On November 30, 2022, I attended the DSCI conference in the bustling city of Mumbai, India. The conference was held to gather input from leading industry representatives on the recently released Digital Personal Data Protection Bill 2022 [DPDPB 2022]. The group consisted of several individuals from different industrial sectors like Fintech, Cybersecurity Consulting, Auditing, Marketing etc. The conference helped me gather insight into the bill as we discussed each chapter, both the positives & negatives, from different industry perspectives. This article is written to provide a breakdown of the bill.
The Digital Personal Data Protection Bill 2022 [DPDPB 2022], also known as the “Data Protection Bill,” is a piece of legislation that was released on 18th November 2022 by the Ministry of Electronics and Information Technology (MeitY). It aims to regulate the collection, processing, and storage of personal data in the digital sphere. The bill has been a topic of discussion and debate in recent years, as it seeks to address the increasing concerns surrounding data privacy and security in the digital age. The 2022 Bill was released after a series of tempestuous turns in the legislative process, starting from the first draft of the Personal Data Protection Bill, 2018 to the Personal Data Protection Bill, 2019, which underwent a comprehensive review by the Joint Parliamentary Committee (JPC). The 2019 Bill was withdrawn in August 2022.
Before I began writing the article, I wanted to understand the impact of a data breach, mainly the financial impact, and I came across the recent report from IBM [2022]. As per this report, the cost of a data breach has reached an all-time high, averaging USD 4.35 million globally, and the cost in India is estimated at an average of USD 2.32 million. The global average cost of a data breach for the critical infrastructure organizations studied was USD 4.82 million. This helped me understand the gravity of incidents like the most recent ransomware attack on the All India Institute of Medical Sciences (AIIMS).
Here’s my analysis on the Data Protection Bill:
- The Data Protection Bill is applicable to automated processing of digital personal data, which is either collected from Data Principals online or personal data which is collected offline but later digitized. The law is also applicable to processing of digital personal data outside the territory of India, for profiling of Indian residents or for providing goods or services to Indian residents. The law is not applicable to non-automated processing, processing of offline personal data, processing for personal or domestic use, and personal data in existence for at least 100 years.
- Since the applicability is restricted by the term “automated”, which is defined in the Bill's definitions as a digital process operating automatically in response to instructions, this raises the question of whether the definition is in line with the globally applied and understood definition of automated processing.
- a. There is no explicit definition of the term “digital” as digital personal data is under the scope of the law. It is also unclear if the bill will apply to mechanical and semi-automated data processing.
- The Data Fiduciary obligations include providing clear notice, in plain and simple language and in an itemized manner, for the collection, processing, and use of the personal data of the Data Principal. The notice/request for consent should be available in English and any language specified in the Eighth Schedule to the Constitution of India, along with the contact details of a Data Protection Officer or any other authorized personnel whom the Data Principal can contact to exercise their rights.
- The Data Principal has the right to withdraw their consent at any time, and if they do so, the Data Fiduciary is responsible for ceasing processing of the personal data of the Data Principal. However, there is no time limit defined in the bill for the Data Fiduciary to cease processing.
- a. The 2022 Bill includes the use of Consent Managers, who are Data Fiduciaries as well, enabling Data Principals to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform. Every Consent Manager is required to be registered with the Data Protection Board of India [Board].
- b. The concept of Deemed Consent has been included in the 2022 Bill: a Data Principal is deemed to have given consent to the processing of their personal data if such processing is necessary in situations like public interest, issuance of a certificate under law, compliance with any judgement or order by law, medical treatment during an epidemic or other disaster, employment, credit scoring, recovery of debt, operation of search engines over publicly available personal data, etc. There is a wide area of ambiguity here, as any number of data processing scenarios could fall under the deemed consent sphere of the law. The Bill also does not clarify whether deemed consent can be withdrawn by the Data Principal, and what the procedure for such withdrawal would be.
- c. The Data Fiduciary is mandated to obtain parental (lawful guardian) consent before processing any personal data of a child.
- d. The Data Fiduciary is responsible for implementing appropriate technical & organizational controls to protect the personal data collected. Reasonable security safeguards are to be implemented to prevent a data breach. The Data Fiduciary is required to notify the Data Protection Board of India and each affected Data Principal in the event of a data breach. However, there is no time duration specified for the notification.
- e. There are some additional obligations imposed on Significant Data Fiduciaries such as the appointment of a Data Protection Officer based in India, an independent Data Auditor, and the responsibility to undertake measures such as Data Protection Impact Assessment.
- The Rights of the Data Principal include the Right to Information about their personal data, the Right to correction & erasure of their personal data, the Right to grievance redressal (where, if no response is received within 7 days, the Data Principal may register a complaint with the Board) and finally the Right to nominate, in the event of death or incapacity of the Data Principal.
- a. The Duties of the Data Principal require that false personal data shall not be published and that false or frivolous grievances shall not be registered with the Board; a financial penalty of up to Rs. 10,000 is applicable in case of violation of these duties.
- In the Special Provisions chapter of the Bill, cross-border transfers, their applicability & exemptions are detailed. Transfers of personal data outside the country will be permitted to notified countries and territories. This is determined based on the Central Government's assessment of certain factors. The exemptions for this clause include processing of personal data for judicial functions, for prevention of offences, for actions by State instrumentalities, and for enforcement of legal rights.
- a. The Central Government may exempt provisions of this clause if the sovereignty and integrity of India, the security of the State, or friendly relations with foreign States are affected. The Bill also makes the provisions relating to obligations of Data Fiduciaries and rights of Data Principals non-applicable when personal data is processed for enforcing legal rights, for judicial functions, for prevention, detection, investigation, or prosecution of offences, and in case of processing of personal data of non-residents pursuant to a contract.
- b. An exemption can also apply in case the personal data is necessary for research, archiving or statistical purposes, where such data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with standards specified by the Board.
- Another key positive change in the Data Protection Bill 2022 is the establishment of the Data Protection Board of India [Board] instead of an authority. The framework, composition and structure of the Board have been broadly defined. The chapter also focuses on the methods of grievance redressal, review and appeal, dispute resolution and penalties. In terms of the enforcement mechanism, new provisions have been introduced on alternate dispute resolution, such as mediation and voluntary undertakings by entities.
- The final chapter of the Bill outlines the powers that the Central Government holds with respect to making rules, which allows it to amend (increase) the financial penalties that have been imposed under the law. The Central Government has been authorized to make provisions, by an order, within five years of the date of commencement of the Act. It has also been added that in case of inconsistency with other laws, the DPDPB 2022 will prevail to the extent of such inconsistency.
After understanding the 2022 Bill, I wanted to compare it with the previous versions: the Joint Parliamentary Committee (JPC) report on the Personal Data Protection Bill, 2018 and the Personal Data Protection Bill, 2019.
Here are some of the key differences from 2018 JPC Report & 2019 Bill:
- The 2022 bill has omitted non-personal data and anonymized data from the scope.
- The classification of personal data into sensitive personal data or critical personal data has also been omitted in the recent bill.
- There are no obligations defined for social media platforms in the scope of the 2022 bill.
- Transparency and accountability measures such as privacy by design have been omitted from the 2022 Bill.
- The statutory time period of 72 hours for reporting of data breaches is not mentioned in the current Bill.
- Security safeguards such as encryption and access control have not been unambiguously mentioned in the current Bill.
- The right to data portability and the right to be forgotten are not added in the Data Principal Rights in 2022 Bill.
- Along with the omission of the classification of data into sensitive & critical personal data, the mandate on data localization by type of data has also been omitted from the 2022 Bill.
- Financial penalties have been increased and other specifications, like the penalty for Data Principals, have been added. The summary of applicable penalties is:

| Sl. No. | Type of Non-Compliance | Penalty |
|---|---|---|
| 1 | Failure of Data Processor or Data Fiduciary to take reasonable security safeguards to prevent personal data breach. | up to Rs 250 crore |
| 2 | Failure to notify the Board and affected Data Principals in the event of a personal data breach. | up to Rs 200 crore |
| 3 | Non-fulfilment of additional obligations in relation to Children. | |
| 4 | Non-fulfilment of additional obligations of Significant Data Fiduciary. | up to Rs 150 crore |
| 5 | Non-compliance with Data Principal Duties. | up to Rs 10 thousand |
| 6 | Non-compliance with provisions of this Act other than those listed above, and any Rule made thereunder. | up to Rs 50 crore |
Now that I understood the Data Protection Bill in detail, the obvious next question that came to mind was: how is the DPDP Bill 2022 different from, or similar to, other data protection/privacy standards in the world? Now that the world is slowly understanding the gravity of having inadequate controls for protecting our data, many countries have established different data protection laws/regulations. One such regulation that we all turn to for guidance is the General Data Protection Regulation [GDPR].
So, here is my comparison between GDPR & DPDPB 2022:
| Sl. No. | GDPR | DPDPB 2022 |
|---|---|---|
| 1 | This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. | The Data Protection Bill is applicable to automated processing of digital personal data, which is either collected from Data Principals online or personal data which is collected offline but later digitized. |
| 2 | This Regulation applies to the processing of personal data by an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. It also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union. | As per the Data Protection Bill, transfers of personal data outside the country will be permitted to notified countries and territories, with certain exemptions detailed in the law. |
| 3 | As further protection for consumers, the GDPR also calls for any personally identifiable information (PII) that sites collect to be either anonymized (rendered anonymous) or pseudonymized. | The Data Protection Bill has omitted non-personal data and anonymized data from the scope. |
| 4 | As per GDPR, controllers must notify the DPA of a breach within 72 hours. The same applies to Data Processors as well. | The Data Fiduciary is required to notify the Data Protection Board of India and each affected Data Principal in the event of a data breach. However, there is no time duration specified for the notification. |
Overall, the Digital Personal Data Protection Bill 2022 is a significant step forward in terms of regulating the collection and processing of personal data in the digital sphere. It is intended to give individuals greater control over their personal data and to hold companies accountable for the way they handle and use that data. While the implementation of the bill may require some adjustments from companies, it is ultimately aimed at creating a safer and more secure digital environment for all.
However, what should organizations do to ensure they are prepared to meet the requirements of DPDPB 2022?
First things first, organizations need to proactively start working towards achieving compliance to the regulation, and not wait for the implementation time limit from the government!
We, at Network Intelligence, understand the difficulties and challenges when it comes to complying with a government regulation. Our approach to helping organizations achieve compliance with any regulation is always customized for the specific organization based on the nature of their business and, most importantly, their values and culture. When we look at the Digital Personal Data Protection Bill 2022, the following are the areas where Network Intelligence can assist an organization in achieving compliance.
- Develop methodologies, standards and policies for data collection & processing, based on the nature of the responsibility (Data Fiduciary, Data Processor, etc.).
- Classify the data collected into Personally Identifiable Information (PII) and Sensitive Personal Information (SPI).
- Create a data flow for each type of data that is collected & processed by the organization.
- Conduct Data Privacy Impact Assessments [DPIA].
- Assist in documenting & implementing roles and responsibilities for a Data Protection Officer [DPO].
- Provide awareness training for the organization on data protection and privacy concepts & requirements.
- Assist in providing inputs for automation in managing data wherever possible, such as DLP implementation.