NASSCOM Feedback on the Draft Digital Personal Data Protection Bill of 2022

Terms of use

Terms of Use

The use of this site and the content contained therein is governed by the Terms of Use. When you use this site you acknowledge that you have read the Terms of Use and that you accept and will be bound by the terms hereof and such terms as may be modified from time to time.

All text, graphics, audio, design and other works on the site are the copyrighted works of nasscom unless otherwise indicated. All rights reserved.
Content on the site is for personal use only and may be downloaded provided the material is kept intact and there is no violation of the copyrights, trademarks, and other proprietary rights. Any alteration of the material or use of the material contained in the site for any other purpose is a violation of the copyright of nasscom and / or its affiliates or associates or of its third-party information providers. This material cannot be copied, reproduced, republished, uploaded, posted, transmitted or distributed in any way for non-personal use without obtaining the prior permission from nasscom.
The nasscom Members login is for the reference of only registered nasscom Member Companies.
nasscom reserves the right to modify the terms of use of any service without any liability. nasscom reserves the right to take all measures necessary to prevent access to any service or termination of service if the terms of use are not complied with or are contravened or there is any violation of copyright, trademark or other proprietary right.
From time to time nasscom may supplement these terms of use with additional terms pertaining to specific content (additional terms). Such additional terms are hereby incorporated by reference into these Terms of Use.

Disclaimer

The Company information provided on the nasscom web site is as per data collected by companies. nasscom is not liable on the authenticity of such data.
nasscom has exercised due diligence in checking the correctness and authenticity of the information contained in the site, but nasscom or any of its affiliates or associates or employees shall not be in any way responsible for any loss or damage that may arise to any person from any inadvertent error in the information contained in this site. The information from or through this site is provided "as is" and all warranties express or implied of any kind, regarding any matter pertaining to any service or channel, including without limitation the implied warranties of merchantability, fitness for a particular purpose, and non-infringement are disclaimed. nasscom and its affiliates and associates shall not be liable, at any time, for any failure of performance, error, omission, interruption, deletion, defect, delay in operation or transmission, computer virus, communications line failure, theft or destruction or unauthorised access to, alteration of, or use of information contained on the site. No representations, warranties or guarantees whatsoever are made as to the accuracy, adequacy, reliability, completeness, suitability or applicability of the information to a particular situation.
nasscom or its affiliates or associates or its employees do not provide any judgments or warranty in respect of the authenticity or correctness of the content of other services or sites to which links are provided. A link to another service or site is not an endorsement of any products or services on such site or the site.
The content provided is for information purposes alone and does not substitute for specific advice whether investment, legal, taxation or otherwise. nasscom disclaims all liability for damages caused by use of content on the site.
All responsibility and liability for any damages caused by downloading of any data is disclaimed.
nasscom reserves the right to modify, suspend / cancel, or discontinue any or all sections, or service at any time without notice.

For any grievances under the Information Technology Act 2000, please get in touch with Grievance Officer, Mr. Anirban Mandal at data-query@nasscom.in.

New

See all

No notification found.

NASSCOM Feedback on the Draft Digital Personal Data Protection Bill of 2022

Varun Sen Bahl

@varunsenbahl1

January 3, 2023

Public Policy

579

On January 2^nd, 2022, we submitted our comments on the Draft Digital Personal Data Protection Act of 2022 (Bill) to the Ministry of Electronics and Information Technology (MEITY). In this blog post, we summarise the key points from our feedback on the Bill. These are in the sequence in which they appear in the Bill.

The Bill’s objectives: The Explanatory Note to the Bill recognises that processing must be carried out in a manner that is fair and transparent to the individuals concerned. This is an important principle, and we suggest inserting this into the Preamble as part of the objective.
Transition: the implementation of the Bill should follow a phased approach, where its provisions are brought into effect in a staggered manner, so that entities have adequate time to transition.
Scope (paper records): we recognise that the intention is to leave paper records out of scope of the Bill. However, the use of undefined terms (e.g., offline, online, digitised) or complex terms (e.g., “automated”) can make it difficult to interpret. We suggest simplifying the drafting by stating that the Bill does not apply to the processing of personal data that is not in electronic form.
Scope (anonymised data): the Bill only applies to the processing of personal data. However, unlike previous drafts, the exclusion of anonymised data, (i.e., data that is not or no longer personal data) is not explicitly stated. This should be stated in the Bill.
Definition (Data Principal): this definition should not conflate children and their guardians. Globally, a data principal is a term that refers to one individual. This should be reflected in the Bill.
Requirement for multiple languages: the blanket obligation to provide information in all the languages in the 8^th Schedule of the Constitution will be onerous. Instead, only require data fiduciaries to provide information in English and one more language, taking into consideration the context of the principal.
Purpose limitation and data minimisation: these are recognised in the Explanatory Note but are not contained in the Bill’s text. To avoid any gaps, these should be in clause 5.
Consent collection: drawing from the Singaporean law, the Bill should clarify that consent will not be collected using false or misleading information or by using deceptive practices.
Withdrawal of consent in voluntary provision of personal data: the Bill recognises that consent can be withdrawn. This should also be in the case where a data principal is deemed to have provided consent by voluntarily providing her personal data, as contemplated in the circumstance in sub-section (1) of section 8.
Consent managers: the Bill should clarify that consent may be given either directly to a Data Fiduciary or through a Consent Manager. Either through rules or an illustration, the Bill should clarify what is meant by stating that the Consent Manager is a Data Fiduciary.
The term “deemed consent”: this term has been drawn from Singaporean law. However, there, the term is used to refer to the voluntary provision of personal data, which our Bill captures in clause 8(1). However, the rest of clause 8 are not situations of “deemed consent”, but rather, “additional grounds and purposes”. The Bill should use this term instead for the heading and drafting of clause 8.
The examples of “public interest” in clause 8(8) do not fit here. These should, instead, be shifting to the next clause 8(9) as examples of reasonable grounds of processing.
The scope of technical & organisational measures in clause 9(5) should be contextualised by linking them to the concept of data protection by design and by default.
The security safeguards required in clause 9(4) should be both reasonable and proportionate, so that entities can bring in a risk-based approach.
Data breach reporting: The obligations for data breach reporting by Data Fiduciaries and Data Processors should be segregated. Data Processors only being required to report breaches to Data Fiduciaries, while Data Fiduciaries report to the Board and principals.
Law enforcement access to personal data: The safeguard from the Explanation to Rule 6 of the SPDI Rules under the IT Act, for government entities to only seek personal data held by Data Fiduciaries or Data Processors via written requests, should be continued into this law. Additional safeguards may be brought in via rules.
Children’s data: introduce a principle that all rules under this clause shall be made in the best interests of the child. Also, drop the use of the word “verifiable”.
Duties of Data Principals: these duties are too broad and risk going into matters beyond personal data protection. They should only apply to Data Principals in proceedings before the Board or when exercising the right to correction and erasure and only when the Data Principals act knowingly.
Transfer restrictions: the clause on cross border data flow should recognise a range of transfer mechanisms, including bilateral or multi-lateral arrangements, as well as binding schemes that operate at the level of organisations, such as standard form contractual clauses.
Exemption for processing of personal data in the interest of investigation of offences: this should only be limited to the State and its agencies, and not be available to private actors, to prevent misuse.
Exemption for processing of foreign personal data in India should be limited to such processing by Data Processors in India, not by “any person”. This is to avoid unintentionally creating a protection gap. The goal of this exemption should be only to ensure the Bill does not apply to the foreign data controllers who are governed by their own laws, and to avoid conflicts between such foreign laws and Indian law as applied to the Indian Data Processor.
Functions of the Board: to create a feedback loop between the Board and the Central Government, the Board should be tasked with a specific function to make recommendations to the Central Government to further the objectives of this Act, including to recommend when the Central Government should issue guidance or modify rules.
Rulemaking: The Bill should clarify, in line with existing policy, that all rules will be subject to prior public consultation.

We attach below our feedback as submitted to the MyGov portal. Please contact varun@nasscom.in for any queries and concerns.

#data #dpdpb2022 data protection Personal Data Protection Bill #meity

Disclaimer

That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.

Download Attachment

Varun Sen Bahl

Manager - Public Policy

Reach out to me for all things about data regulation, cybersecurity policy, and internet governance.

Member Connect Monthly Digest - Jul...

Member Connect Updat..

Newsletters

18 Sep 2024