Partner, Lakshmikumaran and Sridharan Attorneys
In 2017, the Supreme Court of India recognized the Right to Privacy as a fundamental right under the Constitution and laid down certain privacy principles relevant to informational privacy (i.e., data privacy). The court also acknowledged the absence of a comprehensive privacy law and noted the gaps in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules), which limit their utility for protecting personal data.
On November 18, 2022, the Ministry of Electronics and Information Technology proposed a new law, the Digital Personal Data Protection Bill 2022. Once passed by Parliament, it would replace the 2011 rules and some portions of the existing law. The Bill proposes obligations for entities (defined as “Data Fiduciaries”) that determine the purposes and means of processing personal data. For example, a company that collects personal data from users for the sale and delivery of groceries determines that the purpose of collection is to facilitate that sale and delivery.
It also aims to regulate entities that process such data on behalf of, and as decided by, a Data Fiduciary (known as “Data Processors”). For example, where an application uses a cloud storage provider to store personal data, the cloud storage provider acts only on the instructions of the company operating the application. Apart from that, the Bill sets out the rights of the individuals to whom the personal data relates (known as “Data Principals”).
What data constitutes personal data under the proposed bill?
Personal data is defined as “data about an individual who is identifiable by or in relation to such data”. It includes directly identifying information such as name and contact details, as well as indirectly identifying information such as vehicle registration numbers, location data, employee codes or similar identifiers. All of these amount to personal data because they help to identify an individual.
Data that does not help to identify an individual is not personal data. An example of non-personal data is usage data, such as time spent on an application or pages visited on a website, held in aggregated form without reference to any specific individual.
What rights does an individual have under the proposed bill?
The proposed Bill does not seek to prevent the use of personal data. It recognises the importance of data to the growth of the digital economy and aims to strike a balance between the rights of the individual and the interests of businesses that use and process personal data.
This is done through a series of obligations with which companies must comply. Personal data may be processed only after obtaining consent, where consent is deemed under the Bill, or where a law requires the data to be processed. The proposed Bill also gives individuals various rights that they can exercise against apps and websites in relation to their personal data.
The rights of individuals available under the proposed bill are as follows:
(A) Right to information about processing and summary of their personal data
Individuals have a right to know whether personal data about them is being processed or has been processed by a company, and how it is being processed. This is one of the most important prerequisites for understanding the company’s role in processing and for exercising the other individual rights.
(B) Right to a summary of personal data and of third-party sharing
Building on the above right, an individual may seek a summary of their personal data being processed (or that has been processed) and of the processing activities being (or that have been) undertaken by the company. In addition, an individual may seek the identities of the third-party companies with whom their personal data has been shared and the categories of data shared. Once aware, individuals may withdraw their consent if they do not wish their data to be processed. This is one of the most important rights available to individuals.
(C) Right to correction and erasure
Individuals have a right to have their personal data corrected or erased. This right allows individuals to:
1. Correct inaccurate or misleading personal data, such as rectifying the spelling of their name or other personal details;
2. Complete incomplete personal data, such as a missing PIN code in a postal address;
3. Update personal data, such as their mobile phone number, email address or other contact details; and
4. Erase personal data that is no longer required for the purpose of processing, unless retention is required for a legal purpose. For example, personal data collected for order fulfilment by an e-commerce application may be deleted after the order is delivered, unless the law requires it to be retained for a specified period.
By comparison, the existing law does not expressly provide a right to erasure; it enables only withdrawal of consent. The proposed law, in contrast, enables individuals to request erasure of personal data in addition to withdrawing consent.
(D) Right of grievance redressal
Individuals have a right to approach an officer or authority appointed by a company to register grievances if they have any concerns or questions about the processing of their personal data. Companies must have a procedure in place and an effective mechanism to address such grievances, and must publish the business contact information of a Data Protection Officer or other authority who can answer individuals’ queries about the processing of personal data.
Individuals who are not satisfied with the outcome of a grievance filed with the Grievance Officer have the option to file, within 7 days, a complaint with the Data Protection Board (the “DPB”) established under the proposed Bill.
(E) Right to nominate
The proposed Bill gives individuals the right to nominate another individual to exercise their rights in the event of their death or incapacity (due to unsoundness of mind or body). No such facility to nominate another individual exists under the existing law.
(F) Right to withdraw consent
The proposed law enables an individual to withdraw consent for the processing of personal data by a company, but only where the personal data is processed on the basis of consent. For example, where contact information is collected through an application after obtaining consent, that consent can later be withdrawn by the individual. It is worth noting that the Bill allows processing on several other grounds, such as public interest (e.g., debt recovery), legal compliance (e.g., EPFO KYC) and emergencies (e.g., medical emergencies). In these cases the individual’s consent is deemed to have been given. Where express consent has been obtained, however, it may be withdrawn by the individual.
The Bill specifies that the consequences of such withdrawal are to be borne by the individual. For example, where a bank processes a customer’s personal data on the basis of her consent and the customer withdraws that consent, the customer is responsible for the consequences of the withdrawal, i.e., the termination of banking services in accordance with the agreement between the customer and the bank.
Duties of the Individual
The Bill empowers individuals but also tries to ensure that the rights it guarantees are not misused. It therefore sets out certain duties for individuals, which include:
(a) Exercising their rights in the manner prescribed by the Bill;
(b) Not registering false or frivolous grievances or complaints, whether with the Data Fiduciary or with the DPB;
(c) Not furnishing false particulars, suppressing material information or impersonating another person when applying for documents, services, etc.; and
(d) Seeking correction or erasure of personal data only to the extent that the corrected or erased information is authentic.
In comparison with the existing law, the Bill extends substantial rights to individuals and gives them better visibility, awareness, decisional autonomy and control over their data. At the same time it obliges companies to honour those rights and to provide effective redressal mechanisms, backed by significant penalties of up to Rs 50 crore for contraventions relating to individual rights.
The proposed law makes substantial strides in securing the rights of digital users by extending actionable rights to them, imposing obligations on companies and proposing the constitution of the Data Protection Board as an adjudicatory body for the resolution of user grievances. While public consultation is ongoing, it remains to be seen whether the Bill will be introduced in the Budget Session.
(The author is Partner, Lakshmikumaran and Sridharan Attorneys.)