2022 marks five years since Justice K. S. Puttaswamy (Retd.) and Anr. vs Union of India, a landmark case decided by the Hon’ble Supreme Court of India. The judgment given by the Bench gave a new perspective to the Right to Privacy of citizens. It held that the Right to Privacy is a Fundamental Right under Articles 14, 19 and 21 of the Indian Constitution.
Since its recognition, we have introduced three versions of the data protection bill. Along the way, the bill has drifted from the core motive for which it was introduced. Initially the bill was meant to advance the privacy and dignity of the citizens, but right now it has failed to provide both substantive and procedural justice to India’s “digital nagriks.”
What are the Key Features of the Digital Personal Data Protection Bill?
Data Principal and Data Fiduciary:
Data Principal refers to the individual whose data is being collected. In the case of children (<18 years), their parents/lawful guardians will be considered their “Data Principals”.
Data Fiduciary is the entity (individual, company, firm, state, etc.) which decides the “purpose and means of the processing of an individual’s personal data”.
Personal Data is “any data by which an individual can be identified”, while processing means “the entire cycle of operations that can be carried out in respect of personal data”.
Significant Data Fiduciary:
Significant Data Fiduciaries are those who deal with a high volume of personal data. The Central government will define who is designated under this category based on a number of factors. Such entities will have to appoint a ‘Data protection officer’ and an independent Data Auditor.
Rights of Individuals:
Access to Information: The bill ensures that individuals should be able to “access basic information” in languages specified in the eighth schedule of the Indian Constitution.
Right to Consent:
Individuals need to give consent before their data is processed and “every individual should know what items of personal data a Data Fiduciary wants to collect and the purpose of such collection and further processing”. Individuals also have the right to withdraw consent from a Data Fiduciary.
Right to Erase:
Data principals will have the right to demand the erasure and correction of data collected by the data fiduciary.
Right to Nominate:
Data principals will also have the right to nominate an individual who will exercise these rights in the event of their death or incapacity.
Data Protection Board:
The Bill also proposes to set up a Data Protection Board to ensure compliance with the Bill. In case of an unsatisfactory response from the Data Fiduciary, the consumers can file a complaint to the Data Protection Board.
Cross-border Data Transfer:
The bill allows for cross-border storage and transfer of data to “certain notified countries and territories” provided they have a suitable data security landscape, and the Government can access data of Indians from there.
For Data Fiduciary: The bill proposes to impose significant penalties on businesses that suffer data breaches or fail to notify users when breaches happen. The penalties will range from Rs. 50 crores to Rs. 500 crores.
For Data Principal: If a user submits false documents while signing up for an online service, or files frivolous grievance complaints, the user could be fined up to Rs 10,000.
The government can exempt certain businesses from adhering to provisions of the bill on the basis of the number of users and the volume of personal data processed by the entity. This has been done keeping in mind startups of the country who had complained that the Personal Data Protection Bill, 2019 was too “compliance intensive”. National security-related exemptions, similar to the previous 2019 version, have been kept intact.
The Centre has been empowered to exempt its agencies from adhering to provisions of the Bill in the interest of sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognisable offence.
Concerns related to the bill
The Digital Personal Data Protection Bill 2022 allows for cross-border storage and transfer of data to “certain notified countries and territories” provided they have a suitable data security landscape, and the Government can access data of Indians from there. It can be said that the bill appears to have completely ignored the Supreme Court ruling in the Puttaswamy judgement. Not only has the bill outlined conditions under which it may intervene upon an individual’s privacy, but it has also prescribed certain limitations on the State, which ultimately advanced protection of data and informational privacy. However, the bill replicates the wide and vague exemptions provided to the State in its previous iterations, without meeting the standards of suitability, necessity, and proportionality established in the judgment.
Clauses 8(6), (7), & (8) state that consent of a Data Principal will be “deemed” in certain situations, including for the maintenance of public order, for purposes related to employment, and in the public interest, opening the door to wide and vague interpretation. Deemed consent has been criticised because the criteria for what constitutes deemed consent are broad and vague, allowing the processing of personal data without consent for a variety of reasons.
The 2022 Bill replaces the Data Protection Authority with a body called the Data Protection Board of India, which will be appointed by the central government. The rules the Board and its members must follow will largely be dictated by the central government, thus leading to questions about its independence and effectiveness.
Like previous versions, the 2022 Bill also allows the government to exempt any of its entities from certain or all provisions of the Bill on grounds such as national security, public order, etc. Additionally, the government is allowed to retain personal data for an unlimited amount of time.
The earlier Bill had sensitive and critical personal data as subsets of personal data that were subject to more safeguards. This Bill does away with such classifications.