India’s Foray into Personal Data Protection Law
Digital India needs a regulatory framework and laws that are not only just but that also fuel growth expectations, protect the rights and interests of citizens and remain business-friendly. Any regulation or law is restrictive in nature. India’s digital growth has been exponential, and concern about misuse and exploitation of personal data has grown in step. The Union Cabinet has approved the Digital Personal Data Protection (DPDP) Bill 2022 (revised bill), to be tabled in the upcoming monsoon session of Parliament. Though the consultation process for the bill by the Ministry of Electronics and Information Technology (MeitY) is over, the final form will be available only after ratification by Parliament.
Privacy, being a fundamental right (as recognized in Aug 2017), is a constitutional guarantee. In keeping with this, the DPDP Bill recognizes the need to protect personal data while not restricting businesses from using personal data lawfully. It lays out obligations and duties for Data Fiduciaries (businesses), Processors (those processing data on behalf of a fiduciary) and Principals (the individuals whose personal data the business wishes to process, including children).
Legality
The act applies to the processing of digital personal data within the territorial boundaries of India. It also applies to processing of digital data outside the territory of India if it is done in connection with profiling or with any economic activity carried out on Indian territory. It does not apply to non-automated processing of personal data, offline data, data processed for domestic purposes, or records that are over 100 years old.
Impact on Business
The fiduciary would be obliged to give Principals an itemized notice, in clear and plain language, containing a description of the personal data sought and the purpose of obtaining it, and to obtain consent from the Principal. Consent needs to be obtained for pre-dated data as well.
The Principal’s rights to withdraw consent, manage/review consent, rectification, erasure and restricted processing are inherent. These are in line with the data subject privacy rights under the EU’s GDPR and would require changes at the operational level as well.
Businesses would have to create Consent Managers (which enable Principals to manage their consent) through interoperable platforms registered with the Data Protection Board (DPB) [Section 7(7)]. MeitY has already released a specification for electronic consent (ver 1.1), and the financial sector has its own Consent Managers for data sharing. The technical solution can vary from sector to sector and business to business.
A fiduciary classified as significant will appoint a DPO (Data Protection Officer) based in India and also appoint independent data auditors for compliance.
DPDP will lead to revision of internal data policies and to review/updating of companies’ IT, data protection, data retention and cyber security policies. It is reasonable to expect companies to build adequate safeguards through policies, procedures and technologies to handle and process data.
People’s Privacy and Rights
User centricity, compliance with extant provisions of law and granular control lead to the rights a Principal can exercise against a fiduciary: confirmation, a summary and the identities of the processors processing the data, rights to amendment (rectification), erasure and updation, and a grievance redressal mechanism.
Transfer of Data
The Data Fiduciary may, where consent of the Data Principal has been obtained, share, transfer or transmit the personal data to any Data Fiduciary/Processor to process personal data on its behalf under a valid contract. The Central Government may notify countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified. The Bill has shed the rigidity around cross-border data transfer, which plays a crucial role in easing data flows (and helps corporations). The Bill has excluded data localisation requirements, which will help small, medium and large enterprises store data across geographies, reducing the cost and time spent on localised data storage.
Children’s Age
For the purposes of the act, the age of a child has been pegged at 18 years, which will require fiduciaries to obtain the consent of the parent/guardian of the Principal. This age can be debated, as it may seem to be on the higher side. After obtaining parental consent, businesses will be required to ensure that such processing does not cause harm to children [Section 10(2)]. Businesses are also prohibited from tracking or behavioral monitoring of children and from targeting advertisements at them [Section 10(3)].
Conclusion
It remains to be seen in what form the bill becomes law. Whatever the changes, the bill is going to be a milestone in the way our personal data is handled. Further, it remains to be seen how the DPB and the government, with its notifications and amendments, give final shape to the law. It will increase costs for businesses and at the same time create job opportunities in the field. What GDPR’s enactment brought to Europe and businesses there can be expected in India.