By Ibrahim H Khatri
The draft Digital Personal Data Protection (DPDP) Bill is a simplified successor to the Personal Data Protection Bill, 2019, which also covered non-personal data and imposed criminal penalties for non-compliance. Once cleared by Parliament, this legislation will establish India’s first comprehensive framework for data privacy and protection. The DPDP Bill is designed to complement other regulatory initiatives such as the proposed Digital India Act (DIA), amendments to the Indian Penal Code addressing cyber crimes, and the National Data Governance Policy.
The primary objective of this Bill is to uphold the privacy rights and individual freedoms of people in India. It covers various aspects, including the involved parties, governance frameworks, specific requirements, penalties, and mechanisms for addressing grievances. By empowering individuals and providing them with enhanced control over their personal data, the legislation aims to enable informed choices and ensure the protection of personal information.
According to a previously published Explanatory Note on the MeitY website, the DPDP Bill aligns with the fundamental principles of personal data processing that serve as the foundation for data protection laws in many jurisdictions worldwide. These principles include:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Security
- Accountability
SCOPE OF THE BILL
The proposed DPDP Bill encompasses the processing of digital personal data within India, regardless of whether it is collected online from data principals or collected offline and later digitized. Additionally, the Bill extends its reach to the processing of personal data outside India, specifically in cases involving profiling or offering goods and services to data principals in India. By encompassing both online and offline data collection processes, the DPDP Bill aims to establish a comprehensive regulatory framework that addresses the evolving nature of data processing.
KEY TERMS IN THE BILL
- Data Principal: As per the Bill, “Data Principal” indicates an individual to whom the personal data relates. Where such an individual is a child, their parents or lawful guardians would be considered Data Principal.
- Data Fiduciary and Data Processor: “Data Fiduciary” denotes any person, either alone or in conjunction with others, who determines the purpose and means of processing personal data. On the other hand, a “Data Processor” refers to a person who processes personal data on behalf of a Data Fiduciary.
- Personal data: The term “personal data” encompasses any information relating to an identifiable individual. It includes data that directly or indirectly identifies the person.
- Significant Data Fiduciary (SDF): The central government has the authority to designate any data fiduciary or category of data fiduciaries as a “Significant Data Fiduciary”. This designation takes into consideration factors such as the volume and sensitivity of personal data processed, the potential risk of harm to the Data Principal or electoral democracy, the impact on national sovereignty and security, as well as public order.
KEY FEATURES OF THE BILL
The Bill lacks a clear distinction between personal data and sensitive personal data. It takes a comprehensive approach to safeguarding all personal data, treating them with equal levels of protection, and emphasizing the need for explicit consent when collecting personal data.
- Consent and Notice: The draft Bill permits the processing of personal data for lawful purposes with the consent of the Data Principal, preceded by an itemized notice. Notably, the notice provision applies retrospectively: Data Fiduciaries must, within a reasonable timeframe, provide an itemized notice to Data Principals who gave their consent before the commencement of the Bill. This creates a compliance burden for Data Fiduciaries that already process personal data on the basis of earlier consent, since they must now re-notify those Data Principals to the new standard.
- Deemed consent: The Bill permits the processing of personal data on the basis of deemed consent, under which it groups grounds such as legal obligation, contractual obligation, vital interest, public interest, and legitimate interest. Consolidating these distinct grounds under the label of consent raises a concern: because they are framed as consent, Data Principals may later seek to withdraw it, potentially disrupting processing that rests on a legal or contractual obligation rather than on the individual’s choice. The Bill should instead introduce these as separate lawful bases for processing that are independent of consent, providing more clarity and stability to data processing activities.
- Consent manager: The proposed Bill introduces the concept of a “consent manager” and outlines the requirement for every consent manager to register with the Data Protection Board of India. The registration process is subject to specific conditions, including technical, operational, financial, and other requirements as prescribed. However, the exact qualifications and criteria for consent managers are yet to be determined, leaving some ambiguity in the current draft of the Bill. Defining the qualifications and criteria for consent managers in a transparent and comprehensive manner will be crucial for ensuring the effective implementation of the legislation and maintaining the trust and confidence of data principals.
- Breach notification: In the event of a personal data breach, the Bill obligates Data Fiduciaries and Data Processors to notify the Data Protection Board and each affected Data Principal. This ensures that Data Principals are informed of breaches and can take appropriate steps to protect their interests. However, the Bill currently sets no specific timeframe within which the Board and the affected Data Principals must be notified, leaving the promptness of notification to be determined by later rules.
- Right to data portability: One significant omission in the Bill is the provision for the right to data portability. In today’s landscape of extensive data silos, it is crucial to empower individuals with the ability to extract their relevant data from these silos. Granting individuals the right to data portability not only enhances their control over personal information, but also serves as a measure to mitigate the consolidation of data in the hands of a few entities.
- Right to nominate: A distinctive provision of the Bill enables Data Principals to nominate a representative who can exercise their rights in the event of their incapacity or death. This ensures that the rights of Data Principals continue to be protected in such circumstances and gives sectors that regularly encounter them, such as healthcare and financial services, clear guidance on who may act on the individual’s behalf.
- Personal data of children: The Bill explicitly prohibits the tracking or behavioural monitoring of children, as well as targeted advertising directed at children. While this is a commendable step towards safeguarding the interests of minors, it may require major edtech and gaming organizations catering to children to re-evaluate their business models and marketing strategies. The provision of the Bill mandates obtaining verifiable parental consent before processing the personal data of children. However, further clarification is needed regarding what constitutes verifiable consent.
IMPACT ON INDUSTRY
The proposed Bill marks a significant stride towards digitization. Its liberal approach aims to enhance India’s capacity to attract foreign investment, foster the start-up ecosystem and ease compliance burdens for organizations of all sizes. However, how the central government fills in the Bill’s many open-ended requirements will shape the future of data protection in India. The government has taken a phased approach, beginning with the release of an initial Bill that is expected to be followed by rules and guidelines providing further detail. The frequent use of the phrase “as may be prescribed” indicates that substantial refinements are yet to come.
Large-scale consumer-centric organizations operating in sectors such as technology, telecommunications, healthcare, banking, finance, and e-commerce, which extensively process personal data, are likely to face more stringent obligations. Parameters such as the volume and sensitivity of personal data are explicitly highlighted in the Bill, resulting in heightened responsibilities for these organizations.
The Bill introduces a more flexible approach to cross-border data transfers, allowing Data Fiduciaries to transfer personal data to countries notified by the central government. In addition, the requirement to store personal data exclusively within India has been removed. This brings significant relief to Data Fiduciaries that maintain servers abroad and provides a favourable environment for start-ups by removing the mandatory investment in local storage.
In summary, the draft Bill presents a simplified and innovative approach to general data protection in India. However, it does bring certain challenges and implementation hurdles. These include the absence of sensitivity-based classification, the need for clarity on various provisions, and the extensive powers granted to the Board. Many of these aspects will be further elaborated through rules and regulations introduced by the central government, ensuring a more comprehensive and refined data protection framework.
As a way forward, organizations should be proactive and begin working towards compliance with the obligations set out in the Bill in order to ensure a smooth privacy journey. By acting early and diligently addressing these requirements, organizations can demonstrate their commitment to data protection and privacy, mitigate potential risks, and build trust with their customers.
—The writer is CEO and founder of Privezi Solutions. He has developed data privacy frameworks and operationalized privacy programmes for enterprises