The foreseeable flabbergasting over the new “Digital Personal Data Protection Bill, 2022’1s” introduction by MeitY brings outthe question of scuffle between ‘Simplified’ or ‘Diluted’ Bill.
MeitY in overwrought state on 18th November’s afternoon releases the “Digital Personal Data Protection Bill, 2022” with the penchant towards removal of anachronistic Data Protection Bill. But, the issue of ‘Why there is removal of Old Data Protection Bill 2022?” recognized as “Propelling the spurt’s”issue.
Backlash of Section 35 and Section 12 of 2019’s data protection bill, stating the authority of central government to exclude any government’s law agency from the framed law’s obligation and, the grant of permission to state authorities to process/regulate the subject’s personal data without prior approval from thesubjects is the critical reasoning behind the recall ofanachronistic Data Protection Bill 2019.
Reminiscing the Background before divulging the NewChapter
Undoubtedly, before the revealing of this 2022 new chapter (Digital Data Protection Bill), the complex and comprehensive background captivate the reader’s attention towards it. Focusing on the very first instance of the submission of report by the Joint Parliamentary Committee in consonance of KS Puttuswamy’sJudgment providing broad data protection relatedrecommendations to the 2019 data protection bill. Basically, the 2019 Bill on which the JPC made some strong recommendations was prepared by Justice BN Srikrishna, with the prime focus upon the protection of subject’s personal data and setting up data protection authority for the regulation of same. Following that, the government tried to incorporate the suggestions put forth by JPC (Joint Parliamentary Committee) and decided to come with a fresh bill. The prime recommendation is concerned with the regulation of ‘Non-Personal Data’ within the 2019 Bill and for increasing theambit/extent over the ‘non-personal data’ the fresh bill presentedby
MeitY.
Digital Data Protection Bill, 2022: Contemplation of “What’sNew”?
This 2022 Bill reveals out on prime issues which somewhere been neglected by the government over the period. The 2022’s Digital Data Protection Bill aligns with the vision of Open, Safe & Trusted and Accountable Internet for India and its ‘DigitalNagriks’ on which the recently
notified CERT-In Directions on April, 2022, and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2022.2
MeitY sets out to receive the proposal/comment from the public in order to incorporate the valuable suggestions for the PI’s protection till 17th December, 2022. Fundamentally, the 2022’schapter of “Digital Data Protection Bill” emphasizes over substantial issues that being escaped from the government’ssight. The applicability segment under new bill widens the horizon by covering ‘within and outside India’. The Personal Information (PI) within India is collected via online mode and on the otherhalf, the PI’s outside India processed/ collected through the mechanism of offer’s providing to the subjects in India.
Explicit Notice and Consent
The prime reason of criticism faced with the introduction of 2019’s bill is processing the subject’s data without their consent been tackled in 2022’s chapter. The PI’s processing entities must send notice to subjects/data principals in explicit, clear and plain wordings seeking consent for processing PI.
Notice must contain details of the representative of the Data Fiduciary who can respond to communications from the Data Principal.3 The Consent of the subject drawn can be withdrewanytime and with regard to the subject’s consent, the government has suggested to appoint ‘Consent Manager’responsible with the task of review, manage and controlsubject’s consent.
Data Fiduciary and Performing Obligations
Determining the purpose and means of extracting/processing thesubject’s PI is the prime responsibility being vested to ‘Data Fiduciary’. The 2022’s bill lays down certain responsibilitieswith regard to the ensuring the correctness of PI, security andsafeguards of subject’s PI.
Not only the power being restricted to maintain safeguards and ensuring correctness of data but also to destroy the expired or unused principal’s data. With regard to the minor’s PI, the datafiduciary must not indulge into behavioral monitoring, or child – targeted advertising and the entities found to be breaching the said compliance would be levied with penalties of up to Rs 200crores.
2 Mr. Rishi Anand and Mr. Nakul Batra, MINISTRY OF ELECTRONICS AND INFORMATION TECHNOLOGY RELEASES THE DIGITALPERSONAL DATA PROTECTION BILL, 2022, DSK Legal (Newsletter).
3 Notice must contain details of the representative of the Data Fiduciary who can respond to communications fromthe Data Principal, Live Mint, 18th November 2022, https://www.livemint.com/news/india/government-releases- draft-of-new-data-protection-bill-11668757758325.html.
Data Principals and Assigned Rights & Duties
As ‘Data Fiduciary’ being loaded with different obligations, the ‘Data Principals’ also being vested with certain rights and duties to which one need to be complied of. ‘Data Principals’ should bewell informed about the nature of data being processed, list ofidentified data fiduciaries who is indulged in processingsubject’s PI. The 2022’s bill considering the circumstances of death and incapacity of data principals, laid out the right tonominate an individual to exercise the rights vested to DataPrincipals.
‘Data Principals’ must refrain from providing falsified PI while identification process and not indulge into filing of any frivolouscomplaints against data fiduciary.
Cross-Border Data Transfer
The 2022’s draft for widening the horizon permits the cross-border data transfer with respect to certain countries. This interaction of data with cross-border countries been seen as a cheering up moment for tech-based companies.
“The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries orterritories outside India to which a Data Fiduciary may transferpersonal data, in accordance with such terms and conditions as may be specified,” the draft says, without naming the countries.4
Asia Internet Coalition, a group representing some big names like- Meta, Google, Amazon and big giants through a letter toministry requested for allowance over the Cross-Border DataTransfer and removal of impediments that resulted in slow growth, expensive product offerings from the existing players/business cartel. The “Digital Data Protection Bill, 2022” with the allowance of cross-border data transfers imposes obligations over companies with respect to destroying ofprincipal’s data after expiry or use, providing of safeguards tothe subject’s PI.
The draft proposes a penalty of up to $30.6 million in the event afirm fails to provide “reasonable security safeguards to prevent personal data breach.” There’s another $24.5 million fine if the firm fails to notify the local authority and users for failure to disclose personal data breach.5
4 Jagmeet Singh, Manish Singh, India proposes permitting cross-border data transfers with certain countries in newprivacy bill, TechCrunch, November 18, 2022, https://techcrunch.com/2022/11/18/india-digital-data-protection-bill- 2022-draft/.
5https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Protection%20Bill%2C%2 02022.pdf.
Use of ‘She’ and ‘Her’ referring all Individuals
The Legislative History of India has seen a remarkable change in consonance of “government’s philosophy of empowering women.”6 For the very first time, the legislature has used pronouns ‘She’ and ‘Her’ replacing the pronouns ‘He’, ‘Him’,and ‘His’.
Imposition of Financial Penalty over Data Fiduciary andProcessor
The Bill proposes to provide for graded financial penalty up to Rs. 500 crores. The grading will be determined on the basis of variables provided under the Bill. Failure to comply by a DataFiduciary or Processor can result in a penalty of up to Rs. 250crores, while failure to comply by a Data Principal can result in a penalty of up to Rs. 10,000.7
2022’s New Data Protection Chapter: Way Ahead
Well! This is the beginning of this new chapter of data privacyand protection. The contemplation of Simplified or Diluted dataprotection bill been at the rudimentary stage predicting the outreach of the bill within and Cross-border PI’s protection in consonance to the framework.
As the 2022’s bill framework been seen in accordance to theEU’s GDPR or Californian CCPA & CPRA for the protection of subject’s data, the prime contention is seen highlighting thatwhether the 2022’s bill will proved to be strengthenedframework alike EU’s GDPR or Californian CCPA & CPRA. The removal of anachronistic regulations and framing of provisions keeping the giant entities growth and impediment’s they faces seems to be expedient/Advantageous over the period of time.
6 YUTHIKA BHARGAVA, Draft data protection Bill uses ‘she’ and ‘her’ to refer to all individuals, The Hindu,November 19, 2022, https://www.thehindu.com/news/national/draft-data-protection-bill-uses-she-and-her-to-refer- to-all-individuals/article66154970.ece.
7 Supra note 2.