The Supreme Court of India in August 2017, passed judgment in the famous Puttaswamy case, upholding the right to privacy as the fundamental right protected under the Constitution of India. In the same case, the Supreme Court also expressed the need for the enactment of personal data protection law. After a journey of about 6 years since then, India seems to be at the cusp of having such a law. The journey had witnessed many versions of the draft bills along the way starting with the one proposed by Justice Sri Krishna to various other committees including the Parliamentary Committee.
On August 3, 2023, the Digital Personal Data Protection Bill, 2023 (the Bill) was placed before the Lok Sabha (House of Commons) by the Minister of Electronics & Information Technology. The Bill has today i.e. August 7, 2023, been debated by the Lok Sabha and passed. It will now be placed before the Rajya Sabha (House of States). If both Houses of Parliament pass the Bill in its present form, then it will become law after receiving the assent of the President of India.
Some of the salient features of the proposed Digital Personal Data Protection Bill are:
- The object and reasons of the Bill are to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes.
- Digital Personal Data as per the Bill means data either in digital form or subsequently converted into that form.
- The Bill defines the individual to whom the personal data relates as “Data Principal” and any person who determines the purpose and means of the processing of personal data is a “Data Fiduciary”. Data Principal and Data Fiduciary under the proposed Bill are equivalent to “Data Subject” and “Data Controller” under the GDPR of Europe.
- The territorial jurisdiction provided under the proposed Bill extends to the whole of India and India and outside the territory of India if the processing of data is in connection with any activity related to the offering of goods or services to Data Principals within the territory of India.
- As per the Bill, digital personal data can be processed for any lawful purpose by way of consent or for certain legitimate uses. The expression “lawful purpose” means any purpose which is not expressly forbidden by law.
- The Bill prescribes the contents of the notice to be made for seeking the consent of Data Principal and that notice must be accompanied or preceded by a notice containing; (a) the personal data; (b) the purpose for which the same is proposed to be processed; (c) the manner in which the Data Principal may make a complaint to the Board, etc.
- The consent given by the Data Principal shall be (a) free from all encumbrances; (b) for a specified purpose only that is clearly defined; (c) every Data Principal must know each aspect of what is being collected, (d) without any conditions attached; (e) expressed in a way that makes it completely clear what is meant; (f) with a clear affirmative action (g) and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose;
- Data Fiduciary under the Bill may (a) engage, appoint, use or otherwise involve a Data Processor; (b) ensure its completeness, accuracy and consistency; (c) implement appropriate technical and organizational measures; (d) take reasonable security safeguards to prevent personal data breach; (e) shall give each affected Data Principal, intimation of a breach in such form and manner as may be prescribed, (f) erase and cause to be erased all personal data where the Data Principal has withdrawn consent or specified purpose is no longer being served; (g) publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data and (h) establish an effective mechanism to redress the grievances of Data Principals
- The Bill provides that the Central Government may restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified. However, if there is a law providing a higher degree of protection or restriction of transfer, then that law will supersede this provision.
The significance of personal data protection law is far-reaching as it touches every individual, organization or instrument of the State. The present Bill also lays the foundation for various other laws such as the Digital India Act and industry-specific laws around privacy and data protection to augment our country’s march in the adoption of AI and other future technologies. Once enacted, the law will also help Indian businesses to attract enhanced collaboration with businesses internationally under reciprocal arrangements.