Open Access Research Article

THE CHRONICLE OF INDIAN DATA PRIVACY BILL - PROGRESSIVE PRINCIPLES, DOUBTFUL ENFORCEMENT BY: - RADHIKA DWIVEDI

Author(s):
RADHIKA DWIVEDI
Journal IJLRA
ISSN 2582-6433
Published 2023/04/13
Access Open Access
Volume 2
Issue 7

INTRODUCTION
What is the current data protection situation in India
The Indian Constitution recognizes the right to privacy as one of the essential rights that must be upheld. The verdict that established the right to privacy as a basic right was handed down by India's Supreme Court in August 2017. This right, which is protected by the Constitution, has a significant impact on Indian law, to the extent that it shapes both policy and jurisprudence and serves as a check on the actions of the legislative and executive branches[1]. At the moment, the Information Technology Act from the year 2000 and the Information Technology Regulations from the year 2011 are the primary sources for the legislation that governs the processing of personal data. Indirect safeguards that have been adopted by the courts through a variety of rulings handed down over the years additionally protect individuals' personal data. There is no national monitoring authority in India to ensure the privacy of its citizens' personal information[2]. The Ministry of Electronics and Information Technology is in charge of the administration of the aforementioned legislation as well as the issuance of any additional rules. It is expected that the Data Protection and Data Privacy Act of 2022, which is scheduled to go into effect in 2022, will require special adherence to the data protection principles of openness, purpose limitation, data minimization, and storage limitation.
The Digital Personal Data Protection Act, 2022
In the version for 2019, there were going to be severe restrictions placed on the export, processing, and storage of data in foreign countries. This measure was criticized by a number of organizations, the most notable of which was the Asia Internet Coalition. The Asia Internet Coalition is a trade organization that comprises firms like Google, Facebook, and Amazon. The critique was justified by pointing out that choices regarding transfers across international borders ought to be made without political involvement. As a consequence of this, the DPDP Bill, 2022 is less restrictive in terms of data traffic across international borders.
 
Applicability of the DPDP Act
The Bill will apply to the processing of digital personal data within India, regardless of whether the data was (i) gathered online or (ii) collected offline and then digitized. It is important to note that the Bill will not apply to data that was collected offline and then digitized. Additionally, it will apply to the processing of personal data that takes place outside of India for the purpose of marketing products or services to individuals in India or profiling those individuals. All data on an individual who can be identified based on the data itself or in relation to the data is considered to be personal data. The term "processing" refers to any action or series of activities that are carried out by an automated system on digital personal data. It encompasses activities such as collecting, storing, using, and sharing information[3]. However, the provisions of the DPDP Act, 2022 are also intended to apply to the processing of digital personal data that is carried out outside of India's territory in connection with the profiling of data subjects in India's territory or the offering of goods or services to data subjects in India's territory.
 
Obligations of the Data Processor
According to the provisions of Section 5 of the Bill, a data processor is required to only process personal data in accordance with the provisions of the DPDP Act, 2022 and the regulations made thereunder for a lawful purpose for which the data subject has consented or for which consent may be assumed in accordance with the provisions of the Act. This provision is intended to ensure that personal data is only processed in a manner that is legal and ethical. The bill does not detail the conditions under which consent can be assumed in certain situations[4].
 
A provision for an information duty on the side of the data processor is included in the drafted Indian law as well, which is analogous to the rules of the European Data Protection Regulation (GDPR). According to this, the individual providing consent must be informed by the data processor about the data gathered and the purpose for which the data is being processed. Yet, the language of the draft only refers to data subjects who have actively consented, and not to those whose consent is presumed. The latter are, however, probably meant to be covered in the context of complying with the principle of transparency, or they are going to be incorporated into the final law[5].
 
Special Data Processors
A data processor has the potential to be designated by the government as a special data processor under Section 11 of the draft, provided that the government conducts an analysis of the relevant elements (e.g. state security, scope of data processing, risk of injury to data subjects). In particular, this covers – in a manner analogous to Article 9 of the GDPR – processors of data on a large scale or of special categories of personal data[6].
 
Appointment of a Data protection officer
When a data processor is given a special classification, the company is required to hire a data protection officer who is located in India. A data protection officer and an independent auditor are both required to be hired in order to ensure that the Data Privacy and Data Protection Act of 2022 is followed properly. In addition, it is necessary to take further precautions, such as carrying out data protection impact assessments and carrying out audits on a regular basis.
 
Rights and obligations of Data Subjects
Right to Access Data (Article 15)
A data subject has the right to request and receive confirmation that their personal data is being processed. If it is, they have the right to request and receive a copy of the data you maintain, along with the following details[7]:
 
· The reason(s) for processing.
· The categories of personal information stored.
· Who else (if anyone) will receive the transferred data. If you intend to transfer the data to a non-EU country or international organization, you must also specify the motives for doing so (which we will look at in a later article).
· The length of time that the data will be stored (or how this period will be determined).
· The rights of the data subject to have their information rectified, erased, or transferred, or to restrict or object to processing.
· The right of the data subject to lodge a complaint with a supervisory authority (see our article on penalties).
· The origin of the data (where it was not received from the data subject).
· Whether the data will be subjected to automated processing (including profiling) and, if so, the processing's logic, significance, and consequences for the data subject.
 
As you may have observed, this list closely resembles the list of information required when requesting the data (considered in the previous article). If none of this information has changed, it may be sufficient to resend them the original privacy notice along with their data.
 
The exercise of this right should not have a negative impact on the rights and liberties of others. This may necessitate the removal of any personal information of other data subjects that would otherwise be included in the data copy. When feasible, you should grant data subjects secure access to their data via a remote self-service system. If you process a large quantity of information about the data subject, you have the right to request that they be more specific in their request.
Right to Have Data Transferred (Article 20)
The data subject has the following rights (in addition to the standard right of access) when personal data is processed on the basis of consent and through automated means:
 
· The right to receive the supplied data in a structured, widely-used, machine-readable format.
· The right to freely transmit these data to another controller.
· If technically practicable, the right to have these data transmitted directly from one controller to the other.
 
The clearest instance in which this will be applicable is when the data subject wishes to transfer service providers. This essentially requires the previous provider to make the transition as simple as feasible for the data subject, including direct data transmission where applicable.
 
This privilege does not apply to processing that is required for the performance of a task in the public interest or in the exercise of official authority. As with the right of access, it should not be permitted to infringe upon the rights and liberties of others[8].
 
Right to Object to Processing (Article 21)
A data subject may object to the processing of their personal data and have it ceased if it is necessary for the data controller's legitimate interests or for the performance of a task in the public interest or for the exercise of official authority (see our article on lawful grounds).
 
Consequently, this privilege functions similarly to the withdrawal of consent (for processing based on consent). In this instance, however, the data subject must provide an explanation for their objection based on their specific circumstances. In addition, unlike when consent is withdrawn, the data controller has the opportunity to overcome the objection by demonstrating compelling overriding grounds for the processing that outweigh the data subject's interests, rights, and freedoms[9].
 
However, the Regulation explicitly specifies that there is no defence to an objection to direct marketing. Since this type of processing will almost always be based on legitimate interests or consent, data subjects have a virtually absolute right to stop direct marketing.
 
Right to Have Data Erased – “Right to be Forgotten” (Article 17)
A data subject has the right to request the deletion of some or all of their personal information. You must then comply, but only if one of the following conditions is met:
 
· The information is no longer required for the original purposes for which it was collected or processed.
· The data subject withdraws consent for the processing, which was founded on consent.
· The data subject effectively exercises his or her right to object (see above).
· The data was improperly processed.
· EU or national law mandates the erasure of the data.
· The data was collected in relation to the provision of online services to children (that is, in circumstances where consent would require parental authorization).
 
These grounds will encompass a wide range of situations, although they will typically not apply to data processed for the performance of a contract with the data subject. In addition, even if one of the aforementioned conditions is met, you are not required to delete the data if:
 
· The processing is required for the exercise of free speech or information.
· The processing is required to comply with a legal requirement.
· The processing is essential for the performance of a task in the public interest or in the exercise of official authority.
· The data processing is required for medical or public health reasons.
· The processing is necessary for archiving in the public interest, for historical or scientific research or statistical purposes.
· The processing is essential for establishing, exercising, or defending legal claims or defenses[10].
 
Right to Restrict Processing (Article 18)
A data subject has an additional, more limited right to prevent data administrators and processors from processing their personal data in certain circumstances (with some exceptions). They have this right where:
 
· The data subject contests the veracity of their data while it is being verified.
· The processing is illegal, but the data subject does not wish for the data to be deleted.
· The data controller no longer requires the information, but the data subject requires it to assert or defend legal claims or rights.
· The data subject has exercised their right to object (see above), and it is currently being determined whether the legitimate interests of the data controller override this right.
 
If any of these conditions are met, all processing of the data (other than storage) must cease, unless it is done with consent, to establish or exercise legal claims or defenses, to protect the rights of others, or for vital public interest reasons. Once a restriction has been imposed, you must inform the data subject before lifting it[11].
 
In the majority of instances, data subjects will prefer to exercise their right to object or right to be forgotten, with this right serving as a supplement.
 
Cross-border Data Transfer
Cross-border data transfers are a crucial concern. The DPDP Act of 2022 also contains provisions to regulate these issues. In accordance with Section 17 of the DPDP Act, 2022, the government may specify countries or territories outside of India to which personal data may be transferred in accordance with the specified provisions after conducting an assessment based on relevant factors.
 
In addition, the next section will detail a few exceptions to the general rule. When it comes to the transfer of data across international borders, Section 17 does not apply:
 
· In the event that the processing of personal data is required for the purposes of the assertion or defence of a legal claim,
· If it is essential for the performance of a judicial or quasi-judicial function for a court or other entity in India to process personal data in order to carry out their duties,
· In cases in which the processing of personal data is necessary for the purposes of preventing, investigating, detecting, or prosecuting a criminal offense or any offense against a law,
· When a person who resides in India processes the personal data of principals who are not situated within the territory of India in accordance with a contract that was entered into with a person who is located outside the territory of India.
 
Data transfers between countries are currently required to undergo a review by the central government to see how compliant they are with the laws of the destination country. Although it is encouraging that the objective is to govern international transfers on the basis of an adequacy assessment, the draft does not explain on what basis such an assessment should be carried out.
 
However, in the context of adequacy mechanisms and alternatives thereto, it is reasonable to assume that the government will evaluate the precedents and actions of the Court of Justice of the European Union in its various rulings, in particular the decisions in Schrems I and Schrems II. This is because the Court of Justice of the European Union has established a number of actions and precedents that are relevant to the context of adequacy mechanisms and alternatives thereto. From a data protection point of view, establishing objective variables or particular circumstances is a productive approach; nevertheless, such factors may not be generally relevant in all recipient countries. In light of this, it is imperative that mechanisms such as the Standard Contractual Clauses (SCCs) of the European Union, certifications, and so on, be taken into consideration as obligatory under the regulations[12].
 
Indian Data Protection Authority
The purpose of Clause 19 of the Bill is to make provisions for the creation of an Indian Data Protection Authority, which has not been established in India as of the present time. The authority is going to make an effort to digitalize as many of its responsibilities as is practicable. This includes the assignment of tasks within the authority, the receipt of complaints, the organization of hearing groups, the proclamation of decisions, and other duties[13].
 
Fines
In the event that the Indian data protection authority arrives at the judgment that a breach has occurred, it has the ability to levy fines, the amount of which is to be determined after considering a number of different criteria. Among them are things like the kind of the breach, how severe it was, how long it lasted, the kind of personal information that was compromised, and whether or not there is a chance that it will happen again. In the event that the Data Protection Act is violated, the offender may be subject to fines of up to the equivalent of approximately 30 million euros, which is approximately comparable to 2.5 billion yen[14].
 
CONCLUSION
In light of the fact that the Act, as specified in Section 29 of the DPDP Act, 2022, takes precedence over competing provisions of other laws, it is currently unknown how India will modify pre-existing regulations in order to create harmonisation in the regulatory landscape of India between the Act and already existing laws. In particular, it is yet unclear how international data transfers will be further precisely regulated, as well as what basis will be used to determine whether countries are adequate, and this is a significant area of concern.
Under the provisions of the DPDP Act, 2022, it is highly probable that the member nations of the European Union will be deemed without much dispute as suitable countries by the Indian government. In spite of this, it is uncertain whether or not the EU would likewise issue an adequacy judgement for India in accordance with Article 45 of the GDPR. This will most likely depend, first and foremost, on how the proposed Indian data protection law is implemented in the regulatory landscape, as well as what adjustments are made before the DPDP, 2022 comes into force[15].
 
The DPDP Act, 2022 has not yet entered into force, and it is currently unknown when it will do so. This is because the bill does not define a period of implementation; rather, it only indicates that the provisions would enter into force on the date that is decided by the government. Recent reports suggest that the draft might be presented to parliament during the budget session that will take place in the beginning of 2023. At this point, it is required to wait for responses to the draft, which was available for public input until the 2nd of January 2023[16].
 


[1] Thadchanamoorthy, V. (2023) India's Digital Personal Data Protection bill, activeMind.legal. Available at: https://www.activemind.legal/guides/india-dpdp/ (Accessed: April 12, 2023).
[2] Thadchanamoorthy, V. (2023) India's Digital Personal Data Protection bill, activeMind.legal. Available at: https://www.activemind.legal/guides/india-dpdp/ (Accessed: April 12, 2023). 
[3] Draft Digital Personal Data Protection bill, 2022 (2023) PRS Legislative Research. Available at: https://prsindia.org/billtrack/draft-the-digital-personal-data-protection-bill-2022 (Accessed: April 12, 2023). 
[4] Thadchanamoorthy, V. (2023) India's Digital Personal Data Protection bill, activeMind.legal. Available at: https://www.activemind.legal/guides/india-dpdp/ (Accessed: April 12, 2023).
[5] Thadchanamoorthy, V. (2023) India's Digital Personal Data Protection bill, activeMind.legal. Available at: https://www.activemind.legal/guides/india-dpdp/ (Accessed: April 12, 2023). 
[6] Thadchanamoorthy, V. (2023) India's Digital Personal Data Protection bill, activeMind.legal. Available at: https://www.activemind.legal/guides/india-dpdp/ (Accessed: April 12, 2023). 
[7] TrueVault (no date) What are the rights of data subjects under GDPR?, TrueVault. Available at: https://www.truevault.com/resources/compliance/what-are-the-rights-of-data-subjects-under-gdpr (Accessed: April 12, 2023). 
[8] TrueVault (no date) What are the rights of data subjects under GDPR?, TrueVault. Available at: https://www.truevault.com/resources/compliance/what-are-the-rights-of-data-subjects-under-gdpr (Accessed: April 12, 2023). 
[9] TrueVault (no date) What are the rights of data subjects under GDPR?, TrueVault. Available at: https://www.truevault.com/resources/compliance/what-are-the-rights-of-data-subjects-under-gdpr (Accessed: April 12, 2023). 
[10] TrueVault (no date) What are the rights of data subjects under GDPR?, TrueVault. Available at: https://www.truevault.com/resources/compliance/what-are-the-rights-of-data-subjects-under-gdpr (Accessed: April 12, 2023). 
[11] TrueVault (no date) What are the rights of data subjects under GDPR?, TrueVault. Available at: https://www.truevault.com/resources/compliance/what-are-the-rights-of-data-subjects-under-gdpr (Accessed: April 12, 2023). 
[12] TrueVault (no date) What are the rights of data subjects under GDPR?, TrueVault. Available at: https://www.truevault.com/resources/compliance/what-are-the-rights-of-data-subjects-under-gdpr (Accessed: April 12, 2023). 
[13] Thadchanamoorthy, V. (2023) India's Digital Personal Data Protection bill, activeMind.legal. Available at: https://www.activemind.legal/guides/india-dpdp/ (Accessed: April 12, 2023). 
[14] Thadchanamoorthy, V. (2023) India's Digital Personal Data Protection bill, activeMind.legal. Available at: https://www.activemind.legal/guides/india-dpdp/ (Accessed: April 12, 2023). 
[15] Thadchanamoorthy, V. (2023) India's Digital Personal Data Protection bill, activeMind.legal. Available at: https://www.activemind.legal/guides/india-dpdp/ (Accessed: April 12, 2023). 
[16] Draft Digital Personal Data Protection bill, 2022 (2023) PRS Legislative Research. Available at: https://prsindia.org/billtrack/draft-the-digital-personal-data-protection-bill-2022 (Accessed: April 12, 2023). 

About Journal

International Journal for Legal Research and Analysis

  • License CC 4.0

All research articles published in International Journal for Legal Research and Analysis are open access and available to read, download and share, subject to proper citation of the original work.
