The Digital Personal Data Protection Bill, 2023: Obligations and the Protection of Citizen’s Rights

Aishwarya Dutta

Abstract

The new legislation passed in Parliament, which promises ‘to guard the personal data of citizens in the digital age’, has been making headlines for the past few days. With the assurance of ensuring the safety of the personal data of each and every Indian citizen, the Digital Personal Data Protection Bill, 2023 is a landmark parliamentary legislation which provides optimum security for Indians in cyberspace.

It is an act to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto. The Bill provides detailed provisions on its applicability, viability, exemptions, processing of data, functions of the Data Protection Board, provisions for children and several other implications. 

Background

To understand data protection we need to know what personal data means. Personal data is information regarding an identified or identifiable individual.  Businesses and several government entities process personal data for the efficient delivery of goods and services.  The processing of personal data facilitates a clearer understanding of preferences of individuals, which may be useful for various purposes such as customisation, targeted advertising, and developing recommendations.

Processing of personal data may also aid law enforcement. But unchecked processing would be a threat to the privacy of individuals, and the Right to Privacy has been recognised as a fundamental right. Individuals may thus be subjected to harm such as financial loss, loss of reputation, and profiling.

There have been several attempts on the part of the government to ensure the protection of data. The usage of personal data is regulated under the Information Technology (IT) Act of 2000. In 2017, the Centre constituted a Committee of Experts on Data Protection, chaired by Justice B. N. Srikrishna, to examine issues relating to data protection in India. The Report of the Committee was submitted in July 2018.

On the basis of the recommendations of the Committee, the Personal Data Protection Bill was introduced in the Lok Sabha in December 2019. The Bill was then referred to a Joint Parliamentary Committee which submitted its report in December 2021. But the Bill was withdrawn from Parliament in August 2022.  However, in November 2022, a Draft Bill was released for public consultation. Finally, in August 2023, the Digital Personal Data Protection Bill 2023 was introduced in Parliament.

Provisions of the Bill

The Digital Personal Data Protection Bill, 2023 was introduced in Lok Sabha on August 3, 2023 and passed on August 7, 2023. The Rajya Sabha passed it on August 9, 2023. The Bill aims at providing for the protection of personal data and the privacy of individuals. It has provisions to restrict the misapplication of individuals’ data by online platforms. According to the Union IT Minister Ashwini Vaishnaw, the bill lays down obligations on private and government entities around collection and processing of citizen’s data.

The Bill applies to the processing of digital personal data within India where such data is collected online, or is collected offline and then digitised. Similarly, it is also applicable to the processing of personal data outside India if it is for offering any goods or services in India. The consent of an individual is essential before processing their personal data for any lawful purpose. Also, a notice must be given beforehand for seeking consent.

The said notice would comprise details about the personal data to be collected as well as the purpose of processing the data. Consent may be withdrawn at any point in time. However, there are certain exceptions. Consent will not be required for ‘legitimate uses’ including a specified purpose for which data has been provided by an individual voluntarily, a provision of benefit or service by the government, any medical emergency, and for employment. For individuals below 18 years of age, consent has to be provided by the parent or the legal guardian.

An individual whose data is being processed (data principal) will have the right to: obtain information about the processing, seek correction and erasure of personal data which they are unwilling to share, nominate another person to exercise rights in the event of death or incapacity, and seek grievance redressal. Data principals also have certain duties. They must not register any false complaint, furnish any false particulars, or impersonate another person in specified cases. Violation of duties will be punishable with a penalty of up to Rs 10,000.

There are certain obligations of the data fiduciaries as well. A data fiduciary is the entity determining the purpose and means of processing. A data fiduciary must make reasonable efforts to ensure the accuracy and completeness of data, build reasonable security safeguards to prevent a breach of data, inform the Data Protection Board of India and affected persons in the event of a breach, and erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes (storage limitation).

In the case of government entities, the provision of storage limitation and the right of the data principal to erasure are not applicable. Certain data fiduciaries may be considered as significant data fiduciaries. The following factors are taken into consideration: the volume and sensitivity of personal data processed, risks to the rights of data principals, the security of the state, and public order.

There are exemptions to this as well. Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases.  These include the prevention and investigation of offences, and enforcement of legal rights or claims.  The central government may also, by notification, exempt certain activities from the application of the Bill. These include: data processing by government entities in the interest of the state’s security and public order, and research, archiving, or statistical purposes.

With regard to children, certain things have to be taken into consideration. While processing the personal data of a child, the data fiduciary must not undertake processing that is likely to cause any detrimental effect on the well-being of the child, nor undertake tracking, behavioural monitoring, or targeted advertising. The Bill also allows the transfer of personal data outside India, except to the countries which have been restricted by the government through notification.

With regard to this bill, the central government will also establish a Data Protection Board. Key functions of the Board would comprise:

  • monitoring compliance and imposition of penalties, 
  • directing data fiduciaries to take necessary steps in the case of a data breach, and 
  • hearing grievances made by affected persons. 

The tenure of the Board members will be two years and they will be eligible for re-appointment.

The schedule to the Bill also specifies penalties for various types of offences, such as up to: (i) Rs 200 crore for non-fulfilment of obligations related to children, and (ii) Rs 250 crore for failure to undertake security measures to prevent data breaches.

Impact

The Bill empowers the government at the centre to exempt processing of personal data by its agencies from any or all provisions, in the interest of concerns such as the security of the state and maintenance of public order. With regard to this, the rights of data principals and obligations of data fiduciaries (except data security) will not be applicable with respect to cases such as processing for prevention, investigation, and the prosecution of offences.

The Bill does not require government agencies to delete personal data after the fulfilment of their purpose. Thus, by using the exemptions mentioned above, a government agency may collect data about citizens to create a 360-degree profile for surveillance. It can also utilise data retained by various government agencies for this purpose. This raises the further question of whether these exemptions will meet the proportionality test.

Functions of the Data Protection Board

The Bill states that the Data Protection Board of India will function as an independent body. Members will be appointed for two years and will be eligible for re-appointment. A short term with the scope for re-appointment may affect independent functioning of the Board.

Some of the key functions of the Board include monitoring compliance, carrying out investigations, and adjudging penalties. In the case of tribunals, the Supreme Court (2019) had observed that a short term along with provisions for re-appointment increases the influence and control of the Executive.

Regulatory authorities with adjudicatory roles such as the Central Electricity Regulatory Commission and the Competition Commission of India have a term of five years under respective Acts. In the case of TRAI (Telecom Regulatory Authority of India), the term of appointment is three years. The term of appointment to SEBI (Securities and Exchange Board of India) is five years, specified through rules.

Provisions for Children

The Bill has defined a child as a person below 18 years of age. Earlier, a committee was established for determining the appropriate age of a child for consent. This committee, the Srikrishna Committee (2018), recommended several factors that need to be taken into consideration. These include the following: a minimum age of 13 and a maximum age of 18, and a single threshold for ensuring practical implementation.

It also observed that 18 years may seem to be too high from the perspective of the full autonomous development of a child. But, in order to be consistent with the existing legal framework, the age of consent should be 18 years only. Similarly, under the Indian Contract Act, 1872, the minimum age to sign a contract is 18.

The Personal Data Protection Bill also requires all data fiduciaries to obtain valid consent from the legal guardian of a child before processing their personal data. To comply with this provision, every data fiduciary will first have to verify the age of everyone signing up for its services.

It is important to determine whether the person is a child, and thereby obtain consent from their legal guardian. This would avoid instances of children giving false declarations. It would also reduce anonymity in the digital sphere.

There is a lack of clarity on what constitutes a detrimental effect on the well-being of a child. The Bill clearly states that a data fiduciary will not undertake any processing which has a detrimental effect on the well-being of the child. The Bill, however, has not defined detrimental effects. It has also not provided any guidance for determining such an effect.

Implications

The Bill has its limitations too. It provides that the government may restrict the transfer of personal data to certain countries through a notification. On the other hand, this implies the transfer of personal data to all other countries without any explicit restrictions. But the question is whether this mechanism will provide adequate protection. The Bill does not regulate harm arising from the processing of personal data.

The aim of the regulation of transfer of personal data outside India is to safeguard the privacy of Indian citizens. The law will allow companies to transfer some users’ data abroad. The government will have the power to seek information from firms and issue directions to block content on the advice of the Data Protection Board which will be employed by the Central government.

Conclusion

There has been a positive acceptance of the bill by the citizens of India at large, because the bill seeks to strengthen India’s cybersecurity posture. It provides a comprehensive framework for regulating the use of data by private businesses. It will protect the privacy and dignity of millions of Indians who use digital platforms. It provides much-needed clarity and certainty for businesses and individuals alike.

Aishwarya Dutta is Research intern, IMPRI.

Acknowledgement: The author would like to thank Aasthaba, Nandu, Tripta and Krishti for their kind comments and suggestions to improve the article.

Disclaimer: All views expressed in the article belong solely to the author and not necessarily to the organisation. 