Digital Personal Data Protection Bill - Organizations need to come up to speed and the time is now

As digitization sweeps every nook and corner of the Indian economy, and as millions of Indians adapt to this digitization by placing their personal data in the hands of various institutions, including corporates, platforms and intermediaries, they also put their trust in these institutions with the assumption that their personal data stays safe, is treated with responsibility, and is not misused in any form. Hence it is imperative that the data, especially personal data, be subject to a framework of rules and regulations, dos and don'ts.

It is with this object that on November 18, 2022, India's Ministry of Electronics and Information Technology ('MeitY') released the draft (Digital Personal Data Protection (DPDP) Bill, 2022 ('DPDP Bill') on November 18, 2022, and solicited all relevant stakeholders to submit their suggestions and comments (no later than December 17, 2022), a deadline which was extended to January 2, 2023. This Bill is certainly not the first to be introduced by the Ministry. It follows the withdrawal of the Personal Data Protection Bill, 2019 ("PDP Bill") in August, 2022, and is the latest in a series of draft Bills released by the Ministry as the Indian Government tries to create a data protection regime in the country. The current draft Bill builds on the understanding that emerged during consultation with stakeholders around the earlier draft PDP Bill, and is shorter and simpler.

The Bill frames out the rights and duties of the digital citizen as well as the obligations of the Data Fiduciary (the person or group of persons who determines the purpose and means of processing of personal data) in line with the basic principles of Data Economy. The Data Fiduciary is obligated to minimize data collection to the extent required, use the collected data lawfully and with accountability, and use it only for the purpose it was collected for. It also needs to ensure accuracy of the personal data besides keeping it up to date, and maintain safeguards to ensure that only authorized data is collected and processed. An important aspect is to also ensure that the data storage is limited to the duration required for the stated purpose. The Data Fiduciary can process the data only with the consent of the Data Principal (the individual to whom the personal data relates), and the Data Principal can withdraw, manage or review this consent any time. The Bill incorporates the concept of 1) a Consent Manager, a Data Fiduciary which enables a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform and 2) a Data Protection Officer, a person who can respond to the Data Principal’s questions about the processing of their personal data.

The Bill is applicable to processing of data collected online, as well as offline data that is digitized post collection, within the territory of India. It is also applicable to data collected outside the territory of India provided such processing is in connection with any profiling of, or activity of offering goods or services to Data Principals within the territory of India. The Bill, as part of its compliance framework, envisages the setting up of a Data Protection Board of India to determine non-compliance with the provisions of the draft Bill, impose penalty for such non-compliance, and perform such other functions as the Central Government may assign to it under the provisions of the draft Bill or any law. The financial penalties as laid down in the Bill vary from Rupees Ten thousand to Rupees Five hundred crores for each instance, based on the subject matter of non-compliance.

While it is yet to be seen when and in what form this Bill, post the various discussions, will be introduced in the Parliament, it is critical for organizations dealing in various forms of data, especially personal data to gain a deep understanding of the provisions of this Bill, figure out what these provisions entail for them in terms of governance and compliances, and if they require them to make changes in their existing technical infrastructure, systems and policies. Given the Bill is still in its draft stage, this is also the time when organizations should evaluate if any specific issue pertaining to their industry or organization needs to be highlighted and brought forth for discussions with the Ministry before it is too late.