & that can be in fair and lawful manner which is concerned to an individual. The data must be used only for the purpose it is collected.

(b) The bill also talks about to minimize the data and remove the irrelevant information i.e., Data minimization.

(c) There should be a data accuracy when it comes to collection.

(d) The bill’s principle also talks that how personal data which is collected can’t be stored perpetually by default and the storage should be limited to fixed duration.

(e) There will be no unauthorized collection and processing of personal data. There should be reasonable safeguard to ensure that not to collect unauthorized data.

(f) If the person who decide the mean & purpose of processing of personal data then it should be accountable for such things.

Rights and duties[6]

There are some rights which are given in the DPDPB, 2022 as follows;

  1. Individual can access information in languages which are specified in the 8th schedule[7] of the constitution of India.
  2. Individual has right to consent which means that the person needs to give their consent before the data is processed & they should know that what the items are in personal data.
  3. Also they can withdraw the consent if they are not happy with data fiduciary.
  4. Individual have right to erase or demand to erase the data which is collected by the data fiduciary or they can demand for correction of data[8].
  5. If the data principal dies then they have right to nominate other individual who can exercise the rights given in this bill[9].

Duties of Data principal[10]

a). No register of complaint in case of false or frivolous grievance.

b). The Data Principal shall comply with all laws which are applicable while exercise the rights.

c). The Data Principal shall not furnish any false or impersonate another individual while applying for any of the document, services and proof of identity, etc[11].

Important terms introduced in the Data Protection bill, 2022

  1. Data Principal[12]: Individual whose data has been collected.
  2. Data Fiduciary[13]: It is basically any individual, entities or company having high volume of personal data of data principal.
  3. Personal Data: Individual’s Data that can be identifiable by or in relation to such data.
  4. Processing:[14] A set of operation or automated operation performed on personal data and operation like storage, collection, alteration and adaptation, etc.
  5. Data Protection officer:[15] Under the provision of the act, an individual who is appointed by significant data fiduciary.

There is one provision which is added in this bill as the pronoun ‘her’ or ‘she’ have been used for an individual irrespective of gender.[16]

Data fiduciary obligation

The obligation of data fiduciary is that it shall make efforts to ensure that personal data of data principal processed by or on behalf of data fiduciary must be accurate and complete. It shall implement the organizational measures and appropriate technical to ensure effective adherence.

If there is any breach of personal data then data fiduciary or processor shall have to notify the board and affective data principal in way which is prescribed in the act. Data fiduciary have to take reasonable safeguards to protect the breach of personal data of data principal.

Notice

There should be clear & plain notice before requesting a data principal for her consent which contain description of data which sought to be collected by data fiduciary. If the data principal give consent for processing of her personal data, then the data fiduciary must give notice i.e., itemized[17] in plain and clear way to data principal.

Consent, deemed consent and withdrew consent

These consents are introduced in this new bill which says that consent must be given by data principal for the personal data for processing by data fiduciary in a clear affirmative action. If the data principal is not happy with the data fiduciary, then they can withdraw the consent as they have right to withdrew it in this act[18]. The withdrawal of consent shall not be affecting the lawfulness of processing of the data. Due to withdrawal of consent by data principal then data fiduciary within in reasonable time cease the processing of personal data.

Data Principal is deemed to give consent to processing of her personal data when the data principal voluntarily provides personal data to data fiduciary and its reasonably expected that such data would be provided. The data principal gives her deemed consent if processing for the performance of any function which is under the law or issuance of certificate or permit for any action of data principal.

The deemed consent[19] is necessary if processing for taking any measures to provide the health services, medical emergency or any threat to public health.

Penalties given in the Data Protection Bill, 2022[20]

The penalties are in the bill if the failure of Data Processor or Data Fiduciary to take the reasonable security safeguards to prevent personal data breach given under sub-section (4) of section 9[21] of this Act, then the penalties are upto Rs. 250 cr. If there is non-fulfilment of additional obligations in relation to children which is given under section 10 of this Act, then the penalties are upto Rs. 200 cr.

According to previous Data Protection Bill 2021, it imposes the criminal liability for the re-identification of processing of personal data. The penalties for this offence may be imprisonment up to a term of 3 years or a fine which may extend to INR 200,000. These offences are cognizable and non-bailable. The courts may take cognizance of this offence only on a complaint made by the Data principal. But now, in this new bill no longer prescribes criminal penalties, only monetary penalties ranging 10k to 250 cr[22].

Data Protection Board of India

According to the new bill, there is data protection board[23] which is establish for the purpose of this act by the central government. The officer, employees, chairperson and members of the board may be appointed by the central government and all the terms and condition also issue by the central government. This board will handle the matter if there is any breach of personal data by the data fiduciary or any false and frivolous grievance. This board help to impose the penalties under this act and no one can suit against the board or any chairperson, members of the board[24].

ADR mechanism[25]

If there is any complaint which is appropriately to be resolved by the ADR mechanism then the board may direct to party to go for the alternate dispute resolution for resolving the dispute through mediation and group of people will be designated by the board.

Issue which are observed in the Data Protection Bill, 2022

According to the act, the board will be entirely handled by the central government and members of the board have no functional independence from the govt.[26] Due to this, it is difficult to saw how board will function independent of government when it enforces the law against the government. Because everything from appointment to term of services each measure is taken by central government which is entirely discretion of the central government.

Conclusion

The data protection bill 2022 which having the mixed reviews and this bill has narrowed down for ease understanding and reduced to 24-page draft bill. This bill gives penalties whoever breach the personal data. The bill give power to the government to offer exemption from its provision in the interest of integrity or sovereignty of India so that it could maintain the public order[27]. The bill also allows the cross-border data transfer and providing security to data and government can access the data from outside the India. It also offers soft stand on data localization requirements and permits the data to transfer to select global designation.

[1]Notice issued by MEITY, https://www.meity.gov.in/content/digital-personal-data-protection-bill-2022 (accessed on Dec 02, 2022).

[2]Data protection bill, 2021 given athttps://economictimes.indiatimes.com/tech/technology/government-to-withdraw-data-protection-bill-2021/articleshow/93326169.cms (accessed on Dec 02, 2022).

[3]Section 25, bill.

[4]Section 4 (1)(a)(b), bill.

[5] Drishti IAS, “digital personal data protection bill, 2022”, Nov 21, 2022 (accessed on Dec 02, 2022).

[6] Section 12, bill.

[7]Schedule 8 of constitution of India.

[8] Section 13 clause 1, bill.

[9] Section 15, bill.

[10] Section 16, bill.

[11] Section 16 clause 4, bill.

[12] Data principal is defined under the section 2 clause 6 of the bill whichsays “individual to whom the personal data relates and where such individual is a child includes parents or guardian in case of such child if it is under 18 years”.

[13] Clause 5 of section 2, bill.

[14] Clause 16 of section, bill.

[15] Clause 8 of section 2, bill.

[16] Clause 3 of section 3, bill.

[17] Clause 2 of section 6, bill.

[18] Clause 4 of section 7, bill.

[19]Section 8 of the bill.

[20] Data protection Bill, 2022 gives penalties which is given under “schedule 1” of the bill.

[21] Clause 4 section 9, bill.

[22] Section 25, bill.

[23] Section 19, chapter 5 of the Bill.

[24]Clause6section19 of the bill.

[25] Section 23 of the bill.

[26] Gautam Bhatia, ‘why the new draft data bill must be reconsidered’, Hindustan times (Nov 29, 2022) (accessed on Dec 02, 2022).

[27] Digital data protection bill 2022, http://www.lawbrit.com,(accessed on Dec 02, 2022).