Is this it? Understanding the Digital Personal Data Protection Bill, 2022
While discussing privacy and data protection, the biggest question is: is privacy a right or a pre-requisite? Indian policy think tanks, Parliament, and even lawyers have had this dilemma for over five years now. This has ultimately led us to have another draft.
On November 18, 2022, the Ministry of Electronics & Information Technology (MEITY) released the draft of the Digital Personal Data Protection Bill, 2022. The draft arrived a few days earlier than it was anticipated. The old Data Protection Bill was withdrawn earlier in the Parliament’s monsoon session. MEITY has now added “Digital” in the bill’s name, emphasising exclusively personal data laws. The bill stipulates the creation of a regulator and penalties of up to ₹500 crores for non-compliance. Amidst all the discussions, it is worth mentioning that MEITY has set positive precedence with the pronouns they have used. Section 3(3) of the Bill reads, “The pronouns her and she have been used for an individual irrespective of gender”.
Background
In December 2019, the Personal Data Protection Bill was initially introduced in the Lok Sabha. Later, a joint parliamentary committee’s report, presented to the Parliament on December 16, 2021, stated that the bill should cover personal and non-personal data. After working on the bill for multiple years, the government withdrew it in August 2022. The old bill had many concerns. For example, Section 35 of the bill allowed the Central Government to exempt any law enforcement agency from the obligations set under the bill. Section 12 permitted the state to process the personal data of data principals without their consent.
Essential Takeaways from the 2022 Bill:
- Once the primary purpose of data collection is completed, the data fiduciary must remove the personal data or erase the means through which data can be linked to specific data principals.
- A data fiduciary can only retain user data for business or legal reasons.
- Data principals should have the option to give, manage, and withdraw their consent for sharing their personal data.
- If an employer requires their employees’ biometric information for attendance, they will need explicit consent. An employee will have full authority over their biometric information.
- Banks shall mandatorily maintain KYC data for at least six months after the closure of an account.
- The bill also contains guidelines for collecting and managing the personal data of minors. Data fiduciaries shall take parental consent into consideration. Social media companies should avoid tracking, monitoring, or having child-specific targeted advertising. The bill prescribes a penalty of up to ₹200 crores in case of failure to comply with duties related to children’s personal data.
Critical Points
- On data localisation, the new bill merely says that it will be subject to later specified rules and restrictions. The Central Government may notify nations where a data fiduciary may transmit data. Data localisation was a hot topic before the old bill was withdrawn.
- The new bill introduces the concept of significant data fiduciaries. This is based on the volume of data processed, the risk to users, etc. These entities will have additional obligations to enable greater scrutiny of their data protection practices. This is analogous to significant social media intermediaries’ obligations under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
- The bill also includes a section focussing on the duties of a data principal. A data principal should provide accurate information when they claim the right to correct or erase their data. They should refrain from filing an unfounded or unjustified grievance or complaint with a data fiduciary or the Data Protection Board. It is not apparent if there will be any consequences for failing to fulfil these duties.
End Notes
Like every bill, this bill introduces a few new concepts. For instance, it suggests a system of graded penalties for data fiduciaries. It also covers new terms and provisions, which appear to be a comprehensive approach based on a cursory reading. Will it stand firm compared to the EU’s GDPR or California’s CCPA? And did we successfully bring the Orwellian Big Brother into the purview of the law?
The draft is open for public comment till December 17, 2022.
Have a suggestion regarding the draft bill? Reach out to the author here.