By Sahil Agrawal
The long wait is over. The draft of the Digital Personal Data Protection Bill, 2022, was opened for public discussion on November 19, 2022. It is a much needed step from the government’s side as India has some 290 million social media users, 40 million messaging application users and about 400 million users across various search engines like Google.
The intention of the government in putting the Bill in the public domain is to perpetuate the idea that the right to privacy, as was enunciated in the KS Puttaswamy case, is an important fundamental right. The Bill tries to resolve the issues which were discussed in the Data Protection Bill, 2019. And to some extent, it has been able to resolve them.
The issues raised in the previous Data Protection Bill are:
- Rights of a deceased person: In the Personal Data Protection Bill, 2019, there was no mention of the rights of a deceased or about the exercise of rights of a person in case of death. Hence, a parliamentary committee recommended that clauses regarding the rights of a deceased person be added. DPDP 2022 has a clause which says a data principal must have the right to designate, in the way permitted by law, any other person who, in case of his death or incapacity, shall exercise his rights in accordance with the provisions of this Act.
- Artificial juridical person: The 2019 Bill did not have any clause about an artificial juridical person as a data fiduciary. As a result of that, NGOs were left out of the ambit of the Bill. They could process the data in any form they wanted. This has been sorted out by the Personal Data Protection Bill, 2022, as it talks about the artificial juridical person as a data fiduciary, thereby widening the scope and ambit of the Bill. As a result, NGOs will not be able to misuse the personal data of an individual.
- Data breach: There was no clause in the 2019 Bill regarding the reporting of a breach of personal data to the data principal. As a result, the data fiduciary was not held responsible for informing the data principal of a data breach. In contrast, the Personal Data Protection Bill of 2022 mandates that data fiduciaries should notify the data principal of any data breaches.
- Easy transfer of data: The 2019 Bill lacks an appropriate framework for data sharing with other nations. But the 2022 Bill allows for the cross-border transfer of data to specific nations that have been informed. After considering a number of variables, the government will notify the countries. For large IT giants, this is a win-win situation.
In addition to addressing the flaws in the 2019 Data Protection Bill, this Bill has some unique features such as:
- Women’s empowerment: One of the most striking features of the 2022 Bill is the usage of she/her for all genders. By doing this, it has become the first law in India to use she/her for all the genders. According to Union Minister of Electronics and Information Technology Ashwini Vaishnaw, the reason behind this usage is to propagate the idea of women’s empowerment. He reportedly said: “We have attempted in the philosophy of women’s empowerment that Prime Minister Narendra Modi’s government works to use the words she and her in the entire Bill, instead of he and him and his. So, this is an innovative thing which has been attempted in the Bill.”
- Easy to understand: Another unique feature of the Bill is the usage of plain and simple language. This makes it easy for the data principal to understand the directions given by the data fiduciary. The Bill provides the data principal the ability to revoke her consent at any moment. Data fiduciaries who collect personal data from people must give “itemised notice” in simple and understandable language that includes information about the personal data being sought and why it is being processed. In essence, this Bill makes information more accessible.
- Right to be forgotten: The Right to be Forgotten has been consistently emphasised as a crucial fundamental right and a component of privacy. This concept has already been adopted by the US, Argentina and Germany as part of the right to privacy. The 2022 Personal Data Protection Bill also incorporates the idea of Right to Forgotten. From time to time, courts in India have emphasised the idea of Right to Forgotten.
There is a deluge of false information about consumers of digital platforms in the internet age. When users change their email addresses, phone numbers, or any other information online, there have been occasions when the information has been altered. The Bill has given the user sufficient latitude to request that a digital platform correct any inaccurate information about them in order to address the aforementioned issue. Additionally, the measure mandates that the data fiduciary destroy user data when it is no longer necessary to retain it.
- Hefty fines: The Bill states that if a data fiduciary fails to take adequate security measures to protect users from possible data breach under sub section(4) of Section 9 of this Act, he will have to pay an amount up to Rs 250 crore as penalty. It also says that if the board fails to notify the data principal about the data breach then under sub section (5) of Section 9 of this Bill, it will have to pay an amount up to Rs 200 crore as penalty. The Bill also talks about a penalty of Rs 150 crore when a big data fiduciary breaches their additional legal responsibility under the provisions of the Act. These measures indicate that data fiduciaries must follow the law or risk paying large fines.
- Data protection officer: We occasionally see important rules for large digital intermediaries, such as those in the Information Technology Act of 2021. The Personal Data Protection Bill of 2022, which states that a major data fiduciary must fulfil additional obligations owing to data principal, carries the same tradition. These important data fiduciaries are required to establish the position of data protection officer, who will be answerable to the board of directors. The officer will be a point of contact for any complaints.
The Personal Data Protection Bill, 2022, would be complete after the flaws of the 2019 Bill are fixed and new additions made. Legislation has been long overdue, and now is the time to truly recognise the right to privacy. The Personal Data Protection Bill, 2022 is a step in the right direction towards recognition of the right to privacy as an important fundamental right.
—The writer is a student of Dharmashastra National Law University, Jabalpur