The government on Friday re-introduced the draft Personal Data Protection Bill 2022 (PDPD 2022) for public consultation. The bill, which was withdrawn from parliament during the Monsoon session in 2022, comes up with various changes including heavy penalties in case of data breach and easing cross-border data flows. It also exempts government agencies from the law in case of national security.
The bill not only penalises the entities for data breach, it proposes to impose fine of Rs 10,000 on individuals too for providing false information, impersonating and filing frivolous complaints against social-media. For the first time, the government has used ‘her’ and ‘she’ to refer to individuals irrespective of gender in the bill instead of using ‘he’ and ‘him’. The bill is in the public domain for consultation until December 17, 2022, and likely to be tabled next year in the budget session.
Why was it withdrawn?
The Personal Data Protection Bill, 2019, which seeks to protect personal data of individuals was first introduced in Lok Sabha by then Minister of Electronics and Information Technology, Ravi Shankar Prasad on December 11, 2019. The bill was referred to the standing committee and on August 3 ,2022, MeitY withdrew the bill stating that a more comprehensive legal framework will be presented soon. At that time, the bill took heat from tech companies like Facebook and Google as well as civil society activists. The tech giants were against storing a copy of certain sensitive personal data within India. However, in the Draft Personal Data Protection Bill 2022, the government has junked the idea. Activists criticised the provision of the bill, which exempts government’s agencies from adhering to the law or penalties. As per the draft bill, the Centre has been empowered to exempt its agencies from adhering to provisions of the bill in the interest of sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognisable offence.
About the bill
As per the explanatory note of the bill, it is a legislation that frames out the rights and duties of the citizen (Digital Nagrik) on one hand and the puts obligations to use collected data lawfully of the data fiduciary on the other hand. It said the bill is based on the principles around the Data Economy: the first principle is that usage of personal data by organisations must be done in a manner that is lawful, fair to the individuals concerned and transparent to individuals. The second principle of purpose limitation is that the personal data is used for the purposes for which it was collected. The purpose to introduce the bill, the government said, is currently there are over 76 crore (760 million) active internet users (Digital Nagriks) and over the next coming years this is expected to touch 120 crore (1.2 billion).
“It has become clear over the last few years while this data is used by platforms and intermediaries, the data and personal data must be subject to a framework of rules and dos and don’ts,” reads the note. The consent given Data Principal is the basis of processing of personal data, the Data Principal will have the right to withdraw her consent at any time. Every Data Fiduciary and Data Processor should protect personal data in its possession or under its control by taking security safeguards to prevent data breach. The bill proposes to set up a Data Protection Board of India.
In the event of a personal data breach, the Data Fiduciary or Data Processor will have to notify the Board and each affected Data Principal. The Data Fiduciary may store personal data only under a valid contract. In this bill, the government hiked the fine on entities manifold, as much as Rs 500 crore, in certain cases. Penalties on entities could be as much as Rs 250 crore in case of data breach. For instance, the failure of Data Processor or Data Fiduciary to take reasonable security safeguards to prevent personal data breach will invite fines of up to Rs 250 crore. The 2019 bill had proposed a penalty of Rs 15 crore or 4% of the global turnover of an entity. In case entities fail to notify the Board and affected Data Principals in the event of a personal data breach or non-fulfillment of additional obligations in relation to children, the proposed fine is up to Rs 200 crore. Non-fulfilment of additional obligations of Significant Data Fiduciary will invite a fine of Rs 150 crore. For children’s data, entities will have to obtain parental consent. A data fiduciary will not track or undertake behavioural monitoring of children or target advertising directed at children.
The bill has not pleased everyone. Non-profit Internet Freedom Foundation (IFF), which conducts advocacy on digital rights and liberties, said the proposed Data Protection Board lacks autonomy and independence. The data fiduciaries no longer have to mention how long they will store user data or if they will share it with third parties. “Consent of a Data Principal will be deemed in certain situations, including for the maintenance of public order, purposes related to employment and in public interest, opening the door to wide and vague interpretation… Like previous versions of the DPDPB grants vast exemptions to governmental agencies.”
Abhishek Tripathi, managing partner of Sarthak Advocates & Solicitors, said the bill appears to be an over-simplified version of the PDP Bill 2019.”Deemed consent provisions arising out of public interest may raise eyebrows, besides the extent of exemptions allowed. An important change relates to the substitution of earlier suggested Data Protection Authority of India with Data Protection Board of India. The functions, and composition of the Board are to be determined via delegated legislation. This may face constitutional challenge as it is a case of excessive delegation,” said Tripathi.
BILL PROPOSES FINE OF Rs 10,000 ON INDIVIDUALS
Bill not only penalises entities for data breach, it proposes to impose fine of Rs 10,000 on individuals for providing false information, impersonating and filing frivolous complaints against social media. For the first time, the government has used ‘her’ and ‘she’ to refer to individuals