In early August, the Ministry of Electronics and Information Technology (MeitY) had withdrawn the Personal Data Protection Bill 2019, indicating that another comprehensive Bill would be subsequently released. On November 18, MeitY released the draft Digital Personal Data Protection Bill 2022 for public consultation.
At first glance, the 2022 Bill appears to be a more pruned-down version of its predecessors. While the earlier drafts of the data protection Bill released in 2018 and 2019 were more extensive, this Bill primarily identifies broad governing principles, and leaves several granular and procedural aspects to be legislated by way of subsequent rules. Further, illustrations have been used to elucidate certain key provisions of the Bill.
In a major digression from the earlier drafts of the data protection Bills, the 2022 Bill does not make a distinction between personal data and sensitive/critical personal data, and focuses on the broader set of personal data. The recommendation of the Joint Parliamentary Committee to include non-personal data within the ambit of this legislation has also not been accepted. This can be considered a better approach, as regulating personal data and non-personal data under one legislation may not be effective, and is also not an approach adopted internationally.
Several features of the Bill, especially the eased data localisation norms, appear to be business-friendly. Transfer-related processes have been somewhat simplified under the Bill, allowing personal data to be transferred to select pre-approved cross-border jurisdictions. As expected, constitution of a dedicated data protection authority, namely the Data Protection Board of India, has been envisioned for the first time.
The Bill has introduced provisions to curtail targeted advertisements directed at children, and their profiling. Further, it also intends to enhance compliance obligations on entities (to be classified as significant data fiduciaries based on certain parameters). Such obligations include appointment of a data protection officer, based in India, as the point of contact for grievance redress.
All entities are required to furnish a notice to individuals prior to obtaining their consent, describing the nature of personal data being collected from them, and its purpose. Such notice will have to be made available in English or any local Indian language specified under the Eighth Schedule to the Constitution. Individuals also have the right to readily available means to register their grievances with entities. In case individuals are not satisfied with the response received from the entity, or if they receive no response within seven days or such other shorter prescribed period, they may register a complaint with the board. As a unique feature, this Bill provides for duties of individuals, along with their rights. Personal data breaches would also be required to be notified to the affected individuals.
The Bill provides for high financial penalties for failing to protect personal data of individuals, which can go up to Rs 500 crore for significant contraventions. Keeping in mind the Government of India’s objective of enabling a safe online environment for individuals, it appears that these penalties have been prescribed as a deterrent. That being said, certain provisions of the Bill could be made more robust.
Considering the legislative journey thus far, the proposal of this Bill is certainly a progressive step for a country that continues to have a nascent set of data protection laws. Although the Bill may, in its current form, lack detailing and certain gold standard clauses, public deliberations on the same and consultation processes may yield a more comprehensive data protection framework that meets global standards. A lucid, balanced and forward-looking law will certainly aid India’s digital journey, while protecting privacy rights of individuals.
Haigreve Khaitan is Senior Partner, and Supratim Chakraborty is Partner, Khaitan & Co. Views are personal, and do not represent the stand of this publication.