INTRODUCTION
After the withdrawal of the Personal Data Protection Bill, 2019, which was subject to widespread debate, dissent and criticism, the Union Government recently came up with a revamped and revised data protection bill aimed at personal data, named the ‘Digital Personal Data Protection Bill, 2022’. The revamped bill was introduced three months post the withdrawal of the preceding bill of 2019. The Bill has various features that distinguishes it from previous enactments
In this article, Team YLCC covers some of the major features of the Digital Personal Data Protection Bill, 2022. Read on!
OBLIGATIONS OF DATA FIDUCIARY
The Bill states under Section 5 that a Data Fiduciary may validly process the personal data, only for a lawful purpose and in compliance with the provisions of the bill. However, the Data Fiduciary is obligated to provide the Data Principal (the person whose data is subjected to processing) with an itemized notice, meeting the requirements of clarity in language, notifying the purpose of processing, and timeline with respect to processing as laid down under Section 6 of the Bill. Section 9 stipulates that the Data Fiduciary is obligated to comply with the provisions of the act.
CONSENT
The Bill states under Section 7 that the unambiguous, informed and free consent of the Data Principal must be obtained before the processing of data. Further, Clause 4 of Section 7, states that in cases wherein the consent forms the basis for processing of data, consent may be withdrawn at any time, by the Data Principal. Section 8 of the act makes provision for receipt of ‘deemed consent’, which can be given in case of sudden contingencies, where following due processes is not possible due to exigencies.
OBLIGATIONS OF SIGNIFICANT DATA FIDUCIARY
Clause 2 of Section 11, states that the responsibility of a Significant Data Fiduciary includes appointment of a Data Protection Officer, for representing the Significant Data Fiduciary under the act. Further, the Significant Data Fiduciary is also responsible for appointment of an Independent Data Auditor, and must also monitor the impact of Data Protection Impact Assessments that are conducted under the provisions of the bill.
RIGHTS OF DATA PRINCIPAL
The Data Principal, around whom the entire genesis of the bill revolves, has been accorded varied protections under the bill, such as the right to be informed and the right to information about the processing of his/her personal data (Section 12), the right to erasure, updating and corrections with respect to personal data, in compliance with applicable laws (Section 13), the right of speedy redress of grievance within the timeline mentioned under Section 14 by the competent board, on filing of complaint, and the right to nominate another individual to act/perform on his/her behalf, functions pertaining to the processing and removal of data of the data principal, in case of death/incapacity of the data principal to do so himself (Section 15).
OBLIGATIONS OF DATA PRINCIPAL
The Data Principal, has also been accorded with several duties and compliance requirements under Section 16 of the bill, such as the need to comply with the provisions of both the bill as well as applicable laws, the duty not to file any complaint of a frivolous or false nature, restriction on sharing false material particulars, or false information pertaining to himself, or ant other person, and restriction against impersonation of identity, as well as the obligation to furnish information wherein the veracity and authenticity of the same is verifiable.
TRANSFER OF DATA OUTSIDE INDIA
Under Chapter 4, Special Provisions, Section 17 states that after considering all relevant criteria, the Central Government may specify the nations or territories outside of India to which a Data Fiduciary may transmit personal data under the terms and conditions it deems appropriate.
TRANSFER OF DATA RELATED TO CHILDREN
Section 17 of the Bill states that before processing any child’s personal information, the Data Fiduciary must first get verified parental agreement in the manner that may be required.
For the purposes of the bill, “parental permission” includes, the consent of the legal guardian, in cases wherein required, or else the consent of the parent itself.
Further, it has been stated under Clause 2 of Section 17 that a Data Fiduciary is not permitted to process personal information in a manner that could endanger a child. Also, a Data Fiduciary is not allowed to follow or monitor children’s behavior or use them as targets for advertising. Thus, this Section lays down additional responsibilities with respect to data processing of personal data of children.
COMPLIANCE FRAMEWORK
Under the Bill, Section 19 states that the Government at the Central Level may constitute a board, the “Data Protection Board of India”, which shall consist of a chairman, chief executive, and such other employees and officers as required under the provisions of the bill. Section 20 of the bill states that the functions of the abovementioned board include duly performing functions assigned to it by the Government at the Central Level, issuing directions to other stakeholders, directing the data fiduciaries to comply with the provisions of the bill, and imposition of conditions and restrictions as deemed fit by the board.
PROCESS OF RESOLUTION OF GRIEVANCES
Under Section 21 of the Bill, it is stated that the Board may act in line with the provisions of the bill, and upon receipt of a complaint from an affected person, a referral made to it by the Central Government or a State Government, in compliance with any court’s orders, or in the event that a Data Principal violates provisions of the act. Further, the Board may permit particular members or teams of members to handle complaint-related proceedings. In cases wherein the board decides there are inadequate grounds, it may adjourn the matter for reasons that are documented in writing. However, if the Board finds that there are adequate grounds to continue the investigation, it may do so for reasons that are documented in writing.
PROVISION FOR ALTERNATE DISPUTE RESOLUTION
Keeping in line with the popularity of modes of Alternate Dispute Resolution under the contemporary scenario, the bill makes provision under Section 23 that states that the board is vested with discretionary power to decide the suitability of the complaint resolution, and if the board feels that the complaint may be better resolved by way of mediation/other mode of resolution, the board may direct the parties towards alternate dispute resolution mechanisms to solve their dispute.
GRIEVANCE REDRESS MECHANISM: PROVISION FOR APPEAL
Section 22 of the bill, entitled, “Review and Appeal” states that the Board may review its order, acting through a group for hearing larger than the group that held proceedings, on a representation made to it, or on its own, and for reasons to be documented in writing, modify/suspend/withdraw, or cancel any order issued. Additionally, it may impose any conditions it deems appropriate, subject to which the modification, suspension, withdrawal, or cancellation shall have effect.
Further, Clause 2 of Section 22 states that the High Court is the proper forum for an appeal against any Board order. Every appeal filed in accordance with this section must be prioritized within sixty days of the order being appealed.
PENALTIES UNDER THE BILL
Section 25 of the bill provides for Financial penalties which can be imposed with respect to the bill, stating that a penalty not exceeding Rs. 500 Crores, can be imposed for every instance of violation, thus providing a deterrent effect towards potential violations. Further, Clause 2 of Section 25 stated that various factors must be taken into consideration for determining the amount of financial penalty payable, such as number of violations, nature, loss, damages, etc.
CONCLUSION
The Digital Personal Data Protection Bill, 2022, which aimed to revamp and redress the lacunae under the Personal Data Protection Bill, 2019 has largely succeeded in covering the loopholes and gray areas left under previous enactments. However, there is a need for strict compliance and implementation of the bill in order to ensure that the personal data related rights of individuals, which are of paramount importance, are protected at all costs.
YLCC would like to thank its Content Team for their valuable insights in this article.