Center's Ministry of Electronic and Information Technology recently tabled another version of data protection bill called Digital Personal Data Protection Bill, 2022. This is the fourth instance when center presented the bill on data protection. After the Supreme Court judgment in Justice K.S Puttuswamy (Retd) v. UOI & others, 2017, government set up a parliamentary committee under chairmanship of Justice B.N Srikrishna that advance its report along with a Draft Data protection Bill in 2018. The bill was never enforced and the revised version was introduced as Personal Data Protection Bill (PDP Bill), 2019.

The PDP Bill was consequently referred to the Joint Parliamentary Committee and the committee on PDP Bill submitted a report accompanied by the Draft Data Protection Bill, 2021 which was scrapped by the center and the current bill on data protection came in 2022.

The advent of the General Data Protection Regime ("GDPR") was a watershed moment for the European Union and was also the first formal recognition of data as a vital resource in the digital economy and established a comprehensive data protection and privacy regime. Since then, the global conversation on data protection and privacy has expanded, notable examples being California's Consumer Privacy Act and South Korea's updating of its Personal Information Protection Act.

As per the UN, India is set to be the most populated country in the world in 2023. The growing population implies growing interactions with digital devices and the internet, consequently resulting in a humongous amount of generated digital data by the users or the "data principals."

This data, which is largely available on the internet, can be effectively accessed and used by the mega-companies or organizations which are referred to as "data fiduciaries" sometimes even without intimidating the data privacy and infringing their Right to Privacy which is a fundamental right under Article 21 of the constitution.

These data fiduciaries generally have very strong bargaining power to the extent they can influence the economy of a country. The Digital Data Protection Bill, 2022, provide a provision of right and duties of data principles so that the disproportionate power of data fiduciaries vis-�-vis data principles get addressed.

There is also another sub-category of data fiduciaries called the 'significant data fiduciaries' which, depending upon the extent of volume and sensitivity of the information processed, turnover of the data fiduciary, the risk of harm posed by processing, use of new technologies for processing, the processing of data relating to children or provision of services to them etc. are required to register themselves with the Data Protection Authority (Authority), proposed to be established under the Bill 2022.

Significant Data Fiduciaries are required to meet certain additional compliances including appointment of a data protection officer, undertake data protection impact assessment and maintain accurate and up to date records in the form and manner specified.

Data processors are persons that are involved in the processing of personal data, including activities such as collection, recording, organization, storage, etc. or otherwise making available, restriction, erasure or destruction, who do such processing on behalf of the data fiduciaries.

Applicability of the Bill
The Bill applies to processing of digital personal data within India and processing related to offering goods and services and profiling of Data Principals within India, it does not highlight whether it would apply to any individual whose personal data is processed within the territory of India.

Privacy notice

The Bill requires Data Fiduciaries to provide Data Principals with a notice stating the personal data collected and the purpose of processing. The Bill should also consider inclusion of elements such as details of Data Fiduciary, information about the third parties with whom the personal data has been shared with, and any other such information that would help the Data Principal to make an informed decision.

The provision of providing notice to the data principals have retrospective application where the Data Fiduciary is required to provide the itemised notice to the Data Principal who has given her consent prior to commencement of the Bill within reasonable time. This retrospective application would be challenging for Data Fiduciaries who had processed personal data based on consent of the Data Principal.

Non-automated means

The provisions of the Bill do not apply to non-automated processing of personal data. This could lead to exclusion of number of Data Fiduciaries who do not carry out processing of personal data by automated means.

Breach notification

In the event of data breach, the Bill imposes an obligation on Data Fiduciary and the Processor to notify each affected Data Principal. But the Bill doesn't specify any particular time period in which the Data Fiduciary is required to inform the Data Protection Board and data principal regarding the breach.

Rights of Data Principal

One of the significant aspects of the Bill 2022 is the rights granted to the Data Principal with respect to processing of their personal data. Apart from other basic rights such as obtaining of consent, provision related to notice, etc. data principal will enjoy the following right:

• Right to seek confirmation on whether the data fiduciary is processing or has processed data of personal data principal and further right to access personal data processed and a summary of such data;
   
• Right requiring data fiduciary to correct misleading or inaccurate data and to seek erasure of personal data when purpose of collection is satisfied or when consent is withdrawn;
   
• Right to grievance redressal where the Data Fiduciary is required to respond to the grievance of Data Principal within 7 days or shorter period that may be prescribed. If the data principal is not satisfied with the response, may register a complaint with the board in manner prescribed; and
   
• Right to nominate a representative in case of incapacity or death of the Data Principal to exercise their right.

Duties

The peculiar feature which is special to the current bill is the set of duties imposed on the data principals in clause 16. As specified in Schedule 1 of the bill, non-compliance with any of the sub-clause of clause 16, a penalty of 10000 may be imposed on the data principal.

Cross Boarder data transfer

The Bill has eased the cross-border data transfer requirement where the Data Fiduciaries can transfer the personal data to other countries that are notified by the Central Government. Further, eliminated the requirement to store sensitive personal data within India.

Compliance Requirement

The following fundamental compliant procedure need to be undertaken by organisation for smooth privacy journey:

• Appointment of Data Principal Officer and publishing the business contact
• Privacy notice to inform data principal
• Information to data principal about types of personal data and the purpose of collection
• Designing and implementing privacy policies and procedure
• Enforcing templates for responding to Data Principal Rights Requests
• Implementing a procedure to redress the grievances of Data Principals
• Implementing technical and organisational measure and reasonable security safeguards
• Involving a data processor if required pursuant to valid contract
• Maintaining Personal Data Breach notification templates for Board and Data Principal
• Undertaking Data Impact assessment
• Appointment of Independent Data Auditor
• Penalties on Non-Compliance

The DPDP Bill prescribed upper limits on the financial penalty for non-compliance and the same has been limited to not more than INR 500 cores. Further Schedule I of the Bill lays down different penalties for different categories of non-Compliance.

Impact on Industries
Firstly, large scale, consumer centric organisations, which include telecommunication, healthcare, banking and financial and e-commerce that process personal data in large scale are likely to encounter stringent obligations than others due to parameters such as volume and sensitivity of personal data being explicitly highlighted in the bill, Secondly, this Bill has excluded data localisation requirements which will help in enabling small, medium and large enterprises to store data across geographies resulting in reduction of costs and time spent on localised data storage, and thirdly, this Bill provides greater emphasis to digitise personal data.

Key Difference between GDPR and DPDP

The DPDP Bill shall be implemented in a phased manner, i.e., different dates of enforcement shall be accorded to different sections, unlike the GDPR which was implemented in toto and provided two years for ensuring compliance. Further, the DPDP Bill provides for an implied obligation to address grievances within seven days, unlike the GDPR which provides for a time period of one month, further extendable to two months on grounds of complexities.

The concept of "Significant Data Fiduciary" is novel to the DPDP Bill, and the GDPR finds no mention of such classification.