In the digital age, personal data has become an integral aspect of our lives, shaping how we interact, consume, and even perceive the world around us. This transformation has led to an increased focus on safeguarding individuals’ rights and privacy in the realm of data usage and processing. The concept of personal data, its uses, and the regulatory frameworks that govern it have gained paramount significance in this context.
The Digital Personal Data Protection Bill, 2023
What is Personal Data?
- Personal data is information that relates to an identified or identifiable individual.
Why is Personal Data Used/Processed?
- Businesses as well as government entities process personal data for delivery of goods and services.
- Processing of personal data allows understanding preferences of individuals, which may be useful for customisation, targeted advertising, and developing recommendations.
- Processing of personal data may also aid law enforcement.
Unchecked processing may have adverse implications for the privacy of individuals, which has been recognised as a fundamental right. It may subject individuals to harm such as financial loss, loss of reputation, and profiling.
Currently, India does not have a standalone law on data protection. Use of personal data is regulated under the Information Technology (IT) Act, 2000.
Key Features of the Bill
- Personal data is defined as any data about an individual who is identifiable by or in relation to such data.
- Processing has been defined as wholly or partially automated operation or set of operations performed on digital personal data. It includes collection, storage, use, and sharing.
- The Bill applies to the processing of digital personal data within India where such data is: (i) collected online, or (ii) collected offline and is digitised. It will also apply to the processing of personal data outside India if it is for offering goods or services in India.
- Personal data may be processed only for a lawful purpose after obtaining the consent of the individual. A notice must be given before seeking consent.
- The notice should contain details about the personal data to be collected and the purpose of processing.
- Consent may be withdrawn at any point in time.
- Consent will not be required for ‘legitimate uses’ including: (i) specified purpose for which data has been provided by an individual voluntarily, (ii) provision of benefit or service by the government, (iii) medical emergency, and (iv) employment. For individuals below 18 years of age, consent will be provided by the parent or the legal guardian.
- Rights and duties of data principal:
- An individual whose data is being processed (data principal) will have the right to: (i) obtain information about processing, (ii) seek correction and erasure of personal data, (iii) nominate another person to exercise rights in the event of death or incapacity, and (iv) grievance redressal.
- Obligations of data fiduciaries:
- The entity determining the purpose and means of processing (data fiduciary) must: (i) make reasonable efforts to ensure the accuracy and completeness of data, (ii) build reasonable security safeguards to prevent a data breach, (iii) inform the Data Protection Board of India and affected persons in the event of a breach, and (iv) erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes (storage limitation). In case of government entities, storage limitation and the right of the data principal to erasure will not apply.
- Transfer of personal data outside India:
- The Bill allows transfer of personal data outside India, except to countries restricted by the central government through notification.
- Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases. These include: (i) prevention and investigation of offences, and (ii) enforcement of legal rights or claims. The central government may, by notification, exempt certain activities from the application of the Bill. These include: (i) processing by government entities in the interest of the security of the state and public order, and (ii) research, archiving, or statistical purposes.
- Data Protection Board of India:
- The central government will establish the Data Protection Board of India. Key functions of the Board include: (i) monitoring compliance and imposing penalties, (ii) directing data fiduciaries to take necessary measures in the event of a data breach, and (iii) hearing grievances made by affected persons. Board members will be appointed for two years and will be eligible for re-appointment. The central government will prescribe details such as the number of members of the Board and the selection process. Appeals against the decisions of the Board will lie with TDSAT.
- The schedule to the Bill specifies penalties for various offences, such as: (i) up to Rs 200 crore for non-fulfilment of obligations for children, and (ii) up to Rs 250 crore for failure to take security measures to prevent data breaches. Penalties will be imposed by the Board after conducting an inquiry.
Some issues in the legislative proposal:
- Undermining the Right to Information
- The DPDP Bill 2023 suggests replacing Section 8(1)(j) with just “information which relates to personal information”.
- This will undermine the RTI 2005. To give just one example, the current requirement for public servants (including judges, and Indian Administrative Service officers) to disclose their immovable assets will likely be off limits. This is indeed “information related to personal information”, but it serves a larger public interest (for example, to identify public servants with disproportionate assets).
- Exemptions to the State may have adverse implications for privacy
- The Bill may enable unchecked data processing by the State, which may violate the right to privacy.
- Whether overriding consent for purposes such as benefit, subsidy, license, and certificates is appropriate
- The Bill does not regulate harm arising from processing of personal data
- Right to data portability and the right to be forgotten not provided
- The right to data portability allows data principals to obtain and transfer their data from data fiduciary for their own use, in a structured, commonly used, and machine-readable format. It gives the data principal greater control over their data.
- The right to be forgotten refers to the right of individuals to limit the disclosure of their personal data on the internet.
- The Bill provides that the central government may restrict the transfer of personal data to certain countries through a notification.
- The Bill provides that members of the Data Protection Board of India will function as an independent body.
- Provisions related to children
- Definition of child different from other jurisdictions
- Taking verifiable parental consent may require verification of everyone’s age on digital platforms
- Lack of clarity on what is detrimental to the well-being of a child
As the landscape of data usage and digital interaction continues to evolve, it is imperative for India to establish a forward-looking and adaptable data protection framework that safeguards individual privacy, promotes innovation, and supports responsible data practices. Building upon the proposed Data Protection Bill, there are several crucial steps and considerations that can pave the way for a comprehensive and effective legislative approach:
- Comprehensive Definitions and Scope: Further refine and clarify the definitions of key terms such as “personal data,” “processing,” and “legitimate uses” to prevent ambiguity and provide a solid foundation for the law’s implementation. Consider international best practices to ensure alignment with global data protection standards.
- Strengthen Consent Mechanisms: Enhance the provisions related to obtaining and managing consent. Ensure that individuals have clear and informed choices about the use of their data. Develop user-friendly methods for obtaining and managing consent, particularly in the context of online interactions.
- Balancing Exemptions: While exemptions are necessary for specific situations, carefully delineate the scope and conditions under which they apply. Strike a balance between safeguarding individual rights and enabling the State and other entities to perform necessary functions for public welfare and security.
- Addressing Data-Related Harms: Introduce provisions that explicitly address the potential harms arising from the processing of personal data. Establish mechanisms for individuals to seek redressal and compensation in case of data breaches, unauthorized sharing, or misuse of personal information.
- International Data Transfers: Refine provisions related to the transfer of personal data outside India. Ensure that any transfer of data is subject to robust safeguards and conditions, especially when dealing with countries lacking adequate data protection regulations.
By embracing these steps and considerations, India can lay the foundation for comprehensive and adaptive data protection legislation that safeguards individual rights while enabling the responsible and innovative use of data for the benefit of society and the digital economy.