On November 18, 2022, the Ministry of Electronics and Information Technology released the draft of the Digital Personal Data Protection Bill, 2022 (“DP Bill”), inviting suggestions and comments from relevant stakeholders. As India emerges as an economy with over 760 million active internet users, the purpose of the much-anticipated DP Bill seems to be to set forth a framework regulating the processing of ‘digital personal data’ in a manner that is commensurate with the Indian users’ expectations of having an open, safe, trusted, and accountable internet. The DP Bill intends to strike a balance between the rights of Data Principals to protect their digital personal data and the requirement of processing such data by the Data Fiduciaries.
While the explanatory note to the DP Bill already expounds on the plain and simple language of the framework, this article intends not only to give the reader a brief walk-through of the key provisions of the DP Bill (Part A) but also to highlight some key points for further deliberation while the DP Bill is still in its consultation phase (Part B).
Global Principles of data protection – The provisions of the DP Bill are founded on the globally accepted principles of data protection, namely,
(a) lawfulness, fairness, and transparency; (b) purpose limitation; (c) data minimization; (d) accuracy; (e) storage limitation; (f) integrity and confidentiality; and (g) accountability.
Applicability - The scope of applicability of the DP Bill has been limited to the processing of only ‘digital personal data’. Essentially, the framework intends to regulate only such data about an identifiable individual (“Personal Data”) which is either collected online or digitized (post collection offline). Further, the territorial scope of the DP Bill extends to processing of Personal Data outside India in cases where the processing pertains to profiling of Data Principals or offering of goods or services to Data Principals in the territory of India.
Notice and Consent – The provisions in respect of notice and consent embody the principles of fairness and transparency and require Data Fiduciaries to provide the Data Principal with a notice in clear and plain language containing a description of the Personal Data being sought and the purpose of processing such Personal Data. The Data Fiduciary is further obligated to provide an option to the Data Principal to access such notice in either English or any of the 22 languages specified under the Eighth Schedule of the Constitution. Consent still remains the foundation for processing of Personal Data, and while such consent is required to be obtained for a ‘specified purpose’ by way of a clear affirmative action of the Data Principal, the DP Bill also makes carve-outs for specified scenarios/grounds where insisting on express consent would be inefficacious (for instance, where the processing of Personal Data is reasonably necessary to perform or conclude a contract or transaction).
Data Fiduciary and Significant Data Fiduciaries – The primary responsibility of complying with the provisions of the DP Bill, including maintaining adequate security safeguards and notifying the Data Principal in case of a data breach, has been imposed on Data Fiduciaries. What is notable is that this obligation is agnostic to any non-compliance by the Data Principals with the provisions of the DP Bill. The DP Bill seems to have retained the idea of ‘Significant Data Fiduciaries’ (“SDF”) from its predecessor, the Personal Data Protection Bill of 2019 (“2019 Bill”). Additional obligations have been imposed on such SDFs, such as the appointment of a Data Protection Officer who will be based in India and of an independent data auditor, and the undertaking of data protection impact assessments. The DP Bill defines ‘Data Principal’ as the individual to whom the personal data relates and, where such individual is a child, includes the parents or lawful guardian of such a child.
Data Protection Board – The DP Bill envisages the establishment of a data protection board (“Board”) which will act as an independent body and exercise supervisory functions which shall be ‘digital by design’. The Board has been vested with wide-ranging powers, including the power of reviewing its own orders, referring disputes/complaints to alternate dispute resolution mechanisms, and accepting voluntary undertakings from defaulters. Data Principals can register complaints with the Board in the event their grievances are not redressed by Data Fiduciaries within 7 days of filing such grievance.
Cross-border Transfer of Data – Unlike the 2019 Bill, the DP Bill does not set forth strict data localisation requirements, which comes as a relief to various homegrown small tech start-ups. Having said that, cross-border data transfers may now be subject to the Central Government’s assessment of the transferee jurisdiction/territory. While the intent to regulate cross-border transfer on the basis of an ‘adequacy’ assessment seems progressive, the DP Bill does not spell out the mechanism or grounds on which such assessment is to be made.
Voluntary Undertaking and Gradation of penalties – While criminal penalties have not been contemplated, the DP Bill introduces a deterring financial penalty, ranging from Indian Rupees Ten Thousand to Rupees Five Hundred Crore. Notably, the DP Bill also lays down penalties in cases of non-compliance by Data Principals. In addition to the penalty provisions, a mechanism to facilitate voluntary undertakings has also been introduced under the DP Bill with the intent to ensure compliance rather than penalise non-compliance.
As digital innovation in India grows, the attempt to come up with concise and clear legislation which acknowledges the inevitability of data processing as well as the significance of the rights of Data Principals is laudable. While the proposed data protection legislation has undergone various modifications to reach the current version, we have analysed some provisions keeping in mind potential practical challenges, and domestic and global standards.
Data Protection Board of India and overlapping powers – The Board has the power to, inter alia, direct Data Fiduciaries to adopt measures to remedy or mitigate any harm caused to Data Principals in case of a data breach and carry out such other functions as may be notified by the Central Government. Subject to further clarifications, which may be provided in terms of the rules prescribed under the DP Bill, there appears to be a regulatory overlap between the powers and functions of the Board and CERT-In on a bare reading of certain provisions of the DP Bill (for instance, the obligation on Data Fiduciaries to report instances of personal data breach to the Board, which may currently be reported to CERT-In under the current regulations). Considering that the DP Bill is in addition to and not in derogation of other laws (unless in cases of conflict), the Government may need to re-assess and demarcate the authority, powers and functions of the Board and CERT-In in respect of, inter alia, reporting of cyber breaches and incidents.
Non-automated Processing of Personal Data – The provisions of the DP Bill apply to processing of digital Personal Data, inter alia, where such Personal Data collected offline is digitised. In essence, any Personal Data received in offline/physical format, if recorded/stored/registered in an electronic form, should be governed by the provisions of the DP Bill, irrespective of whether it is accessible according to specific criteria or through an automated process (similar to the concept of a ‘filing system’ under the GDPR). However, the DP Bill expressly excludes from its ambit non-automated processing of Personal Data, which inevitably raises a question in respect of the compliance burden on Data Fiduciaries in case of ‘non-automated processing of digital Personal Data’.
Cross Border Transfers and Adequacy Decision – Subject to a few exceptions under the DP Bill, the Government has been vested with the absolute authority to notify the countries and territories to which a Data Fiduciary can transfer Personal Data. Given that the DP Bill has been framed in view of the Indian authorities recognizing the magnitude of data processing capabilities of Data Fiduciaries, the intention to regulate the flow of Personal Data to select jurisdictions on assessment of objective factors prima facie seems to be a positive move. However, in the context of adequacy mechanisms and the alternatives thereto, it can be reasonably expected that the Government would be assessing the judicial precedents and measures set forth by the Court of Justice of the European Union in its various rulings, most notably the Safe Harbour Decisions in Schrems I and Schrems II. While notifying objective factors or specific terms and conditions is a constructive approach from the perspective of data protection, such factors/terms might not be universally applicable to all transferee jurisdictions. Accordingly, mechanisms like the EU’s ‘Standard Contractual Clauses’ (SCCs), certifications, etc., should be considered for prescription under the rules.
Deemed Consent – The DP Bill takes into consideration limited circumstances where consent would be deemed to have been given by Data Principals. A chunk of these circumstances make carve-outs for consensual processing of Personal Data for state functions where such processing is necessary, and the same are largely in line with the tests laid down by the Supreme Court in the Puttaswamy case relating to the scope of limitation of the constitutional right to privacy. The reason why it is ‘largely’ and not ‘entirely’ in line with the tests is that, upon a bare reading of the provisions of the DP Bill, scenarios like the provision of any service or benefit to the Data Principal, or the issuance of any certificate, license, or permit for any action or activity of the Data Principal, by the State or any instrumentality of the State, are not dependent on such activities being undertaken under the ‘existence of a law’ or in a manner that is authorised by any law. In addition to the aforesaid, consensual processing of Personal Data may also be done in case of medical emergencies involving a threat to life or an immediate threat to the health of the Data Principal. In the context of such processing, a parallel may be drawn with India’s draft Health Data Management Policy (“NDHM”) (the latest iteration of which was released in April this year), which also envisages provisions relating to processing of Personal Data in case of medical emergencies. Notably, the NDHM contemplates appointment of a nominee to provide valid consent on behalf of the Data Principal in case such Data Principal becomes seriously ill, or mentally incapacitated, or where the Data Principal is facing a threat to life or a severe threat to health and is unable to give valid consent. Unlike the DP Bill, the NDHM does not propose ‘deemed’ consent in the absence of a nominee but rather shifts the right to give valid consent on behalf of the Data Principal to an adult member of the family of the Data Principal.
Processing of Personal Data of Children – Similar to the 2019 Bill, the DP Bill imposes additional obligations on Data Fiduciaries in respect of processing of Personal Data of children. The provisions introduce compliances in relation to obtaining verifiable parental consent and restrictions on processing for certain purposes. It is noteworthy that the DP Bill recognizes Personal Data of children as a special category and makes Data Fiduciaries accountable for the manner of its processing; however, it is undeniable that the proposed provisions would have a considerable impact on Data Fiduciaries considering that a major chunk of the internet users in India are below 18 years of age. Further, implications on the operation of gaming companies will also need to be assessed since the DP Bill categorically restricts processing of Personal Data in a manner that is likely to cause harm to a child without really explaining what constitutes a manner which is likely to cause harm. The foregoing, in addition to keeping the threshold of the age of consent at 18 years and the absence of a structured regulatory regime in India for the online gaming industry, raises more questions and concerns on the mechanism by which the intent is purported to be achieved.
Non-compliance of duties by Data Principals – The DP Bill clarifies that any consent which constitutes an infringement of its provisions shall be invalid to the extent of such infringement. While the illustration provided under the DP Bill is quite clear in its implication, reading the aforesaid provision together with other provisions raises a question about the effectiveness of imposing certain duties on Data Principals, especially when the burden to comply with the provisions remains on the Data Fiduciary. To simplify, in the event a Data Principal furnishes any false or inaccurate information or impersonates another person, any consent provided by such Data Principal is invalid to the extent of such false/inaccurate information. This essentially creates a conundrum since the obligation to seek valid consent lies on the Data Fiduciary, and this responsibility exists irrespective of any non-compliance of the Data Principal with her duties as stated under Section 9(1) of the DP Bill.
Amendment to RTI Act – The DP Bill proposes to amend Section 8(1)(j) of the Right to Information Act, 2005 in a manner that disclosure of personal information may be absolutely denied to an RTI applicant (irrespective of it being in the larger public interest). Such an absolute taking away of the reasonable caveats available under the RTI Act may be misused and has the capability to weaken the importance of RTI, especially since the majority of the information that may be sought in an RTI application can be outright refused on the ground that it falls under ‘personal information’.
Rishi Anand is a Partner, Chirag Jain is a Principal Associate and Shreya Singh is an Associate at DSK Legal.