Digital India


DIGITAL DATA PROTECTION BILL 2022

“The right to privacy is inextricably bound up with all exercises of human liberty – both as it is specifically enumerated across Part III, and as it is guaranteed in the residue under Article 21. It is distributed across the various articles in Part III and, mutatis mutandis, takes the form of whichever of their enjoyment its violation curtails.”

Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors. serves as the foundation of Indian law on the "Right to Privacy." In this case a nine-judge bench reaffirmed the right to privacy as a fundamental right guaranteed by the Indian Constitution. The Supreme Court ruled that the right to privacy is essential to the liberties protected by the other fundamental rights and is a fundamental component of human dignity, autonomy, and liberty. The initial contention in the case, raised in 2015 during discussions about the constitutionality of the Aadhaar database, was whether the right to privacy was a fundamental right at all. The Bench held unanimously that "the right to privacy is safeguarded as an integral component of the right to life and personal liberty under Article 21 and as an element of the freedoms granted by Part III of the Constitution." Beyond establishing the right to privacy as a fundamental right, the case established the need for a new data privacy law, widened the definition of privacy in personal spaces, and treated privacy as an intrinsic value.

The following year, a 10-member committee led by a former Apex Court judge, Justice B.N. Srikrishna, drafted the Bill between August 2017 and July 2018. The bill was then examined by a Joint Parliamentary Committee (JPC), which delivered its report in December 2021. Several members of the JPC contended that the bill gave the government sweeping authority without providing sufficient safeguards. Consequently, on August 4, 2022, the Indian government withdrew the Personal Data Protection (PDP) Bill, 2019, from Parliament.

According to the United Nations, by 2023 India will be the most populous country in the world. A huge amount of digital data is generated as the growing population interacts with digital devices and the internet. As a result, the Indian government has made numerous attempts to create an act that can effectively protect the privacy of its more than 760 million active internet users. The current legal framework, which primarily regulates privacy under the Information Technology Act, 2000 (IT Act) and the Information Technology Rules, 2011 (IT Rules), largely fails to keep up with technological advancement and the growing need for a proper data protection law, especially in light of the 2017 privacy judgment discussed above.

Finally, in its fourth iteration, the Ministry of Electronics and Information Technology (MeitY) tabled the Draft Digital Personal Data Protection Bill, 2022 (DPDP Bill). The bill attempts to create a more thorough legal framework by establishing three roles: data principal, data fiduciary, and grievance resolver. It is built on, and draws upon best practices from, jurisdictions such as Singapore, Australia, and the European Union, namely the principles of (i) lawfulness, fairness, and transparency, (ii) purpose limitation, (iii) data minimisation, (iv) accuracy, (v) storage limitation, and (vi) accountability.

In addition to the six principles on which the government is basing this regulation, it appears to be following one more: 'progress over perfection'. The DPDP Bill states its purpose as being to "provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes".

The Digital Personal Data Protection Bill's scope, as the name implies, is limited to the processing of digital personal data within the territory of India. As a result, the legislation will not apply to offline personal data or to anything that has not been digitised. The DPDP Bill seeks to regulate only personal data and excludes non-personal data from its scope. Such a scope leaves out a large number of processing operations that continue to rely on paper forms as the primary data collection mechanism. Moreover, for the first time in India, the DPDP Bill uses the pronouns 'she/her' to refer to individuals of any gender. Unlike the current Information Technology Rules, 2011, which apply only to body corporates, the term "Data Fiduciary" now includes HUFs, artificial juridical persons, individuals, and the State.

In keeping with the global trend, the bill has extraterritorial application. It will apply to all organisations processing digital personal data outside India's territory if such processing involves profiling of, or offering goods and services to, data principals within India's territory. When this criterion is met, the proposed law will apply to foreign entities as well. The DPDP Bill does not expressly prohibit cross-border data transfers or impose any specific compliance requirements (such as standard contractual clauses or prior Government approval) for the transfer of personal data (or any subset of it) outside India. Instead, it allows a Data Fiduciary (i.e., a data controller) to transfer personal data outside India to such countries and under such terms and conditions as the Central Government may notify. The DPDP Bill's explanatory statement acknowledges the importance of cross-border data transfers in a globalised economy, which suggests that the government will not be overly restrictive about which jurisdictions to trust. Since the bill does not define what qualifies as an offering of goods and services, the proposed Data Protection Board of India will need to provide specific guidance. The DPB will be India's first regulatory body charged with protecting Indians' privacy. While it will determine non-compliance and impose penalties, the central government retains the authority to make rules under the bill's provisions. There is no specific guidance on the types of orders that the Board may issue.

The DPDP Bill does not define or recognise 'Sensitive' or 'Critical' personal data or any other subset of personal data. It merely defines 'Personal Data' to mean "any data about an individual who is identifiable by or in relation to such data". Furthermore, the bill makes no mention of granular consents or any requirement for specific consent for individual processing activities, even though the 2019 and 2021 bills contained provisions implying that independent consents would be required for processing sensitive personal data for particular purposes.

The current bill retains the concept of significant data fiduciaries, which was proposed in previous iterations. Organisations would be categorised as significant data fiduciaries following a notification issued by the central government. The government is empowered to notify "significant data fiduciaries" (SDFs) based on the volume and sensitivity of the personal data they process, the risk of harm to the data principal, the potential impact on India's sovereignty and integrity, the risk to electoral democracy, and other factors. SDFs must meet additional requirements, such as appointing an independent data auditor to assess their compliance with the 2022 Bill and conducting data protection impact assessments. They must also appoint an India-based data protection officer. However, the phrase "such other measures" is left open in this Section. The Act should include guidance on what types of measures can be imposed on SDFs.

The defining component of the proposed approach is cross-border data transfers. Previous versions of the bill were heavily criticised across sectors for proposing data localisation, citing India's "digital sovereignty" as justification. The current bill eliminates the localisation requirement and instead takes a vague approach: the central government will notify countries outside India to which a data fiduciary may transfer personal data, and the conditions and guidelines governing such transfers will be specified in those notifications. In effect, references to data localisation have been removed and the central government has been given the power to sanction cross-border data transfers to whitelisted countries. Regrettably, the continued application of cross-border transfer restrictions to the personal data of data principals located outside India is inefficient and contradicts the intent of providing an exemption for outsourcing activities. Furthermore, we note that the State and its instrumentalities have been exempted from the obligation to erase data at the end of processing and once the purpose of the personal data collection has been met. This may result in arbitrary data retention for prolonged periods with no reasonable justification.

[Image caption: The Data Protection Bill, 2022 fails Indians substantively and procedurally]

If the Board finds significant non-compliance by an entity after conducting an inquiry, it may impose a financial penalty of up to INR 500 crore. The proposed law also prescribes specific penalties ranging from INR 50 crore to INR 250 crore for failing to implement reasonable security safeguards to prevent personal data breaches, failing to notify the Board and affected data principals of data breaches, and failing to comply with the additional SDF obligations. The most serious penalties under the proposed law are for failing to comply with its data-breach obligations. Previous versions of the bill drew inspiration for fines from the EU General Data Protection Regulation, capping them at 4% of the data fiduciary's total worldwide turnover to keep them proportionate to the size of the organisation. The Act should require the Board to publish guidelines for determining the amount of penalties, to bring in transparency. Furthermore, the Board's decisions should be made accessible to the public.

If passed, the 2022 Bill will take precedence over other laws in the event of a conflict. It will also apply in addition to existing sectoral data governance laws and regulations; where requirements conflict, the 2022 Bill may override existing sectoral laws and regulations on data governance in sectors such as banking and finance, health, and others. While some changes to consent and data classification may affect the overall protection of individual data privacy rights, the Bill is likely to be welcomed by companies in the IT and tech sectors. Some aspects, such as the Committee's operation, will have to be time-tested for effectiveness.
