LegalBots.in
LegalBots.in
  • Home
  • About
  • Jobs
  • Events
  • Courses
  • Exams
  • Blog
  • Recruiter
  • Pricing
Sign In
Applicant Recruiter/Advertiser

Digital Personal Data Protection Bill 2022

Go back
  • Sumasri Sumasri
  • Mar 17, 2023
Share on Facebook Share on Twitter Share on LinkedIn Share to Whatsapp
Report an Issue   
Digital Personal Data Protection Bill 2022

‘Privacy’ has become a hot topic of discussion in recent times. This is particularly so in light of rapid digitisation and gross breach of privacy of individuals, by organisations collecting and processing personal data to benefit themselves. India as such hasn’t had any data privacy legislation. In the year 2017, there was a need for privacy legislation expressed in the Puttaswamy judgement.[1] For privacy laws, we have so far relied on the IT Act, of 2000 which doesn't meet present-day needs. Initially, the central government introduced the Personal Data Protection Bill in 2018, which was then passed on to the “Justice BN Srikrishna committee” for examination. But owing to a few shortcomings in the Bill, it was shelved. In the year 2019,  the legislature introduced a fresh bill with quite a few changes. The purpose of this 2019 Bill was to provide for the protection of the privacy of individuals relating to their personal data and to establish a Data Protection Authority of India for the said purposes and the matters concerning the personal data of an individual.

However, amid the versions of the Personal Data Protection Bill that were proposed in 2018 and 2019, each received extensive scrutiny from experts across the country and alarmed tech giants with requirements such as data localization. After receiving 81 amendments from the Joint Parliamentary Committee, the 2019 bill was withdrawn in August 2022, amid promises of a new bill that fits into India's comprehensive legal framework. 

 

Digital Personal Data Protection Bill 2022

India's Ministry of Electronics and Information Technology proposed new privacy legislation, the Digital Personal Data Protection Act, 2022.[2] The Ministry of Electronics and Information Technology of the Government of India published the draft Digital Personal Data Protection Bill, 2022 on 18 November 2022 for public consultation, which was open until 2 January 2023. The draft bill aims to enable personal data processing while recognizing individuals' rights and "the need to process personal data for lawful purposes." It allows cross-border data transfers with "certain notified countries and territories" and establishes a Data Protection Board to oversee compliance and impose penalties, stated not to exceed 5 billion rupees.

As the name suggests, the scope of the Digital Personal Data Protection Bill 2022 is restricted to processing digital personal data within the territory of India. As such, all offline personal data and anything not digitised will be exempt from the purview of this legislation. Such a scope carves out a large number of processing operations still relying on paper forms as the default mechanism of data collection. Additionally, the bill remains silent on the governance of digitised paper records.

 

Rights and Duties

The data principals may exercise certain rights with respect to their personal data:

  • right to information about personal data including information regarding the status of processing, a summary of processing activities, and identities of all the data fiduciaries with whom the personal data has been shared along with the categories of personal data so shared

  • correction and erasure of personal data;

  • right to grievance redressal; and

  • right to nominate any other individual to exercise the above-mentioned rights under the draft Bill in the event of the data principal's death or incapacity

To protect businesses, the draft Bill imposes certain duties upon data principals, including prohibiting them from registering a false or frivolous grievance or complaint with a data fiduciary and from providing false information or suppressing material information. A penalty of up to Rs 10,000 may be levied on data principals for the failure to comply with their duties.

 

The Data Protection Board

A Data Protection Board of India is proposed to be established under the draft Bill. The Board will function as an independent body and will function digitally, however, the exact composition and other aspects of the Board are to be further elaborated and prescribed by the Central Government. The functions of the Board would include the determination of non-compliance; imposition of penalties; and directing the adoption of urgent remedial measures in cases of personal data breaches. Orders from the Board will be deemed to be decrees made by a civil court and may be appealed to the High Courts. Also, if the Board is of the opinion that any complaint may be appropriately resolved by mediation or other processes of dispute resolution, the Board may direct the concerned parties to attempt resolution of the dispute through mediation.

 

Breach of data

The draft Bill defines 'personal data breach' as 'any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data'.

The draft Bill obligates the data fiduciary or the data processor to notify the Board and the affected data principals in the event of a personal data breach. The obligation to notify data principals does not exist under Indian law currently. The data fiduciary and the processor may contractually determine who is responsible for undertaking the reporting obligation. Further, the draft Bill proposes a penalty that may extend up to Rs 2 billion for non-compliance with this requirement.

 

Transfer of data outside India

Personal data can be transferred to only those countries which are notified by the Central Government in accordance with terms and conditions as may be prescribed. At present, there is no foreseeability on the basis of the factors in which countries may be notified. While the draft Bill does not expressly allow the transfer of personal data outside India, it provides that the Central Government may whitelist certain countries or territories outside India. The draft Bill itself does not throw light on the factors based on which countries or territories will be whitelisted, nor the types of personal data that may be allowed/restricted to be transferred.

Post the Government's receipt of public comments and feedback, it is expected that the draft Bill will be tabled before Parliament in 2023 and is expected to become law in August 2023, as orally remarked by the Minister of Electronics and Information Technology of India.

 

 


[1] K. Puttaswamy v. Union of India (2017) 105 SCC 1

[2]https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Potection%20Bill%2C%202022_0.pdf


 

×
  • Home
  • About
  • Jobs
  • Events
  • Courses
  • Exams
  • Blog
  • Recruiter
  • Pricing

  Applicant

  • Login
  • Register
  • Forgot Password

* By proceeding you agree to our Privacy Policy and Terms of Use
*
*
*
*
Password should contain one upper case,one lower case,one number and one special character with 8-30 characters.

* By proceeding you agree to our Privacy Policy and Terms of Use

  Advertiser

  • Login
  • Register
  • Forgot your password

* By proceeding you agree to our Privacy Policy and Terms of Use
*
*
*
*
Password should contain one upper case,one lower case,one number and one special character with 8-30 characters.

* By proceeding you agree to our Privacy Policy and Terms of Use
  • about
  • privacy
  • terms of use
  • careers
  • contact us
  • sitemap

© 2021 Botmatrix Services Private Limited. All Rights Reserved.