Examining the Digital Personal Data Protection Bill of 2022 in light of recent notifications & amendments and the Data Protection Laws of other Countries


Introduction

In the Indian context, with so much thrust on ‘digital India’ and Indian society transforming each day into a digital society and knowledge economy, data privacy and the security of personal information are receiving more attention. In view of this, the government is taking action to address data privacy issues in the digital era, collaborating with a number of stakeholders.

 

Developed nations have strong and exhaustive laws to safeguard personal data, for example, the European Union’s General Data Protection Regulation (GDPR),[1] the American Data Privacy Protection Act (ADPPA), 2022,[2] Brazil’s General Data Protection Law (LGPD),[3] etc. The Indian Government, on the other hand, is still struggling to formulate a law on data protection. The government has taken steps to propose bills in Parliament for the protection of personal data, yet India lacks a competent legislative framework for the regulation of data privacy issues.

 

With the landmark ruling in K.S. Puttaswamy (Retd.) and Anr. v. Union of India & Ors.,[4] wherein the court held that the right to privacy is a fundamental right within the ambit of Articles 14, 19 and 21 of the Indian Constitution, the demand for data protection and security of personal information has increased, making the introduction of privacy laws in India necessary.[5] Thereafter, a committee of experts led by Justice BN Srikrishna was established by the Ministry of Electronics and Information Technology to consider an Indian data protection framework.[6]

 

On 18th November, 2022, the Ministry of Electronics and Information Technology released a draft of the Digital Personal Data Protection Bill, 2022 for public consultation, after the withdrawal of the Personal Data Protection Bill, 2019.[7] The 2019 bill was withdrawn because the changes suggested by the Joint Parliamentary Committee were so numerous that it was deemed fit to replace it with a new bill.[8]

 

The present write-up is an attempt to analyze the Digital Personal Data Protection (DPDP) Bill, 2022[9] in light of recent notifications and amendments by the Reserve Bank of India (RBI) and, to an extent, the Companies Act, 2013.[10] Furthermore, the article compares the DPDP bill with the GDPR and ADPPA.

 

Examination of DPDP Bill, 2022

The intricacies of the DPDP bill, 2022 can be listed in the following points:

 

  • Objective: “The purpose of this Act is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto.”
  • Applicability: The Bill applies if digital personal data is processed in India and is either (i) gathered online or (ii) collected offline and converted to digital form. It will also apply to processing done outside of India if that processing is done to create profiles of people in India for the purpose of selling them products or services. Personal data is any information about a person who may be identified from or in connection with that information. Processing is an automated action or series of operations carried out on digitally stored personal data; it consists of collecting, storing, using, and sharing.[11]
  • Overriding provision: In the event of any conflict between the provisions of the Bill and the provisions of any other law in India, the former will prevail.[12]
  • Data localisation under RBI: Data localisation ensures that the data of residents is collected, processed and stored inside the country, often before being moved globally, and is typically transferred only after complying with local privacy or data protection legislation. Recently, the RBI issued a notification that, in order to ensure better monitoring, all system providers shall ensure that the entire data relating to payment systems operated by them is stored in a system only in India.[13] However, the current DPDP bill, 2022 says that the Central Government, after assessing necessary factors, can notify jurisdictions to which personal data can be transferred across the border, subject to specified terms and conditions.[14] This provision can thus pose serious security concerns and make it difficult to ensure a similar level of security for data stored in another country.[15]
  • Books of accounts under Companies Act, 2013: The Companies (Accounts) Rules, 2014 state the manner in which the books of account should be kept in electronic mode.[16] The said rule applies to Section 128 of the Companies Act, 2013.[17] The rule states that the books of account and other relevant books and papers, maintained in electronic mode, shall remain accessible in India at all times so as to be usable for subsequent reference. Furthermore, the books of account shall be retained completely in the format in which they were originally generated, sent or received. Also, the information contained in the electronic records shall remain complete and unaltered.

 

In furtherance of the same, Section 21 of the DPDP Bill, 2022 states that the Data Protection Board of India may, on receipt of a complaint by an affected person, on a reference made to it by the Central Government or a State Government, in compliance with the directions of any court, or in case of non-compliance with the duties of a Data Principal (Section 16 of the Bill), take action in accordance with the provisions of the DPDP bill. The Board is empowered to conduct an inquiry if there are sufficient grounds to do so, and for the purpose of such inquiry, the Board can examine and inspect any data, book, document, register, books of account or any other document.[18]

  • Analysis with respect to the European Union’s GDPR and American ADPPA: The legislative intent behind these legislations is more or less harmonious, as they aim to lay down rules to safeguard and protect the personal data of an individual; however, the intricacies of the documents reveal the differences between them. The following table can be referred to for a better understanding of the three legislations:

 

| S.No. | Subject | GDPR | ADPPA | DPDP Bill |
|---|---|---|---|---|
| 1. | Categorization of Data | Classification of data as personal data and data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data.[19] | Classification of covered data into sensitive covered data.[20] | No classification of personal data. |
| 2. | Processing of Children’s Data | Permission required for the processing of children’s personal data where the child is below the age of 16 years (can be lowered to 13 years by Member States).[21] | No permission is required for collecting, processing or transferring the data of an individual who is under the age of 18 years, in order to submit information to certain entities,[22] however, parental consent is required for transferring of data of a minor to a third party.[23] | Parental consent is required for processing any personal data of a child.[24] (Child: Individual below the age of 18 years).[25] |
| 3. | Guiding Principles | The processed personal data should be lawful, fair, and transparent in nature.[26] | Each covered entity must be readily apparent to the public and in a way that is clear, evident not deceptive, and simple to read.[27] | None |
| 4. | Cross-border flow of Data | Exhaustive procedure under Chapter V.[28] | Not expressly permitted or prohibited. | Allowed after an assessment by the Central Government, in accordance with terms and conditions specified.[29] |
| 5. | Consent Managers | None | None | Introduction of ‘Consent Managers’, serving as a link between Data Principal and Data Fiduciary.[30] |
| 6. | Data Breach Notification | Mandatory reporting of data breaches which are likely to result in a risk to the rights and freedom of the data subject.[31] | State laws, rules, regulations or requirements that address notification requirements in the event of data breach.[32] | In case of Personal Data Breach, the data fiduciary or data processor shall notify the Board and each affected Data Principal.[33] Moreover, urgent measures to remedy such personal data breach should be adopted.[34] |
| 7. | Penalties | General Conditions for imposing administrative fines subject to conditions prescribed under Article 83.[35] | Third-party collecting entity that fails to register or provide the notice as required shall be liable as per Section 206(c).[36] | Penalties for non-compliance are limited up to Rupees Five Hundred Crores.[37] |

 

Effectiveness of the DPDP Bill, 2022

The new DPDP bill, 2022 is a welcome and better step than the last bill of 2019, wherein there were around 100 provisions which are now narrowed down to 30 provisions in the new bill. However, there are still many ambiguities in the new bill, as it is subject to interpretation and can be interpreted in various ways. For example, the term ‘personal data’ is ambiguous, as the bill does not clearly define which data about an individual will be covered under the term.

 

Though the new bill has various pros, around 18 provisions include the term ‘as may be prescribed’, on which there is no clarity yet. With such an amount of ambiguity in the draft of the new bill, the application of the bill can be problematic.

 

The aftermath of the DPDP Bill, 2022

The DPDP Bill, 2022 is a much-awaited step by the Indian Government to protect personal data from unauthorized use and make the digital space of India much more reliable, safe and trustworthy. The bill is yet to be passed by the Parliament; however, once this bill is enacted, it will replace the existing framework of the Information Technology Act, 2000, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and the Right to Information Act, 2005.[38]

 

Conclusion

In a digitally connected world, the importance of protecting personal data is huge. The present draft of the DPDP bill, 2022 looks promising as the beginning of India’s privacy law journey. It is simplified in nature as compared to previous bills. However, a thorough read of the bill shows scope for additional nuances and changes in the structure of the bill. On the other hand, the simplified nature of the bill fulfills the demand for an easily understood data protection law in India.

 

As the Indian economy is moving towards a digital economy, it is time that the government enacted a data protection law, because technological advancement is on the rise and, after the COVID-19 pandemic, the demand for a privacy law and protection of personal data has increased. Therefore, looking at the current situation, the bill should be converted into a law, subject to amendments based on the sovereign interests of the citizens.

 

This article is written by Miss. Srishti Sinha, a 4th year B.A. LL.B.(Hons.) student at Institute of Law, Nirma University, Ahmedabad, and co-authored by Ms. Upasana Khati, Senior Legal Counsel at Thales India Pvt. Ltd., Noida.

 

References:

[1] General Data Protection Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1

[2] American Data Privacy Protection Act (ADPPA) 2022

[3] Brazil’s General Data Protection Law (LGPD) 2020

[4] AIR 2017 SC 4161

[5] Krishnadas Rajagopal, ‘New Digital Personal Data Protection Bill in Monsoon Session’ The Hindu (New Delhi, 11 April 2023) <https://www.thehindu.com/news/national/new-data-protection-bill-likely-to-be-introduced-in-monsoon-session-in-parliament-centre-to-supreme-court/article66723887.ece> accessed 12 June 2023

[6] Ministry of Electronics and Information Technology, Data Protection Committee Report (2018)

[7] Anuj Bhatia, Shruti Bhat and Aastha Saily, ‘The Digital Personal Data Protection Bill, 2022’ (Mondaq, 17 April 2023) <https://www.mondaq.com/india/data-protection/1305212/the-digital-personal-data-protection-bill-2022#:~:text=The%20Ministry%20of%20Electronics%20and,in%20the%20coming%20budget%20session> accessed 16 June 2023

[8] Krishnadas Rajagopal, ‘New Digital Personal Data Protection Bill in Monsoon Session’ The Hindu (New Delhi, 11 April 2023) <https://www.thehindu.com/news/national/new-data-protection-bill-likely-to-be-introduced-in-monsoon-session-in-parliament-centre-to-supreme-court/article66723887.ece> accessed 12 June 2023

[9] Digital Personal Data Protection (DPDP) Bill 2022

[10] Companies Act 2013

[11] Digital Personal Data Protection Bill 2022, s 4

[12] Digital Personal Data Protection Bill 2022, s (2)

[13] Storage of Payment System Data RBI/2017-18/153 <https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11244> accessed 13 June 2023

[14] Digital Personal Data Protection Bill 2022, s 17

[15] Lalit T Khanna, ‘Digital Personal Data Protection Bill 2022 and its impact on India’s booming data centre industry’ The Times of India (6 January 2023) <https://timesofindia.indiatimes.com/blogs/voices/digital-personal-data-protection-bill-2022-and-its-impact-on-indias-booming-data-centre-industry/> accessed 17 June 2023

[16] The Companies (Accounts) Rules 2014

[17] Companies Act 2013, s 128

[18] Digital Personal Data Protection Bill 2022, s 21

[19] General Data Protection Regulation 2016, art 9

[20] American Data Privacy Protection Act 2022, s 2 (28)

[21] General Data Protection Regulation 2016, art 8

[22] American Data Privacy Protection Act 2022, s 205 (2)

[23] American Data Privacy Protection Act 2022, s 205 (1)

[24] Digital Personal Data Protection Bill 2022, s 10

[25] Digital Personal Data Protection Bill 2022, s 2 (3)

[26] General Data Protection Regulation 2016, art 5

[27] American Data Privacy Protection Act 2022, s 202

[28] General Data Protection Regulation 2016, Chapter V

[29] Digital Personal Data Protection Bill 2022, s 17

[30] Digital Personal Data Protection Bill 2022, s 7

[31] General Data Protection Regulation 2016, art 33

[32] American Data Privacy Protection Act 2022, s 404 (b)

[33] Digital Personal Data Protection Bill 2022, s 9 (5)

[34] Digital Personal Data Protection Bill 2022, s 20 (3)

[35] General Data Protection Regulation 2016, art 83

[36] American Data Privacy Protection Act 2022, s 206 (c)

[37] Digital Personal Data Protection Bill 2022, s 25 & Schedule I

[38] Digital Personal Data Protection Bill 2022, s 30
