The Ministry of Electronics and Information Technology (“MeitY”) finally released the draft “Digital Personal Data Protection Bill, 2022” (“DPDP Bill”) on November 18, 2022 for public consultation.
The Bill aims to establish a comprehensive data privacy legislation governing digital personal data in India. It applies to personal data collected from Data Principals online and personal data that is collected offline, but digitized. It also applies to processing of digital personal data outside the territory of India, if such processing is in connection with any profiling of, or is an activity of offering goods or services to Data Principals within the territory of India. This provision seeks to bring in extra-territorial applicability.
The DPDP Bill excludes non-automated processing of personal data, offline personal data, personal data processed by an individual for any personal or domestic purpose, and personal data about an individual that is contained in a record that has been in existence for at least 100 years. In the Indian context, revenue records may be more than 100 years old but may still need protection. Therefore, the rationale and detailing of the exclusions will need to be factored in, as will the balance to be struck in the compliance requirements for less important data.
With respect to notices to be given for the purpose of consent, Data Principals are given an option of requiring that notice be provided in any of the 22 languages specified in the Eighth Schedule of the Constitution of India. There would be complexities that could arise due to the translated versions.
The main ground for processing personal data remains consent of the Data Principal. However, the concept of “deemed consent” has been introduced, where a Data Principal is deemed to have given consent for the processing of their personal data if (a) such data has been shared voluntarily, (b) the processing is necessary for the performance of any function under law, or the provision of any service or the issuance of any license by the State, (c) the processing is necessary for compliance with any law or judgment, (d) the processing is necessary for responding to a medical emergency or medical treatment, (e) the processing is necessary to ensure safety or to provide services during any disaster or breakdown of public order, (f) the processing is related to employment, (g) the processing is necessary for public interest, or (h) the processing is for any fair and reasonable purpose after taking into consideration the legitimate interests of the Data Fiduciary, the public interest and the reasonable expectations of the Data Principal.
A Data Fiduciary is required to cease to retain personal data, or remove the means by which the personal data can be associated with particular Data Principals, as soon as it is reasonable to assume that the purpose for which such personal data was collected is no longer being served by its retention; and retention is no longer necessary for legal or business purposes.
With an intent to safeguard the processing of personal data of children, the DPDP Bill does provide for parental consent. The Data Fiduciary is required to, before processing any personal data of a child, obtain verifiable parental consent. A Data Fiduciary cannot undertake such processing of personal data that is likely to cause harm to a child and cannot undertake tracking or behavioural monitoring of children or targeted advertising directed at children.
The DPDP Bill has a wide set of exceptions, the implications of which need to be closely examined so that sensitive personal data is not affected by the exclusions.
Every Data Fiduciary is required to appoint a Data Protection Officer, who shall be responsible to the Board of Directors of the company, and an Independent Data Auditor to evaluate compliance. A company is also required to prepare a Data Protection Impact Assessment and conduct periodic audits.
Cross-border data transfer is sought to be regulated and the Central Government can notify the jurisdictions where personal data may be transferred.
A Data Protection Board is proposed to be set up for enforcing the provisions of the DPDP Bill. It shall address user complaints and monitor compliances. An appeal to an order of the Board can be filed in the High Court. The Board also has the power to refer complaints to mediation or other dispute resolution mechanisms.
The DPDP Bill prescribes that the Board has the power to impose financial penalties of up to Rs. 500 crores in each instance. While determining the financial penalty, the Board shall have regard to several factors, including the nature, gravity and duration of the non-compliance, the repetitive nature of the non-compliance, whether any action was taken to mitigate the effects and consequences of the non-compliance, and the likely impact of the imposition of the financial penalty on the person. Failure by data processors and data fiduciaries to take reasonable security safeguards to prevent a personal data breach can entail a penalty of up to Rs. 250 crores.
The public consultations on the bill are open till 17 December 2022. The DPDP Bill seeks to introduce transparency and is a simplified version of the previous drafts. However, it will need to be further articulated to address issues relating to the practical difficulties in deleting personal data once its purpose has been served and in withdrawal of consent. The “significant” non-compliance that results in a large quantum of penalties, and the timelines for compliance, will also need to be debated so that the legislation, when implemented, secures meaningful compliance and acts as a deterrent against breaches.
Authored by Ms. Parveen Mahtani, a gold medallist in law and the Chief Legal Officer of Mahindra Lifespace Developers Ltd.