The draft Digital Personal Data Protection Bill has exempted certain entities notified as data fiduciaries by the government from various compliances, including sharing details for the purpose of data collection.
The draft has come up with various provisions to ensure data handling entities collect data with the explicit consent of individuals (or data principals) and use it only for the purpose for which it has been collected.
The draft has proposed a penalty of up to Rs 500 crore in case data fiduciaries or entities processing data on their behalf violate any provision of the bill.
"The Central Government may by notification, having regard to the volume and nature of personal data processed, notify certain Data Fiduciaries or class of Data Fiduciaries as Data Fiduciary" to whom certain provisions of the Act shall not apply, the draft said.
The provisions deal with informing an individual about the purpose for data collection, collection of children's data, risk assessment around public order, appointment of data auditor, among others.
The bill proposes to exempt government-notified data fiduciaries from sharing details of data processing with the data owners under the "Right to Information about personal data".
Commenting on the draft, Deloitte India Partner Manish Sehgal said the title Digital Personal Data Protection Bill, 2022 signifies the intent to continue pushing the digitisation agenda, thereby offering a legal framework to govern collection, usage, processing, and storage of digital personal data.
However, the bill's exemptions for government agencies, along with the exclusion of personal data stored and/or processed in non-digital (original / handwritten / paper) format, may be a gap in protecting personal data and ensuring privacy in its entirety, Sehgal added.
Sarthak Advocates & Solicitors' Managing Partner Abhishek Tripathi said while certain essential tenets regarding consent requirements for the processing of personal data have been retained from the earlier version of the bill, the distinction between sensitive personal data and personal data has been done away with.
"Deemed consent provisions, particularly those arising out of public interest, may also raise eyebrows, besides the extent of exemptions allowed. An important change relates to the substitution of the earlier suggested Data Protection Authority of India with the Data Protection Board of India.
"The functions, and most importantly composition of the Board are to be determined by the Government through delegated legislation. This may face constitutional challenge as it is arguably a case of excessive delegation," Tripathi said.