Key Features and Issues in The Digital Personal Data Protection Bill, 2022

This article provides a comparative analysis of The Digital Personal Data Protection Bill, 2022, the Personal Data Protection Bill, 2019 and the General Data Protection Regulation along with the lapses of the 2022 Bill.
S.S. Rana & Co - Nihit Nagpal, Apalka Bareja

The Ministry of Electronics and Information Technology (“MeitY”) recently introduced a revised Bill for the protection of digital personal data titled “The Digital Personal Data Protection Bill, 2022” (hereinafter referred to as the “2022 Bill”). The 2022 Bill replaces the Personal Data Protection Bill, 2019 (hereinafter referred to as the “2019 Bill”). The government displayed the Bill on its website to seek chapter-wise feedback until December 17, 2022. It has been a constant endeavour of the Indian government to set up a regulatory mechanism which strikes a balance between the “protection of personal data” and the “establishment of a regulatory mechanism” which allows the processing and storing of personal data by fiduciaries. In the recent past, the European Union’s General Data Protection Regulation has often been referred to as a model law for framing domestic legislation.

The 2022 Bill covers a much narrower spectrum of personal data protection than the previous Bills. The 2022 Bill specifically focuses on digital data which is of a personal nature. The Bill succinctly provides for 30 Sections which cover the rights of a data fiduciary, the rights and duties of a data principal, the establishment of the Data Protection Board of India, etc. While the enactment of legislation on the protection of personal data is the need of the hour, the present 2022 Bill still poses a few challenges and issues.

Key features of the 2022 Bill vis-a-vis 2019 Bill and GDPR

The revised 2022 Bill provides for various salient features which were not covered in the previous Bills. A comparative analysis of the 2022 Bill along with the 2019 Bill and the General Data Protection Regulation is provided below:

1. Extent and Liability

2. Reference to an individual

3. Introduction of ‘Consent Managers’ and their accountability

4. Grounds for processing Personal Data without consent

5. Obligations of Data Fiduciary

6. Liability in case of Breach

Key Lapses in the 2022 Bill

Narrow applicability of the Bill: As the name of the Bill suggests, the Bill focuses specifically on digital data of a personal nature. The Bill defines the expression “personal data” under S. 2(13); however, it does not define what constitutes “digital data”. Since the Bill specifically focuses on digital personal data, it appears that the legislature intended to exclude the applicability of this Bill to personal data stored in a form other than digital. The implication of such exclusion would be that if a breach of personal data that was not stored in digital form takes place, then no protection could be sought under the 2022 Bill. The title of the Bill and its provisions also leave no scope of interpretation for the Courts to extend the protection to personal data stored in physical form. Further, a cursory perusal of the General Data Protection Regulation (hereinafter referred to as “GDPR”) shows that the GDPR extends to all forms of “personal data”, be it digital or otherwise.

No obligation on data fiduciary for preparing a privacy policy design: Chapter 2 of the 2022 Bill provides for the Obligations of a Data Fiduciary. Unlike the 2019 Bill, the new 2022 Bill does not require a data fiduciary to prepare a privacy policy covering the whole of the processing, from the point of collection of data to the deletion of data. The obligation on a data fiduciary to adopt a privacy-by-design policy has been omitted in the 2022 Bill. This obligation is enshrined under Article 25 of the GDPR.

No offence, only penalty provided: Section 25 of the 2022 Bill provides for a hefty financial penalty which may extend to Rupees five hundred crores. The First Schedule of the Bill sets out the penalties. However, unlike the previous Bill, the 2022 Bill does not provide for any offence. The 2019 Bill, under Section 82, provided for punishment with imprisonment for a term not exceeding three years or a fine which may extend to Rupees Two Lakhs. The legislature has tried to create deterrence by imposing hefty penalties running into crores. However, in case a data fiduciary commits a grave breach but does not hold enough assets to match the penalty imposed in a given case, the proceedings would become futile. On the other hand, if imprisonment remains a primary mode of punishment, it is likely to create more deterrence in addition to civil liability.

Hefty penalties likely to deter startups in India: India is now witnessing a huge number of startups, and government policies are also aligned to support the startup culture. The revised Bill requires the Data Fiduciary to put in place proper means and processes to secure the digital personal data of the Data Principal. However, it is not possible for every startup to put in place all the mechanisms and tools for complying with the provisions of the Bill. Further, if any data fiduciary fails to comply with the provisions of the Bill, it shall be subjected to hefty liability extending to crores. This will ultimately impede the growth of startups in India. The penalties should be just, reasonable and proportionate to the quantum of injury caused to the aggrieved. Both civil and criminal liability should be included in the Bill, and discretion can be given to the Board or the concerned authority to decide whether a fine has to be imposed or criminal liability has to be imputed. The same can be done by including the word “or” in the penal provisions of the Bill and including both civil and criminal liability in a proportionate manner. This will ultimately allow the concerned authority to decide each case on its merits in a just, fair and reasonable manner.

Regulatory approval for cross-border flow of digital personal data: In a globalised world, where data collection has become an inalienable part of daily transactions, there is a likelihood of cross-border flow of data outside India. The 2022 Bill is entirely silent on a comprehensive regulatory mechanism for the cross-border flow of digital personal data.

In the 2019 Bill, the Data Protection Authority was empowered to monitor the cross-border transfer of data [Personal Data Protection Bill, 2019, Section 49(2)(g)] and an obligation was also cast on the data fiduciary to disclose the same [Personal Data Protection Bill, 2019, Section 23(1)(g)]. However, the 2022 Bill does not provide for the same and also takes away the power of the Data Protection Board to issue directions for such compliance. In order to allow the proper flow of data outside India, the same may be regulated with proper guidelines in the Bill itself. If the Bill is passed with these changes, India’s international obligations would also be fulfilled.

Application of the right to information to confidential data: Section 12(3) states that the Data Principal shall have the right to obtain from the Data Fiduciary the identities of all Data Fiduciaries with whom the personal data has been shared. However, there may be various cases where the Data Principal may have entered into a non-disclosure agreement with the Data Fiduciary preventing the disclosure of any digital personal data under the right to information. This anomaly should be removed by making the provision more comprehensive and clear.

The right to be forgotten: The right to be forgotten is an offshoot of the right to privacy and means the erasure or deletion of data once the data has become redundant or detrimental to the data principal. Justice Kaul’s opinion in the landmark KS Puttaswamy and Anr. v. Union of India and Ors. contains a brief discussion on the right to be forgotten in the 2019 Bill and the GDPR. In the landmark case of Google v. Spain, the right to be forgotten was considered part and parcel of the right to privacy. In India, the right to be forgotten is yet to be accorded the status of a fundamental right under Article 21 by the Supreme Court.

The right to be forgotten shall have significant application in cases where the names of victims of sexual offences are disclosed. The Supreme Court in Birbal Kumar Nishad v. The State of Chhattisgarh ordered that the names of victims of sexual offences should not be mentioned in proceedings before courts. Further, in Bhupinder Sharma v. State of Himachal Pradesh, the Supreme Court held that disclosing the names of victims of sexual offences amounts to an offence under Section 228A of the Indian Penal Code, 1860. Therefore, in view of these decisions, a victim of a sexual offence can seek the erasure or removal of her name if the same has been disclosed in the public domain. The 2022 Bill enshrines the right to be forgotten under Section 13, which shall be subject to reasonable restrictions, and such cases can be properly dealt with if the Bill is enacted to this effect.

The problem with Section 13 is that it uses the expression “in accordance with the applicable laws and in such manner as may be prescribed”, which is too wide to be considered a reasonable restriction on a legal right. The latter part of the expression makes the restriction vague and superfluous. In contrast to Article 17 of the GDPR, the 2022 Bill does not cover specific grounds for the erasure of data. As per the 2022 Bill, a case where the data principal withdraws consent cannot be taken as a ground for exercising the right to be forgotten; rather, the implication would be that the withdrawal shall not affect the lawfulness of the processing of personal data already carried out, and the fiduciary shall cease processing the personal data. However, the GDPR provides for withdrawal of consent as a ground for invoking the right to be forgotten where there is no other legal ground for processing the data.

Apart from the right of correction or erasure, a duty should be cast upon the Data Principal to intimate or update the Data Fiduciary if there has been a change in personal data. The reason is that a Data Fiduciary would not have any notice of a change in personal data on its own unless the same is intimated by the Data Principal.

Conclusion

While the enactment of legislation for data protection remains pending, the 2022 Bill is a welcome step. However, the government’s obligations towards the protection of personal data would still remain partially unfulfilled. The above-mentioned lapses may be addressed in the Bill. The GDPR would still act as a model law to cover various other crevices in the existing 2022 Bill. The High Courts in various states have shown sensitivity towards the protection of the personal data of individuals and have even applied the right to be forgotten in a few cases. As a way forward, penalties of a civil nature should be balanced with criminal liability in order to balance “the protection of personal data” and the “processing of personal data”. If the penalties are made proportionate, it will instil confidence in new startups.

Nihit Nagpal is an Associate Partner and Apalka Bareja is an Associate at S.S. Rana & Co. The authors would like to thank Mohd. Yasin for his research assistance.

Bar and Bench - Indian Legal news
www.barandbench.com