India’s Digital Personal Data Protection Bill, 2023: A Step Forward But Miles To Go

~Authored by Satya Rai with guidance from TB

After a long wait, the Digital Personal Data Protection Bill, 2023 (“DPDP”) has finally seen the light of day.

Before we look into DPDP, I think it's fair to first compare it with the Personal Data Protection Bill, 2019 (“PDP”). While both pieces of legislation aim to protect the personal data of individuals in India, there are some key differences between the two bills. Here is a table that summarises the differences:

Feature                              | DPDP                                                                              | PDP
-------------------------------------|-----------------------------------------------------------------------------------|------------------------------------------------
Scope of application                 | All personal data collected, processed, or stored in India                        | Personal data collected from Indian residents
Grounds for processing personal data | Consent, contract, legal obligation, vital interests, and legitimate interests    | Consent, contract, legal obligation, and vital interests
Rights of data subjects              | Access, correction, erasure, objection, and portability                           | Access, correction, erasure, objection
Data protection authority            | Data Protection Authority of India (DPAI)                                         | Data Protection Authority (DPA)
Cross-border data transfers          | Allowed to countries with adequate data protection laws                           | Not allowed unless the data subject consents
Enforcement                          | Criminal penalties for non-compliance                                             | No criminal penalties for non-compliance

If you have read this far, let us delve deeper into the DPDP Bill to better understand the law:

Scope and Coverage on Digital Personal Data

The Act applies to the processing of digital personal data within the territory of India, where such data is either collected in digital form or collected in non-digital form and later converted into digital form.

The Act also applies to the processing of personal data outside the territory of India if it relates to offering goods or services to persons inside the territory of India.

The Act provides that it does not apply to data that is made public by the individual herself; for example, if I share my personal data publicly on social media.

Consent and Disclosure Requirements for Data Fiduciaries Under the Act

A Data Fiduciary is any entity that decides, on its own or together with a data provider, what personal data will be used for and how it will be used. A Data Principal is the individual whose personal data is sought to be processed.

The data of the Data Principal can be processed, once consent is provided by the Data Principal, for lawful purposes and legitimate uses in accordance with this Act. Before accessing the Data Principal’s data, her consent is required, and the request for consent must be accompanied by a notice informing her of the purpose for which the data will be processed and the manner in which she can exercise her rights or make a complaint to the Board.

Where data is already being processed before the commencement of the Act, the Data Fiduciary shall give a notice containing all of the above particulars.

Requirements and Scope of Data Principal’s Consent Under the Act

The Data Principal’s consent should be informed, unconditional and unambiguous, and it is limited to the personal data needed for the specified purpose. If any part of this consent infringes the provisions of this Act, the rules made under it, or any other law for the time being in force, the consent is invalid to the extent of the infringement. So the Act allows for severability to the extent of infringement.

The Data Principal can withdraw this consent at any time. However, withdrawal does not affect the legality of processing carried out on the basis of that consent before it was withdrawn.

Consent can be given, managed, reviewed or withdrawn by the Data Principal through a consent manager, who is accountable to the Data Principal and acts on her behalf in the manner, and subject to the obligations, that may be prescribed.

Permitted Processing of Personal Data Without Explicit Consent Under the Act

This is the controversial section, earlier known as “deemed consent” and now renamed “certain legitimate uses”. While Data Fiduciaries can only rely on it on certain specific grounds, the grounds on which the government may use data remain very wide. However, the Bill has done away with the earlier, notorious “public interest” and “fair and reasonable use” criteria for processing data.

The Data Fiduciary can process data which the Data Principal has voluntarily provided, where she has done nothing to indicate that she does not consent to the use of her data.

Grounds for the State to process the data:

The State or any of its instrumentalities may process her data if she has previously consented to such processing for any subsidy, benefit, service, certificate, licence or permit. This previous consent to the State covers consent given digitally as well as in non-digital form that was subsequently digitised.

The data can also be processed in the interest of the sovereignty and integrity of India or the security of the State. It can further be processed for compliance with any decree or order relating to claims of a contractual or civil nature; for responding to a medical emergency that threatens the Data Principal or any other individual; for providing health services during an epidemic or other threat to public health; and for assisting during a disaster or any public outbreak.

Key Duties and Responsibilities of Data Fiduciaries Under the Act

The Data Fiduciary is responsible for complying with the provisions of this Act. It can appoint a Data Processor to process data on its behalf, under a valid contract, in relation to the goods and services it provides to the Data Principal. The Data Fiduciary should ensure the completeness, accuracy and consistency of data where it affects the Data Principal. It must maintain adequate security safeguards to prevent a data breach. If a breach occurs, the Data Fiduciary must inform the Board as well as every affected Data Principal.

The Data Fiduciary should erase the personal data when the Data Principal withdraws her consent or when the specified purpose is no longer being served, whichever is earlier.

The Data Fiduciary should publish the contact information of a Data Protection Officer who is able to answer, on behalf of the Data Fiduciary, any questions raised by the Data Principal about the processing of her personal data.

An effective redressal mechanism has to be provided by the Data Fiduciary to address the grievances of the Data Principal.

Before processing the data of a child, or of a person with a disability who has a lawful guardian, the Data Fiduciary should obtain the consent of the parent or guardian. Any processing that might cause detrimental harm to the well-being of the child is prohibited. Data Fiduciaries should not track or monitor the behaviour of children or serve targeted advertising to them.

Certain Data Fiduciaries may be designated as Significant Data Fiduciaries based on factors such as the volume and sensitivity of personal data processed, the risks to the rights of Data Principals, the security of the State, and public order. These Fiduciaries have the additional obligations of appointing a Data Protection Officer and an Independent Data Auditor and of carrying out periodic Data Protection Impact Assessments.

Rights and Duties of Data Principals Under the Data Protection Framework

Rights:

The Data Principal has the right to obtain, from a Data Fiduciary to whom she gave consent, a summary of the data being processed, the identities of all Data Fiduciaries with whom the data has been shared, and any other information related to the data. She also has the right to correct, complete, update or erase the existing data for whose processing she earlier gave consent.

She has the right to readily available means of grievance redressal, and the Data Fiduciary should respond to such grievances within the time period mentioned on the receipt. The Data Principal should exhaust this remedy before approaching the Board.

Duties:

The Data Principal should comply with the provisions of all applicable laws. She should not impersonate any other person while giving information, should not suppress any material information while providing personal data, and should not register a false or frivolous grievance or complaint with the Data Fiduciary.

Cross-Border Transfer of Personal Data: Restrictions and Permitted Destinations

The Bill allows cross-border data flows by stipulating that data can be processed outside India unless the Central Government has restricted this through a notification.

So the procedure will be that there is a list of countries that are blacklisted, and the data of Indian citizens will not be transferred to those countries. Countries that are not blacklisted will be allowed to have access to the data. This is done to promote ease of doing business and to achieve the economic target of becoming a trillion-dollar economy.

Exemptions and Exclusions from Data Protection Obligations Under the Act

There are exceptions to the rules governing the rights of the Data Principal and the duties of the Data Fiduciary (other than those relating to data security). Two examples are (i) enforcing legal rights or claims and (ii) preventing and investigating criminal activity. Processing may also be exempted where it is required for a merger or amalgamation of companies, or to ascertain financial information in case of default in payment.

The Central Government may exclude specific operations from the scope of the Bill through a notification. In the interest of state security and public order, (i) processing by government bodies is permitted; and (ii) processing for research, archival, or statistical purposes is permitted.

Establishing the Data Protection Authority and Dispute Resolution Machinery

This Bill removed the previously proposed mechanism for the Board and brought in new provisions relating to it.

The Act establishes a Data Protection Board of India, which shall be a body corporate and fulfil the requirements of a body corporate. The Chairperson and other Members are appointed by the Central Government and should have knowledge and experience in fields that may be useful to the Board. The Chairperson holds office for a tenure of two years and may be re-appointed.

The Act also introduces the grounds on which the Chairperson or Members of the Board can be disqualified from appointment or from continuing their term. It also introduces provisions on resignation by Members and the filling of vacancies, the proceedings of the Board, the officers and employees of the Board, and the powers of the Chairperson.

The Act further sets out the powers and functions of the Board and the procedure it is to follow. Provisions on appeal and alternate dispute resolution were also added: an appeal can be made to the Appellate Tribunal, and orders passed by the Appellate Tribunal are executable as a decree. If the Board thinks that a dispute can be resolved by way of mediation, it can direct the parties concerned to alternate dispute resolution.

Chapter VIII of the Act provides for penalties and adjudication, and the Schedule to the Act sets out the monetary penalties imposed for breach of obligations.

Merits of the Bill

The Bill now applies outside India to products and services sold to Indians. The measure gives individuals data rights by assuring consent, openness and choice. Data minimisation, purpose limitation, data breach notification, and sanctions aim to make organisations more accountable for user data. This will improve data security.

The Bill also lets consumers access, modify, or delete their data, giving them more control over its collection and usage. This empowers individuals over their personal data and builds user trust in digital services, which in turn will increase digital uptake and use.

The Bill also protects minors by prohibiting the tracking of their behaviour and requiring fiduciaries not to serve them targeted ads. This will go some way towards safeguarding youngsters from internet hazards.

The Bill removed “public interest” and “fair and reasonable use” as grounds on which the government may obtain data, which is good because the previous bill raised concerns about government misuse. The Bill now requires precise justifications for State access to data.

The Bill authorises cross-border data transfers unless the Central Government blacklists a country through a notification. This will boost digital trade and the economy.

Thus, in addition to providing a framework, the Bill strengthens individual rights and data protection, mandates openness, holds firms and intermediaries accountable, and provides grievance relief. A balanced implementation of these good aspects could help build a safe, secure, and privacy-respecting digital ecosystem in India.

Demerits of the Bill

The broad exemptions offered to the government for collecting user data threaten privacy. Provisions on the grounds for data processing, processor requirements, data breach reporting, etc. are ambiguous and may make implementation difficult.

Because the timeframe for addressing a grievance is whatever the receipt stipulates, the Data Protection Board may not be able to resolve citizen grievances quickly. The government has not limited what a timely response means.

The law may restrict data flows and increase compliance costs, hindering data-driven innovation and digital economy growth. The Bill’s requirements do not align with global best practices and regimes such as the EU’s GDPR, which may hinder cross-border data flows and hurt the digital sector.

Its vast reach, the lack of clarity in some provisions, the possible impact on enterprises and economic growth, the effectiveness of regulatory monitoring, and implementation issues are all concerns. The government must handle these challenges wisely to make the measure workable and helpful.

Conclusion

Despite laying the groundwork, the Digital Personal Data Protection Bill has many flaws. The wide exemptions, onerous compliance requirements, and uncertainties cast doubt on its efficacy. Data privacy laws should boost user confidence and innovation.

The measure may be solid with the correct changes and fair execution. The government must clarify regulations, lower compliance costs, and minimize unnecessary data use. Responding to stakeholder opinions and making improvements based on experience is optimal. New restrictions require flexibility, but initial trade-offs are inevitable.

The law can boost India’s digital economy and society if it prioritizes data protection and user empowerment over control. Much will depend on how carefully and equitably it is administered to balance all parties’ needs.
