The Union Government has released a revised personal data protection bill, now called the Digital Personal Data Protection Bill, 2022. The Bill was introduced three months after the withdrawal of the Personal Data Protection Bill, 2019. The Digital Personal Data Protection Bill is a well-addressed bill that focuses predominantly on seven principles. Firstly, organizations must use personal data in a manner that is lawful, fair to the individuals concerned and transparent to them. Secondly, personal data must only be used for the purposes for which it was collected. The third principle concerns data minimization. The fourth principle emphasizes data accuracy at the point of collection. The fifth principle states that personal data that is collected cannot be “stored perpetually by default” and that storage should be limited to a fixed duration. The sixth principle says there should be reasonable safeguards to ensure “no unauthorized collection or processing of personal data”. And finally, the seventh principle states that “the person who decides the purpose and means of the processing of personal data should be accountable for such processing”.
The Bill also proposes to set up a Data Protection Board to ensure compliance with the Bill.
In case of an unsatisfactory response from the Data Fiduciary, consumers can file a complaint with the Data Protection Board, which adds to the Board's role as a watchdog and to its authority in cases of breach. The bill even addresses the core issue of non-limitation of data, namely cross-border data transfer. The bill allows for cross-border storage and transfer of data to “certain notified countries and territories” provided they have a suitable data security landscape, and the Government can access data of Indians from there. As rightly said, legislation without penalties is like a toothless tiger; thus the bill is well-equipped with financial penalties, which apply to both Data Fiduciaries and Data Principals. The bill proposes to impose significant penalties on businesses that suffer data breaches or fail to notify users when breaches happen. These penalties range from Rs. 50 crores to Rs. 500 crores. As for the Data Principal, if a user submits false documents while signing up for an online service, or files frivolous grievance complaints, the user could be fined up to Rs. 10,000.
No right is absolute; similarly, this bill provides for some exceptions as well. The government can exempt certain businesses from adhering to provisions of the bill on the basis of the number of users and the volume of personal data processed by the entity. This has been done keeping in mind the country's startups, which had complained that the Personal Data Protection Bill, 2019 was too “compliance intensive”.
National security-related exemptions, similar to the previous 2019 version, have been kept intact. The Centre has been empowered to exempt its agencies from adhering to provisions of the Bill in the interest of the sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order, or preventing incitement to any cognizable offense.
The new Bill offers significant concessions on cross-border data flows, in a departure from the previous Bill’s contentious requirement of local storage of data within India’s geography. It takes a relatively soft stance on data localization requirements and permits data transfer to select global destinations which are likely to foster country-to-country trade agreements.
The bill recognizes the data principal’s right to postmortem privacy (Withdraw Consent) which was missing from the PDP Bill, 2019 but had been recommended by the Joint Parliamentary Committee (JPC).
The author is Associate Professor at Jagran Lakecity University, Bhopal.