SUMMARY
The new draft has narrowed the scope of data protection by considering only personal and digital data in India
The Bill imposes norms for data localisation and storage, cross-border data flow and consent by individuals
Personal data, according to the draft, will only include data collected online, or collected offline but is digitised
After being tabled with the industry stakeholders twice already and being pulled back for reconsideration, the new draft Personal Data Protection Bill is finally out for industry consideration. It has narrowed the scope, by considering only personal and digital data in India (and concerning Indians).
In a preliminary read, the Bill imposes heavy penalties for violations of any provisions of the legislation – as high as INR 500 Cr. It also talks about the use of personal data by companies (digital or not) and limits the scope to ‘use for the purpose it was collected only’.
Further, the draft Bill imposes data localisation and storage norms, restricting geographical storage of data by the collecting companies to ‘trusted’ geographies. According to the draft Personal Data Protection Bill, these geographies will be later updated by the government ‘from time to time’.
Out of the 30 clauses, the Bill also carries a total of 18 ‘as may be prescribed’ clauses and industry bodies such as the Internet Freedom Foundation have touted it as ‘vague and unguided’.
Yet, here are some highlights from the new draft of the Personal Data Protection Bill, which is open for industry comments till December 17, 2022.
Five Key Highlights From The Personal Data Protection Bill
1. Definitions Of Personal Data: The Personal Data Protection Bill also provides updated definitions of key terminologies. According to the Bill, personal data pertains to any data (information, facts, concepts, opinions, instructions) about an individual that helps identify the individual – collected online, or collected offline but is digitised.
Such personal data will not cover offline personal data, or that which is collected for domestic purposes, or data of an individual that has been recorded more than 100 years ago.
Experts are of the opinion that while the present draft of the Personal Data Protection Bill gives a simpler framework, it also curtails the definition of personal data.
Abhishek Malhotra, managing partner at TMT Law Practice, said, “The qualified title adding ‘digital’ to the Bill, does not add any value to the nature of the legislation but just seems to be one shot amongst a slew of ‘Digital India’ policies and legislations that the government intends to roll out.”
2. Consent Removal By Individuals: In the past, it has been observed that applications and platforms do not allow individuals to access them unless the individual accepts terms and conditions, which also include clauses of personal data usage.
In the current draft, the IT Ministry has asked applications to explain the terms of data collection to the user in simple and clear terms. It has also provided a clause that allows users to withdraw their consent whenever they want to.
“Where consent given by the [individual] is the basis of the processing of personal data, the [individual] shall have the right to withdraw her consent at any time. The consequences of such withdrawal shall be borne by such [individual]. The withdrawal of consent shall not affect the lawfulness of processing the personal data based on consent before its withdrawal,” the Bill states.
They can also seek for erasure or correction of personal data. Individuals will also have the right to nominate another person who can exercise these consent rights in the event of death or incapacity of the first person.
3. Free Cross Border Flow of Data: The Bill has also suggested that it will allow for cross-border storage and transfer of data to “certain notified countries and territories.”
However, the Centre will issue a notification after an ‘assessment of such factors, as it may consider necessary’ to notify such countries or territories outside India to which a [company] may transfer personal data. The terms and conditions will also be specified in such notification, the Bill has hinted.
The Personal Data Protection Bill has also provided some exemptions to cross-border data transfer, including arbitrations, government interests, research purposes and more.
4. Ease Compliance In Compliance Burden: The government has proposed establishing an online redressal forum, the Data Protection Board of India.
This Board will be allowed to hear the pleas of individuals, carry out regulatory checks in companies collecting data, conduct court-like proceedings and set up inquiries, issue penalties and more.
The previous drafts of the Personal Data Protection Bill was also argued over the fact that it would increase the compliance burden on startups. Since the current draft limits the scope of the Bill to personal data only, the clauses of the Bill have been reduced to 30 from the previous 99.
Besides, IT Minister of State Rajeev Chandrashekar had pointed out that the previous versions (now pulled down) had several compliance burdens including data management, data governance and even cybersecurity. Since the current draft only limits the scope to data protection, transfer, storage and minimisation, it reduces the compliance burden on startups and Big Tech alike
5. Changes To The IT Act, 2000: The new draft of the Personal Data Protection Bill has also made certain amendments to the existing Information Technology Act, 2000.
According to the IT Ministry, the current draft, when made into an Act, will help omit section 43A and section 87(2) of the IT Act, 2000. The former section in the IT Act pertains to penalties for negligence by a company when handling ‘sensitive’ personal data of its customers. The latter pertains to the government’s right in making any rules in accordance with the personal data protection of Indians.
In section 81 of the IT Act, ‘Digital Personal Data Protection Act, 2022’ will be added after the words ‘Patents Act, 1970. That is, the IT Act will not be able to override the provision of the Digital Personal Data Protection Act, similar to the Patents Act and the Copyright Act.
