THE DIGITAL PERSONAL DATA PROTECTION BILL 2022 - An Analysis
MeitY has significantly altered the framework of DPDPB compared to the PDPB 2019, though there are important aspects that MeitY has sidestepped.
Meanwhile, one of the most concerning issues with DPDPB is that its provisions lay down only a basic framework for data protection and privacy, leaving it largely to the Central Government to assess and notify further protections at a later stage, as and when deemed necessary. This not only widens the reach of governmental discretion but also fails to secure adequate protection of the fundamental right to privacy and data protection.
This paper provides an overview of the provisions of DPDPB and analyses its impact.
Key Definitions
Before looking into the intricacies of DPDPB and examining its applicability and exceptions, it is pertinent to note the definitions of certain key terms:
- Data: Data is defined as a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means.
- Personal Data: It is defined as Data about an individual who is identifiable by or in relation to such data. Thus, not only Data that directly identifies an individual, but also Data which “relates to” or concerns an individual in some manner, will be classified as Personal Data. It is interesting to note that the definition of Personal Data is not restricted to factual information about an individual but covers ‘opinions’ and ‘inferences’ as well, if the individual can be identified from such data, either directly or indirectly.
- Data Principal: The individual to whom the Personal Data relates is called the “Data Principal”. In the case of a child, i.e., an individual who is below 18 years of age, the parents or lawful guardian of the child are also regarded as Data Principals. Thus, a child’s Personal Data may be shared by the parents or lawful guardian on the child’s behalf.
- Data Fiduciary: Any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data is a “Data Fiduciary”. Impliedly, in respect of a particular set of Personal Data there can be more than one Data Fiduciary, i.e., where more than one person decides the purpose and means of processing of Personal Data. This is similar to the concept of a “Data Controller” (and of joint controllers) under the General Data Protection Regulation (“GDPR”), though the concept of joint fiduciaries is not elaborated under DPDPB.
- Processing: It means an automated operation or set of operations performed on Personal Data, and may include operations such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction. To simplify, it refers to one or more operations on Personal Data that are automated through the use of computers and computer software.
- the personal data provided to the data fiduciary;
- the data which was generated in the course of provision of services or use of goods by the data fiduciary; and
- the data which forms part of any profile on the data principal or which the data fiduciary has otherwise obtained, in a structured, commonly used and machine-readable format.
- password;
- financial information such as bank account or credit card or debit card or other payment instrument details;
- physical, physiological and mental health condition;
- sexual orientation;
- medical records and history; and
- biometric information;
- Informed Consent: DPDPB states that consent[1] given by the Data Principal should be free, specific, informed and unambiguous, and such consent should be given by a clear affirmative action which signifies agreement to the processing of personal data for a specified purpose. Further, for consent to be given under Section 7, the Data Fiduciary must give a notice[2] to the Data Principal. The said notice has to be itemized and must contain, in clear and plain language, (i) a description of the data sought; and (ii) the purpose for processing such data. By focusing on informed consent, DPDPB aims to fill the existing void of information asymmetry, where previously the Data Principal may not have been aware of the extent to which her personal data was being used or processed. There is a further requirement of furnishing the contact details of a Data Protection Officer or an authorized person of the Data Fiduciary[3] as part of the notice. This reflects the legislature’s intent to ensure transparency and empower the Data Principal by providing a convenient and readily available grievance redressal mechanism. While DPDPB lays down detailed parameters for express consent, there is no guidance on what would constitute free, specific, informed and unambiguous consent, nor any precise definitions thereof. Further, DPDPB fails to enumerate what is “clear and plain language” in a notice. The parameters governing express consent are therefore subjective and overly broad.
- Right to Withdraw Consent: DPDPB allows the Data Principal to withdraw her consent at any time[4]. It further mandates the Data Fiduciary to ensure that the process for withdrawal is as easy as the one for giving consent. This ensures that there are no complicated or long procedural requirements for withdrawal of consent by the Data Principal.
- Effect of Withdrawal of Consent: On withdrawal of consent for processing of personal data by the Data Principal, the Data Fiduciary and its Data Processors must cease processing the personal data of the Data Principal. This must be done within a reasonable period[5]. DPDPB does not define or provide any contours for what would constitute a “reasonable period”, so it will be interesting to see how this provision is interpreted, especially for Significant Data Fiduciaries (“SDF”) handling and processing large volumes of personal data.
- Role of a Consent Manager: For the purpose of managing the “consent” of the Data Principal, DPDPB envisages that a Data Fiduciary may engage the services of a “consent manager”, an entity that must register itself with the Data Protection Board of India (“Board”), the regulatory body being created under DPDPB. A consent manager is accountable to the Data Principal and acts on her behalf to give, manage, review or withdraw consent[6]. Under DPDPB, a consent manager is also deemed to be a Data Fiduciary.
- Burden of Proof on Data Fiduciary: In any proceedings for non-compliance with provisions of DPDPB, the onus of proof is on the Data Fiduciary to demonstrate that (a) a notice was given by it to the Data Principal; and (b) consent was obtained in accordance with provisions of DPDPB.
- For the performance of any laws, or the provision of any service or benefit to the Data Principal, or the issuance of any certificate, license, or permit for any action or activity of the Data Principal, by the State or any instrumentality of the State;
- Compliance with any judgment or order issued under law;
- Taking measures to ensure medical treatment and ensure safety in case of threat to life or immediate threat to the health of any individual during an epidemic or any other threat to public health;
- In the interests of the general public, such as prevention of fraud, network and information security, credit scoring, debt recovery, and in the case of mergers, acquisitions or any other similar combination or corporate restructuring;
- For any fair and reasonable purpose, after considering any public interest in such processing, whether the legitimate interests for such processing outweigh any adverse effect on the rights of the Data Principal, and the reasonable expectations of the Data Principal; and
- For purposes related to employment, including maintenance of confidentiality of intellectual property, recruitment, termination of employment, etc.
- the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal;
- the obligations of data fiduciaries;
- the technology used in the processing of personal data which has to be in accordance with commercially accepted or certified standards;
- how the legitimate interests of businesses including any innovation is achieved without compromising privacy interests;
- the protection of privacy throughout processing from the point of collection to deletion of personal data;
- the processing of personal data in a transparent manner; and
- the interest of the data principal is accounted for at every stage of processing of personal data.
- make reasonable efforts to maintain accuracy and completeness of the Personal Data processed when it is likely to be used for making decisions that affect the Data Principal, or it may be disclosed to another Data Fiduciary;
- implement appropriate technical and organizational measures for compliance with DPDPB;
- take reasonable security safeguards to protect Personal Data and prevent Personal Data breach, failing which could entail a penalty up to INR 250 Crore;
- notify incidents of Personal Data breach[8] to the Board, as well as the affected Data Principal, failing which could entail a penalty up to INR 200 Crore;
- cease to retain Personal Data, or remove the means to identify the Personal Data, as soon as the purpose for its collection is completed and the data is no longer required for any legal or business purposes. It must be noted that DPDPB does not define ‘business purposes’, and the term can be used by Data Fiduciaries to retain data longer than required, negating the effectiveness of this obligation;
- publish contact information of a grievance redressal officer who can answer the Data Principals’ queries with respect to their Personal Data; and
- effect mechanism for grievance redressal for Data Principals.
- Power akin to a regulator: The Board has to perform the functions of determining non-compliance and imposing penalties[14], and is to be guided by the principles of natural justice[15]. The Board further has the power to direct a Data Fiduciary to adopt urgent measures, in cases where there is a breach of personal data, to mitigate harm or remedy the personal data breach[16].
- Complaints/ Reference made to the Board: Section 21 of DPDPB empowers the Board to take action based on (i) a complaint made to it by an affected person; (ii) reference made by the Central or State Government; (iii) directions of any court; or (iv) breach of duty by the Data Principal[17].
- Excessive discretion with the Board: Based on a determination as to a non-compliance being significant or non-significant[22], the Board may impose a financial penalty. DPDPB lays down no basis to come to the determination on what is a “significant” non-compliance and such a vacuum may give rise to the claim that the Board has broad and unfettered discretion.
- Provision of Voluntary Undertaking: The Board has discretionary power to accept a voluntary undertaking with respect to matters related to non-compliance. On acceptance of a voluntary undertaking, there shall be a bar on proceedings to the extent of the undertaking. Such a provision allows those who are non-compliant with DPDPB to avoid hefty penalties by curing the non-compliance.
- (i) Situations which fall within the category of Deemed Consent[26].
- (ii) Additional Obligations in relation to processing of personal data of children[27].
- (iii) Additional Obligations of SDF to undertake Data Protection Impact Assessment[28].
- (iv) Data Principal’s Right to information about personal data from Data Fiduciary[29].
- (v) Data Principal’s right to correction and erasure of personal data[30].
- (vi) Transfer of Personal data outside India[31].