The new digital personal data protection bill
The centre has released its long-awaited draft of a new Digital Personal Data Protection Bill 2022. The information technology minister Ashwini Vaishnaw announced this on Twitter and sought views from stakeholders by December 17.
The newly proposed Digital Personal Data Protection Bill 2022 continues to give the government a free pass to ride roughshod over an individual’s right to data privacy, even as it cranks up the maximum penalty on data fiduciaries violating its provisions to as high as Rs 500 crore.
The scope is narrowed too: the bill’s provisions will not apply to “offline” personal data. The new measure, now up for public consultation, is expected to be presented in the next session of parliament. Aimed at protecting digital personal data, it seeks to allow transfer of data outside India and provides for penalties regarding data breaches.
Cyber law experts slammed the bill for the manner in which it gave the government unbridled power to retain personal data of an individual for an indefinite period.
The bill requires collection of personal data to be based on “freely given, specific, informed and unambiguous indication” of user consent. Requests for consent will be required to be provided in English or any official language of India specified in the constitution. Consent should be withdrawable at any time.
A “Consent Manager” should be made available to review provided consent, and this entity should register with a Data Protection Board that will be set up by the government. Fiduciaries should obtain “verifiable parental consent” for collecting data from minors.
A data fiduciary should no longer retain information about a user (a “data principal”) if the purpose of keeping that data is no longer served.
Users should have the right to review and correct data they have provided, as well as to remove such data. They should be able to nominate someone else in case of death or incapacitation. They should have the right to have their grievances processed by the data fiduciary.
The bill says that the government will notify a list of countries in which Indians’ data may be stored.
The bill’s provisions give the government wide exemptions, as “any instrumentality of the State in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these” will not be subject to its provisions.
The government will set up a Data Protection Board of India that will be “digital by design” to handle data breaches and impose fines on erring data fiduciaries. The board will be able to hold hearings and hear complaints from users. Fines of Rs 50 crore to Rs 250 crore are provided for.
The government has also published an explanatory memorandum. Submissions will be accepted through the MyGov platform, but these will not be made public, the IT Ministry said in a notice. Going forward, the new Personal Data Protection Bill includes child protection and fines, but needs clarity.