Introduction
The Ministry of Electronics and IT ("MeitY") has introduced a draft of the Digital Personal Data Protection Bill, 2022 ('DPDP Bill') and has invited the public to submit feedback on the DPDP Bill by 17th December 2022. This move comes a few months after MeitY withdrew the DPDP Bill's predecessor, the Personal Data Protection Bill, 2019 ('PDP Bill') in August 2022.
The DPDP Bill seeks to regulate personal data alone and leaves out non-personal data from its ambit. For the first time in India, the DPDP Bill has introduced pronouns 'she/her' to refer to individuals, irrespective of gender.
The DPDP Bill has, amongst other definitions, introduced new terms such as Data Principal (i.e. individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child) ("DP") and Data Fiduciary (i.e. person who alone or in conjunction with other persons determines the purpose and means of processing of personal data) ("DF"). DF now includes HUFs, artificial judicial persons, individuals, State as compared to the existing Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ('IT Rules 2011') which are only applicable to body corporates.
While the DPDP Bill proposes the protection of (a) personal data collected from the Data Principal online and (b) personal data collected offline and then digitized; the DPDP Bill excludes (a) non-automated processing of personal data, (b) offline personal data, (c) personal data processed by an individual for any personal or domestic purpose and (d) personal data about an individual that is contained in a record that has been in existence for at least 100 years.
The DPDP Bill proposes three grounds according to which personal data can be processed by a DF. Firstly, the processing of the digital personal data must comply with the provisions of the DPDP Bill. Secondly, as long as the processing is not expressly forbidden by law, such processing is allowed. Thirdly, the DP should have given consent (express or deemed) before such personal data is processed.
Some of the key features of the DPDP Bill are set out below:
- Territorial Applicability
The DPDP Bill proposes that the Bill shall be applicable to personal digital data that is processed in India and to such personal data which though processed by the DF outside India but processed in connection with any profiling of, or activity of offering goods or services to the DP within India.
- Notice and Consent
On or prior to seeking consent of the DP; the DF must send a notice to the DP setting out the description of personal data sought to be collected and the purpose of its collection. The DPDP Bill states the consent may be express or deemed. This consent is not permanent; the DP may withdraw consent at any time. If the DP withdraws consent, it is the DF's responsibility to cease the processing of the DP's personal data within a reasonable time unless such processing without the DP's consent is required or authorised under the provisions of law. The latter form of consent, referred to as 'deemed consent' can be inferred by DFs during medical emergencies, compliance with a judgment or order or when the DP voluntarily provides personal data to the DF etc.
To view the full article please click here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
