The Ministry of Electronics and Information Technology (MeitY) published the Digital Personal Data Protection Bill, 2022 (“PDPB”) on November 18, 2022, seeking public comments until December 17, 2022. The PDPB, 2022 seems to be a big step forward from the existing data protection laws in India, viz. the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (popularly referred to as the “SPDI Rules”).
The PDPB, 2022 defines ‘personal data’ to include and mean ‘any data about an individual who is identifiable by or in relation to such data’. The intent of the Government here seems to be to do away with any bifurcation of the extent of liability depending upon the nature of the personal data. Further, some new terms have been introduced, including (but not limited to) ‘Data Fiduciary’ (which is defined as ‘any person who alone or in conjunction with other persons determines the purpose and means of processing personal data’) and ‘Data Principal’ (which is defined as ‘the individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child’).
Furthermore, the PDPB, 2022 expands its scope of applicability to include personal data which is collected offline (but in digitized form) as well.
Another interesting concept introduced under the PDPB, 2022 is that of ‘deemed consent’, where express consent is not required in certain scenarios mentioned in the Bill (such as where it is expected that the data principal will provide his/her consent, for compliance with any judgment/order, etc.). The PDPB, 2022 has also recommended the appointment of a ‘consent manager’ (viz. a data fiduciary) who shall be registered with the Data Protection Board of India (which is the regulatory body envisaged to be formed under this Bill). The functions of the Data Protection Board of India shall include (a) determining non-compliance with the provisions of the Draft Bill, 2022 and subsequently imposing a penalty; and (b) performing any such function as may be assigned by the Central Government.
Further, each Significant Data Fiduciary (which shall be identified on the basis of several factors such as the volume and sensitivity of personal data processed, risk of harm to the Data Principal, potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State, public order, etc.) is required to appoint a Data Protection Officer, who would further take on the role of a representative (of the Significant Data Fiduciary) before the Data Protection Board of India. The Data Protection Officer shall also be the point of contact for the grievance redressal mechanism.
The PDPB, 2022 also permits transferring of data outside India to select countries (which would be published by the Government at a later stage) on the basis of assessment of some factors at the Central Government’s discretion.
Lastly (and importantly), the PDPB, 2022 has introduced hefty penalties to the tune of 250 crores in case of breach of provisions of the intended legislation. The cumulative penalties which could be imposed under the provisions of this Bill could go up to 500 crores (in case of breach of multiple provisions of the Bill).