The Ministry of Electronics and Information Technology (MeitY) has released the draft of the Digital Personal Data Protection Bill 2022. According to the government, the purpose of the draft bill is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes and for matters connected therewith or incidental thereto.
According to an explanatory note for the bill, it is based on seven principles around the data economy. The first principle is that usage of personal data by organisations must be done in a manner that is lawful, fair to the individuals concerned and transparent to individuals. The second principle of purpose limitation is that the personal data is used for the purposes for which it was collected. The third principle of data minimisation is that only those items of personal data required for attaining a specific purpose must be collected. The fourth principle of accuracy of personal data is that reasonable effort is made to ensure that the personal data of the individual is accurate and kept up to date. The fifth principle of storage limitation is that personal data is not stored perpetually by default. The storage should be limited to such duration as is necessary for the stated purpose for which personal data was collected. The sixth principle is that reasonable safeguards are taken to ensure that there is no unauthorised collection or processing of personal data. This is intended to prevent personal data breach. The seventh principle is that the person who decides the purpose and means of processing of personal data should be accountable for such processing. As per the note, these principles have been used as the basis for personal data protection laws in various jurisdictions. The actual implementation of such laws has allowed the emergence of a more nuanced understanding of personal data protection wherein individual rights, public interest and ease of doing business, especially for startups, are balanced.
As per the draft bill, the Data Protection Board, a new regulatory body to be set up by the government, can impose a penalty of up to Rs 5 billion if non-compliance by a person is found to be significant. The bill proposes six types of penalties for non-compliance, including up to Rs 2.5 billion for failure to take reasonable security safeguards, up to Rs 2 billion for failure to notify the board and affected users in the event of a personal data breach, and up to Rs 2 billion for non-fulfilment of additional obligations related to children. Additionally, it proposes to impose a penalty of Rs 10,000 on individuals providing unverifiable or false information while applying for any document, service, proof of identity or address, or registering a false or frivolous complaint with a data fiduciary or with the board.
Additionally, the government has introduced the concept of ‘consent managers’ in the bill. Citing that it is not always possible to keep track of the instances in which one has given consent to the processing of personal data, the government said that a consent manager platform will enable an individual to have a comprehensive view of her interactions with data fiduciaries and the consent given to them.
Further, the bill provides for significant concessions on cross-border data flows. It proposes that the government will notify countries or territories outside India to which a data fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.
According to the explanatory note, the bill will establish the comprehensive legal framework governing digital personal data protection in India. The bill provides for the processing of digital personal data in a manner that recognises the right of individuals to protect their personal data, societal rights and the need to process personal data for lawful purposes.
MeitY has invited feedback from the public on the draft bill. The submissions will not be disclosed and will be held in a fiduciary capacity, to enable persons submitting feedback to provide the same freely. No public disclosure of the submissions will be made. Feedback on the draft bill may be submitted in a chapter-wise manner by December 17, 2022.
According to Ashwini Vaishnaw, Union Minister of Communications, Electronics and Information Technology and Railways, the focus of the draft Digital Personal Data Protection Bill 2022 is on protecting internet users from online harm and creating a safe and trusted digital ecosystem as India is a digital economy powerhouse today. He added that the language of the bill is simple and straightforward, attempted in the philosophy of women’s empowerment. He informed that consent notices from apps and platforms will now be available to users in all Indian languages. The minister urged all stakeholders to give feedback on the draft bill.
Meanwhile, Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology and Skill Development and Entrepreneurship, said that the proposed Digital Personal Data Protection Bill 2022 simultaneously achieves contradictory objectives that are data protection of citizens, ease of doing business, public interest and national security. He noted that the bill is a modern legislation that is part of a comprehensive framework of laws and rules that include Information Technology (IT) Rules, National Data Governance Framework Policy, and a new Digital India Act, that will be a global standard policy framework to catalyse India Techade and the country’s goal of $1 trillion digital economy. The minister said that extensive consultation and inputs will be sought from all stakeholders in the coming months.