New Data Protection Bill Is Here: Up To Rs 500 Crore Penalty For Non-Compliance And Other Highlights

Non-personal anonymised data is proposed to be out of the purview of the Bill.

<div class="paragraphs"><p>Source:&nbsp;<a href=";utm_medium=referral&amp;utm_content=creditCopyText">Shahadat Rahman</a> on <a href=";utm_medium=referral&amp;utm_content=creditCopyText">Unsplash</a></p></div>
Source: Shahadat Rahman on Unsplash

The Digital Personal Data Protection Bill, 2022, has been made public by the government. As the name suggests, the bill will govern personal data, and not non-personal anonymised data. This is in line with the Justice BN Srikrishna committee's recommendations and a deviation from what the Joint Parliamentary Committee had proposed.

The bill uses the term 'Data Fiduciary' for any person who determines the purpose and means of processing personal data. Users are referred to as 'Data Principal' i.e. the individual to whom the personal data relates.

Here are the top five proposals in the newest version of the Bill released on Friday-

What Data Is Covered?

The law is supposed to be applied to the processing of digital personal data within India where:

  • Personal data is collected from Data Principals online; and

  • Personal data collected offline is digitised.

The provisions will apply outside India if processing — profiling for instance — of data concerning data principals in India is done. Profiling means any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a data principal

Persona data will include any data about an individual who is identifiable by or in relation to such data.

What Is Not Covered

The proposed law excludes from its scope:

  • Non-automated processing of personal data.

  • Offline personal data.

  • Personal data processed by an individual for any personal or domestic purpose.

  • Personal data about an individual that is contained in a record that has been in existence for at least 100 years.

Dealing With Children's Personal Data

Before processing any personal data of a child, the Data Fiduciary will have to obtain verifiable parental consent. Processing personal data that is likely to cause harm to a child, as may be prescribed, is barred. Tracking or behavioral monitoring of children or targeted advertising directed at children is proposed to be disallowed.

Significant Data Fiduciary: Obligations

As per the bill, any Data Fiduciary can be categorised as SDF based on-

  • Volume and sensitivity of personal data processed.

  • Risk of harm to the Data Principal.

  • Potential impact on the sovereignty and integrity of India.

  • Risk to electoral democracy.

  • Security of the State.

  • Public order.

  • Other necessary factors.

SDFs will be required to appoint a Data Protection Officer based in India. The DPO should report to the Board of Directors or similar governing body of the Significant Data Fiduciary. This individual shall be the point of contact for the grievance redressal mechanism

The SDF will also be required to appoint an Independent Data Auditor who shall evaluate the compliance of the Significant Data Fiduciary with provisions of the data protection law. They'll also be required to undertake measures such as Data Protection Impact Assessment and periodic audit to ensure the objectives of the law are met.

Such an assessment will include a process comprising description, purpose, assessment of harm, measures for managing risk of harm and such other matters with respect to processing of personal data, as may be prescribed

Data Localisation 

The bill proposes that Data Fiduciary may transfer personal data to countries notified by the central government.

To recap, the JPC had recommended the central government take steps to ensure that a mirror copy of the sensitive and critical personal data must be mandatorily stored in India. This was along the lines of the Justice Srikrishna committee's report. The JPC has also suggested the formulation of a policy on data localisation. On government surveillance over the data stored, it must strictly be based on necessity, the JPC had said.

State Exemption

The bill has proposed several obligations that data fiduciaries will need to fulfill. For instance- seek consent via prior notice for collecting and processing personal data, cease to retain personal data once the purpose is fulfilled or it's no longer necessary for legal or business purposes.

The bill also gives data principals several rights- right to information about personal data, right to correction and erasure of personal data, right of grievance redressal etc.

The government has proposed several exemptions from all these obligations in certain situations, where-

  • The processing of personal data is necessary for enforcing any legal right or claim

  • Processing of personal data by any court or tribunal or any other body in India is necessary for the performance of any judicial or quasi-judicial function

  • Personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence

  • Personal data of Data Principals not in India is processed as a result of a contract entered into with any person outside India by any person based in India

More importantly, the bill gives the central government the power to exempt any state agency from the purview of the law.

Exemption will apply to processing of personal data "by any instrumentality of the state in the interests of sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognisable offence relating to any of these".

Data Protection Board

The Data Protection Board of India is proposed to be established under the bill. Curiously, the strength and composition of the board under the bill has been left to delegated legislation.

"The process of selection, terms and conditions of appointment and service, and removal of its chairperson and other members shall be such as may be prescribed", the bill says.

The DPA will be allowed to levy a penalty of up to Rs 500 crore for non-compliance.