The Ministry of Electronics and Information Technology ("MEITY") has issued a draft of the Digital Personal Data Protection Bill, 2022 ("the Bill") available for public comment, along with a note that explains each provision and the principles behind them. The bill aims to ensure that digital personal data is handled in a way that protects a person's right to privacy. It regulates digital collection and processing personal data .
This Pulse issue discusses the bill's potential impact on the nonprofit sector once it becomes law and outlines the broad compliances for which the sector must prepare.
Refer to our earlier issue on Data Protection for Civil Society Organizations here to know more about the existing compliances on upholding data privacy.
Currently, under Section 43A of the Information Technology Act of 2000, all body corporates are responsible for implementing and maintaining reasonable security measures to ensure that no one suffers an unreasonable loss or benefit as a result of the processing, dealing, or handling of sensitive personal information. Failure to do so may subject you to liability for damages. All non-profit organizations, including trusts, societies, Section 8 businesses, and any group of people involved in a profession, are covered by this provision.
Application of the Bill
The bill will apply to the processing of personal data collected in India in two situations:
(i) when personal data is collected online from data principals, and
(ii) when personal data is collected offline and then transferred to a digital format.
The DPDP Bill will also cover processing personal data outside of India if that processing is related to profiling people in India or offering goods and services to data principals in India.
So, if the bill is passed by the Parliament in its current form, it will apply to all nonprofits and charitable organizations that collect personal information from their stakeholders online or offline and then digitize it.
Important Concepts and Definitions
Personal Data: Any information about a person who can be identified by or in connection with that information.
Data Principal: The individual to whom the personal data belongs, which includes the child's parents or legal guardians if the person is a child.
Data Fiduciary: Any person who, alone or in collaboration with others, determines the purpose and means of processing personal data are referred to as a data fiduciary.
Data Processor: Any person who processes personal data on behalf of a data fiduciary.
So, the people who have an interest in the data would be the data principals, and the nonprofits or charities would be the data fiduciaries.
Here are a few broad features of the bill that are likely to impact the nonprofit sector.
When a data principal has consented to the processing of her personal data before the commencement of the bill, the data fiduciary must, as soon as reasonably practicable, provide an itemized notice in simple language that describes the personal data collected and the purposes for which those purposes have been processed.
A consent manager is a data fiduciary who gives the data principal an easy-to-use, transparent, and interoperable platform for giving, managing, reviewing, and withdrawing consent.
In certain circumstances, personal data can be processed by virtue of deemed consent from the data principal wherein the data principal voluntarily provides their personal data and it is reasonably expected that they would provide such personal data. In such cases, the data subject's explicit consent is not required.
Right of the data principal
The bill grants the data principal the right to
1) obtain such information from the data fiduciary, including a summary of the personal data that has been processed and the identities of the fiduciaries with whom the data has been shared;
2) correct wrong or incomplete information; and erase their personal data from the data fiduciary, unless the retention is necessary for a legal purpose;
3) register a grievance with the data fiduciary, and if unsatisfied with the response, register a complaint with the data protection board, and
4) Nominate any individual to exercise his rights upon his death or incapacity.
Data Fiduciary’s Obligations
The data fiduciaries are required under the bill to take reasonable security precautions to prevent personal data breaches and ensure the protection of personal data. Some of the obligations are as follows:
Failure to take reasonable security safeguards to prevent personal data breaches is punishable by a penalty of up to Rs. 250 crores and the failure to notify the Board in case of a data breach is punishable by a penalty of up to Rs. 200 crores.
Retention of Personal Details
It's important to keep in mind that personal data shouldn't be kept if it's no longer necessary for legal or business reasons or if it's no longer being used for the reason it was collected.
Data fiduciaries can transfer data outside of India only to countries and territories that the Central Government may notify in the future.
Data fiduciaries have the additional obligation to obtain verifiable parental consent while processing the personal data of a child and refrain from such processing that would cause harm to the child and from tracking, monitoring, and targeted advertising aimed at children. Failure to adhere to this is liable to a penalty of up to Rs. 200 crores. Nonprofit organizations working with children have the additional responsibility to comply with this provision.
Depending on the volume and nature of data processed, the Central Government has been vested with the power to exempt certain fiduciaries from issuing notice before consent, ceasing to retain data after the purpose has been served, accuracy, the provision related to children, and the data principal's right to information about his personal data. However, the bill does not indicate what kind of fiduciaries will be granted the benefit of the exemption.
At any time, anyone can give the Board a voluntary undertaking to follow any part of the bill. Such a voluntary undertaking may be publicized. The explanatory note published along with the bill considers this provision as a measure to encourage timely admission and rectification of lapses. The focus of the bill is on enabling and facilitating compliance rather than penalizing non-compliance. So, it is a way for the data fiduciary to fix a data breach at any time after it has happened and keep the Board from taking action against them.
The language of the bill has been kept clear and concise to make it accessible to the general public. The bill is drafted in a manner to make it easier for businesses to do business in India. The bill is open for public consultation until January 02, 2023, and nonprofit organizations can visit the website and give their comments on the provisions of the bill. It is an opportunity for the nonprofit sector to voice their operational concerns through this public consultation.