The Draft Digital Personal Data Protection (PDP) Bill, 2022, which is open for public comment until January 2nd, will reshape the way data is collected, stored, and processed by entities once it is implemented. The draft has been prepared after incorporating comprehensive views and processes taken in the past, as well as in accordance with Global Developments in advanced economies that are conducive to the needs of Modern India.
The country’s Supreme Court declared privacy to be a fundamental right under the constitution in 2017. The Supreme Court directed the government to develop data protection rules for the country that are consistent with the fundamental right to privacy.
In 2019, the Government introduced the draught Personal Data Protection Bill (PDP Bill), 2019, which was later withdrawn.
Under the present draft, Every Data Fiduciary and Data Processor shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach.
In the event of a personal data breach, the Data Fiduciary or Data Processor, as applicable, must notify the Board and each affected Data Principal in the form and manner prescribed.
Every Data Fiduciary shall publish, in the manner prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer the Data Principal’s questions about the processing of her personal data on behalf of the Data Fiduciary.
A Data Fiduciary shall not engage in child tracking or behavioural monitoring, nor shall he or she engage in child-targeted advertising.
The Central Government may designate any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary based on an evaluation of relevant factors such as the volume and sensitivity of personal data processed, the risk of harm to the Data Principal, the potential impact on India’s sovereignty and integrity, state security, and public order.
The Significant Data Fiduciary must appoint a Data Protection Officer, who must be based in India and represent the Significant Data Fiduciary under the provisions of this Act.
The Central Government will notify such countries or territories outside India to which a Data Fiduciary may transfer personal data under specified terms and conditions.
The Central Government will establish the Data Protection Board of India to receive complaints, make decisions, and perform other functions. The Board’s functions will be designed to be digital.
The Central Government may consider establishing a mechanism for staggered phase-wise implementation of the Draft Bill, taking into account the practical difficulties that entities may face in meeting such obligations. There would be significant operational and technological implementation challenges for the Company. This would necessitate enough time to lay the groundwork for implementation.
Draft is well intended. However for effective implementation, a sufficient transition period has to be in place for the development/implementation of systems that support multilingual notice processes. Given the current technological and operational landscape, it would be difficult for many companies, particularly financial services firms, to provide multi-lingual notice in composite formats for providing multiple types of services across channels and products.
The draft bill by the government is a welcome step that addresses the urgent need to protect the privacy of Indian citizens in line with many developed nations without impeding the growth of digital economy.