Monday, December 26, 2022

Digital Personal Data Protection Bill 2022 – History & Impact in Healthcare Industry

 

On November 18, 2022, the Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection Bill, 2022 (DPDP Bill 2022) and invited comments from stakeholders. It is the fourth iteration of India's proposed general data protection law since 2017, and it attempts a more workable comprehensive legal framework. The earlier versions drew heavily on the European Union's General Data Protection Regulation (GDPR) and were dense, voluminous documents. The 2022 draft instead takes its cue from Singapore's Personal Data Protection Act, 2012, and is a condensed, concise document: roughly 24 pages and 30 clauses, against about 70 pages and 90 clauses in the previous draft.



Let us first understand the status of privacy in the Indian context. Part III of the Indian Constitution guarantees a set of fundamental rights, including the right to life and personal liberty, the right to equality, and the freedom of speech and expression. Fundamental rights enjoy a high degree of protection from encroachment, but the right to privacy was not recognised as one of them until 2017. Earlier decisions such as M. P. Sharma v. Satish Chandra (1954) and Kharak Singh v. State of Uttar Pradesh (1962) had declined to treat privacy as a fundamental right. In Justice K. S. Puttaswamy v. Union of India (2017), a nine-judge bench of the Supreme Court unanimously held that the right to privacy is a fundamental right under the Constitution, overruling those earlier decisions to that extent. The same year the Government constituted an expert committee headed by Justice B. N. Srikrishna to examine data protection issues in India; the committee submitted its report together with a draft Personal Data Protection Bill, 2018, to MeitY, and that draft is the ancestor of the bill discussed here.

Today, the handling of health information (what HIPAA would call Protected Health Information, PHI) is governed by the Information Technology Act, 2000, read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Patient data, including medical records and history, is classified as sensitive personal data or information (SPDI) under those rules, which impose some obligations on its collection, disclosure, and transfer. Long before the DPDP Bill 2022, the Ministry of Health and Family Welfare also published a draft Digital Information Security in Healthcare Act (DISHA) in 2018, intended as India's counterpart to the Health Insurance Portability and Accountability Act (HIPAA). DISHA was meant to provide for the privacy, security, confidentiality and standardisation of digital health data, and to establish a National Electronic Health Authority (NeHA) and Health Information Exchanges, so as to encourage pan-India adoption of e-health standards. It has never come into force.



The DPDP Bill 2022 is built around the Data Principal (the individual), the Data Fiduciary (the entity deciding the purpose and means of processing) and the Data Processor, with a Data Protection Board of India to adjudicate complaints. Unlike the GDPR, the bill defines "harm", "loss", and "public interest" in short enumerated lists. In a first for Indian legislation, the bill uses "her" and "she" for an individual irrespective of gender, a welcome inclusive choice. Consent must be obtained for processing, after a notice in clear and plain language describing the personal data sought to be collected and giving an itemised list of the purposes of processing. The bill also permits transfer of personal data outside India, but only to countries or territories notified by the Central Government.



The penalty provisions of the DPDP Bill 2022 are structured differently from other data protection laws around the world, such as the GDPR or China's PIPL. The bill caps penalties at ₹500 crore per instance of non-compliance, a cap that applies to every Data Fiduciary, healthcare organisations included. Within that cap, its schedule lists specific maxima: up to ₹250 crore for failing to take reasonable security safeguards against a personal data breach; up to ₹200 crore for failing to notify the Board and affected Data Principals of a breach; up to ₹200 crore for breaching the additional obligations in relation to children; and up to ₹150 crore when a Significant Data Fiduciary (which a large healthcare organisation may be notified as) fails to meet its additional obligations. What is missing is the key ingredient of other regimes: the power to impose a penalty of either a fixed amount or a percentage of total worldwide turnover, whichever is higher, so that the sanction scales with the size of the offender.

The bill also places duties on the Data Principal: not to register a false or frivolous complaint with a Data Fiduciary or the Board, and not to furnish false particulars or suppress material information. A Data Principal who fails to comply with these duties faces a penalty of up to ₹10,000 (Rupees Ten Thousand).



The DPDP Bill 2022 introduces the concept of "deemed consent", under which the Data Principal is treated as having consented to processing in specified situations. One of these is a medical emergency involving a threat to life or an immediate threat to the health of the Data Principal, so a hospital may process personal data in that situation without obtaining consent first. A parallel can be drawn with the draft Health Data Management Policy released by the NDHM (now the Ayushman Bharat Digital Mission, ABDM) in April 2022, which also provides for processing of personal data in medical emergencies. That policy contemplates a nominee who can give valid consent on behalf of the Data Principal when the Data Principal is seriously ill, mentally incapacitated, or facing a threat to life or a severe threat to health and is unable to consent. Unlike the DPDP Bill 2022, it does not rely on deemed consent where no nominee exists; instead, the right to consent on the Data Principal's behalf passes to an adult member of the Data Principal's family.

Despite the recommendation of the Joint Parliamentary Committee (JPC) report on the 2019 bill, the DPDP Bill 2022 keeps non-personal data, including anonymised data held by the Government, NGOs and private sector entities, outside its ambit. Phrases such as "as it may consider necessary" and "as may be prescribed" leave much to delegated legislation and invite administrative ambiguity. The independence of the Data Protection Board, the body entrusted with enforcing the law and protecting individuals' personal data, is not reassuring, since its composition and functioning are left to be prescribed by the Central Government. Further, the Government and its instrumentalities may retain personal data indefinitely, even after the purpose for which it was processed has been fulfilled, which is an exception not available to private Data Fiduciaries.

By 2030 India is projected to be the world's third-largest economy, with one of the world's largest footprints of digital personal data, both in motion and at rest. The importance of the DPDP Bill 2022 grows with India's strengthening role in the global order. With the G20 Presidency and multiple free trade and regional trade agreements in place, India will have to find workable solutions for Data Free Flow with Trust and for cross-border data flows, and the healthcare sector, which handles some of the most sensitive personal data of all, will be among the first to feel the effect.