Personal Data Protection Bill – What’s in Store?

Digital Personal Data Protection Law India: Personal Data Protection Draft Bill 2022

We are in the era of the 4th Industrial Evolution where “Data is the New Oil”, a humungous amount of data is generated by technologies viz. the Internet of Things, Big Data, Artificial Intelligence, E-commerce, and the presence of customers on the Internet applications. Hence protection of consumer data is of utmost importance. Considering the same Government of India (GoI) has also proposed a Digital Personal Data Protection Bill, 2022 the bill has been drafted by the Ministry of Electronics and Information Technology.

Background

Currently, India does not have any Data Protection Law. Though we have IT rules, 2011, but on the its basis we cannot protect digital data, hence government (Govt) has proposed the Digital Personal Data Protection Bill, 2022 in order to protect individual data privacy.

Justice B.N. Krishna Committee – 2018 was created by Govt, to create a Draft version of the Data Protection Bill.

In 2019, changes were proposed and incorporated in the 2018 bill and presented in Lok Sabha.

The bill was submitted to the review committee for their recommendations, but due to the Covid pandemic things got delayed and after 2 years, they suggested many changes. In response to this,  govt withdrew the bill.

Recently, in November 2022, a new revamped version of the Digital Personal Data Protection Draft Bill was launched and is currently in the consultation phase to get inputs from the industry, and public domain.

Important Terms of Digital Personal Data Protection Bill, 2022

Below are some of the important terms considered in the bill, this will help in having a better understanding of the Bill.

Types of Data

Personal Data – An individual can have certain characteristics, traits, and attributes using which we can identify a person. E.g. Data on basis of which a person can be uniquely identified like Aadhar No., Mobile No., PAN No.

Non-Personal Data – Data points on basis of which we cannot individually identify a person fall under this category. E.g. person with a height 5.7’ and weight 57 Kgs.

Sensitive Personal Data – A person’s data that is very critical or highly sensitive in nature. E.g. Financial Transactions, Biometric Data, Health Data, Genetic Data, and Religion.

Data Localization – The country where the individual’s data is generated, the storage and processing of the data should happen in the same country of origin. E.g. In case a social media platform takes an Indian individual’s data to US and stores and processes in the US, in that case, the principle of Data Localization is not followed.

Data Principal – Users of Digital products, who give their personal data to companies, Applications, and portals or Govt bodies.

Data Fiduciary – Companies or Govt Applications which collect personal data.

Data Minimization – If a company, Govt body, or Online Application needs some data from an individual, they should seek only that much data which is relevant or essential for their purpose. Data that is not required and unnecessary should not be collected.

Post Mortem Privacy – In case a person is not in the capacity or cannot take a decision due to non-presence or, in such cases the individual can nominate another person, who can take the decision on his/her behalf for the data associated with him/her.

Grounds for Data Processing by Fiduciary

‘Consent’ is the main basis for the processing of personal data under the Bill. Specifically, Article 5 of the Bill provides that data fiduciaries may process the personal data of a data principal only for a lawful purpose for which the data principal has, or is deemed to have, given in certain limited circumstances their consent.

Further to the above, the Bill encompasses detailed provisions on ‘Consent’, including (Article 7 of the Bill):

‘Consent’ means a freely, given, specific, informed, and unambiguous indication of the data principal’s wishes by which they, by clear and affirmative action, signify agreement to the data processing; request for consent shall be presented to the data principal in a clear and plain language; and data principals shall have the right to withdraw consent at any time, and the ease of such withdrawal shall be comparable to the ease with which consent may be given.

Role of Consent Manager

Most notably, the data principal may give, manage, review, or withdraw consent to the data fiduciary through a consent manager, which is an entity, accountable to the data principal, that enables the same to manage their consent through an accessible, transparent, and interoperable platform. In this regard, the Explanatory Note details that since it may not always be possible to keep track of the instances in which an individual’s consent has been taken for processing of his/her personal data, the Bill recognizes the role of consent managers, who allow data principals to have a comprehensive view of their interactions with data fiduciaries and the declarations of consent given to them.

Digital Data Protection Bill – What It Proposes?

• This Bill only deals with:
  • Digital Personal Data collected Online by Data Fiduciary.
  • Digital Personal Data is collected Offline but processed digitally by Data Fiduciary
  • Sensitive Digital Personal Data – Should be stored in India, but can be processed outside India and the consent of the Data Principal and permission of the Data Protection Authority is must.
  • Critical Personal Information – like data related to national security, need to be stored and processed only in India.
  • Govt can take nonpersonal data from any data fiduciary, e.g. demographic data from Social media platforms.
• Bill expressly excludes from its scope of application on:
  • non-automated processing of personal data;
  • offline personal data;
  • personal data processed by an individual for any personal or domestic purpose; and
  • personal data about an individual that is contained in a record that has been in existence for at least 100 years.
• Where this Bill will apply?
• Territory
  • Applicable to Data Principals only in India.
  • Not applicable to NRI’s Data Principals.
  • Data Fiduciary who collects and process data outside of India
• How Long the data can be stored?
  • In case a Data Principal gives consent to store or process data, then the consent will have a time period of validity, the data cannot be held by Data Fiduciary for an Infinite period.
• Controls to Data Principal
  • Access to Data
  • Get the Data Corrected
  • Deletion of Data
•  Data Minimization
  • Data Fiduciary should collect only that much data which is necessary or required to meet the requirements, no unnecessary data should be collected by the Data Fiduciary from Data Principal.
• Data Localization – Relaxation
  • Earlier bill was very stringent in the data localization policy, but in the current draft bill relaxation is given to Data Localization, this is done to benefit global majors of the world like Facebook, Twitter, and Uber and strengthen the Start-up ecosystem.
• Data Protection Board – Establishment
  • The Data Principal can raise issues with Data Protection Board in case they are facing any issues with Data Fiduciary regarding their personal data.
  • In case, the guidelines of the Bill are not followed by data fiduciaries, high penalties can be levied upon them.
• Post Mortem Privacy
  • In case of incapacity or death of the Data Principal, the Data principal can nominate a person who can control the rights of the Data principal in case of their absence.
• Deemed Consent
  • In case of Public interest deemed consent is allowed in the interest of the sovereignty of the country.
• Social Media – Responsibility
  • Verify the identity and information sharing of its user and share the same with Govt.

Data Protection Authority

• DPO – The company needs to appoint Data Protection Officer (DPO).  The Data Protection body will check whether the Data Fiduciary is in compliance with the Bill.
• Purpose Limitation – If Data principals’ consents need to be stored or processed, then it should have a legal purpose.
• Collection Limitation – If data is collected a clear-cut purpose for the collection of data should be defined.
• Right to be forgotten
  • In case the data principal has given consent to use his/her data for a purpose, but if the customer wants to take his consent back for the use of data and wants to get deleted from the records, then the same should be facilitated by Data Fiduciary.

Rights and duties of data principals

Right to information about personal data

Recognizing that every individual should be able to obtain certain basic information about their personal data, Article 12 of the Bill grants data principals the right to obtain from the data fiduciary confirmation about the processing, a summary of the personal data being processed, and the identities of all the data fiduciaries with whom the data has been shared, as well as the categories of data shared.

Right to correction and erasure of personal data

To enable correction, update, completion, and erasure of personal data where it is no longer needed, data principals are recognised with the right to correction and erasure of personal data.

Right of grievance redressal

The Bill gives data principals the right to register a grievance with the data fiduciary and to escalate the complaint to the Board, in case of a lack of response or unsatisfactory response from the data fiduciary.

Right to nominate

A data principal shall have the right to nominate any other individual, so that, in the event of death or incapacity of the data principal, the nominees may exercise the rights of the data principal on their behalf. In relation to the right in question, the Explanatory Note outlines that the right to the nomination has been borrowed from other sectors, where it is a basic practice and a right available to individuals.

Duties of data principals

Interestingly, the Bill also lists various duties that data principals are expected to abide by. The Explanatory Note explains that the inclusion of duties for data principals aims at ensuring that there is no misuse of rights and that the exercise of rights does not lead to an adverse effect on others’ rights.  Bill prohibits data principals from registering a false or frivolous grievance or complaint with a data fiduciary or the Board.

Situations where taking consent of the Data Principal would not be necessary

• In a situation where the data principal voluntarily provides their personal data to the data fiduciary and it is reasonably expected that they would provide such personal data;
• for the performance of any function under any law, or the provision of any service or benefit to the data principal, or the issuance of any certificate, license, or permit by the State or other state body;
• for compliance with any judgment or order issued under any law;
• for responding to a medical emergency;
• for taking measures to provide medical treatment or health services to any individual during a period of threat to public health;
• for taking measures to ensure the safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order;
• for the purposes related to employment; or
• in the public interest, such as the prevention and detection of fraud, credit scoring, and processing of publicly available personal data.

Penalties – Data Fiduciary

Penalties will be levied on Data Fiduciary in case of any violation.

• In case of a minor violation, the penalties can be INR 5 Cr or 2 percent of annual global revenue
• In case of a major violation, the penalties can be INR 15 Cr or 4 percent of annual global revenue

Strengths of Digital Personal Data Protection Bill

• Data Sovereignty
• Protect against Cyber Attacks
• Avoid Data Breach
• Verification for Social media to counter anonymity
• Upholds Fundamental Right – Right to Privacy for Data Privacy.
• Ease of Doing Business for Start-ups
• Alignment with Global Data Privacy Policies like GDPR.

Weaknesses of Digital Personal Data Protection Bill

• Point of View – Empowering Data Fiduciary
• Less Strict, resulting in a reduction in protection.
• How independent will the Data Protection board will be?

Definitely, a step forward for protecting the Digital Personal Data of the Indian Citizens (Bhartiya Nagric).

The Importance of Privacy in Digital Marketing

The Importance of Privacy in Digital Marketing

How many times has an advertisement for a product appeared on your social media feed while you were having a real-time conversation about a similar subject? This is the subtlety and sophistication of the world of digital marketing, a world heavily reliant on customer data, as it is beneficial in providing a more targeted, and personalized experience to a customer.

Moreover, accelerated internet penetration in India, along with the proliferation of mobile telephony, has increased the user base, leading to scaling up the volume of personal data points provided to content, e-commerce, and social media applications and websites at unprecedented levels. This trend of providing personal data instead of a personalised user experience attracts a host of privacy considerations, such as data permissions, user consent, profiling, and informed data sharing.

Reliance on Data

Since the advent of the internet, the marketing industry has experimented and leveraged new mediums in ways that are beneficial to its clients. Marketing is integral to businesses all across the globe given that it can prove to be extremely profitable if done the right way. From market research to advertising, a good marketing strategy can make a business float, sink or thrust ahead.

When it comes to market research for the digital medium(s), data analysis is crucial as it facilitates not just the development of the right message, but also understanding how to reach the right person with the message, be it through search engines or social media platforms. Using data related to markers, such as age, gender, past purchase behaviour, and geographical regions, marketers can create personalized advertisements that strike the perfect balance between what the business is selling and what a consumer is looking for.

This balance rests on the bedrock of thousands of cookies that lie semi-dormant in our browsers, analysing our web-surfing patterns, noting the time we spend on a particular video or a photograph, our cursor movements on a particular social media post or the listings or articles we read and share over the internet.

One could safely say our online personas are a culmination of multiple layers of data, data that the marketers depend on to create accurate personality profiles for them to deliver the right product, and services, which we as consumers appreciate due to the salient personalization aspect of it.

Regulatory landscape and privacy considerations

In India, currently, Section 43A of the Information Technology Act, 2000 read with the Information Technology Rules (reasonable security practices and procedures and sensitive personal data or information) would amount to the applicable legal regime vis-a-vis privacy requirements for organizations.

The tipping point for a serious discussion on the need for a comprehensive privacy law came with the Supreme Court’s judgment in KS Puttaswamy (Retd.) and Anr v Union of India which recognized the right to privacy as a part of the right to life and personal liberty.

However, India is on the cusp of introducing a privacy law, the Personal Data Protection Bill, 2019. It was tabled in Lok Sabha in the winter session of the Parliament (December 2020).

If passed in its current form, PDPB will likely increase the cost of operations for organizations’ marketing campaigns. The impact would be due to the requirement to obtain explicit consent from users before processing personal data and inform the user about the nature and categories of personal data collected, along with the purpose, including profiling, for which the data is processed.

Hence, it is prudent for organizations to initiate their readiness efforts to integrate privacy as the backbone of their processing activities. A few best practices are as follows.

• Transparency and consent: Ensure you actively seek permission from your perspective and in-life customers, to contact them for marketing purposes only if their consent is in place. Therefore, a pre-ticked box that automatically opts a user will not cut it anymore as opt-ins need to be a deliberate choice. Additionally, consider prompting users to add themselves to your mailing list by launching a pop-up on your website.
• Purpose limitation: Focus on the data that you need, and refrain from asking for additional data elements. So, collect only the data that you need for efficient marketing and customer service.
• Data quality: Consider centralizing the personal data collection into a customer relationship management system, and make sure your users can access their data to review its proposed usage and make any changes as necessary. Additionally, you could explore auditing your mailing list by removing anyone who has not provided opt-in consent.
• Access: Ensure users have an overview of how their data is processed and what their rights are concerning privacy. Consider creating mechanisms that will let users easily access their data and withdraw consent for its use. 

Therefore, with reliance on data for efficient target marketing on one hand and compliance-related obligations on the other, marketers and organizations must tread this thin line between value creation through data and the privacy of the customers.