Categories: DPDPAIndia

Digital Personal Data Protection Bill (DPDPB): Chapter 1 – Preliminary 1.2

2. (7) “Data Processor” means any person who processes personal data on behalf of a Data Fiduciary;

The term “Data Processor” in this bill refers to any person or entity that processes personal data on behalf of a Data Fiduciary. A Data Processor could include service providers, contractors, or other third-party entities that are engaged by a Data Fiduciary to process personal data for specific purposes. The Data Processor is responsible for ensuring that personal data is processed in accordance with the instructions of the Data Fiduciary, and that appropriate technical and organizational measures are in place to protect the data.

Some may argue that the definition of “Data Processor” is too broad, as it could encompass a wide range of actors who may not have direct control over personal data, such as cloud service providers or other infrastructure providers. Others may argue that the responsibilities of a Data Processor are not clearly defined or enforceable, and that it may be difficult to hold them accountable for data breaches or other violations of the law.

2. (8) “Data Protection Officer” means an individual appointed as such by a Significant Data Fiduciary under the provisions of this Act;

The term “Data Protection Officer” in this bill refers to an individual who is appointed by a Significant Data Fiduciary to oversee and ensure compliance with the provisions of the Act. A Significant Data Fiduciary is a Data Fiduciary that meets certain criteria specified in the Act, such as processing a large volume of personal data, or processing sensitive personal data. The Data Protection Officer is responsible for monitoring and advising on the processing of personal data by the Significant Data Fiduciary, and for ensuring that appropriate policies, procedures, and safeguards are in place to protect the data and comply with the Act.
Counterpoints to consider:

Some may argue that the appointment of a Data Protection Officer is an additional burden for Data Fiduciaries, particularly smaller organizations that may not have the resources to appoint a dedicated officer. Others may argue that the effectiveness of a Data Protection Officer depends on their independence and authority within the organization, and that the Act should specify clear guidelines for their appointment and responsibilities.

2. (9) “gain” means-
(a) gain in property or a supply of services, whether temporary or permanent; or
(b) an opportunity to earn remuneration or greater remuneration or to gain a
financial advantage otherwise than by way of remuneration.

The term “gain” in this bill refers to any kind of benefit or advantage that a person may receive, whether temporary or permanent. Gain could refer to an increase in property, such as money or other assets, or a supply of services, such as free or discounted access to goods or services. Gain could also refer to an opportunity to earn remuneration or greater remuneration, or to gain a financial advantage in some other way, such as through investments or other financial transactions.

Some may argue that the definition of “gain” is too broad and could potentially encompass a wide range of activities that may not be directly related to the processing of personal data. Others may argue that the definition of “gain” should be more narrowly tailored to specifically target activities that involve the unlawful exploitation of personal data, such as identity theft or financial fraud.

2. (10) “harm”, in relation to a Data Principal, means –
(a) any bodily harm; or
(b) distortion or theft of identity; or
(c) harassment; or
(d) prevention of lawful gain or causation of significant loss;

The term “harm” in this bill refers to any negative impact or effect on a Data Principal that arises from the processing of their personal data. Harm could refer to bodily harm, such as physical injury or illness caused by the processing of personal data. Harm could also refer to non-physical harm, such as the distortion or theft of identity, which could lead to reputational damage or financial loss.
Additionally, harm could refer to harassment, which could include unwanted contact, intimidation, or discrimination based on personal data. Harm could also refer to the prevention of lawful gain or the causation of significant loss, which could occur if personal data is misused or mishandled in a way that prevents an individual from accessing a benefit or opportunity, or causes them to suffer a financial loss.

Some may argue that the definition of “harm” is too broad and could potentially encompass a wide range of negative impacts that are not directly related to the processing of personal data. Others may argue that the definition of “harm” should be more narrowly tailored to specifically target activities that involve the unlawful exploitation of personal data, such as identity theft or financial fraud.

2. (11) “loss” means –
(a) loss in property or interruption in supply of services, whether temporary or
permanent; or
(b) a loss of an opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of remuneration

The term “loss” in this bill refers to any negative impact or effect on an individual that arises from the processing of their personal data. Loss could refer to a loss in property or interruption in the supply of services, whether temporary or permanent. For example, if personal data is misused or mishandled in a way that causes an individual to suffer a financial loss or the loss of access to a service they rely on. Loss could also refer to a loss of an opportunity to earn remuneration or greater remuneration, or to gain a financial advantage otherwise than by way of remuneration. For example, if personal data is misused or mishandled in a way that prevents an individual from accessing a job opportunity or other financial benefit they would otherwise have been entitled to.

Some may argue that the definition of “loss” is too broad and could potentially encompass a wide range of negative impacts that are not directly related to the processing of personal data. Others may argue that the definition of “loss” should be more narrowly tailored to specifically target activities that involve the unlawful exploitation of personal data, such as identity theft or financial fraud.

2. (12) “person” includes—
(a) an individual;
(b) a Hindu Undivided Family;
(c) a company;
(d) a firm;
(e) an association of persons or a body of individuals, whether incorporated or not;
(f) the State; and
(g) every artificial juristic person, not falling within any of the preceding sub-clauses;

In the context of the bill, the term “person” is used to refer to any legal entity that is capable of acting or being acted upon. This includes individuals, as well as a range of different types of organizations and entities, such as Hindu Undivided Families, companies, firms, and associations of persons or bodies of individuals, whether incorporated or not. The definition also includes the State, which refers to government entities or public institutions, and every artificial juristic person, which refers to any other type of legal entity that does not fall under the preceding sub-clauses.

Some may argue that the inclusion of such a broad range of entities under the definition of “person” could lead to confusion or ambiguity in the interpretation and application of the bill. Others may argue that the definition should be more narrowly tailored to exclude certain types of entities that are not relevant to the specific context of personal data protection.

(13) “personal data” means any data about an individual who is identifiable by or in relation to such data;
(14) “personal data breach” means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal
data.

Section 2(13) and (14) of the Digital Personal Data Protection Bill provide definitions for the terms “personal data” and “personal data breach”, respectively.

Explanation for a layperson: Section 2(13) defines “personal data” as any data that is related to an individual and that can be used to identify that individual. Section 2(14) defines “personal data breach” as any unauthorized or accidental processing, sharing, use, alteration, destruction, or loss of access to personal data that compromises the confidentiality, integrity, or availability of that data.

These definitions are key to understanding the scope of the Act and the protections it provides for personal data. The definition of “personal data” is important because it specifies that any data related to an identifiable individual is covered by the Act, not just certain types of data. The definition of “personal data breach” is also important because it specifies the different ways in which personal data can be compromised, whether intentionally or unintentionally. The inclusion of “confidentiality, integrity or availability” in the definition of “personal data breach” highlights the importance of protecting personal data from a range of potential threats. It is worth noting that the definition of “personal data breach” includes both intentional and unintentional breaches, which means that organizations will be held responsible for any unauthorized processing of personal data, regardless of whether it was intentional or not.

Some may argue that the definition of “personal data” is too broad, and that it could potentially encompass data that is not actually sensitive or personally identifiable. Others may argue that the definition of “personal data breach” is too broad, and that it could potentially lead to a large number of false positives or trivial breaches being reported and investigated. There may also be concerns about the ability of organizations to comply with the reporting requirements for personal data breaches, particularly if they are required to report every potential breach, no matter how minor.

(15) “prescribed” means prescribed by Rules made under the provisions of this Act;
(16) “processing” in relation to personal data means an automated operation or set of operations performed on digital personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;

Section 2(15) defines “prescribed” as something that is defined or specified by the rules made under this Act. Section 2(16) defines “processing” as a series of automated operations that can be performed on digital personal data, including collection, recording, storage, sharing, and deletion.

These definitions are important for understanding the terminology used in the Act and the rules that will be developed to implement it. The definition of “prescribed” is important because it specifies that certain details of the Act will be established by rules made under the Act, rather than being spelled out explicitly in the text of the Act itself. The definition of “processing” is important because it defines the various operations that can be performed on personal data, which are subject to the protections and requirements set forth in the Act. The inclusion of a broad range of operations in the definition of “processing” highlights the fact that personal data can be used in a variety of ways, and that each of these uses must be carefully regulated to protect the privacy and rights of individuals.

Some may argue that the definition of “prescribed” is too vague, and that it could lead to confusion or inconsistent implementation of the Act. Others may argue that the definition of “processing” is too broad, and that it could potentially encompass activities that are not related to personal data or that do not involve significant privacy concerns. There may also be concerns about the ability of organizations to comply with the detailed requirements for data processing set out in the Act, particularly if they are required to collect or share large amounts of data on a regular basis.

(17) “proceeding” means any action taken by the Board under the provisions of this Act; (18) “public interest” means in the interest of any of the following:
a. sovereignty and integrity of India;

b. security of the State;
c. friendly relations with foreign States;
d. maintenance of public order;
e. preventing incitement to the commission of any cognizable offence relating to
the preceding sub-clauses; and
f. preventing dissemination of false statements of fact.

Section 2(17) defines “proceeding” as any action taken by the Data Protection Board of India (established under this Act) in accordance with the provisions of this Act. Section 2(18) defines “public interest” as referring to situations where the sovereignty and integrity of India, the security of the State, or the prevention of crime or injury to a person is at stake.

These definitions are important for understanding the scope and context of the provisions in the Act that relate to proceedings and public interest. The definition of “proceeding” helps to clarify the types of actions that may be taken by the Data Protection Board, which will be responsible for enforcing the provisions of the Act and taking action against violations of personal data protections. The definition of “public interest” is important because it establishes circumstances where the interests of the State or the public at large may take priority over individual rights to privacy and data protection. The inclusion of the sovereignty and integrity of India in the definition of “public interest” highlights the fact that national security and geopolitical considerations may play a role in shaping the implementation of the Act.

“Public interest” means any action or decision taken in the interest of the country’s sovereignty, security, and friendly relations with foreign nations. It also includes actions taken to maintain public order and prevent any activity that could incite people to commit a crime related to the above sub-clauses. Additionally, it includes preventing the spread of false information that could cause harm to individuals or the society.

While the concept of “public interest” sounds good in theory, it can be open to interpretation and may be abused by those in power. There needs to be transparency and accountability in the actions taken in the name of public interest to prevent misuse of power.

Some may argue that the definition of “public interest” is too broad and could be used to justify actions that infringe on personal liberties or privacy without adequate justification. Others may be concerned that the emphasis on national security and the sovereignty of India could be used to suppress dissent or limit freedom of expression or assembly. There may also be concerns about the extent to which the Data Protection Board will be able to effectively balance the interests of the State and the public against the rights of individuals and organizations to protect their personal data.

Megha Agrawal

Recent Posts

Draft Rules for Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act (DPDPA), 2023, represents a major step forward in India's…

4 months ago

What is PHI (Protected Health Information)?

The concept of Protected Health Information (PHI) has gained significant importance in the modern digital…

9 months ago

What is PII (Personally Identifiable Information)?

The growing number of digital tools such as mobile phones, the Internet, e-commerce, and social…

9 months ago

RBI’s New Directive on DPDPA for Banks

Regulatory bodies are important for determining the path of banking in an evolving financial environment.…

9 months ago

DPDPA Compliance: Why Companies Must Seek Your Consent

In today's digital world, our personal information is incredibly valuable. It shapes our online experiences,…

9 months ago

DPDPA Compliance requirements for Businesses

The recent implementation of the Digital Personal Data Protection Act (DPDPA) has ushered in a…

9 months ago