Digital Personal Data Protection Bill 2022 feedback


The Digital Personal Data Protection Bill, 2022 was released by the Government of India in November 2022 for public comments and feedback.
This is the feedback submitted to the Government by Bestfit, summarised in slide form for easy comprehension.

1. Feedback on the Draft Digital Personal Data Protection Bill, 2022, submitted to MeitY
Nanda Mohan Shenoy D, CAIIB, DBM-Part I, NSE Certified Market Professional Level-1, PG Diploma in IRPM, PG Diploma in EDP and Computer Management, DIM, LA ISO 9001, LA ISO 27001, NISM empanelled CPE Trainer; Director (www.bestfitsolutions.in, nmds@bestfitsolutions.in)

2. STRUCTURAL ISSUES
Mr Nanda Mohan Shenoy, CDPSE, CISA, CAIIB
3. Structural Issues – A01
Chapter/Clause: Chapter 1: Preamble, 2(3), 2(6), 2(8), 2(12), 2(13), 3(3), 4(3)(c), 4(3)(d); Chapter 2: 8(4), 8(5), 8(6), 11(2), 15, 19(3), 30(2)
Rationale:
1. The word "individual" is also used in the same Act with a different meaning and context, which can be confusing. Refer to 6(2)(b): "itemised" means presented as a list of individual items; and 21(3): The Board may authorise conduct of proceedings relating to complaints by individual Members or groups of Members.
2. Standardise the wording to align with international laws, which use "natural person".
Existing Section: The word "individual" is used in 15 places.
Recommended Section: Replace "individual" with "natural person" everywhere except in clauses 6(2)(b) and 21(3).
4. Structural Issues – A02
Chapter/Clause: Chapter 1: 2(10)
Rationale: "Harm" does not include mental harm and is restricted to bodily harm.
Existing Section: "harm", in relation to a Data Principal, means: (a) any bodily harm; or (b) distortion or theft of identity; or (c) harassment; or (d) prevention of lawful gain or causation of significant loss.
Recommended Section: "harm", in relation to a Data Principal, means: (a) any bodily harm or mental harm; or (b) distortion or theft of identity; or (c) harassment; or (d) prevention of lawful gain or causation of significant loss.
5. Structural Issues – A03
Chapter/Clause: Chapter 1: 2
Rationale: Section 30 reads: "(1) The Information Technology Act, 2000 ('IT Act') shall be amended in the following manner: (a) section 43A of the IT Act shall be omitted." Sensitive personal data has been a recognised category for some time (through Section 43A, which is now being omitted) and needs to continue, as it requires additional protection.
Existing Section: The definition of sensitive personal data is missing.
Recommended Section: "Sensitive Personal Data" means personal data which needs additional safeguards, and shall be as prescribed.
6. Structural Issues – A04
Chapter/Clause: Chapter 1: 2
Rationale: The phrase "in writing" is used 6 times in the Bill. In a digital world this looks absurd. Section 4 of the IT Act, 2000 has already addressed what counts as writing; for clarity, add that definition. Alternatively, substitute "for reasons to be recorded in writing" with "for reasons to be recorded and communicated".
Existing Section: A definition of "writing" needs to be introduced.
Recommended Section: "in writing" shall include communication in electronic form as defined in clause (r) of sub-section (1) of section 2 of the Information Technology Act, 2000, read with Section 4.
7. Structural Issues – A05
Chapter/Clause: Chapter 1: 3(3)
Rationale: Bad in law; this is not a legal term. The point is already covered by Section 13 of the General Clauses Act, 1897: "13. Gender and number. In all Central Acts and Regulations, unless there is anything repugnant in the subject or context, (1) words importing the masculine gender shall be taken to include females; and (2) words in the singular shall include the plural, and vice versa." The Bill's clause contradicts this, can be challenged in court, and will also restrict the provisions to "her".
Existing Section: (3) the pronouns "her" and "she" have been used for an individual, irrespective of gender.
Recommended Section:
1. Delete sub-section (3): "the pronouns 'her' and 'she' have been used for an individual, irrespective of gender."
2. Replace every "her" with "him" (44 instances).
8. Structural Issues – A06
Chapter/Clause: Chapter 1: 4(2)(3)
Rationale: Terminology must be standardised. Move this definition to the definitions section at the appropriate place.
Existing Section: For the purpose of this sub-section, "profiling" means any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes, or interests of a Data Principal.
Recommended Section: Move the clause as it is to the definitions.
9. Structural Issues – A07
Chapter/Clause: Chapter 1: 4(3)(d)
Rationale: No clarity.
1. Personal data is already defined in Section 2 as that of "an individual"; repeating it here is redundant and bad in law.
2. It is not clear whether the clause applies to a physical record or an electronic record.
3. "100 years" from when is not stated; is it on a rolling basis?
4. The construction of the sentence itself is not understandable to the common man and needs rephrasing.
5. Also explore shifting the whole of 4(3) (Applicability) to a schedule, so that further exclusions can be added as and when required. Schedule One of the IT Act, 2000 is very clear; this should be on similar lines.
Existing Section: personal data about an individual that is contained in a record that has been in existence for at least 100 years.
Recommended Section: personal data in the form of an electronic record which is more than 100 years old, on a rolling basis.
10. Structural Issues – A08
Chapter/Clause: Chapter 2: 6(1)
Rationale:
1. There is a lot of difference between colloquial language and written language; the wording must be changed.
2. "Itemised" lacks clarity.
3. The Data Protection Officer and other contact details in clause 7(3) must be shifted here, since they logically belong to the notice and not to consent. Hence the clause is shifted here.
Existing Section: On or before requesting a Data Principal for her consent, a Data Fiduciary shall give to the Data Principal an itemised notice in clear and plain language containing a description of personal data sought to be collected by the Data Fiduciary and the purpose of processing of such personal data.
Recommended Section:
(1) On or before requesting a Data Principal for her consent, a Data Fiduciary shall give to the Data Principal an itemised notice in clear and simple language containing a description of personal data sought to be collected by the Data Fiduciary and the purpose of processing of such personal data.
(a) "itemised" means presented as a list of individual items grouped topic-wise and serially numbered.
(2) The notice shall contain the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act.
11. Structural Issues – A09
Chapter/Clause: Chapter 2: 6(2)(a)
Rationale: A notice "in the same document" is not transparency; it needs to be communicated to the customer, otherwise the objective of transparency is not achieved. It could also be tricky, as the Data Principal will not have a copy of the notice.
Existing Section: "notice" can be a separate document, or an electronic form, or a part of the same document in or through which personal data is sought to be collected, or in such other form as may be prescribed.
Recommended Section: "notice" can be in physical form or electronic form, as a separate document or as a part of the same document in or through which personal data is sought to be collected, or in such other form as may be prescribed, and shall be communicated to the Data Principal.
12. Structural Issues – A10
Chapter/Clause: Chapter 2: 6(2)
Rationale:
1. We talk about Digital India and at the same time about photocopies. This illustration must be redrafted.
2. Refer to Point A09 above for deletion of the last sentences (the notice being part of the same form).
Existing Section: Illustration: 'A' contacts a bank to open a regular savings account. The bank asks 'A' to furnish photocopies of proof of address and identity for KYC formalities. Before collecting the photocopies, the bank should give notice to 'A' stating that the purpose of obtaining the photocopies is completion of KYC formalities. The notice need not be a separate document. It can be printed on the form used for opening the savings bank account.
Recommended Section: Illustration: 'A' contacts a bank to open a regular savings account. The bank asks 'A' to furnish proof of address and identity for KYC formalities. Before collecting the proof, the bank should give notice to 'A' stating that the purpose of obtaining the proof is completion of KYC formalities and is a legal requirement. The notice need not be a separate document. It can be printed on the form used for opening the savings bank account.
13. Structural Issues – A11
Chapter/Clause: Chapter 2: 7(3)
Rationale:
1. There is a lot of difference between colloquial language and written language; the word "plain" must be changed.
2. The Data Protection Officer and other contact details in clause 7(3) must be shifted to clause 6(1), since they logically belong to the notice and not to consent.
3. The sections must be standardised. In Section 6 the local-language clause is a separate sub-section, whereas in Section 7 it is not; it is therefore converted into a sub-section.
Existing Section: Every request for consent under the provisions of this Act shall be presented to the Data Principal in a clear and plain language, along with the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act. The Data Fiduciary shall give to the Data Principal the option to access such request for consent in English or any language specified in the Eighth Schedule to the Constitution of India.
Recommended Section: Every request for consent under the provisions of this Act shall be presented to the Data Principal in a clear and simple language, along with the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act.
(4) The Data Fiduciary shall give to the Data Principal the option to access such request for consent in English or any language specified in the Eighth Schedule to the Constitution of India.
14. Structural Issues – A12
Chapter/Clause: Chapter 2: 8(8)
Rationale: Bad in law. "Public interest" is already defined in 2(18), and this clause directly contradicts that definition: credit scoring cannot be public interest. Public interest is also covered specifically in 8(9)(c), which adds to the confusion. The term "public interest" has to be replaced by a better phrase; the earlier bill used "reasonable purposes".
Existing Section: in public interest, including for: (a) prevention and detection of fraud; (b) mergers, acquisitions, any other similar combinations, or corporate restructuring transactions in accordance with the provisions of applicable laws; (c) network and information security; (d) credit scoring; (e) operation of search engines for processing of publicly available personal data; (f) processing of publicly available personal data; and (g) recovery of debt.
Recommended Section: in the following circumstances, including for: (a) prevention and detection of fraud; (b) mergers, acquisitions, any other similar combinations, or corporate restructuring transactions in accordance with the provisions of applicable laws; (c) network and information security; (d) credit scoring; (e) operation of search engines for processing of publicly available personal data; (f) processing of publicly available personal data; and (g) recovery of debt.
15. Structural Issues – A13
Chapter/Clause: Chapter 2: 9(4) and Schedule 1(1)
Rationale: "Reasonable security safeguards" is very open-ended, with no benchmark. It can be prescribed by the authority or by rules, hence the words "as may be prescribed" are to be added.
Existing Section: Every Data Fiduciary and Data Processor shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach.
Recommended Section:
1. Every Data Fiduciary and Data Processor shall protect personal data in its possession or under its control by taking reasonable security safeguards, as may be prescribed, to prevent personal data breach.
2. Schedule 1(1) also needs the words "as may be prescribed".
16. Structural Issues – A14
Chapter/Clause: Chapter 2: 9(4)
Rationale: The qualifications, competence, etc. of the Independent Data Auditor need to be defined, so "as may be prescribed" is to be added.
Existing Section: appoint an Independent Data Auditor who shall evaluate the compliance of the Significant Data Fiduciary with provisions of this Act; and
Recommended Section: appoint an Independent Data Auditor, who shall evaluate the compliance of the Significant Data Fiduciary with provisions of this Act; and
For the purpose of this section, "Data Auditor" shall have the necessary qualifications, competence and independence as may be prescribed.
17. Structural Issues – A15
Chapter/Clause: Chapter 3: 12(3)
Rationale: How can one Data Fiduciary show the data held by another Data Fiduciary unless it is a Consent Manager? The clause is ambiguous. For example, if I open an account with Bank A, how can Bank B, with whom I have no relationship, show details shared with another fiduciary? This is possible only through a Consent Manager, so this appears to be a typing error. As a Data Principal, I would like to know with which Data Processors my data is being shared.
Existing Section: The Data Principal shall have the right to obtain from the Data Fiduciary: (3) in one place, the identities of all the Data Fiduciaries with whom the personal data has been shared along with the categories of personal data so shared; and
Recommended Section: The Data Principal shall have the right to obtain from the Data Fiduciary: (3) in one place, the identities of all the Data Fiduciaries or Data Processors with whom the personal data has been shared along with the categories of personal data so shared; and
18. Structural Issues – A16
Chapter/Clause: Chapter 3: 13(2)
Rationale: Typing error, and open to gross misinterpretation. The English should be changed and a separate sub-section created for erasure, since correction is different from erasure.
Existing Section: (2) A Data Fiduciary shall, upon receiving a request for such correction and erasure from a Data Principal: (a) correct a Data Principal's inaccurate or misleading personal data; (b) complete a Data Principal's incomplete personal data; (c) update a Data Principal's personal data; (d) erase the personal data of a Data Principal that is no longer necessary for the purpose for which it was processed unless retention is necessary for a legal purpose.
Recommended Section:
(2) A Data Fiduciary shall, upon receiving a request for such correction from a Data Principal: (a) correct a Data Principal's inaccurate or misleading personal data; (b) complete a Data Principal's incomplete personal data; (c) update a Data Principal's personal data.
New sub-section on erasure: A Data Fiduciary shall, upon receiving a request for erasure from a Data Principal, erase the personal data of the Data Principal that is no longer necessary for the purpose for which it was processed, unless retention is necessary for a legal purpose. Where the Data Fiduciary is unable to erase the data for legal reasons, this shall be communicated back to the Data Principal.
19. Structural Issues – A17
Chapter/Clause: Chapter 5: 20(2), 21(2), 21(4), 21(5), 21(11), 22(1)
Rationale: The phrase "in writing" is used 6 times in the Bill. In a digital world this looks absurd. Section 4 of the IT Act has already addressed what counts as writing; for clarity, add that definition. Alternatively, introduce the definition of "in writing" as per the IT Act, as already set out in Point A04 above.
Existing Section: for reasons to be recorded in writing
Recommended Section: for reasons to be recorded and communicated
20. Structural Issues – A18
Chapter/Clause: Chapter 5: 25
Rationale: The Bill talks only about penalties, which go to a specific fund of the Data Protection Board. Where is the compensation due to the Data Principal as a result of the harm or loss suffered? The Bill is totally silent on this. In the IT Act, a compensation provision was introduced through the 2008 amendment. This is very important.
Existing Section: Penalties
Recommended Section: Add the relevant compensation clause accordingly.
21. Structural Issues – A19
Chapter/Clause: Chapter 6: 30(1)(a)
Rationale: Deleting this section without any new clause on sensitive personal data is dangerous. Certain classes of personal data need to be classified as sensitive. Sensitive data needs additional protection, and a breach of such data needs an additional penalty. Similarly, the privacy policy and many other aspects are important.
Existing Section: (1) The Information Technology Act, 2000 ("IT Act") shall be amended in the following manner: (a) section 43A of the IT Act shall be omitted;
Recommended Section: The following sections must be reworked to include sensitive data: Section 17 (Transfer of data) and Section 9(4).
22. Structural Issues – A20
Schedule/Clause: Schedule 1: (1)
Rationale: Linked to the modification in Section 9(4).
Existing Section: Failure of Data Processor or Data Fiduciary to take reasonable security safeguards to prevent personal data breach under sub-section (4) of section 9 of this Act
Recommended Section: Failure of Data Processor or Data Fiduciary to take reasonable security safeguards, as may be prescribed, to prevent personal data breach under sub-section (4) of section 9 of this Act
23. LANGUAGE ISSUES
24. Language Issues – B01
Chapter/Clause: Chapter 1: 2(6)
Rationale: "Child" is already defined by clause 2(3): "(3) 'child' means an individual who has not completed eighteen years of age". The word "individual" should not be repeated; this is a matter of English framing.
Existing Section: "Data Principal" means the individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child
Recommended Section: "Data Principal" means the individual to whom the personal data relates and, in the case of a child, shall include the parents or lawful guardian of such a child.
25. Language Issues – B02
Chapter/Clause: Chapter 1: 2(18)(f)
Rationale: Typing error. How can false statements be fact?
Existing Section: "public interest" means in the interest of any of the following: (a) sovereignty and integrity of India; (b) security of the State; (c) friendly relations with foreign States; (d) maintenance of public order; (e) preventing incitement to the commission of any cognizable offence relating to the preceding sub-clauses; and (f) preventing dissemination of false statements of fact.
Recommended Section: "public interest" means in the interest of any of the following: (a) sovereignty and integrity of India; (b) security of the State; (c) friendly relations with foreign States; (d) maintenance of public order; (e) preventing incitement to the commission of any cognizable offence relating to the preceding sub-clauses; and (f) preventing dissemination of false statements or fact.
26. Language Issues – B03
Chapter/Clause: Chapter 1: 4(1)(b)
Rationale:
1. Typo/spelling mistake: as per Indian English it is "digitized".
2. To align with the IT Act, change the statement. The IT Act does not use the term "digitized"; the correct term is "electronic record".
Existing Section: (1) The provisions of this Act shall apply to the processing of digital personal data within the territory of India where: (b) such personal data collected offline, is digitized
Recommended Section: (1) The provisions of this Act shall apply to the processing of digital personal data within the territory of India where: (b) such personal data collected in non-electronic form/physical form is converted to an electronic record.
Interpretation: "Electronic record" is defined in section 2(t) of the Information Technology Act, 2000.
27. Language Issues – B04
Chapter/Clause: Chapter 1: 4(3)(a) and 4(3)(b)
Rationale: "Offline data" is colloquial rather than written English. As mentioned in Point A04 above, aligning with the IT Act's "electronic record" makes life simpler for everybody. With this one term, non-automated processing is also covered and need not be mentioned explicitly. "Offline" is open to interpretation.
Existing Section: (3) The provisions of this Act shall not apply to: (a) non-automated processing of personal data; (b) offline personal data;
Recommended Section: (3) The provisions of this Act shall not apply to: (a) personal data in the form of a non-electronic record.
Explanation: "Electronic record" is as defined in section 2(t) of the Information Technology Act, 2000.
28. Language Issues – B05
Chapter/Clause: Chapter 2: 6(2)
Rationale: There is a lot of difference between colloquial language and written language; the wording must be changed.
Existing Section: Where a Data Principal has given her consent to the processing of her personal data before the commencement of this Act, the Data Fiduciary must give to the Data Principal an itemised notice in clear and plain language containing a description of personal data of the Data Principal collected by the Data Fiduciary and the purpose for which such personal data has been processed, as soon as it is reasonably practicable
Recommended Section: Where a Data Principal has already given her consent to the processing of her personal data before the commencement of this Act, the Data Fiduciary must give to the Data Principal an itemised notice in clear and simple language containing a description of personal data of the Data Principal collected by the Data Fiduciary and the purpose for which such personal data has been processed, as soon as it is reasonably practicable
29. Language Issues – B06
Schedule/Clause: Schedule 1: (2), (3), (5)
Rationale: English and standardisation; each entry should name the party whose failure is penalised.
Existing Section: (2) Failure to notify the Board and affected Data Principals in the event of a personal data breach, under sub-section (5) of section 9 of this Act. (3) Non-fulfilment of additional obligations in relation to Children, under section 10 of this Act. (5) Non-compliance with section 16 of this Act.
Recommended Section: (2) Failure of Data Processor or Data Fiduciary to notify the Board and affected Data Principals in the event of a personal data breach, under sub-section (5) of section 9 of this Act. (3) Non-fulfilment of additional obligations by Data Fiduciary in relation to Children, under section 10 of this Act. (5) Non-compliance with section 16 of this Act by the Data Principal.