Digital Personal Data Protection Bill 2022

• The Union Government has released a new version of the Personal Data Protection Bill, now known as the Digital Personal Data Protection Bill, 2022.
• The bill was introduced three months after the Personal Data Protection Bill of 2019.

What is the Bill's Seven Principles for 2022?

• Organisations must use personal data in a way that is legal, fair to the individuals involved, and transparent to individuals.
• Second, personal information must be used only for the purposes for which it was collected.
• The third principle emphasises data minimization.
• When it comes to data collection, the fourth principle emphasises data accuracy.
• The fifth principle states that personal data should not be "stored perpetually by default" and that storage should be limited to a set period of time.
• According to the sixth principle, there should be reasonable safeguards in place to ensure "no unauthorised collection or processing of personal data."
• According to the seventh principle, "the person who decides the purpose and means of processing personal data should be accountable for such processing."

What are the Key Elements of the Digital Personal Data Protection Bill?

Principal and Fiduciary Data:

• The individual whose data is being collected is referred to as the Data Principal.
• In the case of children under the age of 18, their parents or legal guardians will be considered their "Data Principals."
• The entity (individual, company, firm, state, etc.) that determines the "purpose and means of processing an individual's personal data" is known as a data fiduciary.
• Personal data is defined as "any data that can be used to identify an individual."
• Processing is defined as "the entire cycle of operations that can be performed on personal data."

Important Data Fiduciary:

• Significant Data Fiduciaries handle a large volume of personal data. The Central Government will decide who falls into this category based on a variety of factors.
• Such organisations will be required to appoint a "Data protection officer" as well as an independent Data Auditor.

Individual Rights: Information Access:

• Individuals should be able to "access basic information" in languages specified in the Indian Constitution's eighth schedule, according to the bill.
• Individuals must provide consent before their data is processed, and "every individual should know what items of personal data a Data Fiduciary wishes to collect and the purpose of such collection and subsequent processing."
• Individuals may also withdraw consent from a Data Fiduciary.
• Data principals will have the right to demand that data collected by the data fiduciary be erased and corrected.
• Right to Nominate: Data principals will also have the option of naming someone to exercise these rights in the event of their death or incapacity.
• Data Protection Board: The Bill also proposes establishing a Data Protection Board to ensure that the Bill is followed.
• Consumers can file a complaint with the Data Protection Board if they receive an unsatisfactory response from the Data Fiduciary.
• Cross-border Data Transfer: The bill allows for the storage and transfer of data across borders to "certain notified countries and territories," as long as they have a suitable data security landscape, and the government can access data belonging to Indians from there.

Financial Sanctions:

• For Data Fiduciary: The bill proposes severe penalties for businesses that suffer data breaches or fail to notify users when breaches occur.
• Penalties will range between Rs. 50 crores and Rs. 500 crores.
• For Data Principal: A user who submits false documents when signing up for an online service or files frivolous grievance complaints may be fined up to Rs 10,000.
• Exemptions: The government may exempt certain businesses from complying with the bill's provisions based on the number of users and volume of personal data processed by the entity.
• This was done with startups in mind, who had complained that the Personal Data Protection Bill, 2019, was too "compliance intensive."
• National security exemptions have been preserved, as in the previous 2019 version.
• The Centre has been given the authority to exempt its agencies from the Bill's provisions in the interests of India's sovereignty and integrity, state security, friendly relations with foreign states, public order maintenance, or preventing incitement to any cognizable offence.

What is the significance of the Digital Personal Data Protection Bill?

• In contrast to the previous Bill's contentious requirement of local storage of data within India's geography, the new Bill makes significant concessions on cross-border data flows.
• It takes a softer stance on data localisation requirements and allows data transfer to specific global destinations, which is likely to encourage country-to-country trade agreements.
• The bill recognises the data principal's right to postmortem privacy (Withdraw Consent), which was not recognised in the PDP Bill, 2019, but was recommended by the Joint Parliamentary Committee (JPC).

How has India improved its data protection regime?

Union of India vs. Justice K. S. Puttaswamy (Retd) 2017:

• In Justice K. S. Puttaswamy (Retd) vs Union of India, a nine-judge bench of the Supreme Court unanimously held in August 2017 that Indians have a constitutionally protected fundamental right to privacy that is an intrinsic part of life and liberty under Article 21.

2017 B.N. Srikrishna Committee:

• In August 2017, the government appointed a committee of experts for data protection, chaired by Justice B N Srikrishna, which submitted its report in July 2018 along with a draft Data Protection Bill.
• The Report includes numerous recommendations to strengthen Indian privacy law, such as restrictions on data processing and collection, a Data Protection Authority, the right to be forgotten, data localization, and so on.

Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021:

• IT Rules (2021) require social media platforms to be more cautious about the content on their platforms.