The Digital Personal Data Protection Bill (DPDPB) 2022 is a crucial piece of legislation for the protection of personal data in India. This bill applies to the automated processing of personal data within India and covers any organization, whether a government agency or private business, that processes personal data in India.
Scope and Applicability
The scope of the DPDPB is limited to the automated processing of personal data and to personal data that is collected offline and later digitized, which means that it does not apply to non-automated processing. It also does not apply to the processing of data belonging to foreign nationals outside of India, as this may lead to the duplication of liabilities due to conflicting local laws. Additionally, the DPDPB is not applicable to processing for personal or domestic use, or to records over 1000 years old. The processing of physical data is currently not within the scope and applicability of the DPDPB.
Grounds of Processing & Obligations of Data Fiduciaries
The DPDPB establishes grounds for the processing of personal data and sets out the obligations of data fiduciaries. The primary ground for processing is consent, and organizations must obtain explicit and informed consent from individuals before processing their personal data.
A privacy notice must be provided in English and in any scheduled languages, and must clearly explain the purposes for which the personal data will be processed. In certain cases, such as in the event of a medical emergency or disaster, processing may be allowed on the grounds of deemed consent.
In the event of a personal data breach, data fiduciaries are required to report the breach to the Data Protection Board and to each affected data principal. More details on this requirement will be provided later. Significant data fiduciaries are subject to additional obligations, such as the appointment of a Data Protection Officer (DPO) and the conduct of a Data Protection Impact Assessment (DPIA).
However, the requirement to report to the Data Protection Board is overridden in cases where sectoral obligations, such as those imposed by the Reserve Bank of India (RBI) or the Insurance Regulatory and Development Authority (IRDA), apply.
Rights and Duties of Data Principal
The DPDPB also sets out the rights and duties of data principals. Data principals have the right to receive information about the processing of their personal data, the right to have their personal data corrected or erased, and the right to seek grievance redressal.
They also have the right to nominate another individual to exercise their rights on their behalf. Their duties include complying with applicable laws while exercising their rights, not making false complaints, not furnishing false information while obtaining services, and furnishing verifiably authentic information. However, there is currently no clarity around the term “applicable laws” in the context of these duties.
Cross-Border Transfer & Exemptions
The DPDPB also contains provisions for the cross-border transfer of personal data and exemptions to these provisions. The transfer of personal data outside of India is permitted to certain jurisdictions based on an assessment of factors to be notified.
These provisions set out the obligations, rights of data principals, and exemptions in the context of such transfers. For example, the provisions on the transfer outside of India do not apply when the processing is in the context of judicial functions, enforcing legal rights, or the prevention and detection of an offense.
In addition, state instrumentalities may be exempted by notification in the context of sovereignty, integrity, and security of the state, friendly relations with foreign states, maintenance of public order, and preventing incitement to an offense. Exemptions may also be notified for processing for research, archiving, or statistical purposes.
The DPDPB also establishes a compliance framework, including the establishment of the Data Protection Board by the Government of India. The functions of the Board include determining non-compliance, issuing directions for mitigating harm in the case of a data breach, establishing an inquiry procedure, and revising and appealing decisions.
The right to appeal the Board’s decisions lies with the High Court. Additionally, organizations may submit a voluntary undertaking to comply with the provisions of the DPDPB. This is intended to encourage organizations to proactively comply with the law and to demonstrate their commitment to protecting personal data.
Overall, the DPDPB is an important step forward for the protection of personal data in India. It provides individuals with greater control over their personal data and helps to ensure that organizations handle this data responsibly and in compliance with the law. By providing a clear framework for the processing of personal data, the DPDPB will help to build trust and confidence in the digital economy. It is crucial that organizations understand their obligations under the DPDPB and take steps to comply with the law.