Technology Law Analysis
November 24, 2022
Digital Personal Data Protection Bill, 2022: Analysis and Potential Impact on Businesses
The Ministry of Electronics and Information Technology has published the draft Digital Personal Data Protection Bill, 2022 (“Proposed Law”) (accessible here) on November 18, 2022 for public consultation. The last date of submission of stakeholder comments is December 17, 2022.
The Indian Government has been in the process of introducing an extensive data protection law since 2018. Three drafts were issued prior to the current draft of the Proposed Law. The current draft of the Proposed Law is a significant change from its predecessor drafts and is more open – ended, leaving much to be prescribed by the Central Government. It does away with different categories of datasets (like critical or sensitive data). It also omits several onerous compliances including data localization, enhanced consent requirements for sensitive personal data, penalties on worldwide turnover, and also excludes governance of non-personal data The Data Protection Board of India (“Board”) is proposed to be the adjudicatory body for enforcement of the Proposed Law.
Our analysis of key provisions of the Proposed Law, their impact on businesses, and our recommendations are below.
The Proposed Law applies to the processing of digital personal data in India, where the personal data is (i) collected from the data principal online; and (ii) collected offline and subsequently digitized.1 While the Proposed Law uses the word “and” between (i) and (ii), the intent appears to be to make these “or” conditions so that the Proposed Law applies in either of the situations.
The Proposed Law is also designed to have extra territorial application, i.e. it applies to the processing of personal data outside India when such processing is in connection with any profiling of, or activity of offering goods or services to data principals located within the territory of India.2 Thus, the Proposed Law will apply to foreign entities as well, when this condition is satisfied.
“Profiling” has been defined broadly to mean any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a data principal.3
The Proposed Law defines “personal data” broadly to include any data about an individual who is identifiable by or in relation to such data.4 It is not clear what is the level of identification required e.g. is it by name or any other attribute e.g. identification of a person staying at X place.
Notably, the Proposed Law, unlike the earlier versions, does not distinguish between different types of data and all obligations and limitations (e.g. cross border transfer) under the Proposed Law apply to all “personal data” sets. However, some provisions suggest that the Central Government may make such a distinction for certain compliances.
The provisions of the Proposed Law do not apply to, inter alia, (i) non-automated processing of personal data5, and (ii) offline personal data.6 7 The fact that non-automated processing is not covered is also clear from the definition of “processing” (an automated operation or set of operations performed on digital personal data). With these exclusions, several non-digital businesses (which do not convert personal data into digital form subsequently), and businesses which manually collect and process personal data are excluded from the scope of the Proposed Law.
2. Data Fiduciary, Principal and Processor
The key definitions under the Proposed Law are as follows:
3. Notice and Consent
The Proposed Law imposes the obligation upon the data fiduciary to provide itemized notice11 of the data sets sought to be collected and purpose of processing; and obtain consent12 from the data principal on or before processing personal data. The languages of the notice should be clear and plain.13
The consent should be free, specific, informed and unambiguous.14
The Proposed Law states that “notice” can be a separate document or part of the same document through which the personal data is sought to be collected, or in such other form as may be prescribed. The Proposed Law could additionally add that the notice can be provided in the same document through which consent is being sought.15
Where a data principal has given consent to processing of her personal data prior to the commencement of the Proposed Law, the data fiduciary is required to provide an itemised notice in clear and plain language containing a description of the personal data collected and the purpose for which such data has been processed, as soon as it is reasonably practicable.16 This requirement should apply only prospectively since data fiduciaries may not have maintained records of the purpose of processing of personal data in the past in the absence of a law requiring this.
The data fiduciary is required to give an option to the data principal to access the request for consent in English OR any language specified in the Eighth Schedule to the Constitution of India.17 This requirement may be difficult for some entities, such as online platforms which only support the English language. It is advisable that platforms should be required to provide consent only in the languages supported by the platform.
Additionally, like the previous drafts, the Proposed Law recognizes the role of ‘consent managers.’ The consent manager has been defined as a data fiduciary which enables a data principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.18 However, since content managers are merely collecting consent on behalf of the data fiduciary, they should not be termed as “data fiduciaries” since unlike consent managers, data fiduciaries determine the purpose and means of processing of personal data and are therefore subject to strict compliances.
The Proposed Law introduces the concept of ‘deemed consent’ where the data principal is deemed to have given consent for the processing of their personal data. under the following instances:
The implication of the inclusion of the concept of ‘deemed consent’ is that entities need not obtain consent from the data principal for the above-mentioned purposes of collection and processing. This is along the lines of the concept of alternate grounds of processing of data under the GDPR. In our view, the instances specified at 3, and 5-9 above should not be treated as consent- based grounds for processing. Treating such instances as consent-based grounds for processing would imply that consent may be withdrawn by the data principal, which cannot be the intent of the Proposed Law. To illustrate: Consent may be deemed for compliance with any judgment or order issued under any law. A data principal cannot be permitted to withdraw their consent in case of such legal obligations.
It would be more appropriate for processing on such grounds to be categorized as “other grounds of processing”, or “lawful grounds for processing” which are not consent-based. Further, in some instances the exact purposes for which deemed consent is being given is not clear .
Other contemporaneous legislations such as the GDPR have multiple grounds for lawful processing of personal data apart from ‘consent’, which the Proposed Law appears to have clubbed under the single head of ‘deemed consent.’ The GDPR permits processing of personal data in case of (1) contractual necessity, (2) legitimate interests, (3) legal obligations, (4) public interest, and (5) vital interest (i.e., in matters of life or death).
The term “public interest” is used in Sections 8(9) and 30(2) other than Section 8(8) discussed in point 8 above. It needs to be clarified whether the guidance provided under Section 8(8) applies in relation to Sections 8(9) and Section 30(2) as well. .Additionally, several inclusions under Section 8(8) such as credit scoring, recovery of debt, etc. cannot be termed as “public interest”.
4. Data Principal Rights and Duties
The data principals may exercise certain rights with respect to their personal data. While the Proposed Law enumerates the rights, it does not set out the procedure/manner in which such rights may be exercised:
Notably, a data principal does not appear to have any rights against the data processor. The above-mentioned rights are only applicable with respect to a data fiduciary.
There are also several duties of data principals under the Proposed Law. Data principals are prohibited from (i) registering a false or frivolous grievance or complaint with a data fiduciary and (ii) from providing false information or suppressing material information, or impersonate another person, including while applying for any document, service, proof of identity, or proof of address. It is unclear if this obligation only relates to data provided to the government or also to private bodies. The Proposed Law imposes a penalty of up to INR 10,000 for non-compliance by the data principal of its duties.35
Moreover, the prohibition on providing false information seems to overlap with the prohibition under the Indian Penal Code, 186036 (“IPC”) which prohibits the furnishing of false information to any public servant.
5. Data Fiduciary Obligations
The Proposed Law imposes certain obligations on the data fiduciaries to ensure security of personal data by taking reasonable security safeguards to prevent personal data breach. The Proposed Law does not prescribe or recommend the standards that should be implemented. Additionally, data fiduciaries should see to it that personal data processed by or on behalf of it is accurate and complete. A snapshot of the data fiduciary obligations are provided below:
With respect to ensuring accuracy of personal data where it affects the data principal,the scope of the word “affect” is unclear. It should be clarified that the obligation triggers when it affects the ability of the data principals to avail of some benefits (e.g. goods or services) For instance, a decision on whether to provide a loan to a data principal.
Further , the requirement to ensure accuracy at the time of disclosure to other data fiduciaries44 should also exist only in cases where it affects the data principal. Otherwise this requirement is onerous as data fiduciaries may simply be transferring/sharing data sets to group entities that are data fiduciaries as well.
The Proposed Law does not clearly distinguish between the role of a DPO (see Significant Data Fiduciaries below) and grievance officer unlike the previous drafts and the Intermediary Guidelines which contain similar grievance redressal obligations. Instead, the Proposed Law requires the DPO to ensure compliance as well as redress data principal grievances. We recommend that the roles of the DPO and grievance officer be delineated for clarity and independence of grievance redressal mechanism.
The Proposed Law also does not specify the technical and organizational measures/security safeguards required to be implemented which is a welcome move. Industry specific standards can develop over time basis factors such as sensitivity of the data, risk involved, nature of the industry etc. These standards can be adhered to by entities in the industry.
6. Data Processor Obligations
The Proposed Law does not prohibit contractual arrangements between the data fiduciary and the data processor in respect of inter-se liability for obligations.
7. Significant Data Fiduciaries
The Central Government may classify a Data Fiduciary or a class of Data Fiduciary as a Significant Data Fiduciary (“SDF”) based on the volume and sensitivity of the data processed by them, the risk of harm to the data principal, potential impact on the sovereignty and integrity of India and other such factors.48 A SDF would have certain additional obligations such as having to appoint a DPO in India49 and an independent Data Auditor50, along with undertaking certain additional measures such as data protection impact assessments.51 In this Section, “such other measures” is open ended. Guidance should be provided in the Act itself as to what type of measures could be imposed on SDFs.
The Proposed Law exempts certain compliances including data fiduciary obligations, notice and consent requirements for certain specified circumstances including processing of personal data is necessary for enforcing any legal right or claim; performance of any judicial or quasi-judicial function; personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law; and where the personal data of data principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India.52
Additionally, Proposed Law also enables the Central Government to exempt the applicability of the Proposed Law by way of notification under the following circumstances:
Additionally, the Proposed Law states that the Central Government, by notification, notify certain data fiduciaries or class of data fiduciaries to whom the provisions of Section 6, Section 9(2), Section 9(6) and Sections 10, 11 and 12 of the Proposed Law will not apply. The reason for selection of these specific provisions is not clear in the Proposed Law. Additionally, it is unclear currently what types of data fiduciaries may be excluded by way of this provision.
It should also be clarified that the exemption for processing of personal data by courts/tribunals also applies to judicial bodies outside India. Litigation proceedings involving Indian multinational companies may take place globally. Disputes involving Indian parties are also increasingly referred to foreign institutional arbitrations.
The Proposed Law contemplates an exemption to outsourcing activities55 i.e. where personal data of individuals outside India is processed in India basis a contract. However, the cross-border transfer restriction continues to apply in respect of such data as well.56 The continuance of applicability of the cross-border transfer restrictions to personal data of data principals outside India is inefficient and contradictory to the intent behind providing the exemption for outsourcing activities. Further, we also note that the State and its instrumentalities have been absolved from the requirement to erase data at the end of processing and when the purpose of collection of the personal data has been fulfilled57 (see Data Retention below). This may lead to arbitrary retention of data for extended periods of time without reasonable justification.
9. Retention of Personal Data
Personal data should not be retained if the (i) retention is no longer necessary for legal or business purposes58 and (ii) the purpose for which such personal data was collected is no longer being served by its retention.59
The term “business purpose” is not defined. Thus, data fiduciaries may have flexibility in defining business purpose at the time of taking consent. The retention period can be determined basis factors relevant to a specific industry since retention of data for longer periods of time may be significant for some industries. For instance, longer retention periods of medical records is an industry practice in certain jurisdictions since it is beneficial to the data principal.
10. Transfer and Cross-border Transfers of Data
Data may be transferred between data fiduciaries, or data fiduciary and data processor only upon the data principal consenting to such transfer.60
Personal data can be transferred to only those countries which are notified by the Central Government in accordance with terms and conditions as may be prescribed.61 At present, there is no sight on the countries likely to be notified, nor factors basis which countries may be notified. It is possible that this determination by the Central Government will be based on political considerations and geo-political issues, in the absence of the Proposed Law identifying the basis on which countries will be white-listed.
Further, since “personal data” is broadly defined, this Section will apply to all types of data, irrespective of whether it is sensitive or not. A better approach may be an adequacy test, i.e., transfers permitted to countries having an adequate level of data protection.
11. Children’s Data
Under the Proposed Law, ‘child’ is an individual below eighteen years.62 However, the Proposed Law (unlike its predecessor drafts) does not require data fiduciaries to undertake KYC to determine if a user is in fact a child. Accordingly, it is unclear whether the obligations in relation to processing of personal data of children apply only upon users disclosing they are children.
Data fiduciaries processing personal data of children have to comply with additional obligations:
Further, there appears to be a drafting error in the wording of the prohibition on tracking and targeted advertising, which is not linked to processing of personal data of a child, unlike the previous sub-section.
In any case, the Guidelines for the Prevention of Misleading Advertisements and Endorsements for Misleading Advertisements, 2022 (“Misleading Ads Guidelines”) issued by the Central Consumer Protection Authority, already contain exhaustive provisions regulating advertisements that address or target children. The Misleading Ads Guidelines apply to all forms, format, or mediums of advertisements. The provisions under the Misleading Ad Guidelines, being a special law dealing with such advertisements, should be the sole regulations for such advertisements, and the prohibition under the Proposed Law should be deleted.
12. Data Protection Board of India
An adjudicatory body - the Board is proposed to be established under the Proposed Law . The Board will function digitally, and will be digital by design in terms of receipt of complaints, hearings, pronouncement of decisions, and other functions.66
The functions of the Board appear to be mainly adjudicatory in nature, and would include determination of non-compliance; and adoption of urgent remedial measures in cases of personal data breaches.
13. Voluntary Undertaking
The Proposed Law also introduces the concept of ‘voluntary undertaking.’67 The Board may accept a voluntary undertaking in respect of any matter related to compliance with provisions of Proposed Law from any person at any stage.68 Such voluntary undertaking may be publicized,69 However, the language of the provision is unclear on the aspect of whether every instance of voluntary undertaking has to be publicized or whether the Board may require specific instances of voluntary undertaking to be published.
14. Personal Data Breaches
“Personal Data Breach” has been defined as any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.70
The Proposed Law obligates the data fiduciary or the data processor to notify the Board and the affected data principals in the event of a personal data breach.71 The obligation to notify data principals does not exist under Indian law currently. It is unclear why both the Board as well as the data principal must be informed in the first instance. Ideally, the obligation should be limited to informing the Board, and upon the Board requiring notification to the data principal depending on the severity of the issue or the likely impact upon the data principal, they may be informed. Even if data principals are to be informed at the first instance, this should be limited to situations where certain action is required on part of the data principal for security, such as changing of password.
It appears from the wording of the provision that the data fiduciary and data processor can contractually determine which of the two will be responsible for breach notification.
Currently, reporting obligations in case of “cyber security incidents” exists under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“2013 Rules”) and the recently introduced direction relating to “information security practices, procedures, prevention, response, and reporting of cyber incidents for Safe & Trusted Internet” issued by the Indian Computer Emergency Response Team (“CERT-In”). Under the Information Technology Act, 2000 (“IT Act”), CERT-In, which is a statutory body empowered to deal with cyber security issues, has the powers to issue guidelines, directions, etc. to entities in response to cyber security incidents. On a similar note, the Proposed Law also empowers the Board to direct data fiduciaries to adopt urgent measures to remedy personal data breaches or mitigate harm caused to data principals. Therefore, in cases of incidents reportable under both laws, an entity may need to not only report the breach to two statutory bodies but may also need to comply with directions issued by two separate bodies. Additionally, the question arises if the Board will have the expertise to understand the complexity of data breaches to be able to issue measures that will help remedy a breach or mitigate harm.
Upon the conduct of an inquiry, if the Board finds non-compliance by an individual to be significant, it may impose a financial penalty for up to INR 500 crore.72 The Proposed Law also prescribes specific penalties of INR 50 crore – INR 250 crore for failure to take reasonable security safeguards to prevent personal data breach; failure to notify the Board and affected data principals of data breaches; non-compliance with additional obligations for SDFs.73 The most significant penalties under the Proposed Law are for failure to comply with the data-breach obligations under the Proposed Law.
Unlike the previous drafts, the Proposed Law does not enable affected data principals to seek compensation for breaches by data fiduciaries. This may disincentivize individuals from pursuing costly adjudication before the Board.
The Act should provide that the Board should publish a guidance for determination of the quantum of penalties (to bring in transparency). Additionally, the decisions of the Board should be made publicly available.
16. Delegated Legislation
In total, at 18 places, the Proposed Law contains the term “as may be prescribed” meaning that the scope of obligations and restrictions remains open ended for now . These aspects include form and manner of personal data breach notifications; registration and functions of consent manager; parental consent for processing of personal data of children; composition of the Board; conduct of data protection impact assessments and audits etc. It is recommended that appropriate legislative guidance be provided for each rule making power. .
17. Timelines for Compliance and Other Existing Laws
Unlike its predecessor drafts, there are no specific timelines for compliance prescribed for the implementation of the Proposed Law. This should be clearly indicated, so that businesses can plan their compliances accordingly. It should also be clarified that the Proposed Law will only apply prospectively.
The Proposed Law states that in the event of any conflict between a provision of this Act and a provision of any other law for the time being in force, the provision of this Act shall prevail to the extent of such conflict. There are sectoral laws where there may be provisions contrary to the Proposed Law. E.g. RBI has mandated payments data localization but under Section 17 of the Proposed Law cross border data transfer may be permissible. This may create confusion in terms of compliance. Hence, clarity is required in this regard.
Once the Proposed Law is enacted, Section 43A of the IT Act (this provision provides for the compensation for failure to protect data and specifically, the SPDI Rules has been enacted for this purpose) will be omitted.74 The Proposed Law does not explicitly repeal Section 72A of the IT Act, which prescribes a penalty (including imprisonment and fines) for service providers disclosing personal information about a person without their consent, or in breach of contract, with intent to cause, or knowledge that such breach is likely to cause wrongful loss to the person, or wrongful gain to the service provider. The Government may consider repealing this provision as well, and consolidating all prohibitions under the Proposed Law.
The Proposed Law seeks to amend the Right to Information Act, 2005 to bar the disclosure of personal data if its disclosure has no relationship to any public activity or interest or if it would cause unwarranted invasion of the privacy of the individual. However, a Public Information Officer can direct the disclosure of such personal information if the authority is satisfied that "the larger public interest.”75
You can direct your queries or comments to the authors
1 Section 4(1), Proposed Law.
2 Section 4(2), Proposed Law.
3 Section 4(2), Proposed Law.
4 Section 2(13), Proposed Law.
5 Section 4(3)(a), Proposed Law.
6 Section 4(3)(b), Proposed Law.
7 Additionally the Proposed Law also provides an exemption for (i) personal data processed by an individual for any personal or domestic purpose; and (ii) personal data about an individual that is contained in a record that has been in existence for at least 100 years.
8 Section 2(5), Proposed Law.
9 Section 2(6), Proposed Law.
10 Section 2(7), Proposed Law.
11 Section 6, Proposed Law.
12 Section 7, Proposed Law.
13 Section 6(1), Proposed Law.
14 Section 7(1), Proposed Law.
15 Explanation (a) to Section 6(2), Proposed Law.
16 Section 6(2), Proposed Law.
17 Section 6(3), Proposed Law.
18 Section 7(6), Proposed Law.
19 Section 8(1), Proposed Law.
20 Section 8(2), Proposed Law.
21 Section 8(3), Proposed Law.
22 Section 8(4), Proposed Law.
23 Section 8(5), Proposed Law.
24 Section 8(6), Proposed Law.
25 Section 8(7), Proposed Law.
26 Section 8(8), Proposed Law.
27 As per Section 8(8) of the Proposed Law, ‘public interest’ includes “(a) prevention and detection of fraud; (b) mergers, acquisitions, any other similar combinations or corporate restructuring transactions in accordance with the provisions of applicable laws; (c) network and information security; (d) credit scoring; (e) operation of search engines for processing of publicly available personal data; (f) processing of publicly available personal data; and (g) recovery of debt.”
28 Section 8(9)(a), Proposed Law.
29 Section 8(9)(c), Proposed Law.
30 Section 12, Proposed Law.
31 Section 13, Proposed Law.
32 Section 14, Proposed Law.
33 Section 14, Proposed Law.
34 Section 15, Proposed Law.
35 Section 16, Proposed Law.
36 Section 177, IPC.
37 Section 9(1), Proposed Law.
38 Section 9(2), Proposed Law.
39 Section 9(3), Proposed Law.
40 Section 9(4), Proposed Law.
41 Section 9(5), Proposed Law.
42 Section 9(7), Proposed Law.
43 Section 9(9), Proposed Law.
44 Section 9(2)(a), Proposed Law.
45 Section 9(4), Proposed Law.
46 Section 9(5), Proposed Law.
47 Section 9(9), Proposed Law.
48 Section 11(1), Proposed Law.
49 Section 11(2)(a), Proposed Law.
50 Section 11(2)(b), Proposed Law.
51 Section 11(2)(c), Proposed Law.
52 Section 18(1), Proposed Law.
53 Section 18 2(a), Proposed Law.
54 Section 18 2(b), Proposed Law.
55 Section 18(1)(d), Proposed Law.
56 Section 17, Proposed Law.
57 Section 9(6), Proposed Law.
58 Section 9(6)(b), Proposed Law.
59 Section 9(6)(a), Proposed Law.
60 Section 9(9), Proposed Law.
61 Section 17, Proposed Law.
62 Section 2(3), Proposed Law.
63 Section 10(1), Proposed Law.
64 Section 10(2), Proposed Law.
65 Section 10(3), Proposed Law.
66 Section 19, Proposed Law.
67 Section 24, Proposed Law.
68 Section 24(1), Proposed Law.
69 Section 24(2), Proposed Law.
70 Section 2(14), Proposed Law.
71 Section 9(5), Proposed Law.
72 Section 25(1), Proposed Law.
73 Schedule 1, Proposed Law.
74 Section 30(1)(a), Proposed Law.
75 Section 30(2)(a), Proposed Law.
The contents of this hotline should not be construed as legal opinion. View detailed disclaimer.