Digital Personal Data Protection Bill, 2022 – a move in the right direction?
The Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection Bill, 2022 (“DPDP Bill”) on November 18, 2022 for public consultation. While a lot can be written about the fourth iteration of the Bill aimed at data protection, this article gives an overview of the proposed law and its effect on data collection and other forms of processing that have a direct bearing on Outline India research.

Applicability of the DPDP Bill

The Bill applies to the processing of personal data within India as well as any such processing done in connection with profiling or offering goods or services to persons within India. As a result, it does not affect the processing of data regarding individuals outside the jurisdiction of the country by companies conducting business within it. Interestingly, the DPDP Bill also exempts processing conducted by the government and its instrumentality for research, archival or statistical purposes. Thus, while the projects conducted for or on behalf of the government would be exempt, Outline India would have to continue following the high standard already maintained for projects with its other partners.

What is Personal Data?

Personal Data is defined as any data about an individual who is identifiable by or in relation to such data. In other words, once the data is non-identifiable (for example, anonymized), it falls outside the purview of the Bill. A significant caveat exists: if the previously anonymized data is combined with other data points and is then capable of identifying people, it is outside the scope of the proposed law. Further, the Bill does not classify personal data as “sensitive” or “critical”. In fact, even the present Information Technology Act, 2000 under its Sensitive Personal Data or Information Rules, 2011, classifies certain types of data as “sensitive”.
With such classification done away with, organizations would treat data under two broad heads: personal and non-personal.

Basis of Processing Personal Data - Consent

Unlike the European GDPR, Indian lawmakers have been keen for “consent” to be the sole basis of processing data. This part has been consistent in all earlier iterations of the bill as well. Consent, as per the DPDP Bill, has to be (i) free, (ii) specific, (iii) informed and (iv) unambiguous. However, none of these expressions have been defined. Further, such consent has to be provided through “affirmative action” for a “specified purpose” mentioned in the notice. Simple consent forms and dashboards, interactive videos and audio consents are likely to be the way forward to ensure compliance with this requirement.

Alongside this, the DPDP Bill retains the underlying principle of “purpose limitation”. Under this, only limited personal data that has a nexus with the underlying contract ought to be collected. An entity cannot make its services conditional upon processing personal data that is not necessary to perform the contract. For instance, a pharmacy can ask your name, address and prescription but it cannot insist on knowing your caste, religion or sexual orientation, since that has no relevance to delivering medicines.

Further, for the first time, the DPDP Bill has introduced the concept of “deemed consent”. This means that, as an example, there shall be deemed consent if personal data has to be processed for employment-related purposes, medical emergencies or compliance with a judicial order, etc. There shall also be deemed consent in instances where an individual is reasonably expected to provide personal data. For example, where a person gives her name and mobile number to a restaurant for reserving a table, the restaurant can collect this personal data based on deemed consent.
Another key ground for deemed consent is where personal data is processed in the public interest, such as prevention of fraud, credit scoring, processing publicly available personal data, recovery of debt, etc.

Significant Data Fiduciary

The DPDP Bill also retains the concept of a “significant data fiduciary”. Under this, the government may notify any data fiduciary as a significant data fiduciary. All such entities shall have to:
Appoint a data protection officer who shall also be the point of contact for grievance redressal.
Appoint an independent data auditor.
Undertake measures such as data protection impact assessment and periodic audits.
Some factors on the basis of which classification of a “significant data fiduciary” shall be made are:
Volume and sensitivity of personal data processed
Risk of harm to the data principal
Impact on sovereignty and integrity of India
Public order, etc.

Data Localization

The earlier iterations required all “critical personal data” and a mirror copy of all “sensitive personal data” to be stored in India. Given there is only a single category of personal data in this DPDP Bill, it does not impose a rigid localization requirement. It states that personal data may be transferred outside India to countries or territories notified by the Indian government. However, it also clarifies that its provisions are in addition to and not in derogation of existing laws. Therefore, if any sectoral regulator requires data to be stored locally within India, that condition will continue to apply.

Conclusion

At Outline India, each of our surveys and projects is executed with the utmost importance given to the people helping us with the information on the ground. The grassroots-level understanding is paramount, along with following a tested framework which includes consent from our stakeholders. Given the important role such research plays with regard to social development interventions, scaling and policy framework, we continue to adhere to the highest standards of the law as well as setting and improving the benchmark for the industry. Our partners include corporates, government bodies as well as educational institutions and thus, we also serve as a critical juncture for the various stakeholders to come together and continuously improve on how sustainable growth is defined as well as implemented on the ground. We look forward to continuing this task of providing valuable insights to all concerned.