A Dawn of India’s Data Protection Law: Synopsis
1. Applicability: It applies to the processing of digital personal data (DPD) collected within the territory of India, or outside the territory of India if the profiling (processing, analysing, predicting, assessing) relates to data principals in India. It covers data collected online as well as data collected offline that is digitized.
2. Key Terms:
a. Data Fiduciary: any person who determines the means and purpose of processing personal data.
b. Data Processor: any person who processes personal data on behalf of data fiduciary.
c. Personal Data: means any data about an individual who is identifiable by or in relation to such data.
d. Board: means Data Protection Board of India established under this bill.
e. Data Protection Officer: an individual appointed by a significant data fiduciary.
3. Principles of Data Protection:
a) Consent: The consent given by data principals must be free, specific, informed and clear.
b) Storage: The data fiduciary must stop retaining the personal data of a data principal once the purpose for which the personal data was collected has been achieved/satisfied and retention is no longer needed.
c) General obligations of the data fiduciary: obligations regarding the accuracy, transparency and accountability of personal data, and its collection, processing, retention, deletion or removal, are also covered in the bill.
3A. Deemed consent:
The bill introduces the concept of deemed consent, which applies when the data principal voluntarily provides personal data to the data fiduciary and there is a reasonable expectation that the data would be provided, for the performance of any function under any law, or for receiving any benefit or service, medical, law etc.
4. Rights of Data Principal: The bill provides the data principal with several rights: the right to confirmation of and access to personal data; the right to nominate any other person in case of certain events such as death or incapacity; the right to correction and erasure of personal data; and the right of grievance redressal.
5. Duties of Data Principal: The bill also casts a duty on the data principal to comply with applicable laws while exercising rights under the bill, not to register any false grievance under the bill, not to suppress any material information, and to furnish only such information as is verifiably authentic when exercising the right to correction or erasure under this bill.
6. Compliance Framework: The current Bill institutes a Data Protection Board of India (‘DPBI’, ‘the Board’). The primary function of the Board shall be to give effect to the provisions of the 2022 Bill. It shall also be the public-facing authority, which can provide remedies to the aggrieved.
7. Penalties: The limit of the financial/civil penalties imposed has been increased significantly under the current Bill to strengthen the enforcement of its provisions. The current Bill is the first to introduce penalties on data principals. If data principals register a false or frivolous grievance, furnish any false particulars or suppress any material fact, they will be fined up to INR 10,000/-. The penalty imposed on a data fiduciary for failing to adopt reasonable security practices to prevent or mitigate a breach of personal data is up to INR 500 Crores.
8. Data Localisation: The current Bill entirely removes the concept of data localisation. Instead, the Centre will release a list of geographical territories and countries where such personal data may be shared, after an assessment of certain factors and on specified terms and conditions.
9. Key Challenges: The Digital Data Protection Bill 2022 is the first statute of its kind to govern personal data protection in India. The bill has its own pros and cons in provisions such as deemed consent, exemptions for statutory and governmental authorities, the concept of key data profiling, data localization, and the exclusion of sensitive personal data. The most critical challenge foreseeable is the implementation of the entire bill in its true spirit, as these laws are highly stringent in their European and US counterparts.
10. Comparison between GDPR-EU and The Digital Data Protection Bill 2022
| Sr. No | Particulars | GDPR (EU) | The Digital Data Protection Bill 2022 |
|---|---|---|---|
| 1 | Scope | It is applicable to organisations that have an establishment in the EU or that process personal data in relation to offering goods or services, or monitoring behaviour, in the EU. | The scope of the Bill 2022 (DDTB) is wider, as an organization may fall within scope simply by processing personal data in India. |
| 2 | Terminologies | Data Controller, Data Subject, Data Processor | Data Principal, Data Fiduciary, Data Processor |
| 3 | Children’s Data | Age for determining whether an individual is a child or not: 16 years | Age for determining whether an individual is a child or not: 18 years |
| 4 | Significant Data Fiduciaries | Not applicable | Significant Data Fiduciaries are classified on the basis of certain factors such as the volume and sensitivity of personal data processed, risk of harm, potential impact on the sovereignty and integrity of India, and other factors. |
| 5 | Implementation | GDPR (EU) is one of the toughest privacy laws. | This is a unique framework, and it is expected to be implemented in a stringent manner. |