The Draft Personal Data Protection Bill, 2022 (Part II)

Presenting Part II of answering all your questions on the recent personal data protection bill released by MeitY, India.

12. What does the bill say about the right to correction and erasure of personal data?

The Data Principal shall have the right to request for correction or erasure of personal data by the Data Fiduciary and the Data Fiduciary upon receiving such request shall correct inaccurate or misleading personal data, complete any personal data which is incomplete in nature, update the personal data and erase the personal data that is no longer necessary for the purpose for which it was retained. (Unless the retention is for legal purposes)

13. What is the requirement of grievance redressal?

The Data Principal shall have the right to readily available means of registering a grievance with a Data Fiduciary. The Data Principal may hold the right to register a complaint with the Board when he receives unsatisfactory or no response from the Data Fiduciary within 7 days or such a shorter period that may be prescribed later.

14. Who can a data principal nominate and for what purpose?

The Data Principal shall have the right of nomination in a manner that may be prescribed later. Under this right, the Data Principal shall nominate any other individual who in the event of death or incapacity of the nominating Data Principal can exercise the rights of the Data Principal in accordance with this Act. (Incapacity refers to unsoundness of mind or body)

AKP Comments: An additional step of obtaining nominee information of data principal shall have to be included in the digital journey.

15. What are the duties of a Data Principal?

The bill lays down certain duties on the Data Principal such as complying with other applicable laws, not registering false grievances, or furnish false particulars or suppressing material information etc. However, the bill points out that any breach of duties on part of the Data Principal does not waive or condone the liability of the Data Fiduciary.

16. What are the key penalties proposed?

Applicable penalties as per Schedule 1 of Bill are-

1. Failure to take reasonable security safeguards to prevent personal data breach: Up to ₹250 crores
2. Failure to notify the Board and affected Data Principals of a personal data breach: Up to ₹200 crores
3. Non-fulfilment of additional obligations in relation to processing data of children: Up to ₹200 crores
4. Non-fulfilment of additional obligations of Significant Data Fiduciary: Up to ₹150 crores
5. Violation of user duties: Up to ₹10,000
6. For all other non-compliances under this Act: Up to ₹50 crores

AKP Comments: The key penalties in this bill are targeted at the data fiduciary. The quantum of penalties is very high and ideally, the bill should also lay down parameters that shall be used to determine this penalty otherwise there is scope for misuse.

17. What are the key obligations in relation to any breach or misuse?

AKP Comments: When personal data is being stored, the data fiduciary is under an obligation to maintain adequate safeguard standards. It is possible that details on what shall be considered adequate safeguards shall be provided through rules and regulations. If there is any breach of personal data, the same has to be reported to the Board. Presently, it is required to be reported to CERT-IN, in this regard the CERT-IN guidelines are much more stringent and require notification upon breach within 48 hours and also provide penalties for non-performance.

The bill covers data leakage as an offence but only if it leads to bodily harm, harassment prevention of lawful gain or causes financial loss. The bill also covers distortion of identity or identity theft. The bill interestingly does not make a reference to infringement of privacy or data leaks that may not lead to any of the above.

18. Key points on the use of Data for Credit scoring and related processes

AKP Comments: It is interesting to note that a Data Principal shall be deemed to have given consent if the processing of such data is necessary for the prevention and detection of fraud, network and information security, credit scoring and recovery of debt. Hence, many of the functions of the banks, NBFCs, digital lenders, their supporting fintech and neo-banks shall not require additional consent and deemed consent shall suffice. This is more important since the bill requires that any Data Fiduciary shall be required to give notice and take consent for even those data that was processed previously before the bill has been introduced.

19. No implementation periods

The Digital Personal Data Protection Bill, 2022 (the “DPD Bill”) does not specify an implementation period but mentions that its provisions shall come into effect on the date(s) appointed by the Central Government. Further, the government has been allowed to give different dates for the different provisions of the Bill.

AKP Comment: No implementation dates have been prescribed for the application. Some provisions may likely be implemented by the government in a phased manner. The 2021 Bill provided an 18 (eighteen) month implementation period (like the GDPR) and stakeholders had hoped this would be reintroduced in the current draft of the DPD Bill.

20. What are some key pointers on difficult-to-implement obligations for the industry?

There are certain obligations under the latest bill which may require a lot of preparation on part of the industry and may also be onerous and impractical in certain cases. Some of these obligations have been provided below:

1. Where before the commencement of the Act, any data that has been processed, the Data Fiduciary again take note of the Data Principal and provides an itemised notice to her. This is difficult to implement especially where Data Fiduciary has already erased the data or has anonymised the data. What may follow in such circumstances has not been made clear under the Act.
2. The option to access the itemised notice and description of personal data and the purpose of the processing shall have to be made available not just in English but also in the regional language chosen by the Data Principal.
3. Considering the digitisation of the entire journey, the provision of itemised notice may be difficult. This is important also because a Data Fiduciary and Data Processor shall not be able to process data for any other purposes other than those specified in this itemised notice. Hence, the notice in itself in many cases may end up becoming a click-wrap agreement.
4. Withdrawal of consent: Further, the Data Principal has although been given the right to withdraw their consent, however, in many cases the data processing is happening in automated mode and is done within seconds. Hence, it is unclear how the withdrawal of consent shall operate by the Data Principal especially in the digital lending space in the event that the Data Principal provides her personal information and receives a loan within a few minutes and goes ahead to withdraw her consent. In such instances, recovery of loans and follow-up on the same would become difficult. However, another way of interpreting it is that any storing of data for a continuation of such loans or financial services shall be covered by deemed consent where such provisions are considered for deemed consent.

21. The bill entitles the Data Principals with certain rights. Those rights are:

Right to Information about Personal Data:

The Data Principal shall have the right to obtain the following information from the Data Fiduciary:

1. Confirmation on personal data being processed or has been processed.
2. Summary of the personal data under processing or which has been processed and processing activities are undertaken by the Data Fiduciary.
3. Identity of all the Data Fiduciary with whom the personal data has been shared and the categories of personal data that has been shared.
4. Any other information as may be prescribed.

Right to correction and erasure of personal data:

The Data Principal shall have the right to request for correction or erasure of personal data by the Data Fiduciary and the Data Fiduciary upon receiving such request shall correct inaccurate or misleading personal data, complete any personal data which is incomplete in nature, update the personal data and erase the personal data that is no longer necessary for the purpose for which it was retained. (unless the retention is for legal purposes)

Right to nominate:

The Data Principal shall have the right of nomination in a manner that may be prescribed later.

Under this right, the Data Principal shall nominate any other individual who in the event of death or incapacity of the nominating Data Principal can exercise the rights of the Data Principal in accordance with this Act. (Incapacity refers to unsoundness of mind or body)

It is interesting to note that in order to provide the Right to Nominate to a Data Principal, the Data Fiduciary shall be required to ask the Data Principal to nominate any other person at the time of registering only. This adds another step to the journey of digitising.

22. Appointment of Data Protection Officer: The bill states that an individual appointed by a Significant Data Fiduciary under this Act shall be considered a Data Protection Officer.

AKP Comments: Data Protection Officer is an additional obligation for Significant Data Fiduciary under the Bill and therefore their appointment is not mandatory for all Data Fiduciaries.

Authored by:

Mr Anuroop Omkar, Partner