Highlights on Data Protection Bill, 2022

With the world going digital and geographical boundaries getting blurred day by day, data plays a very important role.  The digital world contains  `personal, professional and business-related data. These data which are stored in the digital platform is subjected to fraudulent activities like hacking, phishing and identity theft. As the amount of data and storage increases, so is the requirement for the protection of these data. Many countries have identified the requirement of data protection.

An estimated 137 out of 194 countries have put in place legislation to secure the protection of data and privacy, with Africa and Asia showing 61% (33 countries out of 54) and 57% adoption respectively, according to data from the United Nations Conference on Trade and Development (UNCTAD), an intergovernmental organisation within the United Nations Secretariat. Only 48% of Least Developed Countries (22 out of 46) have data protection and privacy laws.

The Indian Government has identified the need for the data protection and introduced "The Digital Personal Data Protection Bill 2022".

The main principles of the Data Protection Bill are

1. The usage of personal data by the organizations must be done in a manner that is lawful, fair to the individual concerned and transparent to the individuals.
2. The personal data should be used only for the purpose for which it is collected
3. Collection of minimal data which is required for the purpose
4. Accuracy of the data when it comes to the data collection
5. The personal data cannot be stored perpetually by default and they should be limited for a fixed duration.
6. Reasonable safeguard to ensure that there is no unauthorized collection or processing of personal data.
7. The person who decides the purpose and means of processing of personal data should be accountable for such processing.

To understand the bill, it is imperative to understand few definitions mentioned in the bill.

• Personal data: "Any data about an individual who is identifiable by or in relation to such data."
• Data Fiduciary: "Any person who alone or in conjunction with other persons determines the purpose and means of the processing of personal data."
• Processing: "An automated operation or set of operations performed on digital personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction."
• Data Principal: "The individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child."
• Data Processor: "Any person who processes personal data on behalf of a Data Fiduciary."
• Person:
  • an individual
  • a Hindu Undivided Family
  • a company
  • a firm
  • an association of persons or a body of individuals, whether incorporated or not
  • the State
  • every artificial juristic person, not falling within any of the preceding sub-clauses

Applicability of the Bill

• Processing of personal data collected within the territory of India – The data may be collected online or may be collected offline and then digitized.
• Processing of digitized data outside India – If the data is collected for the purpose of profiling and is used for selling of goods or services. The term profiling refers to collection of data to understand the interest, behavior or attributes of the Data principal.

Requirement of the Bill

1. The personal data can be processed only by consent or deemed consent
2. Notice must be issued while seeking consent

CONDITIONS FOR CONSENT

• Consent must be freely given, specific, informed and must be a clear affirmative action for the purpose specified in the notice.
• The consent must be obtained in accordance with the Act.
• While seeking consent, contact details of Data Protection Officer must be obtained
• Right to withdraw the consent
• Role of consent manager to be defined and communicated
• Cannot make services conditional on consent when not required
• If challenged in the court, the proof of burden lies with Data Fiduciary.

CONDITIONS FOR DEEMED CONSENT

• The user voluntarily provides their personal data.
• When the State or its agencies needs to perform any function under any law
• For compliance with any court orders or with respect to any judgement under any law
• Providing data for medical emergency
• Providing data to the State to provide medical treatment or health services or to contain outbreak of disease
• For taking measures to ensure safety or to provide assistance or services to individual during disaster
• For sake of public interest defined in the bill

3. Maintaining of accuracy of data: Reasonable efforts should be taken to ensure that the personal data processed is accurate and complete.
4. Prevention and notification of data breaches: Protection of personal data in its possession or under its control by taking reasonable security safeguard to prevent personal data breach.
5. Retention of personal data: Stop retaining personal data or remove the means by which the personal data can be associated.
6. Appointment of Data Protection Officer: Publish the business contact information of a Data Protection officer
7. Grievance redressal mechanism: A procedure and effective mechanism to redress the grievances of Data Principles.

The Data Protection Bill 2022 puts India in a position where the entire digital economy can be viewed through the prism of "trust and protection" and the bill would help the stakeholder to move towards Data-led government and transform India into Digital India. It would help to create analytical models and identify the gaps and then unplug them.