India’s Privacy Law - Digital Personal Data Protection Bill: Anticipating the Impending Impact on Businesses

The authors have outlined the aspects of the Digital Personal Data Protection Bill pertaining to the processing of personal information that are anticipated to potentially impact businesses.
DSK Legal - Nakul Batra, Aankhi Anwesha

On July 5, 2023, the Union Cabinet formally approved the Digital Personal Data Protection Bill (“Revised Bill”), thereby paving the way for its introduction in the upcoming monsoon session of Parliament (2023). The Ministry of Electronics and Information Technology (“Ministry”) released the draft of the Digital Personal Data Protection Bill (“Draft Bill”) on November 18, 2022, along with an explanatory note for stakeholder consultations. The stated purpose of the Draft Bill was to regulate the processing of personal information (“PI”) relating to a Data Principal (“DP”) by Data Fiduciaries (“Fiduciaries/Businesses”) and Data Processors (“Processors”).

The Ministry has concluded its consultation process on the Draft Bill. While the specific changes in the Revised Bill are yet to be seen, preliminary reports indicate that the Revised Bill has not undergone significant modifications from its previous iteration of 2022, when it was first introduced, and has primarily been fine-tuned in certain areas.

Considering this, we have outlined the aspects of the Draft Bill pertaining to the processing of personal information that are anticipated to potentially impact Businesses once the revised data protection regulation comes into force.

I. Applicability and Exemption

The Draft Bill was made applicable to Businesses that process PI (whether collected online or converted from physical to digital format) within the territory of India. It was also applicable to Businesses operating outside India which process PI of any DP in India in relation to profiling or the offering of goods and services [Section 4(1) and 4(2)]. However, the Draft Bill excluded from its ambit the ‘non-automated’ processing of PI (even if the same is in digital form). This essentially implied that a digitised record/document (containing PI) on which automated data processing is not or cannot be carried out was outside the scope of the Draft Bill.

Further, the processing of PI of DPs located outside India was exempted from the obligations under Chapter 2 of the Draft Bill [Obligations of Data Fiduciary] if the processing was undertaken by a Person in India pursuant to a contract executed with a Person outside India [Section 18(1)(d)]. This is similar to the exemption granted under the SPDI Rules, 2011 to any body corporate processing sensitive personal data or information under a contractual obligation, which relieves it of certain provisions of those Rules.

“person” includes: (a) an individual; (b) a Hindu Undivided Family; (c) a company; (d) a firm; (e) an association of persons or a body of individuals, whether incorporated or not; (f) the State; and (g) every artificial juristic person not falling within any of the preceding sub-clauses.

II. Consent and Notice

Before obtaining specific, free, and informed consent in an unambiguous and affirmative manner from the DP, Businesses were required to share with the DP an itemised list containing all the PI intended to be collected, the purpose of collecting such PI, and a description of each type of PI [Section 6(1) read with Section 7(1)].

This notice could be part of an existing privacy policy or be contained in any other document. However, such a privacy notice could not be assumed to have been read by the DP merely because it was made accessible via a hyperlink on a website; it was therefore required to be prominently displayed to the DP at the time of obtaining consent and before the processing of PI.

The written notice was required to be clear, plain, and available to DPs in English, with an option to read it in any of the 22 languages listed in the Eighth Schedule of the Constitution [Section 6(3)]. In a similar vein, by way of the Intermediary Rules, 2022, all intermediaries were instructed to prominently publish their rules and regulations, privacy policy, and user agreement in the above-mentioned languages.

Consent forms were required to be clear and presented in plain language, including contact details of the designated officer/employee (or Data Protection Officer for Significant Data Fiduciaries [Section 11]) either within the consent notice or separately.

Businesses were required to possess and implement appropriate technological infrastructure for effective adherence to their duties under the Draft Bill, and to facilitate the exercise of DPs’ rights, including the right to withdraw consent or to correct and erase their PI [Section 9(3)]. If such obligations remain in the Revised Bill, Businesses, especially bootstrapped ones, are likely to be affected by the burden of this compliance and the cost attached thereto.

Where there is a fair and reasonable basis or a legitimate interest involved in the processing of PI, the Draft Bill provided Fiduciaries with ‘deemed consent’ [Section 8]. For instance, deemed consent applied where DPs could reasonably be expected to provide their PI; for employment-related purposes; or for matters where the legitimate interests of Fiduciaries outweigh the adverse effects on the rights of DPs.

III. Technological Integration with Consent Managers/Consent Management Tools

Consent Managers [Section 7(6)] were defined as third-party Data Fiduciaries who were accountable to DPs and had to act on their behalf to enable them to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform. Consent Managers were to be registered with the Data Protection Board (“Board”) [Section 7(7)]. The Ministry has already released technology specifications for an electronic consent framework in light of the vision promulgated under the draft India Data Accessibility and Use Policy, 2022 and the draft Data Empowerment and Protection Architecture (DEPA) Framework. The financial sector has its own Consent Managers for data sharing and consent management in the form of Account Aggregators, which are regulated by the RBI. Businesses will in all likelihood have to make technological and programming integrations with such Consent Managers, and may have to deploy consent management tools, to materially comply with their duties and give effect to the rights of DPs.

IV. Data Breaches

In the event of a personal data breach, each affected DP and the Board were required to be notified by the Businesses and Processors, as the case may be. Unlike the CERT Directions, the Draft Bill did not clarify whether both the Fiduciary and the Processor involved in the same personal data breach must each report to the Board and the DPs, or whether a single, combined report would suffice.

"personal data breach" means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.

For example, if an employee's laptop containing the PI of a DP is stolen, it would be considered a personal data breach. However, without clear guidelines for the reporting process, particularly for informing each affected DP, there is a risk of notification fatigue due to the potentially high number of notifications received by DPs. To undertake this compliance, Businesses and Processors will be required to put the necessary personnel, procedures, and IT systems in place, which is likely to increase the cost of compliance.

Under Annexure I of the CERT Directions, certain personal data breaches are classified as cyber security incidents and must be reported to CERT-In within 6 hours. However, the Draft Bill did not prescribe a specific timeline for reporting personal data breaches to the Board and DP.

V. Revisions to Internal Data Policies

As a consequence of the obligations anticipated under the Revised Bill on Businesses (drawing from the Draft Bill), it is likely that Businesses will be required to review and update their IT, data protection, data retention, and cybersecurity policies. It will be essential for Businesses to have internal policies that include reasonable safeguards for handling and protecting personal information; procedures for consent withdrawal, correction, erasure, and grievance redressal; and provisions for providing information to data subjects. The policies will also have to set out the conditions for data transfer, including the list of notified territories.

VI. Conditions for Data Transfers

Upon receipt of the DP’s consent, Businesses were permitted to transfer PI to any other Processor (or other Fiduciaries), provided a valid contract exists between the Fiduciary and such transferee Processor/Fiduciary. Further, where the Processor was permitted under its contract with the Fiduciary to subcontract its processing activities, this was subject to the existence of a valid contract with such sub-contracted Processor [Section 9(9)]. The requirement of data localisation had been removed, but the Central Government was empowered to notify adequate or trusted territories to which PI may be transferred cross-border [Section 17].

VII. Processing of PI of Children

Even under the Revised Bill, it is anticipated that Businesses will have to formulate procedures to obtain verifiable parental consent for processing the PI of any individual below the age of 18 years [Section 10(1)]. After obtaining this parental consent, Businesses will be required to ensure that such processing does not cause harm to children [Section 10(2)]. Businesses are also prohibited from undertaking tracking and behavioural monitoring of children or directing targeted advertisements towards them [Section 10(3)].

“harm”, in relation to a Data Principal, means: (a) any bodily harm; or (b) distortion or theft of identity; or (c) harassment; or (d) prevention of lawful gain or causation of significant loss.

VIII. Other Important Obligations

Businesses were mandated not to deny a service if a DP had already consented to the processing of PI necessary for that service, even if consent was denied for additional, non-necessary PI processing [Section 9(6)]. Businesses were required to cease retaining PI once its purpose had been served and it was no longer necessary for legal or business purposes. Alternatively, to continue retention, Businesses could modify the PI so that it can no longer be associated with the DP (i.e., anonymisation or de-identification) [Section 7(4) read with Section 9(6)]. In case of a request by a DP for erasure of their PI, Businesses will be required to comply with such a request immediately, unless retention is necessary for a legal purpose [Section 13(2)(d)].

Significant Data Fiduciaries were required to appoint a Data Protection Officer who had to be based in India and responsible to the Board of Directors, to appoint an independent data auditor, and to undertake a data protection impact assessment [Section 11].

Depending on factors such as nature, gravity, duration, and preventive measures taken, the financial penalties on Businesses ranged from ₹250 crore to a maximum of ₹500 crore per instance.

Concluding Remarks

As this Revised Bill will be the precursor to the first substantial and comprehensive data protection law of India, the obligations and compliances expected, and the costs associated therewith, are likely to increase for various actors upon its enactment. At this juncture, it is important for Businesses and Processors to revisit the manner and scope of the data processing they undertake to operate their businesses, in view of the following principles: (a) lawfulness, fairness and transparency; (b) purpose limitation; (c) data minimisation; (d) accuracy; (e) storage limitation; (f) integrity and confidentiality; and (g) accountability.

Nakul Batra is a Partner and Aankhi Anwesha is an Associate at DSK Legal.

Bar and Bench - Indian Legal news
www.barandbench.com