[Ananya Karnwal and Astha Agarwal are 5th year B.A. LL.B (Hons.) students at National Law University Odisha in Cuttack, Odisha]
Recently, on 5 July 2023, the Digital Personal Data Protection Bill (“The Bill”) received approval from the Central Cabinet. This Bill has been finalized after multiple attempts by the government to create a holistic legislation to govern the digital data of individuals that is used by data fiduciaries and the state for varied purposes. In November 2022, the Draft Digital Personal Data Protection Bill was brought in by the IT Ministry (“MeitY”) with a view to “framing out the rights and duties of the citizen (Digital Nagrik) on the one hand and the obligations to use collected data lawfully by the Data Fiduciary on the other.”
The idea of having a legislation governing data privacy originally developed following a historic ruling in 2017 (Justice K.S. Puttaswamy (Retd.) & Anr. v Union of India & Ors), which recognized the privacy of individuals as a right under Part III of the Constitution. The government was directed to establish a law to protect citizens’ personal data from unauthorized use by both state and non-state entities. To address this requirement, the government formed a committee led by Justice B.N. Srikrishna to create a draft bill for the protection of data. The committee completed its report and presented the first draft in the form of the Personal Data Protection (PDP) Bill, 2018.
Subsequently, after revision, it was presented before the Lok Sabha in 2019 as the PDP Bill. However, further scrutiny and public consultation were deemed necessary, so it was referred to a Joint Parliamentary Committee (JPC). After conducting a thorough examination and gathering public feedback, the JPC submitted its observations and findings, along with a modified draft bill, which was named the Digital Personal Data Protection Bill (DPDP). The Bill approved by the cabinet is the revised version of the 2022 Bill based on public consultation.
Section 4(1) of the Bill specifies that it applies to all forms of transactions within India relating to personal data which is in digitized form. This includes two scenarios:
(i) when the data is collected online and
(ii) when the data is collected offline and subsequently digitized.
Any processing of information pertaining to provision of goods or services in India which involves the data collection of any Indian individual has also been covered in section 4(2) of the bill. Personal data has been interpreted as any information that facilitates the identification of an individual. Processing, as defined in the Bill, refers to automated operations or a series of actions performed on digital personal data, encompassing activities such as collection, storage, usage, and sharing.
However, according to section 4(3)(a), the Bill does not encompass the ‘non-automated’ processing of personal information, even if it exists in digital form. This means that a digitized record or document containing personal information on which automated data processing is not possible or is not being carried out falls outside the scope of the Bill’s applicability. Additionally, the processing of data of data principals located outside India is exempted from the obligations outlined in Chapter 2 of the Bill, specifically the obligations of a data fiduciary. This exemption applies if the processing of data is performed by an entity in India based on a contract executed with an entity outside India (as stated in section 18(1)(d)).
According to section 2(5), Data Fiduciaries under the Bill refer to “entities that carry out the collection, storage, or processing of personal data on behalf of individuals”. These entities bear the responsibility of ensuring the security and well-being of the data by preventing unauthorized access, misuse, or any form of harm.
Section 7 of the Bill stipulates that Data Fiduciaries must obtain consent from individuals prior to collecting or processing their data, with a few exceptions of Deemed Consent provided under section 8, which include cases related to state functions, legal obligations, emergencies, or public interest. The consent obtained must be freely given, informed, specific to the intended purpose, clearly communicated, and capable of being revoked.
Furthermore, section 9 of the Bill requires Data Fiduciaries to adhere to a set of principles while handling personal data. These principles include limitations on the purpose for which the data can be used, restrictions on the collection of data, ensuring data accuracy and quality, imposing limits on data retention, establishing accountability for data handling, and maintaining transparency in data processing activities.
Data Protection Boards
Section 19, covered under Chapter 5 of the legislation, lays down the formation of a Data Protection Board (“The Board”), which is vested with the responsibility of ensuring effective implementation and enforcement of the Bill. The Board will be established by the Central Government and will function as an independent body. The chairperson and other members of the Board will be considered public servants and will be protected from legal proceedings for any actions taken by them in good faith under the provisions of the Bill. The Board will primarily operate as a digital office, which will ensure transparency and further allow it to perform its functions in a speedy, effective and seamless manner.
The primary function, as given in section 20 of the Bill, is “to ensure compliance with the provisions of the Bill and address the complaints raised by various stakeholders”. To fulfill these functions, the Board has been entrusted with sufficient authority under section 21 to issue directions, conduct inquiries, impose penalties and take necessary actions to remedy data breaches or mitigate any loss borne by the users. Section 22 specifies that “The Board may conduct proceedings through individual members or groups while following the principles of natural justice, providing a reasonable opportunity for all parties involved to be heard”. Furthermore, the Board has the authority to issue interim orders to prevent non-compliance and may impose warnings or costs on complainants if a complaint lacks merit. By virtue of section 21(13), all orders passed by the Board will be binding like those of a Civil Court, making the existence of the Board worthy and effective.
As per section 2(6), Data Principal is defined as “the person with whom the personal data is associated”. The Data Fiduciaries are now required to take consent from the Data Principals before collecting their personal information.
Sections 12 and 13 enable the Data Principal to seek what information is being used by a Data Fiduciary and ask for corrections if required. Also, if they have any grievance, they can get it registered with the Data Fiduciary, and if they then receive a dissatisfactory response or no response, they can freely complain before the Board. While exercising these rights, Data Principals must fulfill certain duties given under section 16, such as complying with applicable laws, avoiding false or frivolous grievances, and providing authentic information during correction or erasure requests.
The objective of the legislation lies in safeguarding private data and holding data fiduciaries accountable. However, there are a few key concerns that may emerge in the future.
The most concerning issue is the independence and accountability of the Data Protection Board. The fact that its members are appointed by the government raises doubts about their impartiality in overseeing data protection matters. This could undermine public trust and confidence in the data protection framework.
Another challenge is the absence of deadlines for various actions. For instance, there is no timeframe for deleting the collected data if the Data Principal wishes to withdraw consent. Similarly, the Bill lacks a specific timeline for the Board to adjudicate on complaints and for Data Fiduciaries to erase personal data once its intended purpose is served. Without clear and enforceable timelines, there is a lack of accountability and potential scope for abuse by Data Fiduciaries.
Further, the Bill proposes severe penalties for noncompliance but lacks clear guidelines on what constitutes “significant” non-compliance. This subjectivity raises questions about fairness and consistency in enforcement. To address this, it is crucial for the legislature to define the threshold for significance, providing clarity on how penalties will be applied. Alternatively, the Board can issue contextual orders to ensure consistent and objective assessments based on specific situations.
Another area of concern is that the Bill’s complex compliance regime presents challenges for SMEs, startups, and non-profit organizations. These entities may lack the resources and expertise to navigate the intricate requirements effectively. Complying with the Bill’s provisions can become a cumbersome task, diverting valuable time and resources from core business activities. The increased cost and administrative burden may hinder growth and discourage innovation, affecting the overall business environment in India.
The approval of the Digital Personal Data Protection Bill by the Union Cabinet marks a significant step towards safeguarding personal data and establishing a holistic legislation for preserving data in the country. However, as with any legislation, there are a few shortcomings that could act as a roadblock in ensuring its successful execution to protect the rights and privacy of individuals. While the Bill aims to protect personal data and hold Data Fiduciaries accountable, addressing the challenges mentioned above will be critical for its successful implementation. By ensuring the independence of the Board, establishing clear timelines, defining significant noncompliance, and considering the needs of smaller organizations, the legislation can strike a harmonious balance that protects individuals’ rights, encourages innovation, and supports economic growth.
– Ananya Karnwal & Astha Agarwal