24 August 2023

The Digital Personal Data Protection Bill, 2023

Dr Gulshan Rai

Background

India currently does not have a standalone law on data protection. The Information Technology Act, 2000 regulates the use of personal data. In 2017, a Committee of Experts on Data Protection, chaired by Justice B. N. Srikrishna, was constituted by the Central Government to examine issues relating to data protection in the country. In July 2018, the said Committee submitted its report. The Personal Data Protection Bill, 2019 was introduced in Lok Sabha in December 2019 based on the recommendations of the said Committee. The Bill was referred to a Joint Parliamentary Committee, which submitted its report in December 2021. In August 2022, the Bill was withdrawn from Parliament. In November 2022, a Draft Bill was released for public consultation. In August 2023, the Digital Personal Data Protection Bill, 2023 (“2023 Bill”) was introduced in Parliament.

The 2023 Bill provides for a legislative backing to the Supreme Court’s landmark judgement in Justice K. S. Puttaswamy (Retd) Vs Union of India Case (2017)[1]. A nine-judge bench of the Supreme Court unanimously held that Indians have a constitutionally protected fundamental right to privacy that is an intrinsic part of life and liberty under Article 21.

Given herein below are the key features of the 2023 Bill which have been provided in a questionnaire form for ease of understanding:

What is the applicability of the 2023 Bill?

The 2023 Bill will apply to the processing of digital personal data within India where the said data is collected in digital form or in a non-digital form and digitised subsequently[2]. It will also apply to the processing of personal data outside India, if it is for offering goods or services or profiling individuals in India[3].

What is outside the ambit of the 2023 Bill?

The 2023 Bill does not apply to: (i) personal data processed by an individual for any personal or domestic purpose; and (ii) personal data that is made or caused to be made publicly available by the data principal to whom such personal data relates, or by any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available[4].

Who is a data principal?

The 2023 Bill defines a data principal as an individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf[5]. In other words, an individual whose data is being processed is a data principal.

Who is a data fiduciary?

The 2023 Bill defines data fiduciary as a person who alone or in conjunction with other persons determines the purpose and means of processing of personal data[6].

What are the grounds for processing personal data (of data principal) by data fiduciary?

A person may process the personal data of a data principal only in accordance with the provisions of the 2023 Bill and for a lawful purpose, for which the data principal has given his consent; or for certain legitimate uses[7].

What are the obligations of data fiduciary?

A data fiduciary must: (i) be responsible for complying with the provisions of the 2023 Bill and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a data processor[8]; (ii) implement appropriate technical and organisational measures to ensure effective observance of the provisions of the 2023 Bill and the rules made thereunder; (iii) in the event of a personal data breach, give intimation of such breach to the Data Protection Board established by the Central Government and to each affected data principal; (iv) establish effective mechanisms to redress grievances of data principals; etc.[9]

What are the pre-requisites of obtaining consent from the data principal by data fiduciary?

Every request made to a data principal for consent shall be accompanied or preceded by a notice given by the data fiduciary to the data principal, informing the data principal of: (i) the personal data and the purpose for which the same is proposed to be processed; (ii) the manner in which the data principal may exercise his right to withdraw consent and his right of grievance redressal; and (iii) the manner in which the data principal may make a complaint to the Data Protection Board established by the Central Government[10].

What should be the nature of consent of data principal?

The consent given by the data principal must be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and must signify an agreement to the processing of his personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose[11].

What happens when the consent is withdrawn by the data principal?

If a data principal withdraws his consent to the processing of personal data, the data fiduciary will have to, within a reasonable time, cease and cause its data processors to cease processing the personal data of such data principal, unless such processing without his consent is required or authorised under the provisions of the 2023 Bill, the rules made thereunder or any other law for the time being in force in India[12].

What are the rights of data principal?

Following are the rights of a data principal: (i) right to access information about personal data[13]; (ii) right to correction and erasure of personal data[14]; (iii) right of grievance redressal[15]; and (iv) right to nominate any other individual who will, in the event of death or incapacity of the data principal, exercise the rights of the data principal in accordance with the 2023 Bill[16].

What are the duties of data principal?

Following are the duties of a data principal[17]: (i) to comply with the provisions of all applicable laws; (ii) not to impersonate another person while providing his personal data for a specified purpose; (iii) not to suppress any material information while providing his personal data; (iv) not to register a false or frivolous grievance or complaint with a data fiduciary or the Board; and (v) to furnish only such information as is verifiably authentic while exercising the right to correction or erasure under the provisions of the 2023 Bill or the rules made thereunder.

Does the 2023 Bill allow transfer of personal data outside India?

Yes. The 2023 Bill allows transfer of personal data outside India, except to countries restricted by the Central Government through notification[18].

Are there any exemptions to the rights of data principal and obligations of data fiduciaries?

Yes. The obligations of data fiduciaries (except data security), the rights and duties of data principals, and the provisions on processing of personal data outside India will not apply in specified cases, which include: (i) processing of personal data for enforcing any legal right or claim; (ii) processing of personal data in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law; (iii) processing necessary for a scheme, compromise, arrangement, merger, etc. of two or more companies approved by a court, tribunal or any other competent authority; etc. The Central Government may, by notification, exempt certain activities from the application of the 2023 Bill. These include: (i) processing by government entities in the interest of the security of the state and public order, and (ii) processing for research, archiving or statistical purposes[19].

Who will establish the Data Protection Board of India, and what will be its powers and functions?

The Central Government will establish the Data Protection Board of India. The said Board will have the following powers and functions: (i) on receipt of an intimation of a personal data breach, to direct any urgent remedial or mitigation measures, to inquire into such personal data breach and to impose penalty as provided in the 2023 Bill; (ii) on a complaint made by a data principal in respect of a personal data breach, or a breach by a data fiduciary in observance of its obligations in relation to his personal data or the exercise of his rights under the provisions of the 2023 Bill, or on a reference made to it by the Central Government or a State Government, or in compliance with the directions of any court, to inquire into such breach and impose penalty as provided in the 2023 Bill; etc.[20]

Can an appeal be filed against the Order of the Data Protection Board?

Yes. Any person aggrieved by an order or direction made by the Board under the 2023 Bill may file an appeal before the Appellate Tribunal[21]. Every appeal has to be filed within a period of 60 days from the date of receipt of the order or direction appealed against[22].

What are the penalties under the 2023 Bill[23]?

Some of the penalties provided under the 2023 Bill are given below:

For breach in observing the obligation of data fiduciary to take reasonable security safeguards to prevent personal data breach: Penalty may extend to 250 crore rupees.

For breach in observing the obligation to give the Data Protection Board or affected data principal notice of a personal data breach: Penalty may extend to 200 crore rupees.