OBJECTIVE BEHIND DRAFTING THIS BILL

A citizen’s perspective:

The way technology has advanced globally and in our country, in particular, makes me kind of feel old since we come from a generation where television, PCs, and landline phones were considered a luxury then. I remember the time when we would go to the nearby ‘cyber cafes’ to browse through the internet or arrange printouts for our college assignments and projects. Not to forget the excitement and charm of holding a mobile phone for the very first time. Being a Nokia loyalist, I almost had 6 diverse models of Nokia mobile phones until it lost out in the smartphone segment which deeply saddened me. Cut to the last decade, presumably 2014 onwards wherein digital media and smartphones started ruling our lives. The biggest impact demonetization and the COVID-19 pandemic brought into the lives of the common man alias the consumer is the need to be digitally aware and store most of his/her information online. Gone are the days we would check twice if we were carrying wallets in our bags. Today, we can make most payments with apps like PhonePe, Gpay, Paytm, etc reducing even the need of having debit/credit cards barring a few big retailers or online sites which prefer card payments or internet banking. Today, most of us prefer to shop online thereby saving time, and energy and getting us various discounts as well.

Considering how our lives are completely occupied throughout the day and with OTT platforms at our disposal 24/7, the only reason we perhaps go out is for dinner or to meet our loved ones. The reason I mentioned all of the above is that the more we and our lives rely on technology and digitization, the little are we realizing how much of ourselves and our personal information is out there in the world with hundreds of stakeholders who are constantly scrutinizing and analysing our information and our preferences based on the last website we browsed through. We have tons of passwords for umpteen websites and internet banking, and we keep such information stored in our laptops and hard drives which is altogether another risk to our personal data. There is no dearth of the promotional and business calls we get each day and one has to understand that a lot of our personal information is being shared most of the time without our consent which nurtures the various kinds of cyber crimes and frauds we keep hearing of every single day. In today’s times, whether we like it or not, our privacy is constantly at risk.

I believe it is with the above-mentioned reason, motive, and background that the Government ought it extremely necessary to draft a law that not only protects the personal data of an individual but also gives him a right to know for what purpose his information is being used for also giving them a right to give and withdraw consent at any point in time. We are talking about the draft Digital Personal Data Protection Bill 2022 released by the Ministry of Electronics and Information Technology which released this bill in November 2022 for public feedback.

A Legislator’s Perspective:

Currently, India does not have a standalone specialized law on personal data protection. The usage of personal data is in fact regulated under the Information Technology (IT) Act, of 2000, however, it was felt that this piece of legislation was not sufficient to ensure the protection and safety of personal data. In 2017, the central government constituted a Committee of Experts on Data Protection chaired by Justice B. N. Srikrishna to examine issues relating to data protection in the country, which submitted its report in July 2018. Based on the recommendations of the Committee, initially, the Personal Data Protection Bill, 2019 was introduced in Lok Sabha in December 2019. The Bill was referred to a Joint Parliamentary Committee which submitted its report in December 2021. However, in August 2022, the Bill was withdrawn from Parliament. Subsequently, in November 2022, the Ministry of Electronics and Information Technology released the Draft Digital Personal Data Protection Bill, 2022 for public feedback.

Businesses as well as government entities process personal data for the delivery of goods and services. We all are aware that such processing and analysis of personal data allows for understanding the preferences of individuals, which may be useful for customization, targeted advertising, and developing recommendations. Sometimes, it may also aid law enforcement. It is often seen that unchecked and unregulated processing may have adverse implications for the privacy of individuals, which has been recognised as a fundamental right under the Indian Constitution. It may subject individuals to harm such as financial loss, loss of reputation, and profiling Hence, the objective of this bill is to protect and safeguard the personal data of individuals while also allowing freedom to businesses for using such data albeit abiding by certain rules and regulations.

LET US TALK ABOUT THE DIGITAL PERSONAL DATA PROTECTION BILL

Now, let’s delve into the key aspects and highlights of this bill.

1. KEY TERMS

• Personal information- information/data that relates to an identified or identifiable individual.  

• Processing has been defined as an automated operation or set of operations performed on digital personal data.  It includes collection, storage, use, and sharing

• Data fiduciary: The entity determining the purpose and means of processing

• Data Principal: An individual whose data is being processed

1. The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised.  It will also apply to such processing outside India if it is for offering goods or services or profiling individuals in India.

2. Personal data may be processed only for a lawful purpose for which an individual has given consent.  Consent may be deemed in certain cases.

3. Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.

4. Rights and duties of data principal:  An individual, whose data is being processed (data principal), will have the right to: (i) obtain information about processing, (ii) seek correction and erasure of personal data, (iii) nominate another person to exercise rights in the event of death or incapacity, and (iv) grievance redressal.  Data principals will on the other hand have certain duties as well.  They must not: (i) register a false or frivolous complaint, (ii) furnish any false particulars, suppress information, or impersonate another person in specified cases.  Violation of duties will be punishable with a penalty of up to Rs 10,000.

5. Obligations of data fiduciaries:  The entity determining the purpose and means of processing, called a data fiduciary, must: (i) make reasonable efforts to ensure the accuracy and completeness of data, (ii) build reasonable security safeguards to prevent a data breach and inform the Data Protection Board of India and affected persons in the event of a breach, and (iii) cease to retain personal data as soon as the purpose has been met and retention is not necessary for legal or business purposes (storage limitation).  The storage limitation requirement will not apply in case of processing by government entities.

6. Transfer of personal data outside India:  The central government will notify countries where a data fiduciary may transfer personal data.  Transfers will be subject to prescribed terms and conditions.

7. Penalties: The schedule to the Bill specifies penalties for various offences such as: (i) up to Rs 150 crore for non-fulfilment of obligations for children and (ii) up to Rs 250 crore for failure to take security measures to prevent data breaches.  Penalties will be imposed by the Board after conducting an inquiry

8. The central government will establish the Data Protection Board of India to adjudicate non-compliance with the provisions of the Bill.

CHALLENGES IN THE IMPLEMENTATION OF THIS BILL

• If I currently keep aside the fact that I am an Indian citizen who is fortunately from a legal background and is aware of the nitty-gritties of this bill and the protections it gives to an individual, the biggest challenge to this bill once it becomes an Act which I strongly feel about is the AWARENESS aspect. In our country, unfortunately, most citizens are unaware of their basic rights and legal remedies. In such a scenario, the first and foremost task of the government and the executive is to bring the knowledge of this law to the common man. Unless people are not informed and aware of the protections this bill gives them, organizations and businesses shall continue to misuse personal data without any fear. Simultaneously, the need is also for the data fiduciaries i.e. entities who seek personal information to know about their duties under this new legislation and the penalties which they may be liable to pay in case they breach any of its provisions. Hence, the government has a dual task of sensitizing both sides about their respective duties and rights so that the law can actually be implemented in spirit.

• The second challenge under this bill which I feel is of paramount importance is the various exemptions given therein which can cause a huge risk to the right to privacy. A bare reading of the draft bill reveals that personal data processing by the State has been given several exemptions under the Bill. As per Article 12 of the Constitution, the State includes (i) central government, (ii) state government, (iii) local bodies, and (iv)authorities and companies set up by the government. The bill states that the Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases including prevention and investigation of offences, and enforcement of legal rights or claims. The central government may, by notification, exempt certain activities from the application of provisions of the Bill. These include (i) processing by government entities in the interest of the security of the state and public order, and (ii) research, archiving, or statistical purposes. Exemptions to data processing by the State on grounds such as national security may lead to data collection, processing, and retention beyond what is necessary.  This may in turn violate the fundamental right to privacy.

• In addition to the above, it is also prima facie clear that the Bill accords differential treatment on consent and storage limitation to private and government entities performing the same commercial function such as providing banking or telecom services. The Bill provides that consent will be deemed to have been obtained for the processing of data to provide benefits and services by the State and its instrumentalities. We have already seen the definition of State as per the Constitution. The requirement of consent gives individuals a certain amount of control over the extent of data collection and processing. Government and public sector utilities owned by it provide various services to individuals such as health, banking, telecom, and electricity therefore, government health departments and companies such as SBI, BSNL, etc need not take consent from individuals for processing their data. This may violate the right to equality of the private sector providers. A data principal does not have a choice to refuse consent if he needs the benefit or service. In such a situation, the idea of requiring consent is meaningless and is merely on paper. It is unclear why such an exemption has been extended to all services provided by the State, including commercial services. The question remains: Whether consent requirement should also apply where government agencies provide commercial services?

• Independence of the Data Protection Board of India: The Bill requires the central government to set up the Data Protection Board of India.  It provides that the Board will function as an independent body, however, the composition, terms of appointment, and manner of removal of the members will be prescribed by the central government.  The question is whether these details should be provided in the principal legislation to ensure the independence of the Board. Often, government entities may be subject to such investigations, as they process a significant amount of personal data.  This may raise questions about whether the Board will be able to function independently in such matters.  

• Another interesting aspect of this bill is that it requires all data fiduciaries to obtain verifiable consent from the legal guardian before processing the personal data of a child.   To comply with this provision, every data fiduciary will have to verify the age of everyone signing up for its services.  This may have adverse implications for anonymity in the digital space which contradicts the very purpose for which this bill is being enacted in the first place i.e. protection of personal data

Conclusion: Looking forward

Despite the challenges and the aspects mentioned above which need a re-look, I personally welcome this bill for it was much needed considering the amount of personal information of each individual which is out there in the digital space in our country and globally as well. I hope that the government promotes this new law in all forms of print, web-based and electronic mediums, FM, radio, television, etc so that each and every citizen gets to know about its provisions and how they need to protect their personal details in public space. As legal officers and persons having knowledge of the law, it is our duty to inform those around us at least our near and dear ones about all the latest legislations benefitting the common man. In my own small way through social media, I am doing my bit in creating news about it on various platforms. Are you…