Amendments to Current Law

The Indian government released a new draft of the Digital Personal Data Protection Bill in November 2022. The Data Protection Bill (DPB) will replace the current data protection laws in India: Section 43A of the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. These laws, along with sector-specific laws, currently govern data protection in India.

Applicability and Scope

  1. Scope: The bill applies to the processing of “digital personal data,” excluding non-personal data and non-digital formats. It does not differentiate between sensitive personal data (SPD) and critical personal data (CPD).
  2. Territorial applicability: The bill applies to processing digital personal data within India’s territory. It also applies to processing digital personal data outside India if it involves profiling or offering goods/services to individuals in India.
  3. Processing activities: The bill does not apply to non-automated processing, processing for personal/domestic purposes by individuals, and personal data in records existing for at least 100 years.
  4. Regulation of non-personal data: The bill does not regulate non-personal data, fulfilling the demand of stakeholders. However, it maintains a broad territorial scope, potentially affecting foreign businesses processing personal data of individuals in India incidentally.

Key Provisions

Notice: The data fiduciary must provide a Data Principal with prior notice before collecting personal data. The notice should include information about the purposes of data processing, the nature of personal data collected, the right to withdraw consent, and cross-border data transfers if applicable. The notice should be clear and may be issued in multiple languages. However, the requirement for multilingual notices and disclosure of specific entities may be clarified through Codes of Practice. Practical issues may arise in disclosing entity names and determining data sources in complex data sharing architectures. The Data Protection Authority has the power to add to the disclosure requirements but should exercise it carefully to avoid excessive details that could make the notice cumbersome and compromise clarity.

Purpose and Collection Limitation: Data fiduciaries must process personal data in a fair and reasonable manner to protect the privacy of the Data Principal. They are allowed to collect only necessary personal data for processing. Personal data can be processed for purposes specified in the consent notice, other incidental purposes reasonably expected by the Data Principal, or purposes listed in the exceptions to consent. Additional consent is required from Data Principals if previously collected personal data is to be used for new or unspecified purposes.

Storage Limitation: Personal data should only be retained until the purpose of collection is fulfilled. Data fiduciaries should have data retention policies and delete data in certain situations. Data principals can request the deletion of their personal data, and the data fiduciary must confirm its removal from their systems and any other companies processing the same data.

Transparency of Processing: The DPB mandates data fiduciaries to implement transparency and accountability measures. They must provide information to Data Principals about the categories of personal data collected, the purpose of processing, exceptional situations, data principals’ rights, cross-border transactions, and Data Trust Score (if applicable). The DPB allows for the addition of other specified information through regulations. Additionally, data fiduciaries must inform Data Principals about important operations in data processing, which will be defined through regulations.

Consent: Consent is when a data principal agrees to their data being processed for a specific purpose. It should be free, specific, informed, and unambiguous, and given through clear affirmative action. The specified purpose should be mentioned in a clear and itemized notice. Data principals can withdraw consent and use consent managers. If consent is withdrawn, the data fiduciary must stop processing the principal’s data, unless authorized or necessary. Data principals have the right to access information in English or a language specified in the Constitution. The 2022 Bill aims to be simple, accessible, and inclusive. Data fiduciaries need to provide notice only for consent-based processing, not for deemed consent. Data processors may have to stop processing if the data principal withdraws consent.

Deemed Consent: The 2022 Bill introduces the concept of “deemed consent” which means that consent is not explicitly required in certain situations. It includes cases where the data principal voluntarily provides their data or can be reasonably expected to do so, and for functions under the law, among others. Deemed consent is also recognized for public interest purposes, such as preventing fraud and ensuring network security. Fair and reasonable purposes can be specified by the government through rules. However, the 2022 Bill does not explicitly include “legitimate interests” and “performance of a contract” as grounds for processing personal data without consent, which has been a longstanding industry demand. The power to specify fair and reasonable purposes now rests with the central government instead of the data protection authority as in previous iterations.

Cross-border data transfers: The 2022 Bill does not mention local storage or localization requirements. However, it introduces new conditions for cross-border data transfers. The central government has the power to notify countries or territories where personal data can be transferred. During this notification, the government can assess necessary factors, though the details are still awaited. Cross-border transfers are limited to jurisdictions notified by the government, applying to all personal data. This resembles the adequacy mechanism in the GDPR. Unlike the GDPR, the Bill does not recognize other grounds for overseas transfers, such as standard contract clauses or certifications.

Personal Data Breach: Either the data fiduciary or the data processor must report a personal data breach, which includes unauthorized processing and accidental disclosure of personal data. Failure to ensure reasonable security safeguards can result in penalties of up to INR 250 crores for data fiduciaries and data processors. Failure to report a breach can lead to penalties of up to INR 200 crores. The previous 72-hour reporting timeline has been removed, and data processors are now included in the obligation to report breaches. However, some stakeholders have expressed concerns about their ability to report breaches due to lack of visibility over the processed data. Industry views suggesting that only data fiduciaries should be responsible for reporting breaches have been disregarded.

Significant Data Fiduciaries: The government can identify “significant data fiduciaries” (SDFs) based on factors such as the volume and sensitivity of data they process, the risk of harm to data principals, and their impact on India’s sovereignty and integrity. SDFs have additional obligations, including appointing an independent data auditor, conducting data protection impact assessments, and appointing a data protection officer in India. The government’s power to designate SDFs and their obligations are mostly unchanged from the JPC Bill. However, the 2022 Bill no longer automatically considers social media platforms meeting user thresholds as SDFs. Previously, data protection impact assessments were mandatory for specific processing activities, but now they are required for all SDFs.

Obligations on Data Fiduciary: Data fiduciaries are required to ensure the accuracy and completeness of the data they process, remove or stop retaining data when its purpose is fulfilled, and establish grievance redressal mechanisms. They must publish details of a data protection officer or appoint someone who can address data principals’ inquiries about their personal data processing. Data fiduciaries are responsible for complying with the provisions of the 2022 Bill. Their obligations under the 2022 Bill are similar to those in the JPC Bill and the 2019 Bill.

Obligation of Data Processor: The 2022 Bill imposes obligations on data fiduciaries, with some obligations extended to data processors. Both fiduciaries and processors must take reasonable security measures and report personal data breaches. Data fiduciaries can engage data processors through a valid contract, and sub-processing is allowed if permitted by the contract. This recognition aligns with industry demands, but the 2022 Bill introduces the new requirement for data processors to notify personal data breaches.

Rights of Data Principals: Data principals have several rights, including the right to access information about their processed data, correct and erase their data, nominate someone to act on their behalf, and seek grievance redressal. The right to data portability, allowing the transfer of personal data between service providers, has been removed from the 2022 Bill. The 2022 Bill introduces duties for data principals, such as complying with the law, refraining from false grievances, providing authentic information, and following applicable laws. Previous versions of the Bill did not include duties for data principals.

Data Protection of Children: According to the 2022 Bill, a child is defined as a person below 18 years of age. Data fiduciaries must obtain parental consent for processing children’s data and are prohibited from tracking or targeting advertisements to children. However, exemptions to these rules can be prescribed by the central government. Unlike previous versions, data fiduciaries processing children’s data are no longer considered SDFs (Significant Data Fiduciaries). The age of consent remains at 18 years, despite criticism from civil society and the industry.

Regulatory Aspect

Sandbox: The DPB allows the creation of a public interest sandbox to encourage innovation in AI, ML, and emerging technologies. Data fiduciaries and certified start-ups can apply for inclusion in the sandbox for a specified term of up to 12 months, with a maximum usage period of 3 years. Participation exempts the fiduciaries from certain obligations, as specified under the DPB.

Data Protection Authority: The DPB envisions the establishment of an independent data protection authority (DPA) with various powers and responsibilities, including making regulations, specifying additional information for notices, determining reasonable purposes of processing without consent, certifying privacy by design policies, approving codes of practice, and undertaking actions for data breaches. The DPA’s autonomy and potential conflicts in its regulatory mandate have been subject to debate.

Codes of Practice: Codes of practice can be issued by the DPA or approved by the DPA upon submission by relevant entities. These codes address specific implementation aspects, such as notice requirements, data retention, valid consent, user rights, transparency, accountability, data destruction, breach notifications, and cross-border data transfers.

Privacy by Design: Data fiduciaries are required to implement a “Privacy by Design” policy, similar to the GDPR. They can voluntarily submit their policy for certification by the DPA, which, if compliant, will be published on both the fiduciary’s and the DPA’s websites.

Power of the Government to issue directions to the DPA: The Government can issue binding directions to the DPA, considering India’s sovereignty, integrity, security, foreign relations, or public order. The DPA has the opportunity to express its views beforehand, if practicable.

Exemptions: The DPB provides exemptions for processing personal data of non-Indian individuals by data processors contracting with foreign entities. The Government has the power, based on public interest grounds, to direct the inapplicability of DPB provisions to government agencies, subject to prescribed safeguards. Exemptions are also granted for small businesses, personal/domestic purposes, judicial functions, legal proceedings, and research, archiving, and journalistic purposes.

Penalties, Offences and Compensation

The DPB includes various enforcement measures: financial penalties, criminal liability, and compensation for Data Principals.

Financial Penalties: The DPB proposes financial penalties for offenses, with a maximum of INR 5 crore or 2% of the ‘total worldwide turnover’ for certain violations, and INR 15 crore or 4% of the ‘total worldwide turnover’ for others. Penalties apply to violations of processing obligations, security safeguards, cross-border data transfers, and failure to address data breaches promptly. The ‘total worldwide turnover’ includes the turnover of group entities resulting from the Data Fiduciary’s processing activities.

Criminal Penalties: Re-identifying de-identified data without consent is a criminal offense under the DPB. It applies to any person, not just Data Fiduciaries or Processors, with penalties including imprisonment up to three years or a fine of up to INR 2,00,000.

Compensation: Data Principals can seek compensation from Data Processors or Fiduciaries for harm caused by violations of the DPB. Specialized forums for redress may lead to data protection litigation.

Class Action: The DPB allows Data Principals or a class of affected individuals to file class-action lawsuits against Data Fiduciaries or Processors to seek compensation. The DPA may forward these actions to a designated officer for further processing.

Implementation Period

The Parliamentary Committee proposed a phased approach for implementing the DPB. It recommended appointing the Chairperson and Members of the DPA within three months, the DPA starting its activities within six months, registration of data fiduciaries starting within nine months, adjudicators and appellate tribunal commencing work within twelve months, and the Act becoming effective within 24 months from notification. However, the DPB does not specify these timelines, allowing the Government to implement provisions at different times through notifications.