The Ministry of Electronics and Information Technology has been discussing different elements of digital personal data and its protection and has drafted the 'The Digital Personal Data Protection Bill, 2022'. The draught Bill's goal is to allow for the processing of digital personal data in a way that acknowledges both the right of persons to protect their personal data and the necessity to handle personal data for authorised reasons, as well as matters related to or incidental to those purposes.
In India, this is the fourth edition. The Justice Srikrishna Committee, established by the Ministry of Electronics and Information Technology with the goal of developing a data protection law for India, proposed the first draught of the Bill, the Personal Data Protection Bill, 2018. The government revised this draught and tabled it in the Lok Sabha in 2019 as the Personal Data Protection Bill 2019. The Lok Sabha also passed a motion on the same day to send the PDP Bill 2019 to a joint committee of both Houses of Parliament. Due to the pandemic's delays, the Joint Committee on the PDP Bill 2019 presented its report in December 2021. The report was accompanied by a new draft bill, namely, the Data Protection Bill, 2021, that incorporated the recommendations of the JPC. However, in August 2022, citing the report of the JPC and the "extensive changes" that the JPC had made to the 2019 Bill, the government withdrew the PDP Bill.
The DPDP Bill 2022 applies to any digitally-enabled personal data processing. This would encompass both online personal data and offline, personal data that has been digitised for processing. Non-essence, by being totally inapplicable to data processed manually, provides a little lesser level of protection than previous versions, which merely excluded data handled manually by "small companies" and not in general. Furthermore, in terms of geographical applicability, the Bill includes the processing of personal data gathered by data fiduciaries inside the territory of India and processed to supply products and services within India. Inadvertently, the current terminology appears to preclude data processing by Indian data fiduciaries who collect and handle personal data outside India on behalf of data principals who are not situated in India. This would have an impact on the legislative safeguards given to clients of Indian start-ups operating abroad, reducing their competitiveness. This view appears to be reinforced by the DPDP Bill, 2022, which exempts most of its safeguards from applicability to personal data processing of non-residents of India by data fiduciaries in India.
The foundation of most data protection laws is giving the data subject complete control over their personal data. This happens by demanding a thorough notification to the data principle on diverse elements of data processing based on which the data principal can offer explicit permission for such processing. While there are several exceptions for the non-consent-based processing of personal data, the data principal still has the right to access, modify, delete, and so on. Concurrently, the data fiduciary has the task of data minimisation, which is to collect only the personal data necessary to fulfil the aim of processing (collection restriction); process it only for the purposes stated and no more (purpose limitation), and to retain it in its servers only for so long as is required to fulfil the stated purpose (storage limitation).
The current draught makes no specific mention of some data protection principles, such as collection limits. This would empower a data fiduciary to acquire any personal data approved by the data principal. Making collection purely reliant on consent ignores the reality that data principals frequently lack the necessary knowledge of what type of personal data is appropriate for a certain purpose. A picture filter app, for example, may handle data about your location or contact information even if it does not need such information to perform its primary function of applying the filter. The idea of "sensitive personal data" is likewise eliminated.
Depending on the increased potential of harm that can result from the unlawful processing of certain categories of personal data, most data protection legislations classify these categories as "sensitive personal data". Illustratively, this includes biometric data, health data, genetic data etc. This personal data is afforded a higher degree of protection in terms of requiring explicit consent before processing and mandatory data protection impact assessments. By doing away with this distinction, the DPDP Bill, 2022 does away with these additional protections.
Furthermore, the Bill limits the amount of information that a data fiduciary is required to send to the data principal. While previous iterations required considerable information to be provided for the data principal in terms of the data principal's rights, grievance redressal mechanism, the retention period of information, source of information collected, and so on, the current draught limits the scope of this information to the personal data sought to be collected and the purpose of processing the data. While this may have been done in an attempt to simplify the warning and avoid information overload, data protection authorities propose various methods such as infographics, just-in-time notices, and so on to provide a complete yet understandable notice.
The DPDP Bill 2022 also adds the idea of "deemed consent". In effect, it bundled purposes of processing which were either excluded from consent-based processing or were considered "reasonable reasons" for which personal data processing may be performed under the basis of "deemed consent". However, there are significant worries about this because of the poorly phrased reasons for the processing, such as "public interest," and the elimination of further protections to protect the rights of data principals.
A significant addition to the right of data principals is that it respects the right to post-mortem privacy which was lacking from the PDP Bill, 2019 but had been recommended by the JPC.