Date: 2022-12-16

India’s quest for a comprehensive data privacy law began in 2010 with the constitution of the Justice Srikrishna Committee. The Committee’s report led to a string of data privacy bills in 2018, 2019 and 2021, each of which presented itself as a slightly modified version of its predecessor. However, in their language and length, these bills scarcely differed. In August 2022, the government withdrew the bill and about three months later — on November 18th — released the fourth iteration of the data privacy legislation: The Digital Personal Data Protection Bill, 2022 (Bill).

A social media debate ensued and the proposed legislation was subjected to threadbare analyses. A few days later, after matters had cooled down somewhat, we conducted an independent study of the legislation. To begin with, the inclusion of the word “digital” in the Bill’s title speaks to India’s longstanding goal of being a digitally forward society.

Simply put, the Bill has two major stakeholders — the Data Principal and the Data Fiduciary. Data Principal refers to the subject whose data is being processed and Data Fiduciary is an entity that processes this data. The use of the term “fiduciary” whilst referring to a data processor is significant. This term originates from the Latin word fiducia, or trust. In different spheres of the law, when one party owes a “fiduciary” duty towards another — a trustee, beneficiary, guardian or ward — the relationship between the two is guided by trust, assurance and good faith. The drafters of the Bill, therefore, seem to be affirming that the Data Fiduciary is responsible for safeguarding the interests of Data Principals.

In line with this philosophy, the rest of the Bill describes the obligations of the Data Fiduciaries towards Data Principals, the rights and duties of the latter and the regulatory framework through which data will be processed. While the Bill lists the “duties” of the Data Principals, these have no bearing on the realisation of the rights provided by the Bill. It marks new ground in Indian legislative history by using “she/her” pronouns.

Two aspects of the Bill are noteworthy. First, in addition to the general obligations to prevent the misuse of the personal data of individuals, the Bill has outlined a category of Significant Data Fiduciaries – entities that are required to comply with additional measures to safeguard the personal data of individuals. This distinction is essential as only companies that process vast amounts of data or have a potential impact on the country’s sovereignty and integrity need to take such stringent measures. Such measures reduce the compliance cost of companies that are at a nascent stage.

Second, onerous provisions on “data localisation” in the previous versions of the Bill, which mandated companies to store user data only within India, have been omitted. The reworked Bill permits the government to notify countries to which data transfers may be permitted. This is a major respite for several tech companies, who have long talked about the infeasibility of the data localisation provisions. A balance has now been struck between the legitimate concerns of businesses and the protection of personal data of individuals.

While the Bill is, by and large, comprehensive, Section 25 and Schedule I, which deal with penalties, require elaboration. Section 25 refers to the quantum of financial penalty that must be imposed on a person guilty of non-compliance in matters related to detail. The focus remains only on the nature and gravity of the violation. The proposed legislation does not consider the financial ranking of a company before imposing penalties.

The Bill must ensure that the penalties imposed are proportionate to the size and operations of a company – to be effective, fines must not drive companies into economic loss. A leaf can be taken from the European Union’s General Data Protection Regulation (GDPR), amongst other similar regulations, which levies penalties in accordance with the total turnover of companies.

The Bill safeguards individual data, whilst also promoting cooperation between data fiduciaries and the government. While it draws upon the best practices of foreign jurisdictions, such as Europe and Australia, it has been drafted in a manner that is tailor-made to India’s requirements. Even the exemptions granted to the Centre are extremely restrictive and in sync with past judicial precedents and Article 19(2) of the Constitution.

The Bill marks a significant shift in the manner of drafting legislation. Historically, comprehending a piece of legislation in India has usually been akin to the membership of an exclusive club — only legal practitioners, policy professionals and a handful of politicians are able to understand and interpret laws. This Bill marks a transition from legalese to legal simplification. It realises that it is in our best interests to ensure that all laws — especially legislation that has a significant impact on citizens — are made accessible to all individuals irrespective of their professional or educational standing.

Rao is an associate at Parinam Law Associates and Jain is an LLM candidate at the University of Cambridge