{"id":2999,"date":"2022-07-25T10:08:00","date_gmt":"2022-07-25T10:08:00","guid":{"rendered":"https:\/\/zeus.firm.in\/the-data-protection-bill-2021-key-takeaways-for-stakeholders\/"},"modified":"2023-04-24T13:38:53","modified_gmt":"2023-04-24T13:38:53","slug":"the-data-protection-bill-2021-key-takeaways-for-stakeholders","status":"publish","type":"post","link":"https:\/\/zeus.firm.in\/the-data-protection-bill-2021-key-takeaways-for-stakeholders\/","title":{"rendered":"The Data Protection Bill 2021: Key Takeaways for Stakeholders"},"content":{"rendered":"

The Data Protection Bill 2021: Key Takeaways for Stakeholders

Source: https://www.livelaw.in/lawschool/articles/the-data-protection-bill-stakeholders-general-data-protection-regime-personal-data-204692

Author: Ms. Jayshree Navin Chandra, Senior Partner at ZEUS Law

Published in Livelaw on 25th July 2022

In our vastly interconnected and globalized world, information technology is flourishing at an unprecedented rate. The world we live in today is immensely digitalized and data-driven. The spread of data-driven technologies around the world has led to several citizen- and consumer-centric innovations, including new means of communication and access to goods and services through e-governance and online commerce and transactions. This has made data a vital resource for the internet economy, supporting innovation and the building of new-age businesses.

The advent of the General Data Protection Regime ("GDPR") was a watershed moment for the European Union. It was also the first formal recognition of data as a vital resource in the digital economy and established a comprehensive data protection and privacy regime. Since then, the global conversation on data protection and privacy has expanded, notable examples being California's Consumer Privacy Act and South Korea's updating of its Personal Information Protection Act.

With the world's second largest population and over 700 million internet users, India generates enormous volumes of data. Formulating robust data management policies, standards and best practices (accurate and up-to-date data, appropriate data access, strong data security, and privacy and ownership rights), together with comprehensive legislation to regulate the collection, storage, processing, usage, sharing and misuse of personal information, has therefore become the need of the hour.

In 2017, a nine-Judge Constitutional Bench of the Supreme Court, in the matter of Justice K.S. Puttaswamy and another vs. Union of India, declared "privacy" a fundamental right under Article 21, while noting that the right to privacy lies at the core of the fundamental rights guaranteed under Articles 14, 15 and 21 of the Constitution. While delivering its final judgment in this case, the Supreme Court impressed upon the Government the need to bring out a robust data protection regime.

On the basis of the recommendations made in the report of the Committee of Experts on Data Protection, constituted by the Government of India and chaired by Justice B. N. Srikrishna, and the suggestions received from various stakeholders, the Government proposed to enact legislation, namely the Personal Data Protection Bill, 2019 ("PDPB"), which was introduced in the Lok Sabha on 11.12.2019.

With several controversies surrounding the PDPB, particularly on the proposed power of the Central Government to exempt any agency of the Government from the application of the provisions of the PDPB, the draft was referred to a Joint Parliamentary Committee comprising members of both Houses of Parliament ("JPC") for detailed study. The Report of the JPC on the PDPB was presented to the Lok Sabha on 16.12.2021; it contains several recommendations on the PDPB and a revised draft of the PDPB, now renamed the Data Protection Bill 2021 ("Bill 2021").

The Bill 2021 proposes to provide for, among other things, the protection of the digital privacy of individuals in relation to their personal data, the specification of the flow and usage of data, the protection of the rights of individuals whose data is processed, norms for cross-border data transfer, the accountability of data fiduciaries, remedies for unauthorized and harmful data processing, and a framework for regulation and enforcement.

Key Actors and Stakeholders

In order to understand the provisions of the new Bill 2021, it is imperative to understand the various stakeholders covered by it. The Bill 2021 regulates data fiduciaries as well as data processors and specifies certain duties and responsibilities of these actors.

A data fiduciary is any person, including a state, a company, an NGO, a juristic entity or any individual, who alone or in conjunction with others determines the purpose and means of processing personal data vis-à-vis the natural persons to whom the personal data relates (i.e. data principals).

There is also a sub-category of data fiduciaries called 'significant data fiduciaries'. A data fiduciary is so classified depending upon the volume and sensitivity of the information processed, the turnover of the data fiduciary, the risk of harm posed by the processing, the use of new technologies for processing, the processing of data relating to children or the provision of services to them, etc., and is required to register with the Data Protection Authority ("Authority") proposed to be established under the Bill 2021. Significant data fiduciaries are required to meet certain additional compliances, including appointing a data protection officer, undertaking data protection impact assessments, maintaining accurate and up-to-date records in the form and manner specified, and having their policies and the conduct of their processing of personal data audited annually. Social media platforms may also be categorized as significant data fiduciaries.

Data processors are persons who process personal data on behalf of data fiduciaries; processing includes activities such as collection, recording, organization, storage, making available, restriction, erasure or destruction.

Different Data Sets and Applicability

The right to privacy is a fundamental right, and since the growth of the digital economy has expanded the use of data as a critical means of communication between persons, it has become all the more necessary to protect personal data, which is an essential facet of informational privacy.

The Bill applies to (i) the processing of personal data within India, where such data has been collected, stored, disclosed, shared or otherwise processed in India; (ii) the processing of personal data by any person under Indian law; (iii) the processing of personal data by data fiduciaries or data processors not present within India, if the processing is in connection with any business carried out in India, any systematic activity of offering goods and services to data principals within India, or any activity that involves the profiling of data principals in India; and (iv) the processing of non-personal data, including anonymized personal data.

The Bill 2021 expands the scope of applicability to cover personal data, sensitive personal data, critical personal data and non-personal data. Personal data is any data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and includes any inference drawn from such data for the purpose of profiling. Non-personal data is defined as data other than personal data. Though the regulations on non-personal data will be separately notified, non-personal data and its breach will also be governed by the provisions of the Bill 2021, and the Authority's powers now extend to non-personal data as well. Businesses will therefore need to factor non-personal data compliance obligations into their overall compliance processes and data management policies.

There is an additional layer of protection for 'sensitive personal data', which is defined to mean personal data which may reveal, be related to or constitute financial data, health data, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, or religious or political belief or affiliation, each of which is defined in the Bill 2021. 'Critical personal data', another category of personal data, is yet to be defined.

Rules of Processing of Personal Data

The Bill 2021 permits any kind of processing of personal data by any person, as long as the processing is done in a fair and reasonable manner that ensures the privacy of the data principal, and such processing is subject to the provisions of the Bill 2021 and the rules and regulations made thereunder.

Such processing is permitted only if it is done for the purpose consented to by the data principal, or for any other purpose that is incidental to or connected with that purpose and which the data principal would reasonably expect.

The Bill 2021 also explicitly states that personal data should be collected only to the extent necessary for the purposes of processing such personal data.

Data fiduciaries are mandated to provide clear notice to data principals, in multiple languages to the extent necessary, so that data principals can easily comprehend it. The notice must carry specific information, including the purposes of processing, the nature and categories of personal data being collected, and the basis of processing.

It is further stipulated that a data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed, and is required to delete the personal data at the end of such period. Personal data may be retained for a longer period only if the data principal explicitly consents or retention is needed to comply with an obligation under law.

For effective implementation of these procedures and processes, the Bill 2021 requires data fiduciaries to formulate and implement policies and measures to ensure that their managerial, organizational and business practices and technical systems are in order. Such policies are required to be certified by the Authority. Data fiduciaries are required to take steps to ensure that the personal data processed is complete, accurate, not misleading and updated, having regard to the purpose for which it is processed. It is also the responsibility of data fiduciaries to use commercially accepted technology while dealing with personal data, to ensure that the legitimate interests of the business are achieved, that the processing is protected and carried out in a transparent manner, and that the interest of the data principal is taken into account at every stage of processing, so that the procedures being implemented remain in check. These steps keep the measures taken by the data fiduciary in strict compliance and ensure that the processing mechanism remains effective at all stages.

Data fiduciaries are accountable for compliance with the obligations under the Bill 2021 and the rules made thereunder for data processed by them or on their behalf. Further, under the Bill 2021, the provision of goods and services or the enjoyment of a legal right cannot be made conditional on consent to the processing of any personal data not necessary for the purpose, nor be denied on the basis of the exercise of such choice. This is a significant departure from the position under the Information and Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, wherein body corporates have the option not to provide the goods or services for which the information was sought if the provider of the information does not consent to or provide the data or information sought to be collected, or later withdraws consent.

Processing of the personal data of children below 18 years must be done in a manner that protects the rights of the child. A data fiduciary is required to verify the age of the user and obtain a parent's or guardian's consent before processing the personal data of a child. Profiling, tracking or behavioral monitoring of children, and direct advertising directed at children, by data fiduciaries is prohibited.

The Bill 2021 also requires data fiduciaries and data processors to implement data safety standards and practices, to prevent unauthorized misuse, access, modification, disclosure or destruction of personal data, and to review these safeguards periodically.

The Authority is to be notified by the Central Government of India to monitor and enforce the application of the data protection legislation in the manner laid down comprehensively in the Bill 2021. The Authority can issue directions to data fiduciaries or data processors for enforcing the provisions of the Data Protection Act.

Rights of the Data Principal

One of the most significant aspects of the Bill 2021 is the set of rights granted to the data principal with respect to the processing of their personal data. Apart from other basic rights, such as the obtaining of consent and the provisions relating to notices, a data principal will also enjoy the following rights under the Bill 2021: