Digital Personal Data Protection Bill, 2022.
India’s New Bill Seeks Data Protection, Privacy
Introduction:-
The draft Digital Personal Data Protection Bill, 2022 (“DPDP” or the “Bill”) is India’s latest attempt at creating a legal framework to regulate the collection, usage, processing, and storage of digital personal data. The previous bill, the Personal Data Protection Bill, 2019, bounced around the legislature for five years before being dropped in August. The new version focuses only on digital personal data. You can view the Bill and the Explanatory Note here. The Ministry of Electronics & Information Technology is soliciting feedback on the current version until December 17, 2022.
Purpose:-
“To provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for law enforcement purposes, and for matters connected therewith or incidental thereto.” – Ministry of Electronics & Information Technology.
Keys to Know:-
- Scope:- The Bill applies to the processing of digital personal data outside of India if the processing involves the digital personal data of a Data Principal in India. The Bill only covers personal data that is collected online or that was collected offline and later digitized.
- Regulator:- Data Protection Board of India (“DPB”) (Proposed) will oversee enforcement and compliance.
- Notice and Consent:- Notice and consent continue to be a requirement for processing personal data. Consent must be freely given, specific, informed, and unambiguous.
- Localization:- No Mandatory Localization Requirements – Central Government will determine trusted countries for cross-border data transfer.
What’s New?
Data Transfer Outside India:-
“The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.”
- Personal data may be transferred to certain notified countries and territories. An assessment of relevant factors by the Central Government would precede such a notification.
- The prior bill required data localization and storage within India.
Establishes the Data Protection Board of India (“DPB”):-
- The Bill establishes the Data Protection Board as India’s data protection watchdog. The DPB will enforce the provisions of the Bill and ensure companies comply with data protection regulations. The Board will create the compliance framework and handle complaints. Additional functions include determining compliance with the DPDP and imposing penalties.
- Current fines are a maximum of INR 250 crores (~USD $30,179,250) for non-compliance, with financial penalties of up to INR 500 crores (~USD $70,950,000).
Weaknesses:-
The Bill provides for certain carve-outs, notably for Government data collection, providing essentially limitless intrusion into personal data. The Bill favors business and government needs while falling short of providing individual privacy protections. The allowances for the DPB to change the limitations of the Information Technology Act, 2000 are bad for personal privacy and would allow unrestricted government access to personal data. To further emphasize this point, it is important to distinguish between data privacy and data protection. The new Bill is a data protection bill. Data protection does not equal data privacy.
Data privacy is the practice of protecting personal data collected by organizations. It involves the use of security measures, such as encryption and access control, to protect data from unauthorized access or modification.
Data protection is a set of laws and regulations that govern how organizations manage and protect personal data. It includes rules for data collection, storage, use, and transfer, as well as legal requirements for data breach notification.
Data Fiduciary:-
First, Data Fiduciaries must provide notice. The notice must describe the types of data being collected and the purpose for collecting and processing the data. Next, consent must be freely given, specific, informed, and unambiguous. The Data Fiduciary must appoint a spokesperson to communicate with Data Principals regarding their rights and their digital data. Significant Data Fiduciaries, as determined by the Central Government, must meet additional requirements, including having a data protection officer and an independent data auditor.
A Data Fiduciary must have “reasonable security safeguards” to prevent or mitigate the risk of a data breach. If a data breach occurs, the Data Fiduciary, or the data processor working with the fiduciary, must notify the DPB as soon as possible. The DPB may direct the Data Fiduciary to adopt remedial measures if necessary.
Data Principal:-
A Data Principal is the individual to whom the personal data relates. The Bill bestows the rights to personal information, correction, and deletion. The Principal has the right to nominate an individual to act on their behalf in the event of death or incapacity. Importantly, the Principal has the duty to comply with the provisions of the law, not to register false or frivolous claims with the DPB, and not to provide false information or impersonate another person. To process children’s data, where the Bill defines a ‘child’ as a person below 18 years of age, Data Fiduciaries must obtain parental consent.
Data Deletion/Minimization:-
A Data Fiduciary must delete personal data, or anonymize personal data associated with specific Data Principals, when it is reasonable to assume that: (a) the purpose of collecting the personal data is no longer served by its retention; and (b) retention is no longer necessary for legal or business purposes.
Conclusion:-
The new Bill is meant to be concise and easier to interpret. Companies doing business in India should closely watch the progress of the Bill and consider how its requirements align with their own country’s laws. The analysis above should be revisited in the event of changes and future versions of the Bill. Further, please note that there is more to the Bill than is covered in this article.
About Ardent Privacy:-
Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with the RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.
For more information visit https://ardentprivacy.ai/ and find more resources here.
Note:- Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.