Data Protection gaining importance as India goes Digital

POSTED ON APRIL 29, 2023 BY DATA SECURE

Introduction

The Digital Personal Data Protection Bill, 2022 is a proposed legislation in India that aims to provide protection to personal data of individuals collected and processed by various entities. This bill is currently under consideration by the Indian Parliament and has been drafted based on the recommendations made by the Justice B.N. Srikrishna Committee, which was constituted by the Indian government to examine issues related to data protection.


Kindly read the Justice B.N. Srikrishna Committee Report that was released in the year 2018 by the Ministry of Electronics and Information Technology, Government of India:

Data_Protection_Committee_Report.pdf (meity.gov.in)


Definition of Personal Data

The bill defines personal data as any data that relates to a natural person, which either directly or indirectly identifies that person. This includes data such as name, address, date of birth, biometric information, email ID, telephone number, and any other data that can be used to identify an individual.

One of the main objectives of the bill is to ensure that personal data is collected and processed in a fair and transparent manner. The bill requires entities that collect personal data to provide individuals with information regarding the purpose of collecting the data, the manner in which it will be processed, and the categories of entities that will have access to the data. Additionally, individuals have the right to withdraw their consent for the collection and processing of their personal data at any time.

Some of the other key definitions as per the DPDPB 2022, Chapter 1, Section 2:

  1. “Data Fiduciary” refers to any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
  2. “Data Processor” refers to any person who alone or in conjunction with other persons processes personal data on behalf of a data fiduciary.
  3. “Data Principal” means the individual to whom the personal data relates. If the individual is a child, then the parents or lawful guardian of such a child are considered as a Data Principal.
  4. “Data Protection Board of India” is a body that is responsible for receipt of complaints, formation of groups for hearing, pronouncement of decisions, and other functions as described within the bill.
  5. “Data Protection Officer” means an individual appointed as such by a Significant Data Fiduciary as per the provision of the bill for undertaking activities assigned within the bill.

Definition of “Harm”

For the first time, the DPDPB 2022 includes an excellent definition of “Harm”, something that many of the global privacy regulations lack.

As per Chapter 1, Section 2(10), Harm in relation to a Data Principal means:

  1. Any bodily harm or
  2. Distortion or theft of identity or
  3. Harassment or
  4. Prevention of lawful gains or causation of significant loss

Obligations of Entities (Data Fiduciaries/Data Processors/Significant Data Fiduciaries/Data Principal)

The bill also imposes certain obligations on entities that collect and process personal data. These entities can be data fiduciaries or significant data fiduciaries or the data processors. Entities are required to implement appropriate security safeguards to protect personal data from unauthorized access, use, disclosure, modification, or destruction. In case of any data breach, entities are required to notify the individuals affected and the Data Protection Authority (DPA) within a specified time period.

The obligation of Data Principals as per Chapter 3, Section 16 is as follows:

  1. Do not register false complaints with Data Fiduciary or the Board.
  2. Do not provide false or misleading information.
  3. To furnish authentic and verified information for correction and erasure requests.

Establishment of Data Protection Board of India (DPBI)

The bill proposes the establishment of a Data Protection Board of India (DPBI) to oversee and regulate the implementation of the provisions of the bill. The DPBI will be an independent body, with members appointed by the central government. The DPBI will have the power to investigate any violations of the provisions of the bill, impose penalties, and issue orders to entities to comply with the provisions of the bill.


Data Localization Not Mandatory

One of the controversial provisions of the previous bill, the PDPB 2019, was the requirement for data localization. This provision required that personal data of individuals be stored and processed within the boundaries of India. This provision has been criticized by some experts who argue that it will increase compliance costs for entities and may affect the ease of doing business in India. However, proponents of this provision argue that it is necessary to ensure that the personal data of Indians is not accessed by foreign entities without the consent of the individual.

However, the current DPDPB 2022 does not have any provision for data localization.


Exemptions to the Bill

Another contentious provision of the bill is the exemption granted to the government from the provisions of the bill in certain circumstances. The bill allows the government to exempt itself from the provisions of the bill for reasons of national security, public order, or for the purposes of prevention, investigation, or prosecution of any offense. This provision has been criticized by civil society organizations who argue that it undermines the purpose of the bill, which is to protect personal data of individuals from unauthorized access and misuse.


Cross-border Data Transfer

The bill also contains provisions for cross-border transfer of personal data. Entities that wish to transfer personal data outside the boundaries of India must comply with certain conditions, including obtaining the consent of the individual, implementing appropriate security safeguards, and complying with any other conditions specified by the DPA.

As per Section 17 of the DPDPB 2022, the Government of India may, after an assessment as it considers necessary, notify such countries outside India to which a Data Fiduciary may transfer personal data in accordance with the provisions of the Bill.

However, the Government of India is working on the concept of whitelisting the countries to which Data Fiduciaries can make cross-border data transfers for the purpose of processing the personal data of the Data Principal.

Kindly read about it at 'Negative List' For Cross-Border Data Transfer In Works: MoS IT (inc42.com)


Introduction of Data Processing Agreement

The DPDPB 2022 has introduced the concept and definition of Data Processing Agreement. As per Chapter 2, Section 9(9):

“The Data Fiduciary may, where consent of the Data Principal has been obtained, share, transfer or transmit the personal data to any Data Fiduciary, or engage, appoint, use or involve a Data Processor to process personal data on its behalf, only under a valid contract. Such Data Processing may, if permitted under its contract with the Data Fiduciary, further engage, appoint, use or involve another Data Processor in processing personal data under a valid contract.”

It is a significant development in the field of Data Privacy in India and will ensure that the processing of personal data of the Data Principals is done in a responsible manner, with accountability for any misuse of the personal data. It will be applicable to both the Data Fiduciary and the Data Processor.


DPDPB 2022 has introduced the concept of “Deemed Consent” as per Chapter 2, Section 8. Deemed consent is based on the premise that the Data Principal, in certain situations as deemed by law, has given consent without giving actual consent.

The provision of “Deemed Consent” under the DPDPB 2022 provides for wide-ranging situations for collection, storage, and processing of the personal data of the individual without actual consent for the purpose. This can potentially lead to the violation of privacy of the individual.

However, the concept of Deemed Consent is being implemented by Canada in their Personal Information Protection and Electronic Documents Act, although sensitive information cannot be collected under Deemed Consent.

Kindly read about the Canada PIPEDA at https://dpo-india.com/Resources/Privacy_Regulations_in_North_America/canada_privacy_law.pdf

Similarly, the Australia Privacy Principles provide for “Implied Consent” as defined in the Australia Privacy Act, 1988.

Kindly read about the Australia Privacy Act, 1988 at https://dpo-india.com/Resources/Privacy_Regulations_in_Australia/


Imposition of Financial Penalties

The bill proposes stiff penalties for the Data Fiduciaries that violate the provisions of the bill. The Data Fiduciaries that collect, process, or disclose personal data in violation of the provisions of the bill can be fined up to INR 200 Crores as a minimum. The maximum amount of penalty can be INR 500 Crores per instance in case of violation of the DPDPB 2022.

As per Section 25(1), non-compliance with the Bill while processing children’s data will invite a penalty of INR 200 Crores.


Privacy Laws and Human Rights

Privacy or Data Protection laws are essential for protecting individual rights and preventing abuses of power. They help to ensure that individuals have control over their personal information and how it is used. Privacy laws also establish standards for organizations that collect and handle personal data and provide a framework for addressing privacy breaches and abuses.


Modern-Day Privacy Laws & Their Importance

The importance of privacy laws can be seen in the increasing reliance on technology in modern life. With the growth of the internet and digital communication, personal data is more easily accessible and vulnerable to abuse. Privacy laws provide safeguards against the misuse of personal information, and can help prevent identity theft, fraud, and other forms of harm.

Privacy laws also play a critical role in protecting human dignity and promoting freedom of expression. Without privacy protections, individuals may feel inhibited in expressing their views or engaging in activities that are important to them. Privacy laws help to ensure that people can live their lives free from unwanted scrutiny and judgment.

In addition, privacy laws are important for businesses and governments. Companies that handle personal data must comply with privacy regulations, which can help to build trust with customers and protect against reputational damage. Governments that enact and enforce privacy laws can demonstrate a commitment to protecting individual rights and fostering a healthy and democratic society.

However, these laws can limit the ability of law enforcement agencies to prevent and investigate crimes, as they may not have access to certain information that could be crucial to solving cases. Additionally, privacy laws can make it difficult for companies to collect and analyze data, which can hinder their ability to provide personalized services and improve their products. Moreover, privacy laws can lead to increased costs for businesses that must comply with complex regulations, which can ultimately be passed on to consumers. Finally, privacy laws can be difficult to enforce and may not effectively deter malicious actors from engaging in illegal activities.


Conclusion

In conclusion, the Digital Personal Data Protection Bill, 2022 is a significant step towards protecting the personal data of individuals in India. The bill seeks to ensure that personal data is collected and processed in a fair and transparent manner, with appropriate safeguards in place to protect the data from unauthorized access and misuse. Data protection is essential in today's digital age where vast amounts of personal and sensitive information are stored and transmitted online. Protecting data helps to ensure the privacy, security, and integrity of information, which is crucial for maintaining trust between individuals and organizations.

A lot remains to be seen as the Digital Personal Data Protection Bill, 2022 gets tabled in Parliament. There are a lot of inputs and suggestions that are being reviewed by the Ministry (MeitY) and the Cyber Law division.

Kindly read the complete India DPDP 2022 at https://dpo-india.com/Resources/privacy_laws_in_India/the_digital_personal_data_protection_bill_2022_india.pdf

We at Data Secure (DATA SECURE - Privacy Automation Solution) can help you to understand Privacy and Trust while dealing with personal data and provide Privacy Training and Awareness sessions in order to increase the privacy quotient of the organisation.

We can design and implement RoPA, DPIA and PIA assessments for meeting compliance and mitigating risks as per the requirement of legal and regulatory frameworks on privacy regulations across the globe especially conforming to India Digital Personal Data Protection Bill 2021. For more details, kindly visit DPO India – Your outsourced DPO service (dpo-india.com).

For any demo/presentation of solutions on Data Privacy and Privacy Management as per EU GDPR, CCPA, CPRA or Draft India PDPB 2019 and Secure Email transmission, kindly write to us at info@datasecure.ind.in or dpo@dpo-india.com.

For downloading various Global Privacy Laws kindly visit the Resources page in Resources (dpo-india.com)