New Delhi: The creation of a Data Protection Board and a Rs 500-crore penalty for non-complaince of laws are among the features of the new draft Digital Personal Data Protection Bill, 2022, released Friday. Coming three months after the original bill was surprisingly withdrawn from Parliament by the Modi government, the long-awaited new draft bill also proposes to relax norms for cross-border data localisation.
While withdrawing the original bill , which had drawn flak for alleged violation of fundamental rights of citizens, in August, Electronics and Information Technology Minister Ashwini Vaishnaw had said the government would come out with a new draft.
The new draft has now been released for public consultations and comments till 17 December, after which it will be tabled in the next budget session.
While the relaxed norms for data localisation in the draft bill means that personal data flow could now be facilitated via “trusted nations”, it also proposes a comprehensive legal framework of how personal data should be used.
“The purpose of this Bill is to provide for the processing of digital personal data in a manner that recognises the right of individuals to protect their personal data, the need to process personal data for lawful purposes and for other incidental purposes,” according to the explanatory note of the draft bill.
“Personal data means any data about an individual who is identifiable by or in relation to such data”, it added.
The draft bill is based on some key “principles” like the “lawful” use of personal data by organisations, usage of data “for the purposes for which it was collected”, data minimisation — collecting only “personal data required for attaining a specific purpose”, among others.
The IT ministry has reportedly reviewed personal data protection legislations of Singapore, Australia, the European Union and prospective federal legislation of the United States of America before releasing the draft bill for further consultations.
However, the draft bill has also already invited criticism from the non-profit digital rights platform Internet Freedom Foundation, which alleged the data protection board will not remain independent since appointments at this stage will be made by the government. They also claimed that since there are no specific details on how data should be stored outside the country, there may be exploitation.
Also read: India is the sixth most data-breached country in world, says study by cybersecurity firm
Concessions on data localisation norms
An important feature of the proposed bill is that it has relaxed norms for cross-border data localisation. This means that companies can store personal data in “trusted” nations. Major technology companies like Meta had expressed reservations over related provisions in the previous version of the bill. They had claimed that stringent data localisation norms will deter services in the country.
In March this year, India signed a joint declaration with the European Union, Australia, Comoros, Japan, Mauritius, New Zealand, South Korea, Singapore and Sri Lanka on privacy and the protection of personal data. The idea was to strengthen “trust in the digital environment”, indicating a partnership in cross-border data flows.
“Transfer of personal data outside India the Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified, the new draft bill read.
Collecting, storing and processing personal data
The proposed bill has listed some of the “obligations” that a data fiduciary has to follow. According to the draft bill, a “Data Fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of the processing of personal data”.
A company is expected to provide clear communication to a citizen regarding their personal data. This should ideally include the nature of the data, purpose and duration of data storage, which should be known to a person, the draft bill has stated.
“On or before requesting a Data Principal for her consent, a Data Fiduciary shall give to the Data Principal an itemised notice in a clear and plain language containing a description of personal data sought to be collected by the Data Fiduciary and the purpose of the processing of such personal data,” the draft bill read.
The proposed bill defined a “Data Principal” as an “individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child”.
This means that organisations including banks have to state explicitly the purpose of collecting data.
Also Read: Why Modi govt withdrew the Personal Data Protection Bill
Data protection officers
The government has proposed that every data fiduciary must appoint data protection officers who would be responsible for all communications from the data consent point of view.
This means data fiduciaries across the country, including banks and social media intermediaries, will need to appoint data protection officers who will represent the organisation.
“The Data Protection Officer shall be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary. The Data Protection officer shall be the point of contact,” the draft bill read.
These officers will also be responsible to ensure that if an individual withdraws consent, then the data fiduciary is obligated to stop processing their personal data immediately.
“Where consent given by the Data Principal is the basis of the processing of personal data, the Data Principal shall have the right to withdraw her consent at any time,” the draft bill said.
However, the draft also said that the “consequences of such withdrawal shall be borne by such Data Principal”. This means that the services for which the personal data was stored could also be stopped.
Personal data of children
One of the most contentious aspects of the draft bill in the past centered around storing and processing data related to children and minors. The current draft legislation has listed some obligations for fiduciaries to process the personal data of children.
The consent of a lawful parent has been given importance for “processing any personal data of a child”.
“A Data Fiduciary shall not undertake such processing of personal data that is likely to cause harm to a child, as may be prescribed. It shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children,” the bill read.
A penalty of up to Rs 200 crore is expected to be levied if an organisation is unable to comply with this clause.
Earlier, digital rights activists had claimed that collecting data on minors and verification of their actual age may not make sense. It could also be expensive for the companies to oblige.
Grievance redressal mechanism
According to the draft bill, the Ministry of Electronics and Information Technology will build a framework for grievance redressal mechanisms that will function within the draft’s provisions. This will ensure, the draft added, that citizens will have the right to obtain relevant information about their data processing from the company and seek action whenever necessary.
An independent data protection board will be set up to address redressals of grievances.
“The Central Government shall, by notification, establish, for the purposes of this Act, a Board to be called the Data Protection Board of India. The allocation of work, receipt of complaints, formation of groups for hearing, the pronouncement of decisions, and other functions of the Board shall be digital by design,” the proposed bill read.
The ministry is yet to unveil the process of selection, terms and conditions of appointment and service.
Some of the functions of the board, according to the draft bill, will be to determine “non-compliance with provisions of this Act and imposing a penalty”, performing functions prescribed by the Union government to the board, giving a person a reasonable opportunity of being heard and migrating personal data during data breaches among others.
If a data fiduciary is found non-compliant by the data protection board then they could be fined up to 500 crore rupees.
The board will have the power to decide the amount of a financial penalty after determining “the nature, gravity and duration of the non-compliance, the type and nature of the personal data affected by the noncompliance, repetitive nature of the non-compliance among others”.
If the data fiduciary has failed “to notify the Board and affected Data Principals in the event of a personal data breach”, they will have to pay a fine of up to 200 crore rupees, the draft bill said.
(Edited by VS Chandrashekhar)
Also Read: Disguised ads, hidden costs — regulator ASCI now tackling ‘dark pattern’ ad tactics, says its CEO