Recently, the latest draft of the Digital Personal Data Protection Bill, 2022 has been opened for public comment, and the government intends to introduce the Bill in the budget session of 2023.
The Union Information Technology Minister announced the withdrawal of The Personal Data Protection Bill, 2019 in the Lok Sabha.
He stated that the government has decided to come up with a fresh bill that fits into the comprehensive legal framework with reference to the suggestions made by the Joint Committee of Parliament (JCP) on the Bill.
Apart from that, the panel, headed by the former Union Minister, had recommended about 97 corrections and improvements to the Bill.
Now, the new Bill has come up with a new set of guidelines addressing the loopholes in the previous version and drawing more stringent lines for violators.
Who are Data Fiduciaries?
The government has defined 'data fiduciary' as any person who alone or in conjunction with other persons determines the purpose and means of the processing of personal data. A data fiduciary can process the personal data of a data principal (user) who has given or is deemed to have given her consent.
Key features of the New Bill:
Regarding Data protection principles: The current draft removes explicit reference to certain data protection principles such as collection limitation.
This would allow a data fiduciary to collect any personal data consented to by the data principal.
Concept of ‘Deemed consent’: The DPDP Bill, 2022 also introduces the concept of “deemed consent”.
It bundles purposes of processing that were either exempt from consent-based processing or were considered “reasonable purposes” for which personal data processing could be undertaken on the ground of “deemed consent”.
Fines and penalties for breach of the law: According to the new Bill, companies dealing with the personal data of consumers that fail to take reasonable safeguards to prevent data breaches could face penalties as high as around Rs. 200 crore.
Under the previous Bill, the penalty proposed on a company for violation of the law was Rs. 15 crore or 4 percent of its annual turnover, whichever is higher.
For other non-compliance: Penalties are expected to vary based on the nature of non-compliance by data fiduciaries (entities that handle and process the personal data of individuals).
Companies failing to notify people impacted by a data breach could be fined around Rs. 150 crore, and those failing to safeguard children's data could be fined close to Rs. 100 crore.
Administration body: The Data Protection Board, an adjudicating body proposed to enforce the provisions of the Bill, is likely to be empowered to impose the fine after giving the companies an opportunity of being heard.
Scope of data being protected: The new Bill will deal only with safeguards around personal data and is understood to exclude non-personal data from its ambit.
Non-personal data essentially means any data that cannot reveal an individual's identity.
Why has the Bill been reconsidered many times?
The current legal framework for privacy, enshrined in the Information Technology Rules, 2011, is wholly inadequate to combat harm to data principals, especially since the right to informational privacy has been upheld as a fundamental right by the Supreme Court (S. Puttaswamy vs. Union of India).
Therefore, the previous bill was inadequate on four levels:
The extant framework is premised on privacy being a statutory right rather than a fundamental right, and does not apply to the processing of personal data by the government;
It has a limited understanding of the kinds of data to be protected;
It places scant obligations on the data fiduciaries which, moreover, can be overridden by contract; and
There are only minimal consequences for the data fiduciaries for the breach of these obligations.
The new Bill does not consider the concept of "sensitive personal data", which includes biometric data, health data, genetic data, etc.
This personal data is afforded a higher degree of protection in terms of requiring explicit consent before processing and mandatory data protection impact assessments.
The DPDP Bill, 2022 seems to assume that a notice is provided only to obtain the consent of the data principal. This is a limited understanding of the purpose of the notice.
A notice is also important for the data principal to exercise data protection rights such as the right to know what personal data is being processed by whom, whether that data needs correction or updating, and also to request deletion of data that may not be relevant for processing.
Data protection laws need to ensure that the compliances for data fiduciaries are not so onerous as to make even legitimate processing impractical.
The challenge lies in finding an adequate balance between the right to privacy of data principals and reasonable exceptions, especially where government processing of personal data is concerned.
With technological evolution, an optimal data protection law needs to be future-proof: it should not be unduly detailed and centred on solving contemporary concerns while ignoring problems that may emerge going forward.
The law needs to be designed around a framework of rights and remedies that data principals can readily exercise, given their unequal bargaining power relative to data fiduciaries.