Recently, the Government of India released the draft Bill titled, ‘The Digital Personal Data Protection Bill, 2022’, for public consultation. The Bill aims to provide protection to individual’s personal data and creates obligations on organisations that process such data.
In the digital age, users share their personal data voluntarily or involuntarily with digital service providers. For instance, in an ecommerce transaction for purchase of goods, a buyer generally provides his or her name, phone number, email id, address and payment details to the online portal. Further, by deploying technology, it is possible for the portal to ascertain the buyer’s location, device type (Android or Apple) and its IP address. Through data analytics a user’s profile is created, which can be used for targeted marketing.
Profiling of individuals on the basis of their sensitive personal data (i.e., the data that reveals an individual’s political opinions, race, religion, philosophical beliefs, health condition and sexual orientation) is more serious, as it can even be used for illegitimate purposes. Allegations on Cambridge Analytica of influencing the United States general elections in favour of Donald Trump are one of the known examples of misuse of personal data for political gains.
Due to its relevance, personal data has value in the market and is often traded in bulk by data collectors and data aggregators. This is the reason why several online service providers apparently do not charge any consideration from the users, albeit they monetise their personal data. In this process, the individuals have no control or say with respect to their personal data.
Owing to such repercussions, governments globally are becoming more sensitive towards the personal data of their citizens. Currently, over 100 countries have data protection laws and regulations in place. Such laws aim to shift the control of personal data from the hands of data collectors to the data principals, i.e., the individuals who are the real owners of the data.
In India, the Supreme Court in the year 2017 held that the ‘right to privacy’ is an intrinsic part of the ‘right to life’ guaranteed under the Constitution of India (KS Puttaswamy’s matter). The ‘right to privacy’ in itself is a wider right and covers ‘data privacy’ within its ambit.
Even though ‘data privacy’ is recognised as a fundamental right, for better protection of personal data and to restraint organisations from unlawful processing, there has been a need for enacting a codified law in the country. For promoting this objective, the Bill describes individuals or natural persons as the data principals and grants the following among other rights to them:
i. Right to obtain information on the manner in which their personal data would be processed or shared ii. Right to erasure of their data. iii. Right to nominate an individual to exercise rights on their behalf in case of their death or incapacitation.
With respect to data of children, the Bill defines a ‘child’ as a person below 18 years of age and mandates organisations to obtain verifiable parental consent to process personal data of their child. The Bill also prohibits processing of any personal data that is likely to harm a child in any manner. Additionally, the Bill prohibits the tracking or behavioural monitoring of children or targeted advertising directed at them.
Besides organisations operating in India, the Bill is equally applicable to overseas organisations that process personal data of individuals located in India for profiling purposes or for offering them goods or services. It is noteworthy that specific provisions regarding data localisation (i.e., storing data in India) for certain categories of personal data and non-personal data have been removed, which were included in the earlier drafts of the law on data protection.
A non-compliance of the provisions could result in financial penalty of up to ₹250 crore. The Bill specifies that a Data Protection Board would be established which will determine non-compliance and impose penalty, issue directions, and direct organisations to adopt urgent measures to remedy personal data breaches. Like its previous version, the Bill exempts the Government from various obligations under the law, which is not supported by many privacy activists and experts.
Nevertheless, once the Bill is enacted, individuals will have more power and control over their personal data collected by various non-Government organisations. It will also be possible for individuals to approach the Board for initiating proceedings against the non-compliers. This will fortify the privacy right of individuals in so far as it relates to personal data in digital form.
