The Ministry of Electronics and IT (MeitY) on Friday released a new draft of the data protection bill, called the Digital Personal Data Protection Bill, 2022. It has provisions on ‘purpose limitations’ around data collection, grounds for collecting and processing personal data, relaxation on cross-border data flows, and imposes a hefty penalty on businesses that violate provisions of the Bill. Here are the top things it covers.
The bill is based on seven key principles
According to an explanatory note for the bill, it is based on seven principles. The first one states that “usage of personal data by organisations must be done in a manner that is lawful, fair to the individuals concerned and transparent to individuals.” The second principle states that personal data must only be used for the purposes for which it was collected.
Next, the third one revolves around minimisation of data, while the fourth one focuses on data accuracy in terms of collection. The fifth principle makes it clear that the data cannot be “stored perpetually by default,” and storage should be limited to a fixed duration. The sixth principle states that proper precautions should be put in place to ensure there is “no unauthorised collection or processing of personal data.”
Lastly, the seventh one is that the person who decides the purpose and means of the processing of personal data should be accountable for such processing.
Rights to erase data, obtain info about the data collected
The bill also introduces certain rights for individuals with regard to their data. Every individual should be able to obtain certain basic information about her personal data. Recognising this, confirmation of processing, a summary of personal data, disclosure of the identity of Data Fiduciaries with whom personal data has been shared, etc. have been included within this right to information.
Data Fiduciary here refers to the entity (an individual, company, firm, state, etc.) that decides the “purpose and means of the processing of an individual’s personal data.” The bill further specifies the right to file a complaint with the Data Fiduciary, and the right to file a grievance with the Data Protection Board in case of a lack of response or an unsatisfactory response, as specified in the Bill.
Moreover, Data Principals will have the right to demand the erasure and correction of data collected by the Data Fiduciary. Data Principal here refers to the individual whose data is being collected. They will also have the right to nominate an individual who will exercise these rights in the event of the death or incapacity of the Data Principal.
Significant Data Fiduciaries
The bill further talks of ‘Significant Data Fiduciaries’, which deal with high volumes of personal data. The Central government will determine which entities fall under this category, based on a number of factors ranging from the volume of personal data processed and the risk of harm to the potential impact on the sovereignty and integrity of India.
The bill says that such entities will have to appoint a ‘Data Protection Officer’ who will represent them and will be the point of contact for grievance redressal.
Permission for data flows across borders
It has been provided in the Bill that “personal data may be transferred to certain notified countries and territories”. An assessment of relevant factors by the Central Government would precede such a notification, says the explanatory note.
Formation of Data Protection Board
The bill further proposes the formation of a Data Protection Board. It will be the body tasked with enforcement of the provisions of this Act. “A digital by design compliance framework is the need of the hour particularly when it comes to digital personal data”, reads the note.
Hefty Financial Penalties
The bill further proposes to impose a hefty penalty on a Data Fiduciary that fails to comply with the obligations mentioned in the bill, suffers a data breach, or fails to notify users in case of a breach.
The draft proposes a penalty of up to Rs 500 crore in case the Data Fiduciary or Data Processor (which would process data on behalf of the fiduciary) violates the provisions proposed under the draft Digital Personal Data Protection Bill, 2022.
“If the Board determines at the conclusion of an inquiry that noncompliance by a person is significant, it may, after giving the person a reasonable opportunity of being heard, impose such a financial penalty as specified in Schedule 1, not exceeding rupees five hundred crore in each instance,” the draft said.
The draft calls for a graded penalty system for Data Fiduciaries, which may process the personal data of data owners only in accordance with the provisions of the Act.