The personal data protection Bill gets it right on most counts. A transitory period of 24 months to align infrastructure, processes, etc, with the law and de-linking non-compliance by data processors from data fiduciaries, though, can be considered
By Dev Bajpai
The stated purpose of the Digital Personal Data Protection Bill, 2022 (the Bill) is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes. It establishes the primacy of the right of the individual to protect her personal data and privacy, a fundamental right. This primacy sets the tone, and many provisions flow from this thought and reflect a sense of fairness to the data principal (the person whose data is being processed). The Bill is a simple yet comprehensive piece of legislation, fairly well-drafted, and in sync with the digital economy that we are fast becoming. India has close to 700 million Internet users, and this number is likely to cross the 900 million mark by 2025. It is the largest connected democracy in the world and will, in the near future, become one of the leading per capita data-producing and consuming economies. With the government’s ambitious $1 trillion digital economy goal, this Bill could not have come at a better time or, more importantly, in a better shape and form than it is in. The Bill has referred to the individual (data principal) as “she”/“her” irrespective of gender. This is the first time in the legislative history of our country that “his” stands replaced by “her”. It might look symbolic, but it is a giant step forward to establishing equity, diversity, and inclusion in our policy and rule-making. Hopefully, this Bill is the start, and other legislations will follow suit. The Bill is also refreshing in using illustrations to bring home certain concepts; this is important in our country because of the low awareness of personal data processing and rights associated therewith.
Data is a mutually beneficial asset, and accountability should be the currency. When it comes to personal data, it has to be processed responsibly and sensitively in an ecosystem that is increasingly becoming digital—which the Bill ensures. Keeping the purpose in mind, the Bill adequately safeguards the interest of data principals. It simplifies the subject at this nascent stage by defining only “personal data” and not segregating the same into sensitive personal data and critical personal data. The Bill’s scope is only to cover digital processing and offline personal data that is digitised.
This brings about simplicity. Personal data can be processed only for lawful purposes and with consent or “deemed” consent of the data principal. The concept of deemed consent is a new introduction and helps in removing consent fatigue. The data fiduciary (person who controls the processing of such data) may transfer personal data outside India to those countries that the government may notify. Obviously, this would be based on the adequate protection of such data, equity, simplicity, and reciprocity between countries, all features that any modern law should have.
The right to be forgotten contained in the Bill reinforces the primacy of the data principal’s right to privacy. The enforcement is through the Data Protection Board, and appeals would lie with the High Court. This would be a relatively simpler process to enforce rights. The inclusion of mediation as a means to resolve disputes and voluntary undertakings are welcome steps.
No law or regulation is drafted ‘first time right’ from the perspective of all stakeholders. This Bill comes close to the ideal. A few areas can be considered for inclusion in the proposed law.
First, data privacy and personal data are matters that require a change in behaviour. There should be a transitory period of 24 months for the industry, governments, Data Protection Board, etc, to ensure infrastructure, process, and compliance readiness, as well as, most importantly, awareness, to build a robust privacy culture in the country.
Second, the performance of contracts and legitimate interest should be included as additional grounds for processing, as in other jurisdictions like the EU, Singapore, etc.
Third, the liability for non-compliance by a data processor should not be fastened on data fiduciaries where the data processor has acted outside of or contrary to the instructions of the data fiduciary or has acted negligently. If the data fiduciary has taken adequate steps towards diligence, it would only be correct not to hold the data fiduciary responsible for the acts of the data processor. Holding data processors responsible will bring about shared responsibility towards a stronger data protection regime. The data fiduciary and processor also have a relationship based on mutual trust.
Fourth, in addition to the notified countries for the transfer of data, the law should provide for overseas transfer on the basis of contracts and intra-group schemes as transfer mechanisms to third parties, affiliates, and subsidiaries in non-notified countries, to enable ease of global operations for Indian organisations. The Data Protection Board should act as a sector “facilitator” in addition to being a regulator, given that the adoption of and compliance with this law requires a behaviour change journey.
The Bill has rightfully left several aspects of guidance to be prescribed by way of rules, which will have to be made with the same consultative spirit as this Bill to give India its first modern and contemporary Digital Personal Data law, which will help achieve the purpose with which it is enshrined.
The writer is executive director, legal & corporate affairs, Hindustan Unilever Limited
Views are personal