Technology Law Analysis

December 17, 2021

Proposed Indian Privacy Law Revamped: Light at the End of the Tunnel?

 

Detailed Analysis of the New Data Protection Bill in India

I. Amendments to Current Law

The DPB, when enacted, will replace Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (together, the Current Law), which currently, in tandem with sectoral laws, constitute the data protection framework in India.

II. Applicability

The DPB applies to the processing of personal data of natural persons, of which SPD and CPD are subsets. The natural person whose data is being processed is referred to as a “Data Principal”. Further, the proposed law applies to both automated and non-automated processing, as further elaborated in Section XVIII.

  1. Retrospective Applicability

    The DPB is silent about retrospective applicability, i.e. applicability to data collected before the law comes into effect. However, the report issued along with the PDP Bill stated that the law will apply to any ongoing processing once introduced. While this has not been addressed in the Report, the same understanding ought to continue.

Sans any such current legal requirement, it is likely that prior to the enactment of the DPB substantial amounts of personal data would have been obtained without the specific consent the DPB contemplates. Thus, data fiduciaries will need to obtain the necessary consents for the continued processing of such personal data.

    Similarly, data fiduciaries may have to delete all such personal data which was obtained by them without specific consents, unless specific consent is obtained for continued processing of such personal data, in accordance with the DPB.

  2. Definitions

    Several definitions in the DPB are open-ended. This could create uncertainties in the manner in which the DPB will be interpreted, implemented and enforced.

    For instance, the definition of harm includes references to “any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled”, “any observation or surveillance that is not reasonably expected by the data principal” and “psychological manipulation which impairs the autonomy of the individual”, all of which are ambiguous and open-ended. The updated definition of “harm” also includes any other harm as may be prescribed by the Central Government, which raises the concern that untested additions may be made to the definition of “harm” by the Central Government from time to time.

  3. Personal Data

    Personal data has been defined as data about, or relating to, a natural person who is directly or indirectly identifiable, having regard to any (or combinations of) characteristic, trait, attribute or any other feature of the identity of such natural person, and includes any inference drawn from such data for the purpose of profiling.

    The definition of personal data is extremely wide in comparison to the Current Law. While the Parliamentary Committee noted stakeholders’ suggestion of excluding ‘inferences drawn from profiling’ from the definition of personal data, the same has not been reflected in the definition incorporated under the DPB.

    With the exception of a few specifically identified provisions, and other exemptions which may be granted (such as an exemption from complying with requests for enforcing Data Principals’ rights), the provisions of the DPB are equally applicable to non-automated (manual) processing of personal data. Thus, several non-digital businesses, which manually collect and process personal data (not qualifying as SPD or CPD), will be expected to comply with consent requirements, and with demands for enforcement of the right to confirmation and access and the right to correction and erasure, unless the DPA provides exemptions.

  4. Sensitive Personal Data

    SPD is a subset of personal data and consists of specified types of data, such as financial data, health data, official identifiers, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief, etc. The DPA has the power to declare further categories of data as SPD. The DPB also bars the processing of certain forms of biometric data as may be prescribed, unless it is permitted by law.

    Several stakeholders had urged the Parliamentary Committee to adopt an exhaustive definition of SPD, as opposed to an open-ended and inclusive definition. However, it did not adopt this recommendation.

    There are certain additional compliance requirements for SPD, such as the data localization and restrictions on processing. We have covered these below. As a result of these additional compliance requirements, the BFSI and Pharmaceutical industries are likely to get affected as both ‘financial data’ and ‘biometric/health data’ have been retained as categories of SPD. Our specific observations are below:

    • Financial data: The definition of financial data ought to have been restricted to ‘authentication information’ for financial instruments alone. Information such as a bank account number, on its own, and in the absence of other information relevant to authentication and access to financial accounts and information, is unlikely to cause harm to the Data Principal. For example, with the advent of the usage of mobile phone numbers as primary means to enable digital payments, they are often used in lieu of bank account numbers as the identifiers for mobile wallets.

    • Biometric data: In addition to fingerprints, iris scans, facial images, biometric data has been defined to include ‘behavioral characteristics’. The said term is not defined. Prima facie, it could impact voice activated assistants and assistive technologies which are used by people with disabilities. Further, the Central Government has the overarching power of carving out certain kinds of biometric data from processing, as it may deem fit, resulting in further uncertainty over the legality of incorporating security and access control hardware in various devices.

    • Religious or political beliefs/ caste or tribe: Interestingly, the DPB also includes religious or political beliefs / caste or tribe within the realm of SPD. However, in the Indian context, the inclusion of these items does not appear to be entirely relevant as they might be disclosed via individuals’ surnames.

    • Official identifiers: Official identifiers have been defined to include any number, code or other identifier, assigned to a Data Principal under a provision of law for the purpose of verifying the identity. While Aadhaar UIDs have been removed from the illustrative list of official identifiers, the inclusive definition is still broad enough to include Aadhaar UIDs, since it includes any number or identifiers used for the purpose of verifying the identity of a Data Principal. Given that some official identifiers may be asked for verification by various government as well as non-governmental bodies, it will burden many organizations with compliance requirements by virtue of just collecting such data in electronic form.

  5. Processing

    Processing has been defined very broadly to include an operation or set of operations performed on personal data, and may include operations such as collection, organization, storage, alteration, retrieval, use, alignment or combination, indexing, disclosure, etc.

  6. Data Fiduciaries and Data Processors

    Entities processing personal data may be either “Data Fiduciaries” (the entity that determines the purpose and means for processing) or “Data Processors” (the entity that processes personal data on behalf of a Data Fiduciary). These ‘entities’ may be the State, a company, a non-government organization, a juristic entity or any individual. While most obligations under the DPB are applicable to data fiduciaries, limited obligations have also been imposed upon data processors, such as the necessity to implement security safeguards.

  7. Non-personal / Anonymized Data

    NPD, including anonymized data (i.e. data which cannot identify a Data Principal), has been defined as “data other than personal data” and has now been included within the scope of the DPB.

    The extent to which large datasets can be truly anonymized (an irreversible process) is still a matter of global debate: removing direct identifiers rarely suffices, because the quasi-identifiers that remain (a pincode, a date of birth, sex) can be linked with other datasets to re-identify the record as personal data. However, for the purposes of the DPB, anonymization is presumed to be possible, and the discussion here is on that basis.
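    The following is an added example, not part of the analysis above or of any regulator's guidance, that makes the re-identification caveat concrete: it runs a linkage attack over a constructed "de-identified" health dataset, measures k-anonymity and l-diversity over the quasi-identifiers, and shows that one generalisation step raises k but can still disclose a diagnosis when a class is homogeneous. The field names, the records and the auxiliary "voter roll" are all constructed for illustration.

```python
"""Re-identification risk check on a 'de-identified' dataset (added example).

Direct identifiers (name, Aadhaar, phone) have already been removed from the
released rows. What remains are quasi-identifiers plus a sensitive attribute.
All records here are constructed; field names and the k/l metrics are
illustrative choices, not anything the DPB prescribes.
"""
from collections import Counter, defaultdict

QUASI = ("pincode", "birth_year", "sex")   # assumed quasi-identifier columns
SENSITIVE = "diagnosis"

# Constructed release: direct identifiers stripped, sensitive column kept.
RELEASED = [
    {"pincode": "110001", "birth_year": 1984, "sex": "F", "diagnosis": "diabetes"},
    {"pincode": "110001", "birth_year": 1984, "sex": "F", "diagnosis": "diabetes"},
    {"pincode": "110001", "birth_year": 1984, "sex": "M", "diagnosis": "asthma"},
    {"pincode": "110005", "birth_year": 1987, "sex": "M", "diagnosis": "healthy"},
    {"pincode": "110002", "birth_year": 1991, "sex": "M", "diagnosis": "healthy"},
    {"pincode": "110002", "birth_year": 1991, "sex": "M", "diagnosis": "hiv"},
    {"pincode": "560034", "birth_year": 1975, "sex": "F", "diagnosis": "asthma"},
    {"pincode": "560037", "birth_year": 1979, "sex": "F", "diagnosis": "healthy"},
]

# Constructed auxiliary data an attacker might hold (a voter roll, a leaked KYC list).
AUXILIARY = [
    {"name": "A. Sharma", "pincode": "110001", "birth_year": 1984, "sex": "M"},
    {"name": "P. Verma",  "pincode": "110001", "birth_year": 1984, "sex": "F"},
    {"name": "R. Iyer",   "pincode": "560034", "birth_year": 1975, "sex": "F"},
]


def _qkey(rec, quasi=QUASI):
    return tuple(rec[f] for f in quasi)


def k_anonymity(records, quasi=QUASI):
    """k = size of the smallest equivalence class over the quasi-identifiers."""
    counts = Counter(_qkey(r, quasi) for r in records)
    return min(counts.values()) if counts else 0


def l_diversity(records, sensitive=SENSITIVE, quasi=QUASI):
    """l = fewest distinct sensitive values found in any equivalence class."""
    classes = defaultdict(set)
    for r in records:
        classes[_qkey(r, quasi)].add(r[sensitive])
    return min(len(v) for v in classes.values()) if classes else 0


def link(released, auxiliary, sensitive=SENSITIVE, quasi=QUASI):
    """Linkage attack: join the auxiliary identities to released rows on the
    quasi-identifiers. Returns {name: set of sensitive values} for each person
    who matched at least one released row."""
    index = defaultdict(list)
    for r in released:
        index[_qkey(r, quasi)].append(r)
    hits = {}
    for a in auxiliary:
        matched = index.get(_qkey(a, quasi), [])
        if matched:
            hits[a["name"]] = {m[sensitive] for m in matched}
    return hits


def generalise(records):
    """One generalisation step: pincode to its first three digits, birth year
    to a decade. Works on released and auxiliary rows alike; input untouched."""
    out = []
    for r in records:
        g = dict(r)
        g["pincode"] = r["pincode"][:3] + "xxx"
        g["birth_year"] = (r["birth_year"] // 10) * 10
        out.append(g)
    return out


if __name__ == "__main__":
    print("k before:", k_anonymity(RELEASED), "l before:", l_diversity(RELEASED))
    print("linked before:", link(RELEASED, AUXILIARY))
    coarse = generalise(RELEASED)
    print("k after:", k_anonymity(coarse), "l after:", l_diversity(coarse))
    print("linked after:", link(coarse, generalise(AUXILIARY)))
```

    Run as is, the release has k = 1 (singleton rows identify A. Sharma and R. Iyer outright) and l = 1 (both rows matching P. Verma say "diabetes", so the diagnosis is disclosed even though she is not singled out). After generalisation k rises to 2, but l stays at 1 and P. Verma's diagnosis still leaks: a k-anonymity threshold alone is not evidence of anonymization, which is the practical reason the "irreversibility" presumption in the DPB deserves scrutiny.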

    The Central Government may direct any data fiduciary or data processor to provide any anonymized personal data or other NPD in order to enable better targeting of service delivery or to aid evidence-based policy making in a manner as may be prescribed. This obligation to share anonymized data is applicable to data fiduciaries and data processors alike. It must be kept in mind that it may not be practical for data processors to share data without instruction from data fiduciaries. It is unclear whether this data would have to be provided only to the State or to private parties as well; in addition, the terms of provision of such data, such as fair compensation, have not yet been specified. The DPB also reserves the power of the Central Government to frame policies for the promotion of the digital economy, including for the handling of NPD and anonymized data.

    Separate to the developments on the PDP Bill, a committee constituted by the Ministry of Electronics and Information Technology to explore the governance of NPD under the Chairmanship of Kris Gopalakrishnan released a second and revised report with their recommendations on the governance of NPD and the establishment of a separate (and independent) NPD framework, which contemplates introducing a framework for sharing of NPD in certain circumstances. We will have to wait and watch as to whether the policy released by the Central Government on NPD follows the NPD Framework recommended by this committee.

  8. Extra Territorial Application

    In addition to being applicable to the processing of personal data collected within the territory of India and collected by Indian citizens/companies, the DPB is designed to have extra-territorial application.

Applicability of the DPB (Data Principals are natural persons only)

  Data Fiduciary / Data Processor located in India (processing in India):

    • Data Principal located in India: the DPB applies.

    • Data Principal located overseas: the DPB applies, unless specifically exempted, such as in the case of outsourcing contracts.

  Data Fiduciary / Data Processor located overseas (processing overseas):

    • Data Principal located in India: the DPB applies if the processing is in connection with any business carried on in India, or any systematic activity of offering goods or services to Data Principals within India, or any activity which involves profiling of Data Principals within India.

    • Data Principal located overseas: the DPB does not apply.

The DPB does not define what would amount to ‘carrying on business in India’. For reference, the Australian Privacy Principles without defining ‘carrying on business’ have interpreted it to generally involve conducting some form of commercial enterprise, ‘systematically and regularly with a view to profit’; or to embrace ‘activities undertaken as a commercial enterprise in the nature of an ongoing concern, i.e., activities engaged in for the purpose of profit on a continuous and repetitive basis’. While the Report of the Parliamentary Committee acknowledges suggestions to clarify this point, guidance on the interpretation of the phrase has not been included in the DPB.

The DPB attempts to strike a balance: it seeks to apply to personal data of foreign residents processed in India, while providing exemptions where necessary to promote data processing activities in India.

Section 2 of the DPB which sets out the applicability of the law, prescribes a territorial nexus with India for establishing jurisdiction for the purposes of the DPB - this could be on the basis of residence of the Data Principal, or the residence of the data fiduciary. If the data is processed by any person or entity within India, then the provisions of the DPB will apply. This could possibly go on to show that India is seeking to provide an equivalent level of data protection to the data of foreigners, hence increasing the chances of gaining ‘data adequacy’ status from jurisdictions such as the EU.

However, in view of the fact that India has a well-developed domestic data processing industry the Central Government has been given the power to exempt the processing of personal data of Data Principals located outside India by Indian data processors, if pursuant to a contract executed with a person outside the territory of India.

III. Major Obligations

  1. Notice

    The data fiduciary is obligated to provide a Data Principal with adequate notice prior to collection of personal data, either at the time of collection, or as soon as reasonably practicable (if the personal data is not directly collected from the Data Principal) (Notice). To fulfill the Notice requirement, certain key information is required to be provided to the Data Principal by the data fiduciary, such as:

    • The purposes for which the data is to be processed;

    • The nature and categories of personal data being collected;

    • The right of the Data Principal to withdraw their consent, and the procedure for such withdrawal, if the personal data is intended to be processed on the basis of consent; and

    • information regarding any cross-border transfer of the personal data that the data fiduciary intends to carry out, if applicable.

    This Notice should be clear, concise and comprehensible and it is also specified that a Notice may be issued in multiple languages whenever necessary. However, the DPB is not clear as to when such multilingual notices may be necessary, and this may be specified through Codes of Practice.

    From a practical implementation perspective, we note that the information required to be shared in a Notice is extensive, detailed and fairly granular. Some practical issues that are likely to arise are:

    • Details about individuals and entities with whom such personal data may be shared is required to be provided upfront in the Notice itself. It is not clear whether the names of such entities are required to be disclosed or only the categories. We believe that the final law should clarify that broad categories should be sufficient as at the time of collection of the personal data the data fiduciary is unlikely to have access to the names of all entities who may process such personal data.

    • The source from where such personal data is collected, is also required to be disclosed. Ascertaining the source in a complex data sharing architecture may get very difficult, especially where multiple group companies or related entities may be involved. Further, it may also result in notice fatigue amongst Data Principals, due to the multiplicity of Notice(s) that may need to be sent out by data fiduciaries.

    • The DPA has been empowered to add to the list of items to be disclosed in the Notice. The DPA should exercise this power cautiously so as to ensure that the Notice does not contain granular details, so as to render the Notice too cumbersome, thereby compromising clarity and conciseness as required under the DPB.

  2. Purpose and Collection Limitation

    Data fiduciaries processing personal data, are required to do so in a fair and reasonable manner so as to ensure the privacy of the Data Principal.

    Data fiduciaries are permitted to collect only such personal data as is necessary for the purposes of processing. Personal data may be processed only for (a) the purposes specified to the Data Principal under the consent Notice; or (b) any other incidental purpose that the Data Principal would reasonably expect the personal data to be used for, given the context and circumstances in which such personal data was collected; or (c) the purposes listed under the exceptions to consent in Clause 12 of the DPB. Therefore, using previously collected personal data for new (or previously unspecified) purposes would require additional consents from Data Principals.

  3. Storage Limitation

    Personal data may be retained only until the purpose of collection is completed. Data fiduciaries should consider developing data retention policies, outlining the length of time they will hold on to the personal data of their users, as there is a positive obligation to delete such data in certain situations.

    Data principals have the right to request the deletion of their personal data at any time. Compliance with such requests, require the data fiduciary to confirm the removal of such personal data from both its own systems, and those of any other companies who were processing the same data on its behalf. It must be noted that in a digital ecosystem, the feasibility of accurately confirming the complete deletion of data to the exclusion of any and all digital footprints, remains questionable.
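    One engineering answer to the deletion-confirmation problem just described is crypto-shredding: encrypt each Data Principal's records under a key that only the fiduciary's key store holds, hand processors and backups nothing but ciphertext, and honour an erasure request by destroying that one key, which makes every copy unreadable wherever it sits. The block below is an added illustration, not code from the analysis or from any regulator, and every name in it is an assumption. Its cipher is a standard-library stand-in (SHA-256 counter-mode keystream with an HMAC-SHA256 tag) used only so the example runs offline; a production system would use AES-GCM from a vetted library.

```python
"""Crypto-shredding as a deletion mechanism (added example).

Per-principal data-encryption keys live only in the fiduciary's KeyStore.
Every RecordStore (the fiduciary's own table, a processor's copy, a backup)
holds identical ciphertext and never sees a key. Erasure = destroy the key.

The cipher here is a stand-in so the example runs with the standard library;
use AES-GCM from a vetted library in real systems. All names are assumed.
"""
import hashlib
import hmac
import os
import time

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from SHA-256 (stand-in for a real stream cipher).
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || body || tag, tag = HMAC-SHA256(key, nonce || body)."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def unreadable(blob: bytes, key: bytes) -> bool:
    """True if the ciphertext does not authenticate under `key`."""
    try:
        decrypt(key, blob)
        return False
    except ValueError:
        return True


class KeyStore:
    """Per-principal keys. shred() is the erasure act and is logged so the
    fiduciary can later evidence when the data became unrecoverable."""

    def __init__(self):
        self._keys = {}
        self.audit = []            # (unix_time, principal_id, event)

    def key_for(self, principal_id: str) -> bytes:
        return self._keys.setdefault(principal_id, os.urandom(32))

    def has_key(self, principal_id: str) -> bool:
        return principal_id in self._keys

    def shred(self, principal_id: str) -> bool:
        removed = self._keys.pop(principal_id, None) is not None
        self.audit.append((time.time(), principal_id, "key_destroyed" if removed else "no_key"))
        return removed


class RecordStore:
    """Any holder of ciphertext: primary database, processor copy, or backup."""

    def __init__(self):
        self.rows = {}             # principal_id -> ciphertext

    def put(self, principal_id: str, blob: bytes):
        self.rows[principal_id] = blob

    def get(self, principal_id: str) -> bytes:
        return self.rows[principal_id]


def store_record(ks: KeyStore, stores, principal_id: str, plaintext: bytes) -> None:
    """Encrypt once under the principal's key and fan the ciphertext out."""
    blob = encrypt(ks.key_for(principal_id), plaintext)
    for s in stores:
        s.put(principal_id, blob)


def read_record(ks: KeyStore, store: RecordStore, principal_id: str):
    """Plaintext from any store, or None once the principal's key is shredded."""
    if not ks.has_key(principal_id):
        return None
    return decrypt(ks.key_for(principal_id), store.get(principal_id))


if __name__ == "__main__":
    ks, primary, processor, backup = KeyStore(), RecordStore(), RecordStore(), RecordStore()
    store_record(ks, [primary, processor, backup], "dp-001", b"name=Asha;pincode=110001")
    print("processor copy reads:", read_record(ks, processor, "dp-001"))
    ks.shred("dp-001")
    print("after shred, backup reads:", read_record(ks, backup, "dp-001"))
    print("audit:", ks.audit)
```

    The audit list gives the fiduciary a timestamped record of the key destruction that it can cite when confirming erasure, and the processor copy and the backup still physically hold the same bytes; they do not have to be located and scrubbed for the data to become unrecoverable. The limitation to state plainly to a regulator: any plaintext that ever left the envelope (logs, caches, analytics extracts) is not covered by the key destruction.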

  4. Transparency of Processing.

    The DPB requires data fiduciaries to implement measures which facilitate and demonstrate transparency and accountability. These measures are intended to provide adequate information to Data Principals on the manner in which their data is being processed and also to provide notification of data breaches.

    The DPB requires data fiduciaries to provide the following information relating to their processing of personal data, in the manner as may be specified by regulations:

    • Categories of personal data being collected.

    • The purpose for which such personal data is being processed.

    • Categories of data processed in exceptional situations or any exceptional purposes of processing that create a risk of significant harm (as defined under the DPB).

    • The existence of, and the procedures for the exercise of Data Principals’ rights.

    • Information relating to cross border transactions generally carried out by the data fiduciary.

    • The Data Trust Score of the data fiduciary (wherever applicable).

    The above list is not exhaustive, since the DPB also reserves the provision to add ‘any other information as may be specified by regulations’.

    In addition to the above, the data fiduciary is also required to inform the Data Principal of ‘important operations’ in the processing of personal data. However, what constitutes ‘important’ has not been defined under the DPB and has instead been left to be specified through regulations.

IV. Grounds for Processing personal data and SPD

The DPB requires all personal data to be processed on the basis of consent obtained in accordance with Clause 11 of the DPB, with the exception of certain limited circumstances where personal data may be processed without consent.

  1. Processing on the basis of consent

    • The DPB lays down the test for ‘valid consent’ for personal data, i.e. consent which is free (as per the Indian Contract Act), informed (considering whether the information required under the notice provision has been provided), specific (considering whether the Data Principal can determine the scope of consent for the purpose), clear (indicated through affirmative action in a meaningful way) and capable of being withdrawn (considering the ease of withdrawal of such consent compared to the ease with which consent was granted).

      The consent requirements under the DPB would also require data fiduciaries to enable Data Principals to withdraw consent and request correction or erasure of the data.

    • “Explicit consent” remains the only permissible ground for processing and transfer of SPD. “Explicit consent” has been defined as consent that is obtained in clear and specific terms without recourse to inference from conduct or context, and after informing the Data Principal of the purposes of processing activities which are likely to cause significant harm, and providing the Data Principal with options to separately consent to the purposes of, operations in, and use of different categories of SPD. Obtaining explicit consent can prove to be impracticable or inappropriate in certain situations, such as in the case of processing SPD of employees, capture of biometric data such as video feed from security cameras, or in situations where such data is processed for fraud detection, or for the purposes of complying with regulatory reporting requirements or court orders.

    • In an attempt to make consent more meaningful and prevent its abuse, the DPB also provides that data fiduciaries cannot make the provision of their goods / services conditional on the Data Principal consenting to the collection and processing of personal data that is not necessary for the provision of those goods / services, and that goods / services cannot be denied on the basis of the Data Principal’s exercise of that choice. Conversely, where the processing of personal data is necessary for the provision of a service, a data fiduciary may make the provision of that service conditional on obtaining the Data Principal’s consent. Considering the increasingly complex nature of personalized services derived from processing multiple fields of personal data, determining whether a given item of personal data is necessary for the provision of a specific service could become a complicated exercise based on the unique circumstances of each product or service in consideration.

    • The DPB places the burden on the data fiduciary to demonstrate that consents obtained by it, adhere to the elements specified above. Under the current scheme of the DPB, discharging this burden will require a data fiduciary to prove the absence of coercion in obtaining consent. This goes against the basic principles of burden of proof.

    Consent Manager:

    The DPB has introduced the concept of ‘consent managers’, identified as data fiduciaries who will enable Data Principals to gain, withdraw, review and manage consent through “accessible, transparent and interoperable” platforms. These consent managers are to be registered with the DPA and will be subject to certain regulations as the DPA may specify.

    The idea of ‘consent managers’ is innovative but relatively untested in practice for personal data, though to a certain extent, the “Account Aggregator” framework prescribed by the Reserve Bank of India (RBI), contemplates a similar role for Account Aggregators, requiring them to develop platforms that enable customers to manage consent and information across financial accounts and products. The underlying intention appears to be mitigation of ‘consent fatigue’ and providing greater awareness to the uninitiated. These entities will be a new class of players in the data ecosystem. It will be interesting to keep an eye on the implementation of the consent manager framework.

    It appears from the role of the consent manager that they are supposed to act as a service provider to Data Principals to manage their consent. If that is the case, consent managers should not be categorized as data fiduciaries; they would fit better as a separate category of data processors subject to limited compliances. In order to qualify as data fiduciaries under the DPB, consent managers would have to determine the purpose and means for processing of data, which a service provider acting on the Data Principal’s instructions does not do.

  2. Processing on grounds other than consent

    Personal data may be processed without consent for specified grounds including:

    • if processing is “necessary” for: (a) the performance of certain State functions (i.e., the provision of any service or benefit to Data Principal, or the issuance of any certificate, license or permit); or (b) “under any law” that is made by Parliament or a State legislature;

    • for prevention, investigation or prosecution of any offence or any other contravention of any law;

    • for compliance with court orders;

    • in connection with legal proceedings;

    • in connection with disasters or medical emergencies;

    • for employment-related purposes (where the Data Principal is an employee of the Data Fiduciary);

    • for journalistic purposes;

    • for personal or domestic purposes;

    • for classes of research, archiving or statistical purposes specified by the DPA; and,

    • for reasonable purposes as specified by regulations issued by the DPA.

    “Reasonable purposes” may include prevention of unlawful activity, credit scoring, recovery of debt, network and information security, among other items. These reasonable purposes may be specified after taking into consideration factors such as the legitimate interest of the data fiduciary in processing for that purpose, whether it is reasonably expected and practicable for consent to be taken, the degree of adverse effect of the processing activity on the rights of the Data Principal, and the reasonable expectations of the Data Principal having regard to the context of processing.

    Although further clarity would be appreciated, a plain reading of section 12 indicates that SPD may be processed without consent on all the grounds specified above except employment-related purposes. The DPA is given the power to specify additional safeguards for the purposes of “repeated, continuous or systematic collection” of SPD for profiling.

    With respect to the State’s processing of personal data, the DPB grants fairly wide leeway to the State (see the first two grounds listed above). Ideally, State and non-State actors could have been treated at par in the DPB, to the extent that such treatment did not impede compelling State interests.

    From the perspective of businesses, it is a welcome move that consent has been retained as a prominent ground for the processing of personal data and SPD. This has been done in spite of voices to the contrary suggesting the exclusion of consent as a ground altogether. The ‘reasonable purposes’ provision leaves discretion with the DPA to notify additional purposes for which consent may not be required to process personal data. However, performance of a contract between the parties has not been specifically identified as a ground for processing without express consent. As these grounds are to be specified by the DPA, there may be an opportunity for industries to make representations for additional grounds to be added.

V. Personal and Sensitive Personal Data of Children

Age of consent: The DPB mandates that parental consent will be necessary for the processing of personal data of children (i.e., persons below the age of eighteen years).

Obligations of Data Fiduciaries: Data fiduciaries are to verify the age of children and seek parental consent before processing their personal data. Thus, the obligation to ensure age gating / verification, and the necessary tools, will have to be implemented by businesses. Age verification mechanisms are to be specified by regulations.

Bar on profiling/tracking children: Data fiduciaries are barred from undertaking activities such as profiling, tracking, behavioral monitoring, targeting advertising directed at children, or any form of processing that could cause significant harm to children.

This provision triggers when there is significant harm caused to children. While significant harm is defined, the interpretation of what encapsulates significant harm and who determines it is debatable.

These provisions may lead to practical implementation issues for the following reasons:

The DPB removes the concept of a “guardian data fiduciary” from the previous version and classifies all data fiduciaries processing children’s personal data as significant data fiduciaries (SDFs). Additionally, the exemption from consent granted to counseling and child protection services in the previous version has been removed.

There are certain platforms which are targeted / focused on young adults aged 14-18 such as casual gaming, education, or even specific video platforms. Seeking parental consent in each of these cases would not only be difficult but also impractical. While the Parliamentary Committee noted that stakeholders suggested that the age of children should be 13/14/16 years for the purpose of the definition, it did not adopt this recommendation.

Businesses catering to those below 18 might be affected. Education-focused startups that rely on targeted advertisements, for example, may suffer due to the bar on such processing of children’s personal data. Similarly, audio / video streaming platforms may not be able to offer suggestions based on individual preferences. Importantly, emerging technologies such as AI, which are used as teaching aids, may not be able to function, as profiling, tracking and behavioral monitoring of children will no longer be allowed, with no exceptions for such processing. Blanket restrictions such as this are likely to hinder effective service delivery to children, including for educational purposes.

VI. Rights of Data Principals: Right to Confirmation and Access / Right to Correction

The DPB provides detailed rights to the Data Principal to access and correct their data.

With regards to a right of review, the DPB grants rights to: (a) a confirmation about the fact of processing; (b) a brief summary of the personal data being processed; and (c) a brief summary of processing activities. Similarly, the right of correction has been developed in the DPB into a detailed step-wise process for how correction, completion or updating of the personal data should be done. The DPB also grants the right to request for erasure of personal data which is no longer necessary for the purpose for which it was processed.

In addition, the DPB also grants Data Principals, the right to access in one place and in a manner as may be prescribed via any regulations (a) the identities of all the Data Fiduciaries with whom their personal data has been shared; and (b) details as to the categories of their personal data which has been shared with such Data Fiduciaries, which seems quite onerous.

The DPB requires businesses to provide the Data Principal with summaries of the personal data being processed rather than the entire data dump. This may require some effort on the part of Data Fiduciaries.

VII. Data Portability

In an attempt to grant users more control over their data, the DPB introduces a provision with respect to data portability, whereby Data Principals may seek from the Data Fiduciary their personal data in a ‘structured, commonly used and machine-readable format’. The DPB however does not specify the technical specifications of such a format, or what the threshold for ‘common use’ would be.

The personal data to be provided to the Data Principal would consist of: (i) data already provided by the Data Principal to the Data fiduciary; (ii) data which has been generated by the Data fiduciary in its provision of services or use of goods; (iii) data which forms part of any profile on the Data Principal, or which the Data fiduciary has otherwise obtained.

Exemptions have been provided for instances where (i) the data processing is not automated; (ii) the processing is necessary for compliance with law, an order of a court or a function of the State; and, significantly, (iii) compliance with the request is technically not feasible. The erstwhile exemption in the PDP Bill for data that reveals trade secrets has been omitted from this version of the law.

In relation to points (ii) and (iii) of the personal data to be provided to Data Principals above, following issues arise:

  • It is not clear whether this provision would include the passing of the ‘ownership’ or ‘title’ of the processed data to the Data Principal or mere transfer.

  • It is not exactly clear what would constitute data which is ‘generated’ by the Data Fiduciary and which would also be in the nature of personal data. Would this extend to derivative data as well? This may result in digital businesses having to forcibly share user information, which may also include information / methodologies gathered by data analytics, with competitors. Hence, this may act as a disincentive for data technology innovation.

  • It is also not clear what constitutes ‘data which forms part of the profile of the Data Principal’, in particular how such ‘profile data’ differs from the personal data of the Data Principal.

Crucially, the right to data portability may be exercised not only against SDFs but against any Data Fiduciary. This covers not only large platforms that collect personal data but also smaller companies and startups that may collect personal data for the purpose of improving their services. While large platforms may be able to comply with these requirements, it may be difficult for smaller companies that lack resources to spare from their core services. For instance, major platforms are now introducing tools to enable transferring photos from one platform to another, but the obligation to provide personal data in such a format may be onerous for smaller companies, particularly when the standard for providing such personal data is not specified. Standards that are “commonly used” differ between developers, and the general populace may not be well versed in the technicalities of various formats. The purpose for which the data is sought also matters: the format suited to a user wanting to inspect their personal data may be quite different from the format suited to a user wanting to move their personal data to a different service. These practical issues are not adequately addressed by the DPB and need to be fleshed out more thoroughly.

VIII. Right to be Forgotten

The DPB introduces a ‘Right to be Forgotten’. The right can be exercised by a Data Principal only through an order of an adjudicating authority, which will determine the reasonableness of the request for erasure. This right appears to apply to publishers or intermediaries that may be regarded as Data Fiduciaries, such as content streaming platforms, e-commerce platforms, aggregators etc.

A Data Principal can request an order directing the Data Fiduciary to ‘restrict or prevent continuing disclosure or processing of personal data’. By bringing a restriction on ‘processing’ within the Right to be Forgotten, the DPB may unnecessarily widen the scope of this right. As a general concept, the right is meant to remove from the public domain information that is no longer relevant. Since ‘processing’ is a wider term, the right may restrict the use of data even in an anonymised form, or where it has been irreversibly integrated with other data sets. It should also be examined whether the exercise of the right should be subject to further restrictions, such as where processing is required under law.

Courts in India have adjudicated on the right to be forgotten in a number of instances.6 Notably, the Madras High Court observed that it would be more appropriate to wait for the enactment of a Data Protection Act and rules thereunder before recognising and enforcing a right to be forgotten. In this respect, enactment of this provision would be crucial.

The Right to be Forgotten is not absolute and is subject to the Data Principal showing that his/her right overrides (a) the right to freedom of speech and expression of any other citizen, (b) the right to information of any other citizen, or (c) the right of a Data Fiduciary to legally retain, use and process such personal data.

In addition, the Supreme Court in Justice K.S. Puttaswamy v. Union of India7 observed that the right to remain anonymous may form part of the fundamental right to privacy. While there seems to be no conclusive ruling to this effect in India, in the United States the right to publish anonymously is protected as part of the right to free speech. In McIntyre v. Ohio Elections Commission, the US Supreme Court said that “Anonymity is a shield from the tyranny of the majority. . .. It thus exemplifies the purpose behind the Bill of Rights and of the First Amendment in particular: to protect unpopular individuals from retaliation . . . at the hand of an intolerant society.” Even if it can be argued that the right to speak anonymously is protected by Article 19(1)(a) of the Constitution of India, Article 19(2) provides that a restriction in the interest of the security of the State is reasonable.

In any event, a Data Principal is empowered to request erasure of personal data that is no longer necessary for the purpose for which it was processed, and the storage limitation requirement ordinarily requires personal data to be deleted once the purpose of processing has been achieved.

IX. Data localization

The DPB provides that SPD may be transferred outside India, but a copy of the data must be stored in India. Further, certain CPD may be identified by the Central Government which must be processed only in India. Other personal data may be freely transferred and stored outside India. The intention appears to be to make the data localization obligation applicable only to SPD belonging to Indian residents; however, this has not been made clear, as the obligation presently applies generally to SPD under the DPB. One of the recommendations of the Parliamentary Committee is that the Central Government should, in consultation with sectoral regulators, prepare an extensive policy on data localisation broadly covering:

  • the development of adequate infrastructure for the safe storage of data of Indians, which may generate employment;

  • the introduction of alternative payment systems to cover higher operational costs;

  • the inclusion of systems to support local business entities and start-ups;

  • the promotion of investment, innovation and fair economic practices;

  • proper taxation of data flows; and

  • the creation of a local AI ecosystem to attract investment and generate capital gains.

The Parliamentary Committee also stated that the revenue generated from data localisation should be used for welfare measures in the country, especially to help small businesses and start-ups comply with data localisation norms, and that Government surveillance of data stored in India must be strictly based on necessity.

A few concerns arise:

Mixed data sets: It is very likely that data will be collected and stored as a mixed data set comprising both personal data and SPD, and at times possibly even CPD. Since it may be practically difficult to separate the SPD and CPD from such a data set, the entire data set would have to be stored locally on account of the SPD and CPD it contains. For example, as stated earlier, in the Indian context the surnames of individuals may indicate the caste or religion of Data Principals. Collected data may therefore contain items of SPD even where this was not intended.

CPD: The DPB does not give any guidance or examples on what data would comprise, or be notified as, CPD. Delegating the power to determine and notify CPD to the Government without specific guidance in the DPB grants excessive powers to the Government, which may not be preferable.

Data collected directly by foreign entities: It is to be determined whether data collected directly by foreign entities would be subject to the localisation requirement.

X. Cross Border Transfers

The DPB proposes that SPD may be transferred outside India only when:

  1. The transfer is subject to a contract or intra-group scheme (for entities within a group, similar to binding corporate rules) approved by the DPA in consultation with the Central Government,8 or

  2. The Central Government (in consultation with the DPA) prescribes a particular country or section within a country or a particular international organization (or class thereof) to which the transfer is permissible,9 or

  3. The DPA, in consultation with the Central Government, approves particular transfer(s) for a specific purpose.

In each case the Data Principal must also have explicitly consented to the transfer. CPD notified by the Central Government, by contrast, may be transferred outside India only in the following cases:

  • To a party outside India engaged in the provision of health services or emergency services, where the transfer is required for prompt action such as responding to a severe medical emergency, providing medical treatment or health services, or providing safety or assistance to an individual during a disaster or breakdown of public order (such a transfer must be reported to the DPA within a prescribed period), and

  • A particular country or section within a country or a particular international organization prescribed by the Central Government for which the transfer is deemed permissible.

The DPB continues to retain restrictions upon cross-border transfer of personal data, SPD and CPD. However, several modes of cross-border transfer have now been made subject to decisions taken by the Central Government. For instance, the DPA is now required to consult with the Central Government prior to approving intra-group schemes or standard contractual clauses for cross-border transfers of SPD. Likewise, the transfer of SPD to a foreign government is prohibited without the approval of the Central Government.

It appears that the Central Government favours the use of approved clauses / schemes between the transferor and transferee, or specifically notifying certain countries / organizations that, in its view, meet an adequate level of data protection and enforcement.

In addition, it is unclear as to whether the restrictions and compliances pertaining to cross border transfer of SPD would apply in the instance of direct collection of SPD of Indian Data Principals by Data Fiduciaries outside India, or if the restrictions may only apply to transfer of SPD from Data Fiduciaries in India (post collection from the Data Principal) to third parties outside India.

The explanation of what is against public or State policy includes an act that has a ‘tendency’ to harm the interest of the State or its citizens. It is unclear how the term “tendency” is likely to be interpreted.

XI. Breach notifications

A ‘data breach’ under the DPB includes breach of personal data as well as breach of NPD. While a breach of personal data is defined in respect of a particular Data Principal, a breach of NPD is defined as that which generally compromises its confidentiality, integrity or availability.

If there is a breach of personal data processed by the Data Fiduciary, the Data Fiduciary must notify the DPA of the breach within 72 hours of becoming aware of it. The notification must contain certain particulars, which may be submitted to the DPA together or in phases. Breach reporting is now mandatory (within 72 hours) and is no longer subject to the result of a self-assessment by the Data Fiduciary.

Further, while no reporting obligations have been included with regard to NPD breaches, the DPB contemplates the issuance of rules by the Government, for mitigating NPD breaches.

In case of a breach of personal data, the DPA may, after considering the breach and the severity of harm to the Data Principal, direct the Data Fiduciary to notify the Data Principal of the breach, undertake remedial actions and post the details of the breach on its website. The DPA may also direct the Data Fiduciary to adopt any urgent measures or remedy to mitigate harm to a Data Principal.

In case of a breach of NPD the DPA must take steps as may be prescribed later by the Government through subsequent rules.

It is unclear how the DPA will coordinate with specialised agencies such as the Computer Emergency Response Team (CERT-In) and MeitY’s Standardisation Testing and Quality Certification (STQC) directorate, which are currently responsible for monitoring and mitigating the impact of data breaches, and for testing and certifying hardware and software products. The DPB does not impose a general obligation on the DPA to consult other sectoral regulators. However, the specification of appropriate actions required of Data Fiduciaries in the aftermath of a data breach is within the scope of subjects on which the DPA may issue or approve a Code of Practice, and the DPA is required to consult sectoral regulators in developing a Code of Practice. It is therefore likely that CERT-In would be consulted in the development of the relevant Code of Practice.

XII. Significant Data Fiduciary

The DPA is empowered under the DPB to notify certain Data Fiduciaries or entire classes of Data Fiduciaries as ‘Significant Data Fiduciaries’ (SDFs).10 The concept of an SDF appears to stem from an attempt to identify and regulate entities that are capable of causing significant harm to Data Principals as a consequence of their data processing activities.

Accordingly, the DPB proposes that an SDF register itself with the DPA and prescribes greater levels of compliance for SDFs, such as carrying out data protection impact assessments prior to significant processing activities, record keeping, independent data audits, and the appointment of a data protection officer.

The data protection officer appointed by an SDF is required under the DPB to be a senior level officer or a key managerial personnel11 (in case of a company) or an equivalent employee (in case of other entities). The DPB also describes various functions of such a data protection officer including acting as the point of contact for redressal of grievances of Data Principals and advising the SDF on various compliances under the bill. The DPB also mentions that SDFs will be regulated by respective sectoral regulators.

In addition, the definition of an SDF includes (a) any social media platform12 with users above a threshold prescribed by the Government in consultation with the DPA, whose actions are likely to have a significant impact on the sovereignty and integrity of India, electoral democracy, security of the State or public order, and (b) Data Fiduciaries that process data relating to children or provide services to children. Such social media platforms are required to enable voluntary verification of their users in a manner that may be specified. It is not clear whether this will be specified by the DPA or the Central Government.

The factors to be taken into account for the notification of SDFs are quite subjective, leaving significant discretion with the DPA. Certain obligations like a data protection impact assessment prior to commencing data processing may slow down time-sensitive Big Data exercises and have a chilling effect on experimental processing activities.

As with the expanded definition of “harm”, the inclusion of certain types of social media platforms within the definition of “significant data fiduciaries”, appears to stem from concerns of harm arising from profiling. Social media platforms, whose actions are likely to have a significant impact on the sovereignty and integrity of India, electoral democracy, security of State or public order, have been designated as significant data fiduciaries. The inclusion of the phrase “electoral democracy” appears to acknowledge evidence of coordinated misinformation and voter manipulation campaigns run by third parties on major social media platforms in India and other jurisdictions.

The introduction of these provisions seems to stem from the broad purpose of the DPB as set out in the “Statement of Objects and Reasons”. As per the “Statement of Objects and Reasons”, the DPB seeks to bring a strong and robust data protection framework for India and to set up an authority for protecting personal data and empowering citizens with rights relating to their personal data, ensuring their fundamental right to “privacy and protection of personal data”, as well as to “ensure the interest and security of the State”.

While it is possible for social media platforms to make verification a part of their terms and conditions for users to register on the platform (which is a matter of contract between the platform and its user), a provision that mandates social media platforms to verify identities of its users and then identify their accounts as verified accounts may not be preferable, unless conclusively substantiated to be in the interest of security of the State. However, the current provision only prescribes voluntary verification of users. It is also important to note that anonymity may operate for at least two distinct levels – anonymity of the user with respect to the company that operates a platform, and anonymity of the user with respect to other users on the platform. The Government could consider requesting social media platforms to verify user accounts for the purpose of the company that operates the platform (in order to comply with law enforcement agencies, etc.) while allowing the users to retain anonymity with respect to other users on the platform.

The Parliamentary Committee also recommends holding social media platforms that do not function as intermediaries liable as publishers for content posted on their platforms via unverified accounts. While these recommendations do not find their way into the text of the law, they appear to be outside the scope of the DPB and may be subject to challenge.

XIII. Sandbox

The DPB has empowered the DPA to create a sandbox13 in public interest for the purpose of encouraging innovation in Artificial Intelligence, Machine Learning or other emerging technologies.

Eligibility: Data Fiduciaries as well as start-ups whose privacy by design policies have been certified by the DPA are eligible to apply.

Application: Data Fiduciaries applying for inclusion in the sandbox will have to submit the term for which it intends to use the sandbox (which cannot exceed 12 months), the innovative use of technology, Data Principals participating, and any other information as may be specified by regulations.

Term: The initial term cannot exceed 12 months; including any renewals, the maximum period for which a Data Fiduciary may use the sandbox is 3 years.

Exemptions: Participation in the sandbox will exempt the participating Data Fiduciary from certain obligations:

  • To specify clear and specific purposes for collection of personal data;

  • Limitation on collection of personal data;

  • Restriction on retention of personal data; and

  • Any other obligation under purpose and collection limitations under Sections 5 and 6 of the DPB.

The DPA is empowered to specify the penalties applicable to Data Fiduciaries participating in the sandbox, along with the compensation that can be claimed by Data Principals from such Data Fiduciaries. From a reading of the DPB, it appears that no additional penalties would be applicable to such Data Fiduciaries other than those specified by the DPA.

The DPA should keep in mind existing sectoral sandboxes while issuing these regulations.

XIV. Data Protection Authority

The DPB also contemplates the creation of an independent data protection authority (DPA). The DPA has been given a wide range of powers and responsibilities, which inter alia include:

  • making regulations under the DPB,

  • specifying the additional information to be included in a notice which the Data Fiduciary is required to provide to the Data Principal at the time of collection,

  • specifying reasonable purposes of processing of personal data without consent,

  • prescribing regulations in respect of processing of children’s personal data,

  • certification of privacy by design policy,

  • approval of codes of practice,

  • registration of ‘consent managers’,

  • notifying entities as SDFs,

  • taking steps as may be prescribed for data breaches, including personal data and NPD breaches; and

  • undertaking monitoring, testing and certification through a Government-verified agency to ensure the “integrity and trustworthiness” of hardware and software on computing devices, in order to prevent any malicious insertion that may cause a data breach.

The DPA also has powers that are crucial for most multinational corporate groups, such as the power to approve a contract or intra-group scheme by laying down conditions for the cross-border transfer of SPD and CPD.

These functions are multi-faceted, as they include powers and duties which are administrative, rule-making and quasi-judicial in nature. The range and extent of legislative power delegated to the DPA appears to be excessive, and should be adequately addressed.

The Parliamentary Committee Report recommends that the DPA should handle both personal data and NPD, which appears inappropriate and may lead to overlaps in jurisdiction. Moreover, there appear to be inherent conflicts in the regulatory mandate vested in the DPA. A review of the recommendations of the NPD Committee suggests that the primary purpose of regulating NPD is to promote the sharing of high-value NPD (including anonymised personal data) in order to accelerate the growth of the digital economy. Should the DPA be vested with such a mandate by way of subordinate legislation, it would be in direct conflict with the DPA’s mandate to ensure the security of personal data and prevent re-identification of anonymised personal data, since greater sharing of NPD is likely to increase the risk of re-identification and subsequent misuse of anonymised personal data. Anonymisation removes direct identifiers, but the attributes that remain can still be joined with other data sets that carry names.

The independence of the DPA is also debatable, considering the proximity of the DPA’s composition to the executive, i.e. the Central Government. Further, many functions that were previously autonomous to the DPA have now been made subject to the views of the Central Government (e.g. approving intra-group schemes for cross-border transfer of SPD must be done in consultation with the Central Government). The Central Government has also been empowered to issue binding directions to the DPA (see section XVII below). This lack of autonomy has also been raised in dissent notes submitted by a few members of the Parliamentary Committee.
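To make the re-identification risk discussed above concrete, the following Python example, added here and not part of the original article, carries out a linkage attack: an “anonymised” health data set with names removed is joined, on the remaining quasi-identifiers (PIN code, date of birth, sex), with an auxiliary list that still carries names. Both tables are constructed toy data, and the field names and the crude generalisation step are assumptions for illustration, not anything the DPB or the NPD Committee prescribes.

```python
"""Linkage attack on a 'de-identified' data release.

Added example, not part of the original article. All records below are
constructed toy data (an assumption for illustration); no real persons.
"""
from collections import Counter

# Columns treated as quasi-identifiers: none identifies a person alone,
# but the combination often does.
QUASI_IDENTIFIERS = ("pin", "dob", "sex")

# A release of "anonymised" health data: names removed, quasi-identifiers
# and the sensitive attribute kept. Constructed sample data.
ANONYMISED_RELEASE = [
    {"pin": "560001", "dob": "1985-03-12", "sex": "F", "diagnosis": "diabetes"},
    {"pin": "560034", "dob": "1985-09-20", "sex": "F", "diagnosis": "asthma"},
    {"pin": "400050", "dob": "1990-07-01", "sex": "M", "diagnosis": "hypertension"},
    {"pin": "400050", "dob": "1990-07-01", "sex": "M", "diagnosis": "none"},
    {"pin": "110001", "dob": "1978-11-30", "sex": "F", "diagnosis": "cancer"},
    {"pin": "110023", "dob": "1978-02-14", "sex": "F", "diagnosis": "none"},
]

# Auxiliary data the attacker already holds, e.g. a leaked customer list
# that carries names alongside the same quasi-identifiers. Constructed.
AUXILIARY = [
    {"name": "Asha Rao",    "pin": "560001", "dob": "1985-03-12", "sex": "F"},
    {"name": "Meena Iyer",  "pin": "560034", "dob": "1985-09-20", "sex": "F"},
    {"name": "Arjun Mehta", "pin": "400050", "dob": "1990-07-01", "sex": "M"},
    {"name": "Vikram Shah", "pin": "400050", "dob": "1990-07-01", "sex": "M"},
    {"name": "Priya Nair",  "pin": "110001", "dob": "1978-11-30", "sex": "F"},
    {"name": "Sunita Devi", "pin": "110023", "dob": "1978-02-14", "sex": "F"},
]


def qi_key(record):
    """The quasi-identifier tuple used to join the two data sets."""
    return tuple(record[q] for q in QUASI_IDENTIFIERS)


def k_anonymity(release):
    """Size of the smallest group of records sharing a quasi-identifier tuple.

    k == 1 means at least one record is unique on its quasi-identifiers and
    can be linked to a named person by anyone holding matching auxiliary data.
    """
    counts = Counter(qi_key(r) for r in release)
    return min(counts.values())


def link(release, auxiliary):
    """Re-identify release records by joining on the quasi-identifiers.

    Returns {name: diagnosis} for every record whose quasi-identifier tuple
    is unique in the release and matches exactly one auxiliary record.
    """
    release_counts = Counter(qi_key(r) for r in release)
    names_by_key = {}
    for aux in auxiliary:
        names_by_key.setdefault(qi_key(aux), []).append(aux["name"])

    reidentified = {}
    for record in release:
        key = qi_key(record)
        candidates = names_by_key.get(key, [])
        if release_counts[key] == 1 and len(candidates) == 1:
            reidentified[candidates[0]] = record["diagnosis"]
    return reidentified


def generalise(records):
    """Coarsen the quasi-identifiers before release: PIN prefix and birth year.

    This is the simplest mitigation; it trades data utility for a larger k.
    """
    coarsened = []
    for r in records:
        g = dict(r)
        g["pin"] = r["pin"][:3]
        g["dob"] = r["dob"][:4]
        coarsened.append(g)
    return coarsened


if __name__ == "__main__":
    print("k before generalisation:", k_anonymity(ANONYMISED_RELEASE))
    print("re-identified:", link(ANONYMISED_RELEASE, AUXILIARY))
    coarse = generalise(ANONYMISED_RELEASE)
    print("k after generalisation:", k_anonymity(coarse))
    print("re-identified after:", link(coarse, generalise(AUXILIARY)))
```

On the constructed data, four of the six “anonymised” records are unique on their quasi-identifiers and are linked back to a name and a diagnosis; only the two records that share a quasi-identifier tuple resist the join. Coarsening the PIN code and date of birth raises k to 2 and defeats this particular join, but k-anonymity is a necessary rather than sufficient protection: where every record in a group shares the same sensitive value, the join still discloses it, and an attacker with richer auxiliary data can narrow the group further.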

XV. Codes of Practice

The DPB contemplates codes of practice (similar to a self-regulatory mechanism) also to be issued by the DPA or approved by the DPA if submitted by an industry or trade association, an association representing the interests of Data Principals, any sectoral regulator / statutory authority or any departments of the Central or State Government.

These codes of practice should address more granular points of implementation including related to various compliances under the DPB, such as on notice requirements, retention of personal data, conditions for valid consent, purpose limitation, exercise of various rights by users, transparency and accountability measures, methods of destruction / deletion / erasure of personal data, breach notification requirements, cross-border data transfers, etc.

XVI. Privacy by design

Similar to the GDPR, the DPB stipulates that Data Fiduciaries implement a policy along the lines of a “Privacy by Design” principle.14 Further, subject to regulations made by the DPA, Data Fiduciaries may submit their privacy by design policy to the DPA for certification; upon examination and evaluation by the DPA or its authorized officer, the policy is certified to be in compliance with the requirements of the DPB. Such a certified policy has to be published on the websites of both the Data Fiduciary and the DPA.

Hence, industry players would have to build privacy and its related principles into their systems and architecture at the time of launching their business or operations, and not as an afterthought. However, the fact that certification by the DPA is not mandatory may ease the overall compliance burden.

XVII. Power of the Government to issue directions to the DPA

The Government is empowered under the DPB to issue directions to the DPA in the interest of sovereignty and integrity of India, security of the State, friendly relations with foreign States or public order. The DPA is bound to abide by these directions but would be given an opportunity to express its views beforehand, as far as practicable.

The power to issue binding directions by the Government to the DPA was limited to questions of policy in the PDP Bill. This power of the Government has now been expanded widely allowing it to issue binding directions beyond just policy questions subject to certain grounds.

XVIII. Exemptions

The DPB also has provisions that exempt certain kinds of data processing from its application.

Outsourcing

In what may be a welcome provision for the Outsourcing industry, the Central Government can exempt the processing of personal data of Data Principals that are not within the territory of India. This can be done in respect of processing by data processors who are contracting with foreign entities. Indian outsourcing entities processing foreign individuals’ data therefore may be exempt from the provisions of the DPB.

Indian captive units of foreign multinationals may look forward to availing this exemption as far as foreign individuals are concerned.

Government and public interest

With respect to the Government’s own processing of information, the Central Government has the power, on various grounds of public interest,15 to direct the inapplicability of any or all provisions of the Bill to any agencies of the Government, subject to safeguards which are to be prescribed by rules.

Notably, the grounds of discretion are fairly broad and allow the government significant leeway to provide exemptions from the application of the DPB, whereas civil society had expressed the hope that the DPB would ensure that Government’s use of personal data would be restricted to necessary and proportionate instances. The dissent notes expressed by a number of the members of the Parliamentary Committee have also highlighted the liberal exemptions provided to the Government as a point of concern. Individuals will hence observe keenly whether the safeguards to be prescribed by rules under the DPB will meet the principles laid down by the Supreme Court in its 2017 Right to Privacy judgment.

The retention of this provision by the Parliamentary Committee has been objected to in separate dissent notes provided by 8 members of the Parliamentary Committee. The grounds for triggering the exemption are relatable to the reasonable restrictions on the freedom of speech and expression, as listed under Article 19(2) of the Indian Constitution. However, the possibility of an absolute exemption from all obligations of the DPB, may not fulfil the constitutional requirement for narrow tailoring of restrictions. While the revised provision clarifies that the exemption so granted would be subject to just, fair, reasonable and proportionate procedures, it is unclear whether this alone would remedy the widely worded scope of the exemption.

Processing of personal data in the interests of criminal investigation and prosecution, including “prevention”, is also exempt from most provisions of the DPB. Unlike the above provision, this exemption has not been conditioned with safeguards to be prescribed by rules. With law enforcement agencies gaining en masse access to biometric and facial recognition information, often cited to be in the interests of prevention of crime, civil society will have a significant concern on whether all such data is exempt from the safeguards in the DPB.

Small businesses; personal/domestic purposes

Certain provisions, such as the requirement to provide notice, transparency and accountability, and rights of the Data Principal, are also inapplicable in the case of personal data processed by a ‘small entity’ where such processing is not automated. A small entity may be defined by the DPA after considering the turnover of the Data Fiduciary, the purpose of collecting personal data and the volume of personal data processed. This provision appears intended to cover small brick-and-mortar businesses.

Other exemptions

Exemptions from many provisions of the Bill are also granted in other circumstances in connection with judicial functions, legal proceedings, and research, archiving, and journalistic purposes.

XIX. Penalties, Offences and Compensation

The DPB contemplates various streams of enforcement: penalties to be paid to the Government, compensation to the Data Principal, as well as criminal liability in certain cases.

  1. Financial Penalties

    The DPB follows the GDPR route in terms of financial penalties. It proposes financial penalties that may be prescribed, with a ceiling of INR 5 crore (approx. USD 655,982) or 2% of the ‘total worldwide turnover’ of the Data Fiduciary in the preceding financial year for certain contraventions, and a ceiling of INR 15 crore (approx. USD 1,967,947) or 4% of the ‘total worldwide turnover’ for others. Penalties arise in a variety of cases: violation of processing obligations, failure to implement security safeguards, unlawful cross-border data transfers, and failure to take prompt and appropriate action in case of a data security breach, among others. The term ‘total worldwide turnover’ includes not only the total worldwide turnover of the Data Fiduciary but also that of its group entities, where such turnover of the group entity arises from the processing activities of the Data Fiduciary.

  2. Criminal Penalties

    The DPB prescribes criminal penalties for re-identifying de-identified data without appropriate consent. These penalties are not limited to Data Fiduciaries or Data Processors but apply to ‘any person’ who knowingly or intentionally re-identifies and processes personal data, and extend to imprisonment for a term not exceeding three years or a fine which may extend to INR 2,00,000 (approx. USD 2,624).

  3. Compensation

    The DPB allows the Data Principal to seek compensation either from the Data Processor or the Data Fiduciary, for harm suffered as a result of any infringement of any provision in the law. Given some of the subjective provisions in the DPB and a specialized forum for redress, this may lead to a stream of data protection litigation.

  4. Class action

    The DPB also appears to allow for the institution of class action by Data Principals who have suffered harm by the same Data Fiduciary or Data Processor. These Data Principals or an identifiable class of Data Principals can institute a representative application on behalf of all such Data Principals for seeking compensation for harm suffered as a result of any infringement of any provision of the DPB. These actions can be filed before the DPA which may then forward them to a designated officer.

XX. Implementation Period

Elaborating on the recommended phased approach to implementation, the Parliamentary Committee suggested that the Chairperson and Members of the DPA should be appointed within three months; that the DPA should commence its activities within six months of the notification of the Act; that registration of Data Fiduciaries should start not later than nine months and be completed within a set timeline; that adjudicators and the appellate tribunal should commence their work not later than twelve months; and that the provisions of the Act should be deemed effective not later than 24 months from the date of notification of the Act. However, the DPB includes no provision to this effect. It simply allows the Government to bring different provisions of the DPB into force at different times by way of notification.

XXI. Road Ahead

As next steps, we will need to wait and watch how the parliamentary proceedings unfold, and it is possible that the DPB may go through further changes before it is passed as law. Given that the Parliamentary Committee has deliberated on this for about 2 years and provided more than 90 recommendations, it would not be amiss to open the DPB for public consultation and invite stakeholder comments.

In any event, irrespective of the course of legislative review adopted, the industry should start to focus on the development of Codes of Practice pertaining to subjects covered under the DPB. Given that the DPB continues to omit specific references to timelines for phased implementation, proactive engagement at this stage is likely to enhance the industry’s preparedness for complying with the DPB as and when enacted.



NDA Privacy and Data Protection Practice

You can direct your queries or comments to the authors


1 Section 43A: Compensation for failure to protect data

“Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, not exceeding five crore rupees, to the person so affected. (Change vide ITAA 2008) Explanation: For the purposes of this section (i) "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities (ii) "reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit. (iii) "sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.”

2 As per Section 39 of the DPB, the provisions that are not applicable to non-automated processing by small entities are Sections 7, 8, 9 and 17(1)(c), and Sections 19 to 32.

3 The DPB specifically bars the processing of biometric data unless such processing is “permitted by law”. Notably, the provision is quite wide, and it is unclear exactly which biometric data may not be processed.

4 The only entities exempted from the parental consent requirement are those guardian data fiduciaries who provide exclusive counseling or child protection services.

5 The determination of technical feasibility has also been made subject to rules prescribed by the Central Government.

6 X vs. Https://www.youtube.com/watch?v=iq6k5z3zys0 and ors. [Delhi HC - CS(OS) 392/2021]; Jaideep Mirchandani and Ors. vs. Union of India and Ors. [Delhi HC - W.P. (C) 8557/2021]; and Jorawer Singh Mundy vs. Union of India and Ors. [Delhi HC - W.P. (C) 3918/2021].

7 Judgment issued by the Supreme Court in Writ Petition (civil) No 494 of 2012, dated August 24, 2017.

8 The Authority may only approve standard contractual clauses or intra-group schemes that effectively protect the Data Principal’s rights, including in relation to further transfers from the transferee of the personal data, and that are not against public policy or State policy.

An act is deemed to be against public policy or State policy if it promotes breaches of any law, is against the relevant public policy or State policy, or has a tendency to harm the interests of the State or its citizens.

9 This would be subject to the Indian Government finding that the other country or section within a country or international organization shall provide for an adequate level of data protection for the personal data, as well as effectiveness of enforcement by authorities. Where SPD is being further shared to a third foreign government or agency, such sharing must be approved by the Indian Government.

10 The Data Protection Authority may from time to time notify certain Data Fiduciaries (or class of Data Fiduciaries) as SDFs based on:

  1. volume of personal data processed;

  2. sensitivity of personal data processed;

  3. turnover of the data fiduciary;

  4. risk of harm by processing undertaken by the fiduciary;

  5. use of new technologies for processing;

  6. any social media platform with users above a certain threshold number as may be prescribed by the Government in consultation with the DPA, whose actions are likely to have a significant impact on the sovereignty and integrity of India, electoral democracy, security of the State or public order;

  7. processing of children’s data or providing services to them; or

  8. any other factor causing harm to any data principal from such processing.

11 Key managerial personnel under the DPB may be the Chief Executive Officer or the managing director or the manager, the company secretary, the whole-time director, the Chief Financial Officer, or any other personnel as prescribed.

12 A ‘social media platform’ is defined as “a platform who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services”.

13 The expression "Sandbox" has been defined to mean such live testing of new products or services in a controlled or test regulatory environment for the limited purpose of the testing. The DPA may also permit certain regulatory relaxations for a specified period of time.

14 The policy needs to contain/specify (a) the organizational/business practices and technical systems in place to prevent harm to the Data Principal; (b) their obligations under the PDP Bill; (c) certification that the technology used to process personal data is in accordance with commercially accepted/certified standards; (d) that legitimate business interests, including innovation, are achieved without compromising privacy interests; (e) that protection of privacy is ensured throughout the life cycle of processing of personal data (from point of collection to deletion); (f) that personal data is processed in a transparent manner; and (g) that the Data Principal’s interests are accounted for at each stage of processing of personal data.

15 This may be done when the Central Government is satisfied that it is necessary to do so either (a) in the interest of sovereignty and integrity of India, security of the State, friendly relations with foreign States, public order; or (b) to prevent incitement to the commission of any cognizable offence relating to any of the grounds in (a) above.

Disclaimer

The contents of this hotline should not be construed as legal opinion.

This Hotline provides general information existing at the time of preparation. The Hotline is intended as a news update and Nishith Desai Associates neither assumes nor accepts any responsibility for any loss arising to any person acting or refraining from acting as a result of any material contained in this Hotline. It is recommended that professional advice be taken based on the specific facts and circumstances. This Hotline does not substitute the need to refer to the original pronouncements.