DIGITAL PERSONAL DATA PROTECTION BILL, 2022 & ITS INTERPLAY WITH GENERAL DATA PROTECTION REGULATION
Author: Palak Jain, III year of B.A.,LL.B(Hons.) from Manipal University Jaipur.
The Personal Data Protection Bill, 2019, was the Government of India's first foray into data protection law. That Bill has since been withdrawn, and the Ministry of Electronics and Information Technology (MeitY) has released a new Digital Personal Data Protection Bill, 2022 (the DPDP Bill). The new Bill deals solely with digital personal data, and its two central aims are to balance the individual's rights in their personal data against the economic need to process that data. The DPDP Bill includes provisions on the lawful use of personal data, limits on the collection of personal data, and so on.
Industry reaction to the Bill has been mixed. Some have criticised it for relaxing the stringent processing and data localisation requirements of earlier drafts, while others have praised its simple layout and intuitive approach to data handling. Since Europe's General Data Protection Regulation (GDPR) is widely regarded as the gold standard among data protection laws, it is worth measuring the DPDP Bill against it.
Article 1 of the GDPR states the legislative objective behind the regulation: it lays down rules for the protection of natural persons with regard to the processing of personal data, and rules relating to the free movement of personal data. The DPDP Bill, by comparison, sets out to regulate the processing of "digital" personal data in a manner that recognises both the individual's right to privacy and the need to process personal data for lawful purposes.
Categorization of Data
Beyond the general category of "personal data", the GDPR (Article 9) defines "special categories" of data whose processing is subject to stricter conditions: genetic and biometric data, data on health, sex life or sexual orientation, and data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. The DPDP Bill, by contrast, drops the "sensitive" and "critical" personal data classifications that appeared in earlier versions of the Bill and recognises only a single regulated category of personal data. Furthermore, only "digital" personal data falls within its scope; Clause 4 of the DPDP Bill sets out and justifies this limitation. Thus, while the two laws appear to share similar goals at first glance, closer inspection reveals significant differences.
Processing of Children’s Data
The GDPR takes a graded approach to the consent required for processing children's personal data: the age of digital consent is 16 by default, and Member States may lower it to as little as 13. Where parental consent is required, it is the obligation of the organisation obtaining it to make reasonable efforts to verify that the parent or guardian actually gave that consent. The DPDP Bill, like its predecessors, fixes the age of valid consent at 18 and does not adopt the graded approach used widely around the world. A further point of difference is that, where an entity obtains parental consent to process a child's data, that consent must be "verifiable parental consent" in a manner to be prescribed under future rules.
Fundamental Principles Guiding Processing of Personal Data
Article 5 of the GDPR expressly sets out the principles governing the processing of personal data: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. The DPDP Bill contains no express statement of any such principles. The same principles are, however, emphasised in the Explanatory Note accompanying the Bill, which itself makes clear that it is not part of the Bill. Since the principles are not contained in the Bill, it is unclear how binding they would be.
Non-automated Processing of Personal Data
The DPDP Bill applies to the processing of digital personal data, including personal data collected offline and subsequently digitised. In essence, if personal data is recorded, maintained or registered in electronic form, it falls within the Bill regardless of whether it is retrievable by particular criteria or by automated means (the GDPR's "filing system" concept). At the same time, the Bill expressly excludes non-automated processing of personal data from its scope. This raises the question of whether manual processing of digital personal data is caught by the Bill at all, and therefore what compliance burden Data Fiduciaries bear in the case of "non-automated processing of digital personal data."
Data Localization and Cross Border Flow
The 2021 Bill's stringent data localisation rules and its onerous cross-border transfer procedure attracted considerable controversy. In the 2022 Bill, the government has sought to address industry concerns. First, since the Bill no longer categorises personal data, the transfer requirements are uniform and apply to all digital personal data. Second, the Bill makes no mention of data localisation. It merely provides that the Central Government may, after assessing such factors as it considers necessary, notify the countries or territories outside India to which a Data Fiduciary may transfer personal data, subject to such terms and conditions as may be specified.
Chapter V of the GDPR lays down a detailed framework for cross-border data transfers, implemented through adequacy decisions, binding corporate rules, standard contractual clauses, and a set of derogations for specific situations. The DPDP Bill, on the other hand, leaves cross-border transfer open-ended and undefined. The notion of data localisation that ran through the earlier drafts is absent altogether. Personal data may now be transferred "freely" to "trusted" jurisdictions that will be notified at a later date.
Undoubtedly the devil is in the details, but for now the government has chosen to leave the requirements to delegated legislation. The approach appears broadly similar to the GDPR's adequacy mechanism. The Explanatory Note to the DPDP Bill also states that the "Government recognizes the importance of cross-border data transfers for a globalised economy" and that no unduly onerous compliance requirement is intended to be imposed as a result.
"Legitimate Interest" Recast as "Deemed Consent", and Consent Managers
"Deemed consent" is not a term in common use in privacy law in other jurisdictions. On closer examination, however, the substance of the provision resembles the "legitimate interest" and "reasonable grounds" bases for processing found elsewhere. Clause 8(9) of the 2022 Bill allows the government to extend the provision to any fair and reasonable purpose it may prescribe, taking into account (a) whether the legitimate interests of the Data Fiduciary in processing for that purpose outweigh any adverse effect on the rights of the Data Principal; (b) any public interest in processing for that purpose; and (c) the reasonable expectations of the Data Principal having regard to the context of the processing.
It should be noted that consent is deemed to have been given only where the Data Principal voluntarily provides her personal data and can reasonably be expected to do so, or where the processing is necessary for the performance of a function under law, for a medical emergency, or for a public interest purpose (the Bill provides an inclusive list of what "public interest" covers). From a Data Fiduciary's perspective, the provision would undoubtedly make the consent process much simpler.
The DPDP Bill also introduces the designation of "Significant Data Fiduciary", for which the GDPR has no equivalent. Compared with other Data Fiduciaries, these entities carry additional obligations, including appointing a Data Protection Officer, engaging an independent data auditor, and conducting periodic Data Protection Impact Assessments. (The GDPR does impose DPO and DPIA obligations under Articles 37 and 35, but it attaches them to the nature of the processing rather than to a tiered designation of the controller.)
Where consent is relied upon, it must be freely given (ideally meeting the requirements of "free consent" under Section 14 of the Indian Contract Act, 1872), specific, informed and unambiguous, and must be an indication by which the Data Principal signifies her agreement to the processing of her personal data for the specified purpose.
Adopting and refining the principle in Article 7(4) of the GDPR, the 2022 Bill provides that the performance of a contract between a Data Fiduciary and a Data Principal shall not be made conditional on consent to the processing of personal data that is not necessary for that purpose. A welcome addition in this version of the Bill is that, whenever the Data Principal withdraws her consent, the Data Fiduciary must cease, and cause its Data Processors to cease, processing that Data Principal's personal data within a reasonable time.
The DPDP Bill also introduces third-party "Consent Managers", who would act as an intermediary between the Data Principal and the Data Fiduciary. Through these interoperable platforms, the Data Principal would be able to give, manage, review and withdraw her consent to a Data Fiduciary. Every Consent Manager must be registered with the Data Protection Board, and further requirements for them will be set by delegated legislation. The GDPR, by contrast, does not provide for any such third-party intermediary.
Data Breach Notification
Under the GDPR, a personal data breach must be communicated to the affected data subjects only where it is likely to result in a high risk to their rights and freedoms (Article 34); notification to the supervisory authority, within 72 hours where feasible, is separately required unless the breach is unlikely to result in any risk (Article 33). Not every breach, therefore, needs to be notified to individuals. The DPDP Bill takes a stricter stance: every personal data breach must be notified to the Data Protection Board and to each affected Data Principal, regardless of its consequences, in such form and manner as may later be prescribed.
Itemized Notice requirement and Penalties on Non-Compliance
Under Clause 6 of the 2022 Bill, the Data Fiduciary must give the Data Principal an "itemised notice", with the option of accessing it in English or any of the 22 languages listed in the Eighth Schedule of the Constitution of India. The notice must contain an itemised description of each item of personal data the Data Fiduciary seeks to collect and the purpose for which it will be processed. The requirement also applies to consent obtained before the Act commences, so Data Fiduciaries will need to revisit their entire consent-gathering process.
Given international developments in the privacy field and the penalties it imposes on Data Fiduciaries, the 2022 Bill clearly places a high priority on consent and notice requirements. Under Clause 7(9) of the Bill, the burden is on the Data Fiduciary to prove that notice was given and consent obtained in accordance with the law.
The GDPR sets out its fines in Article 83, calibrated to the size of the organisation, the gravity and impact of the non-compliance, and other factors. The DPDP Bill, by contrast, caps the penalty for any single instance of non-compliance at INR 500 crore, and Schedule 1 of the Bill specifies separate penalties for different categories of non-compliance.
Roadmap for implementation
Unlike its predecessor, the DPDP Bill does not set a timeframe for implementing its various provisions should it be enacted. It says only that "it shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint. Different dates may be appointed for different provisions of this Act." Whereas the GDPR became applicable in full after a two-year transition period, the DPDP Bill would be brought into force in stages, with different provisions commencing on different dates. In addition, the DPDP Bill requires a Data Fiduciary to respond to a Data Principal's grievance within seven days, in contrast to the GDPR, which allows a controller one month to act on a data subject's request, extendable by a further two months where requests are complex or numerous.
The comparison above amply demonstrates the close relationship between the data protection concepts embedded in the two texts. The DPDP Bill proposes a more business-friendly personal data protection regime for India than its forerunners. The comparative analysis also shows that, even after such simplification, international data protection standards are largely met and, in some respects, improved upon. At a time when India is about to get its first data protection law, the DPDP Bill appears to be a commendable effort on the part of the legislature. The ultimate viability of the regime, however, will depend on how well the Central Government applies sound principles of administrative law in discharging the wide rule-making powers delegated to it.