Public Consultation Ends on Digital Personal Data Protection Bill

A second version of the draft Digital Personal Data Protection Bill was issued in 2022, as India moves towards adopting a comprehensive framework for data privacy. With the consultation on the latest iteration of the legislation recently ending, this article looks at the main provisions of the bill and how it could impact individuals and organisations.

Background

The first draft Personal Data Protection Bill was introduced in 2019 and then withdrawn in 2021. It was replaced by a streamlined draft bill, published in 2022. A public consultation on the second version of the legislation was due to run until 17 December. The Ministry of Electronics and Information Technology later extended the deadline to 2 January 2023.

Main provisions of the latest bill

Overall, the bill sets out a framework clarifying the rights and responsibilities of India’s approximately 760 million active internet users. It also defines the obligations of organisations which collect, store and use data. There are several key principles underpinning the draft legislation. These include:

  • Use of personal data by organisations must be lawful, fair and transparent.
  • Personal data must be used only for the purposes for which it was collected.
  • Reasonable efforts should be made to ensure personal data is accurate and kept up to date.
  • The duration of storing personal data should be limited to what is necessary for the stated purpose.
  • Reasonable safeguards should be in place to ensure no unauthorised collection or processing of personal data.

Certain types of data are excluded from the scope of the legislation, including (but not limited to) non-automated processing of personal data and offline personal data. The main body responsible for enforcement is the Data Protection Board of India.

How would the legislation impact individuals and firms?

The bill essentially requires data processors to seek consent from an individual before they collect, store and use their data. Exceptions include when the information is requested by the State or other public bodies, when it relates to employment, or when it is deemed in the public interest (such as to prevent fraud). The request for consent must be clear and in simple language. Individuals may withdraw their consent at any time.

Organisations should be aware that the bill provides for financial penalties for non-compliance, up to INR5bn. The text also confirms that organisations in India may transfer personal data to certain “notified” countries and territories. Organisations which process digital personal data outside India are caught by the legislation if they use that data for profiling or offering goods and services to individuals within India.

This all means that while the draft legislation puts the onus on data collectors to secure permission, individuals should read any consent requests and make sure they understand how their data will be used.

What are the next steps?

The government will consider the responses to the consultation. The bill will be tabled at a later date, potentially during the forthcoming parliamentary budget session.

What can individuals do to protect their data privacy?

Outside of any legislative actions, individuals can remain alert to what personal data they share online and how organisations use that data. They can also limit the spread of their personal information by using a data removal tool to request that the many data brokers remove any such information from their databases.
