India’s Union Cabinet has granted approval to the Digital Personal Data Protection Bill, 2022, marking a pivotal moment in the country’s journey towards enhanced digital privacy. This bill, set to be presented during the upcoming monsoon session of parliament, forms a vital component of India’s holistic framework for technology regulations, working alongside the Digital India Act. Let’s delve into the intricate details of this groundbreaking bill.
Origins and Evolution: In a series of evolutionary steps, the government initially introduced the Personal Data Protection Bill, 2019 to parliament in 2019. However, it was later withdrawn in August 2022. Following extensive public consultations, a revised draft called the Digital Personal Data Protection Bill was unveiled in November 2022. Incorporating invaluable feedback received, a second draft was meticulously prepared and has now received official endorsement.
Scope of the Bill: The Digital Personal Data Protection Bill primarily revolves around the processing of personal data in India, regardless of its origin, be it online or offline, subsequently transformed into digital form. Personal data encompasses both direct information, such as name and contact details, as well as indirect data like vehicle numbers, location, and employee codes. For data to be classified as personal, it must possess the ability to identify an individual.
Jurisdiction and Consent: Expanding its reach beyond national borders, the bill applies to personal data collected outside of India if utilized for offering goods or services within the country or profiling individuals residing in India. The bill places significant emphasis on the acquisition of an individual’s consent for the processing of their data. Companies are mandated to provide a comprehensive notice, outlining the details of collected data and the purpose of processing, in order to secure consent. However, consent is presumed in cases where data processing is deemed necessary.
Rights and Duties of Individuals: Referred to as “Data Principals,” individuals whose data undergoes processing are granted an array of rights. These include the right to access a summary of their data, withdraw consent for data processing, request rectification or erasure of their data, and appoint a representative to exercise their rights in the event of death or incapacity. It is incumbent upon individuals to exercise their rights as prescribed by the bill and abstain from lodging false or frivolous complaints.
Data Fiduciaries and Safeguards: Entities responsible for data processing, termed “Data Fiduciaries,” bear fiduciary responsibilities concerning the personal data of Data Principals. They are obligated to implement reasonable safeguards to forestall data breaches. In case of a breach, Data Fiduciaries must expeditiously notify both the Data Protection Board of India and the affected individuals.
Data Retention and Transfer: The bill mandates data fiduciaries to delete personal data once the purpose of processing has been fulfilled, except in cases where retention is necessary due to legal or business requirements. Government entities enjoy exemptions from data storage limitations. Data fiduciaries are only permitted to transfer personal data to countries explicitly notified by the Central government.
Data Protection Board and Penalties: The bill establishes the Data Protection Board of India as the central authority entrusted with monitoring compliance and imposing penalties. This board will address grievances, issue directions to fiduciaries in case of data breaches, and oversee the appointment and removal of its members. Penalties for non-compliance range from fines of up to Rs. 10,000 for Data Principals, to staggering penalties of up to Rs. 250 crore for Data Fiduciaries failing to adopt necessary measures to prevent data breaches. Any penalty imposed by the board can be contested before the High Court.
The approval of the Digital Personal Data Protection Bill signifies a significant stride towards ensuring digital privacy in India. By regulating the processing of personal data and establishing rights and responsibilities for individuals and entities, this bill paves the way for a more secure digital landscape. As the bill progresses through parliament, maintaining a vigilant approach to safeguarding personal data and fostering a culture of data protection remains of paramount importance.