The central government drafted a bill in 2018 to ensure digital privacy for individuals and businesses relating to their data and cement trust between people and entities processing data. The Data Protection Bill, as it was called, was initially proposed in 2018 and tabled by the Ministry of Electronics and Information Technology. The Bill introduced several guidelines for protecting personal data and proposed the establishment of the Data Protection Authority of India.
The initial draft of the PDP Bill provided a robust set of provisions for both domestic and international organizations involved in data processing and other factors related to anonymized data. However, the drafters still welcomed recommendations to make the bill more practical. After considering all recommendations suggested by the cabinet, the revised Personal Data Protection Bill came out in 2019.
Some key provisions that the revised Bill aimed to provide:
- Specification of the flow and usage of personal data.
- Ensuring fundamental rights of those whose personal data are processed.
- Creation of a framework for organizational measures in the processing of data.
- Laying down norms for social media intermediaries.
- Remedies for unauthorized and harmful processing.
The Bill faced criticism from Justice B. N. Srikrishna, who drafted the 2018 Bill. He said the revisions could turn India into an “Orwellian State.” The term describes a societal condition that is driven by propaganda and disinformation and is destructive to welfare. He said, “the government can at any time access private data or government agency data on grounds of sovereignty or public order. This has dangerous implications.” Further, Jaiveer Shergill, a renowned Supreme Court lawyer, also expressed his concerns about the gaps in this version of the Personal Data Protection Bill.
Following the previous draft’s criticism and the need for a more comprehensive version, the Bill was withdrawn on August 3, 2022.
The government unveiled the first draft of the revised Digital Personal Data Protection (PDP) Bill 2022 on November 18. The 2022 bill will focus on predefined principles that form the foundation of personal data protection and will inculcate a better understanding of data protection among the public and businesses. Fundamentally, the bill divides the parties involved in any situation related to processing digital personal data into two sides: a data fiduciary and a data principal.
The obligations of a Data Fiduciary
The Personal Data Protection Bill describes a “Data Fiduciary” as a person (or group of people) who determines the purpose and the means of processing data. There are several general obligations that a data fiduciary must follow while processing any personal data. First and foremost, a data fiduciary is responsible for complying with this Bill’s provisions while processing data or hiring a data processor on its behalf.
Secondly, a data fiduciary shall ensure that the processed information is “accurate and complete” if it is to be utilized for decision-making or passed on to someone else. The fiduciary shall protect the data in its possession and notify the regulatory Board in case of a data breach. Lastly, the fiduciary can only process data if the data principal has given consent.
The rights and duties of a Data Principal
The Personal Data Protection Bill describes a “Data Principal” as an individual whose personal data is to be processed. In the case of a child, the parents become the principal. The Bill provides for several rights and responsibilities that a data principal must have. Some of these rights include:
Right to Information about Personal data: As per this provision, the data principal shall have the right to obtain confirmation whether the fiduciary is processing or has processed the data. They can also request a summary of the processed data.
Right to correction and erasure of personal data: Under this provision, a principal shall request correction and erasure of their personal data while complying with the applicable laws. In such a request, the fiduciary is obliged to correct/complete/update/erase the requested data. Moreover, the data principal also has the right to grievance redressal if unsatisfied with the fiduciary’s responses.
While data principals have many protective rights, they must also abide by some duties. A data principal shall comply with all the Personal Data Protection Bill provisions and under no circumstances furnish any false or misleading information or impersonate another person. All the necessary information should also be verifiably authentic; only then can the data principal exercise their rights to correction or erasure under this Bill.
Under the 2022 draft, compliance will be overseen by a Board called the Data Protection Board of India, to be established by the Central Government. The Board shall allocate work, receive grievances, and pronounce decisions digitally. It is the Board’s responsibility to ensure compliance with all provisions of this Act, act on valid principal grievances, and manage fiduciaries.
The latest Personal Data Protection Bill has successfully reworked some gaps in the prior legislation by incorporating hefty penalties for non-compliance and has relaxed specific rules on cross-border data flows that could be significant for large-scale enterprises. However, there are a few potential red flags. The Bill provides a near-blanket exemption for government-owned agencies from complying with some of the requirements. Additionally, the Bill suggests a dilution of the proposed Data Protection Board.
MeitY is optimistic that the latest Personal Data Protection Bill strikes a balance between fiduciaries and principals while staying aligned with the Supreme Court’s ruling on privacy and related fundamental human rights. The Ministry also invites public feedback on the draft until December 17, 2022.