DPDP Slide

Summary: The Digital Personal Data Protection Bill 2022 aims to establish a framework for the protection of personal data in India, addressing the growing need for data privacy amid increasing internet usage and data breaches. It defines key terms such as Data Principal, Data Fiduciary, and Data Processor, and outlines the obligations of data fiduciaries regarding the processing of personal data. The Bill is a revised version of the earlier 2019 Bill, with some provisions altered, particularly regarding the definition of personal data and the handling of data breaches.
Digital Personal Data Protection Bill 2022

Explained

Dr. Sunil T T

College of Engineering Attingal

December 15, 2022

Dr. Sunil T T (College of Engineering Attingal) December 15, 2022 1 / 47
Background: Global Scenario

Growth of Internet
Major Data Breaches
Need for data protection
GDPR, US and Chinese laws

. . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . .
Dr. Sunil T T (College of Engineering Attingal) December 15, 2022 2 / 47
Background: Growth of Internet
In India the current internet user base is 76 crore (760 million) and is expected to reach 120 crore (1.2 billion).
Background: Major Data Breaches in Recent Times

Yahoo data breach (2013)
First American Financial Corporation data breach (2019)
Equifax data breach (2017)
Marriott International data breach (2018)
Adult FriendFinder Networks data breach (2016)
U.S. Office of Personnel Management data breach (2015)
Facebook data breach (2019)
Cambridge Analytica incident (2018)
European, US and Chinese Laws
European Union Model:
GDPR: a comprehensive data protection law for the processing of personal data.
In the EU, the right to privacy is enshrined as a fundamental right.
GDPR seeks to protect an individual's dignity and her right over the data she generates.
US Model:
Not grounded in a fundamental right to privacy.
Limited, sector-specific regulation.
The activities and powers of the government vis-a-vis personal information are well-defined and addressed by broad legislation such as the Privacy Act, the Electronic Communications Privacy Act, etc.
China Model:
Personal Information Protection Law (PIPL) 2021.
Protection against misuse of personal data.
Data categorised by levels of importance; restricts cross-border transfer.
Background: Indian Scenario
Justice K. S. Puttaswamy (Retd) vs Union of India 2017:
In August 2017, a nine-judge bench of the Supreme Court held that Indians have a constitutionally protected fundamental right to privacy that is an intrinsic part of life and liberty under Article 21.
B.N. Srikrishna Committee 2017:
The Committee's report (submitted in 2018) has a wide range of recommendations to strengthen privacy law in India, including restrictions on the processing and collection of data, a Data Protection Authority, the right to be forgotten, data localisation, etc.
Data Protection Bill 2019:
The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha on December 11, 2019.
It was sent to a Joint Parliamentary Committee.
The Government withdrew the Bill in August 2022.
Some of the reasons: opposition from major stakeholders, compliance difficulties, issues with data localisation, and the alleged blanket exemption for Government agencies.
Data Protection Bill 2022:
A watered-down version of the 2019 Bill, released for public comments in November 2022.
Definitions

Data
Data Principal
Data Fiduciary
Significant Data Fiduciary
Data Processor
Data Protection Officer
Gain
Harm
Loss
Personal data
Personal data breach

What is Data?
The DPDP Bill defines data as
a representation of
information,
facts,
opinions, or
instructions
in a manner suitable for communication, interpretation or processing by humans or by automated means.

Personal Data is defined as

any data about an individual who is identifiable by or in relation to such data.

Comment: This is somewhat vague compared to the European GDPR. The Bill does not distinguish between personal data and sensitive personal data, a crucial distinction that recognises that some types of data require stricter and stronger protection than others.


Personal Data Breach

Any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.

Comment: The Bill does not mention unreasonable surveillance.
Personal Data as per GDPR

Who is a Data Principal?

Data Principal refers to the individual to whom the personal data relates (the "data subject" in GDPR terms).

In the case of children (<18 years), the definition also includes their parents or lawful guardians, who act as "Data Principals" for the child's data.

Figure: Data Principal: (a) adult, (b) children
Who is a Data Fiduciary?

Meaning of fiduciary
Involving trust, especially with regard to the relationship between a trustee and a beneficiary.
E.g. "The company has a fiduciary duty to shareholders"

Approximate Malayalam meaning: can be taken as 'trustworthiness', 'founded on trust', 'guardian', and so on.
Who is a Data Fiduciary?

The DPDP Bill defines

"Data Fiduciary" as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

"Person" includes
an individual;
a Hindu Undivided Family;
a company;
a firm;
an association of persons or a body of individuals, whether incorporated or not;
the State; and
every artificial juristic person.
Who is a Data Processor and what is Processing?
Data Processor
means any person who processes personal data on behalf of a Data Fiduciary.

Processing
in relation to personal data means an automated operation or set of operations performed on digital personal data, such as:

collection,
recording,
organisation,
structuring,
storage,
adaptation,
alteration,
retrieval,
use,
alignment or combination,
indexing,
sharing,
disclosure by transmission,
dissemination or otherwise making available,
restriction,
erasure,
destruction.
Gain, Harm and Loss
"Gain" means
a gain in property or a supply of services, whether temporary or permanent; or
an opportunity to earn remuneration or greater remuneration, or to gain a financial advantage otherwise than by way of remuneration.

"Harm", in relation to a Data Principal, means
any bodily harm; or
distortion or theft of identity; or
harassment; or
prevention of lawful gain or causation of significant loss.

"Loss" means
a loss in property or interruption in supply of services, whether temporary or permanent; or
a loss of an opportunity to earn remuneration or greater remuneration, or to gain a financial advantage otherwise than by way of remuneration.
Issues with "harm"

The 2019 Bill recognised unambiguously that some harms require greater measures of protection and redressal mechanisms than others; this has been excluded from the present Bill.
Application of the Act

The Act applies to the processing of digital personal data within the territory of India where
such personal data is collected from Data Principals online; or
such personal data is collected offline and then digitised.

It also applies to the processing of digital personal data outside the territory of India, if such processing is in connection with any profiling of, or activity of offering goods or services to, Data Principals within the territory of India.

Profiling = processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a Data Principal.
The Act is not applicable to

non-automated processing of personal data;
offline personal data;
personal data processed by an individual for any personal or domestic purpose; and
personal data about an individual that is contained in a record that has been in existence for at least 100 years.
Obligations of Data Fiduciary: Grounds for processing

Grounds for processing digital personal data.

A Data Fiduciary is allowed to process personal data only for a lawful purpose for which consent is given or deemed to have been given.

Comment: "lawful" is somewhat vague. The purpose must be specific and clear.
Obligations of Data Fiduciary: Notice

Issue an itemised notice to the Data Principal

The itemised notice should be in clear and plain language, and state:
the description of personal data sought to be collected; and
the purpose of processing such personal data.

Notice
Can be a separate document, or an electronic form, or a part of the same document in or through which personal data is sought to be collected.

Itemised
A list of individual items.
Obligations of Data Fiduciary: Notice

Example: before collecting this information, a bank should give you a notice stating the purpose.
Obligations of Data Fiduciary: Consent

Consent of the Data Principal means any

freely given,
specific,
informed and unambiguous
indication of the Data Principal's wishes, signifying agreement to the processing of her personal data for the specified purpose.
Obligations of Data Fiduciary: Consent

Request for consent

Should be clear and in plain language.
Contact details of a Data Protection Officer or other responsible individual should be given.
The Data Principal has the option to access the request in English or in any language listed in the Eighth Schedule of the Constitution.
Obligations of Data Fiduciary: Consent

The Data Principal has the right to withdraw consent

at any time;
the consequences of such withdrawal shall be borne by the Data Principal;
upon withdrawal, the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing of the personal data.
Consent Manager

Consent Manager
The Data Principal may give, manage, review or withdraw her consent to the
Data Fiduciary through a Consent Manager.
The Consent Manager specified in this section shall be an entity that is
accountable to the Data Principal and acts on behalf of the Data Principal

Obligations of Data Fiduciary: Burden of Proof on Consent

Burden of Proof
In any dispute, the Data Fiduciary shall be obliged to prove that a notice was given by the Data Fiduciary to the Data Principal and that consent was given by the Data Principal.
Deemed consent

A Data Principal is deemed to have given consent to the processing of her personal data if such processing is necessary:
where it is reasonably expected, e.g. a phone number given for a reservation;
for the performance of any function under any law by the State, e.g. a bank account number for crediting a refund;
for compliance with any judgment or order issued under any law;
for responding to a medical emergency;
to provide medical treatment or health services to any individual during an epidemic;
to ensure the safety of, or provide assistance or services to, any individual during any disaster or breakdown of public order;
for purposes related to employment;
in the public interest.
Please refer to the draft Bill for details.
General obligations of Data Fiduciary
A Data Fiduciary shall be responsible for complying with the provisions of this Act.
A Data Fiduciary shall make reasonable efforts to ensure that personal data processed by or on behalf of the Data Fiduciary is accurate and complete, if the data
is used for making decisions that affect the Data Principal, or
is likely to be disclosed by the Data Fiduciary to another Data Fiduciary.
Implement appropriate technical and organisational measures.
Take reasonable security safeguards to prevent personal data breach.
In the event of a personal data breach, the Data Fiduciary or Data Processor, as the case may be, shall notify the Board and each affected Data Principal.
A Data Fiduciary must cease to retain personal data as soon as the purpose is served or the legal or business necessity is over.
Publish the contact details of the Data Protection Officer.
Set up a grievance redressal mechanism.
Engage another Data Fiduciary or Data Processor to process data only under a valid contract.


Obligations: personal data of children

A Data Fiduciary should

obtain verifiable parental consent before processing a child's personal data;
not undertake tracking or behavioural monitoring of children, or targeted advertising directed at children;
not undertake such processing of personal data as is likely to cause harm to a child.
Significant Data Fiduciary

Obligations of Significant Data Fiduciary

Appoint a Data Protection Officer.
Appoint an independent data auditor to evaluate compliance with the Act.
Undertake such other measures, including periodic Data Protection Impact Assessment.

Comment: While the present Bill does recognise 'significant data fiduciaries', it defers to the Government to lay out the grounds for defining them through Rules which the Government can introduce at a later date. Such deference concentrates power with the Executive and delegates a function which belongs within the remit of the legislature.
Rights of Data Principal

Right to information about personal data
Rights of Data Principal
Right to correction and erasure of personal data
Rights of Data Principal

Right of grievance redressal
Register a complaint with the Data Fiduciary.
Approach the Data Protection Board.

Right to nominate
A Data Principal may nominate another individual to exercise her rights in the event of her death or incapacity.
Duties of Data Principal
Transfer of Data outside India

The Central Government may notify such countries or territories outside India
to which a Data Fiduciary may transfer personal data
Exemptions
The provisions of Chapter 2 (obligations of Data Fiduciary) except sub-section (4) of section 9 (the duty to take reasonable security safeguards, which continues to apply), Chapter 3 (rights and duties of Data Principal) and Section 17 (transfer outside India) of this Act shall not apply where:
Government Exemptions
Government Exemptions: issues

Section 18 of the Bill has widened the scope of government exemptions even further. The requirements of proportionality, reasonableness and fairness have been removed; the Central Government may exempt any department or instrumentality from the ambit of the Bill.
This is in conflict with the law laid down in the K.S. Puttaswamy judgement. The Supreme Court explicitly held that a restriction on the right to privacy of an individual must withstand the test of proportionality. The exemptions extended to the Government under the Bill cannot be said to meet this requirement.
Furthermore, the Bill's express exemption of the Government from deleting data it has collected, even after the purpose of collection has been met, contradicts the principles of purpose limitation and data minimisation.
Compliance framework

Data Protection Board of India

Provisions relating to the composition of the Board are currently vague in the draft Bill.
It will be appointed by the Central Government.
Members will have the status of public servants (IPC section 21).
Compliance framework

Functions of the Data Protection Board of India

to determine non-compliance with provisions of the Act and impose penalties under the provisions of the Act;
to perform such functions as the Central Government may assign to the Board under the provisions of this Act or under any other law, by an order published in the Official Gazette.
Standard legal principles such as audi alteram partem (hear the other side) should be followed.
The Board will have the powers of a civil court.
Compliance framework

Review and Appeal

The Board may review its order.
An appeal against any order of the Board shall lie to the High Court.
No other civil court will have jurisdiction in data privacy matters of persons.
Alternate Dispute Resolution
The Board can direct the parties to alternate dispute resolution.
Comment: The appeal provision is rather vague. It does not specify which High Court has jurisdiction.
Financial Penalty

Maximum Rs 500 crore in each instance; the Schedule to the Bill lists the penalty for each category of non-compliance.
Clarifications Required
Thank You

References : Software Freedom Law Center, India