Analysis of the Draft Digital Personal Data Protection Bill, 2022

This article is part of a collaboration between Bar & Bench and Fidus Law Chambers to bring you the latest developments and insights into the issues surrounding Intellectual Property Rights and Information Technology laws and policies.

The Union Ministry of Electronics and Information Technology (MeitY) recently published and sought inputs on the draft Digital Personal Data Protection Bill, 2022 (DPDP Bill), which seeks to replace the earlier Personal Data Protection Bill (PDP Bill) introduced back in 2019 and withdrawn in August 2022. While circulating the draft Bill, MeitY has invited comments from the public at large, which can be submitted by December 17, 2022.

Unlike the PDP Bill, the draft DPDP Bill only covers personally identifiable data (personal data) of a “person” (which includes an individual, a company/corporation/ organization/firm and the state), and the processing of digital personal data of such persons. It is also the first draft Bill which uses “her” and “she” as pronouns (a welcome change!).

The draft Bill covers processing (which includes collection/recording, storage, alteration, dissemination, removal/deletion etc.) of personal data, the obligations of the data fiduciary (one who determines the purpose and means of processing personal data), rights and duties of the data principal (whose personal data is involved), and also sets up a compliance framework, which includes the establishment of a Data Protection Board.

The notable features of the draft Bill are as follows:

1. Notice and Consent – The draft Bill contemplates seeking prior consent of the data principal in an “itemised notice”, which should disclose the description of personal data sought and the purpose of processing it. Only upon receiving the consent from the data principal can the data fiduciary access such personal data. Interestingly, depending on the circumstances, the consent may either be express or implied. In case of an express consent, it should be unambiguous and valid under law, and should also be made available to the data principal, in case access is requested. The data principal also retains the right to withdraw its consent (through a consent manager) at any time, in which case the data fiduciary shall (within reasonable time) cease processing the personal data.

If the data principal voluntarily provides their personal data to the data fiduciary, it will be considered as "deemed consent". Pertinently, deemed consent can only be provided for limited cases as illustrated in the draft Bill.

2. Obligations of the data fiduciary – The draft Bill imposes some significant responsibilities on the data fiduciaries, to ensure that personal data is processed, stored or erased in a safe and proper manner. These obligations include:

a. Security measures – The data fiduciary must ensure that it is taking necessary measures to protect personal data, failing which, it can be subject to a heavy penalty (discussed below). At any rate, if there is a breach, the data fiduciary or data processor (who processes data on behalf of the data fiduciary) must inform the Board and the data principal. This provision is critical since it ensures transparency in case of a breach, and enables the affected persons to take remedial measures to prevent further damage. It may, however, be worthwhile to identify a specific timeline for intimation to the data principal once the data fiduciary or processor becomes aware of a breach.

b. Deletion of data (Right to be Forgotten?) – The draft Bill contemplates deletion of personal data once the purpose for collection is no longer served, or the retention is no longer necessary. This is in addition to the right of withdrawal provided to data principals (as mentioned above) and suggests that the personal data should not be retained longer than necessary. The right to deletion is recognized as an obligation for data fiduciaries, and also (separately) as a right of the data principals.

c. Appointment of a Data Protection Officer (DPO) – Every data fiduciary must appoint a DPO who will address the data principal’s queries and concerns. However, the Bill does not suggest a timeframe for this response either.

d. Personal data of children – The Bill contemplates additional obligations while processing personal data of children, which includes seeking consent from parents/guardians.

e. Significant data fiduciary – While the Bill has not actually defined what a significant data fiduciary is, it seeks to reserve the Central government’s right to identify a data fiduciary as a significant data fiduciary if it handles high volume of sensitive personal data, involves a risk of harm to the data principal and the impact on the sovereignty and integrity of India, security of state, public order, etc.

These significant data fiduciaries must appoint an Independent Data Auditor (to ensure compliance with the provisions of the proposed Bill) and conduct a Data Protection Impact Assessment and periodic audit to ensure compliance.

3. Rights of the data principal – The draft Bill seems to put more emphasis on the rights of a data principal this time. These rights include:

a. Right to information – The data principal can obtain a confirmation of whether its personal data is being processed, along with the extent and type of personal data processed by the data fiduciary. In fact, the data principal, upon request, should also be provided with the identities of all the data fiduciaries accessing its personal data (in one place).

b. Right to correction or erasure – Similar to the earlier PDP Bill, the draft Bill permits the data principal to seek erasure or correction of their personal data. In case of correction, upon receiving a request, the data fiduciary shall update the data principal’s personal data. In case of erasure, the data fiduciary must erase the personal data that is no longer necessary, unless it is required for legal purposes.

c. Right of grievance redressal – At first instance, the data principal can register a grievance with the data fiduciary (which would typically be the DPO, but this is not clarified in the draft Bill), and in case of a non-satisfactory response or a lack of response within a maximum of seven days, they can register a complaint with the Board.

The draft Bill also stipulates the duties of the data principal, to the extent that the data principal must ensure that it is not registering a false grievance/complaint, not providing false or misleading information, or suppressing information.

4. Establishment of the Data Protection Board – The draft Bill also provides for setting up of a Data Protection Board, which will oversee compliance by the data fiduciaries (including data processors) and data principals with the provisions of the proposed Act. Interestingly, the draft Bill does not delve into the actual composition/strength of the Board, which may be prescribed later (perhaps in the Rules).

Some of the noteworthy provisions pertaining to the Board include:

a. It involves an online filing and file management system, along with electronic hearings.

b. The Board will derive its powers from the Code of Civil Procedure, 1908.

c. It will act on a complaint received by an affected person (no suo motu powers) and will, after giving opportunity/hearing to the concerned persons, dispose of the complaint “at the earliest” (no timeframe has been stipulated in the draft Bill). In case of non-compliance, the Board will ascertain whether such non-compliance is significant or not, before imposing penalty and/or directions on the losing party. However, before adjudicating on the merits, the Board will first determine the maintainability of the complaint.

d. In case the Board feels that the complaint is frivolous, it may issue a warning to the complainant or impose costs.

e. Appeals from the Board’s decisions will be preferred to the High Courts, and shall be filed within sixty days from the date of the Board’s order.

f. The Board also has the power to direct the parties to attempt to resolve the dispute through the Alternative Dispute Resolution (ADR) by a body/group designated by the Board.

5. Penalties imposed by the Board – The draft Bill proposes imposition of hefty penalties which are divided under six heads (under Schedule 1) and extend to a maximum penalty of ₹250 crore! This is substantially more than the maximum penalty stipulated in the PDP Bill. While doing so, the Board will give consideration to several factors including the nature of non-compliance, (including whether the non-compliance is repetitive), the gain/loss suffered, conduct, etc.

6. Transfer of data outside India – Unlike the PDP Bill, which mandated data localization (for data being transferred outside India), the draft Bill is completely silent on the rules governing transfer of data outside India. Instead, the draft Bill simply suggests that it will notify a list of countries to whom a data fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.

While this is only the initial stage for the draft DPDP Bill, it is worth mentioning that the Bill seeks to give some power to the data principal to control the extent to which its personal data is utilized. The Bill also seeks to introduce some transparency to the current system, under which the data principal has no idea of (mis)use of its personal data by third parties. Obviously, given the adolescent stage of the Bill, it will have to be seen how these features of the Bill will progress/develop with time.

The Bill also appears to have taken a hint from the questionable inclusion of non-personal data in the previous PDP Bill, and seeks to focus solely on the digital personal data.

Another critical feature of the draft Bill is its retrospective effect of “notice” to the data principal. This means that if the data fiduciary had collected any personal data of the data principal before the commencement of the proposed Act, it will have to give an itemised notice of the data collected by it, along with the purpose of such collection to the data principal.

The following are the potential pain-points that need to be addressed:

i. Defining timelines – The Bill seeks to impose certain obligations on data fiduciaries, however, without providing a timeframe. Some of the examples include the lack of deadline for deleting personal data (in case of withdrawal of consent), lack of timeline for the Board to adjudicate on a complaint, no deadline for the data fiduciary to erase personal data once the intended purpose is served, etc.

On the issue of deletion of personal data (once the purpose served), it will be interesting to see its inter-play with withdrawal of consent by the data principal. It appears that the potential inter-play will permit the data principal to seek erasure of personal data whenever it deems fit (with public policy and court directions being an exception, of course!).

ii. Wide definition of public interest – One of the major concerns in the draft Bill is the vast definition of the term “public interest” for contemplating “deemed consent”. For some reason, this definition includes search engine optimization (or operation of search engines) and “any fair and reasonable purpose,” which includes “any public interest” in processing personal data, and appears to be giving data fiduciaries a wide gamut of rights.

iii. Composition/powers of the Board – The Bill does not specify the composition of the Board, which ideally should be defined in the proposed Act itself. Perhaps this issue can be resolved by the corresponding Rules.

Interestingly, the Board has not been given suo motu powers to adjudicate on issues of breach of personal data, and is restrained to act only upon receipt of a complaint. Especially in cases involving mass breach (or substantial non-compliance), the Board should have suo motu powers to adjudicate on and impose necessary penalties on the losing parties.

iv. Limiting penalties – The Bill seems to focus on the severity of the non-compliance, and not the non-compliance itself. It states that if the non-compliance is not significant, the Board may choose to close the enquiry, and will only take remedial measures in case the non-compliance is significant. The problem here lies in the terminology, since “significant” is highly subjective and may lead to a potentially faulty interpretation. Perhaps the severity or significance of the non-compliance can be streamlined, or at least the Board must reserve the power to pass necessary orders/directions (with reduced costs) in case of non-significant non-compliance.

v. Excessive delegation/lack of clarity – The draft Bill appears to be either postponing or delegating much of the complicated (yet important) issues that ideally should be addressed in the proposed Act, by simply adding “as may be prescribed”. For instance, the draft Bill proposes that a significant data fiduciary must conduct a ‘Data Protection Impact Assessment’ in a manner which is not stipulated within the draft Bill at all. The provision simply states that such assessment must be “in relation to the objectives of this Act, as may be prescribed”.

vi. Wide set of exceptions – Section 18 of the draft Bill sets out the exceptions to the preceding Chapters (those relating to the obligations of the data fiduciary, and rights and duties of the data principal) and essentially recreates the issues found in the previous PDP Bill. For instance,

a. Section 18(2) continues with the wide exemption granted to the state without any of the procedural safeguards being referenced.

b. Section 18(3) allows the Central government to exempt any data fiduciary from the provisions of the draft Bill, without any governing principles.

c. Section 18(4) does not explain the reason or basis for granting the state (or any instrumentality of the state) an over-riding power or right against erasure of personal data.

vii. Sensitive personal data – Lastly, while the PDP Bill addressed sensitive personal data (which included passwords, financial data, biometrics, caste, sexual orientation, etc) along with the manner of processing such information (under explicit consent), the draft Bill does not address this at all. This might suggest that “personal data” under the draft Bill includes all types of personal data, including sensitive personal data, which makes the concern highlighted above (re exceptions under Section 18) even more troubling.

While much remains to be seen on the basis of how the draft Bill progresses with time, it is good to see that the issue of personal data protection is being reconsidered by the government.

Rohan Krishna Seth is a Senior Associate at Fidus Law Chambers.