THE PERSONAL DATA PROTECTION BILL 2023 – INTRICACIES

After a plethora of debates, discussions and deliberations, the Digital Personal Data Protection Bill 2023 was passed by the Lok Sabha on 7 August 2023, introducing the nation to the concept of data fiduciaries and to rules on how personal data may be used by institutions. Until now, users of data, who had access to a wide range of personal information for bureaucratic or other purposes, were under no obligation while processing the confidential data of data principals. India needed a data protection law to be at par with global standards, given its fair share of struggles in reconciling rights such as personal liberty and the right to be forgotten with public welfare and governmental requirements. Though many organisations already have their own compliance and technology policies in place, it has now become essential for those policies to be aligned with the key aspects of the bill. As to applicability, the provisions of the bill come into force only on such date as the central government notifies in the official gazette, and different dates may be notified for different provisions.

DATA FIDUCIARY VS DATA PRINCIPAL

The bill draws our attention to the distinction between the data principal, the data fiduciary and the data processor. The individual to whom the personal data relates is the data principal. The entity that collects that data for a specific purpose and determines how it is digitally processed is the data fiduciary, and it must comply with the obligations on data fiduciaries set out in the bill. Where an organisation processes personal data on behalf of another organisation, the former is a data processor and the organisation on whose behalf the processing is done remains the data fiduciary; a data fiduciary cannot shed its obligations by outsourcing the processing. Certain entities may be notified as significant data fiduciaries. The factors considered include: the volume and sensitivity of the personal data processed, the risk to the rights of data principals, the potential impact on the sovereignty and integrity of the nation, the risk to electoral democracy, the security of the State and public order. An organisation notified on the basis of these factors is a significant data fiduciary and carries additional obligations. The bill applies to the processing of personal data collected in digital form and to personal data collected in non-digital form and digitised subsequently. However, not all personal data is the same. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 classify information into personal information and sensitive personal data or information. Unfortunately, the bill does not do so and treats all personal data uniformly, without an intelligible differentia. One mitigation would be the continued applicability of the Information Technology Act 2000 after the data protection bill is enacted: under Section 43A of the IT Act, a body corporate must pay compensation for failure to protect sensitive personal data or information. The caveat is that the bill itself provides for Section 43A to be omitted from the IT Act once the new law comes into force, so this parallel protection would not survive the transition.
So, even though the bill fails to differentiate personal data from sensitive personal data, with penalties graded accordingly, compliance with both legislations for as long as both remain in force will facilitate better protection of individuals' personal data.

GUIDING PRINCIPLES OF THE BILL

Striking a balance between the need to protect personal data and the need to process it for lawful purposes, including governmental objectives, the bill seeks protection with minimum disruption, so as to enhance the ease of doing business and of living and to bring dynamic change to India's digital economy and innovation ecosystem. The principles guiding the bill include consented, lawful and transparent use of personal data; purpose limitation, meaning data is used only for the purpose specified when it was obtained from the data principal; and data minimisation, meaning only as much data is collected as the intended purpose requires. Ancillary principles include storage limitation, under which data is retained only for as long as it is required, and the principle of security safeguards and accountability. Accountability is enforced through adjudication of data breaches and of infringements of the principles enshrined in the bill, and through imposition of penalties where damage results. The bill is described as SARAL (Simple, Accessible, Rational and Actionable Law): with plain language, clear illustrations and minimal cross-referencing, its provisions have been kept lucid enough for ordinary individuals to grasp. Though the board is given powers to direct remediation and mitigation of data breaches, to perform adjudicatory and regulatory functions, to deal with the processing of Indian personal data under foreign contracts and to locate defaulters and their financial assets, the exemptions granted to certain authorities remain a bone of contention in understanding the intention of the proposed bill.

THE RIGHTS PROVIDED BY THE BILL

Individuals now have the right to access information about the processing of their personal data; the right to correction and erasure, which gives statutory shape to the right to be forgotten, a right that had until now been invoked in India largely by reference to foreign judgments; the right to grievance redressal; and the right to nominate a person who, in the event of the data principal's death or incapacity, may exercise these rights on his behalf. When a data breach occurs, the data fiduciary must intimate the data protection board and each affected data principal, and if a data principal withdraws consent the data must be erased unless its retention is required by law. Significant data fiduciaries must additionally appoint an independent data auditor and conduct periodic data protection impact assessments, to ensure a higher degree of data protection. Extending protection to children, a data fiduciary may process a child's personal data only with verifiable parental consent, and processing that is detrimental to the well-being of a child, as well as tracking, behavioural monitoring and targeted advertising directed at children, is prohibited.

CONCLUSION

The exemptions from certain provisions of the bill remain concerning. The exemptions for approved mergers and demergers, and for the prevention, detection, investigation and prosecution of offences and the enforcement of legal rights and claims, could be used arbitrarily. Some of this leeway is balanced by enforcement tools: the board may accept voluntary undertakings from data fiduciaries, and where a data fiduciary is found to have repeatedly breached the data protection provisions the board may advise the government to block public access to its website or platform. However, a question arises: what if the data fiduciary is the government itself? The bill fails to provide clarity on this aspect.