I. Background
On August 3, 2023, the Digital Personal Data Protection Bill, 2023 (“DPDP Bill”) was introduced by the Central Government in the Indian Parliament. The DPDP Bill is the fifth iteration of the personal data protection legislation and appears to be based on the draft Bill released by the Ministry of Electronics and Information Technology on November 18, 2022, titled Digital Personal Data Protection Bill, 2022, which was open for public consultations. The DPDP Bill focuses on digital personal data and does not apply to non-personal data. Once enacted, the DPDP Bill will replace Section 43A of the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data of Information) Rules, 2011 (“SPDI Rules”).
II. Key Highlights
1.1 Applicability –
- Only applies to digital personal data – The DPDP Bill only applies to personal data that is collected in digital form, or that is collected in non-digital form and subsequently digitized.
- Overseas applicability – The DPDP Bill applies to digital personal data that is processed outside India only if such processing is in connection with any activity related to the offering of goods or services to data principals (data subjects) in India.
- Exclusions – The DPDP Bill does not apply to: (i) personal data processed by an individual for any personal or domestic purpose; or (ii) personal data made publicly available by the data principal herself or any other person under a legal obligation.
1.2 Data Protection Principles – The DPDP Bill encapsulates the following essential principles:
- Purpose limitation – Personal data should only be processed for a lawful purpose for which the data principal has given her consent and in accordance with the DPDP Bill; and
- Collection limitation – Only such personal data should be collected which is necessary.
1.3 No sub-classification of personal data – The provisions of the DPDP Bill apply to all kinds of personal data and do not envisage sub-categories of personal data, such as sensitive personal data or critical personal data. Accordingly, the requirements of the DPDP Bill will apply equally to all forms of personal data, agnostic of the nature or type of the personal data. This approach deviates from the current Indian data protection law contained in the SPDI Rules, which distinguish between ‘personal information’ and ‘sensitive personal data or information’ and prescribe incremental compliance requirements for the processing of sensitive personal data or information.
1.4 Consent & Notice –
- Affirmative Consent – Consent is the underlying basis for processing personal data and needs to be free, specific, informed, unconditional and unambiguous. Such consent has to be provided by a clear affirmative action, and signify the data principal’s agreement for processing of her personal data for the specified purpose.
- Withdrawal of Consent – The data principal has the right to withdraw consent at any time with the same level of ease with which she gave her consent. Such withdrawal of consent will not affect the legality of processing of the personal data based on consent before its withdrawal.
- Notice – A notice needs to be provided to the data principal, along with or preceding every request for consent, informing the data principal about the personal data and the proposed purpose of processing; and the manner in which she may exercise her rights to withdraw consent, avail the grievance redressal mechanism and make a complaint to the DPB (defined below). Where the data principal has given consent for processing her personal data before the law comes into force, a similar notice needs to be provided to her, as soon as it is reasonably practicable.
- Notice & Consent in multiple languages – The data principal should have the option to view the notice and consent form in English or in any other language specified in the Eighth Schedule of the Constitution of India (which includes Urdu, Tamil, Telugu, Sanskrit, Punjabi, Marathi, Hindi, Kannada, Bengali, Gujarati, Kashmiri, etc.).
- Legitimate Uses (for processing without consent) – The DPDP Bill has rechristened as ‘legitimate uses’ the concept of ‘deemed consent’, which the draft bill released in 2022 envisaged for the processing of personal data for certain special use cases without the consent of the data principal. The legitimate uses for which a data fiduciary may process personal data of a data principal without obtaining her consent include processing for purposes of employment, for responding to medical emergencies, for performing any function under law or the State providing any service or benefit to the data principal, for compliance with any judgment or order issued under any law, etc. Grounds such as processing for performance of a contract and legitimate interests, which are available under the EU GDPR, are not contained in the DPDP Bill.
1.5 Obligations of Data Fiduciary – Data fiduciaries are responsible for compliance with the DPDP Bill, including for processing of personal data undertaken by a data processor on their behalf. Where data fiduciaries are processing personal data that is likely to be used to make a decision that affects the data principal or is to be shared with another data fiduciary, they are required to ensure the accuracy and completeness of such personal data. Data fiduciaries are also required to delete personal data if the data principal withdraws her consent or if it is reasonable to assume that the specified purpose is no longer being served, unless such retention is necessary for compliance with law.
1.6 Notification of personal data breach – Personal data breaches need to be intimated by the data fiduciary to the DPB and each affected data principal in such manner as may be prescribed.
1.7 Cross-border transfer of personal data – Personal data can be transferred by a data fiduciary to any other country or territory for processing, unless the Central Government restricts such transfer to any notified countries. In other words, the DPDP Bill adopts a blacklisting approach which implies that personal data is freely transferable unless the transfer is proposed to be made to a territory or a country which is ‘blacklisted’ by the Central Government. That said, the DPDP Bill clarifies that if there is any other law or sectoral regulation, which provides for a higher degree of protection for, or restriction on, transfer of personal data outside India, whether it is in relation to certain personal data or a class of data fiduciaries, such law or regulation will apply.
1.8 Significant data fiduciaries – The Central Government may notify any data fiduciary, or a class of data fiduciaries, as significant data fiduciaries taking into account multiple factors (such as the volume and sensitivity of personal data processed, risk to the rights of the data principal, security of state, etc.). Significant data fiduciaries need to comply with additional requirements, such as appointing an individual based in India as a data protection officer, appointing an independent data auditor to evaluate compliance with the DPDP Bill, conducting periodic audits and data protection impact assessments, and undertaking other measures as may be prescribed.
1.9 Data of Children and Persons with Disability – Verifiable consent of a parent/lawful guardian is required to process personal data of children and persons with disabilities. The DPDP Bill prohibits tracking or behavioral monitoring of, and targeted advertising directed at, children, and the processing of children’s data that is likely to cause any detrimental effect on the well-being of a child. Notably, the DPDP Bill enables the Central Government to exempt classes of data fiduciaries and processing for certain purposes from the requirement of obtaining parental consent and from the prohibition on behavioral monitoring. It also empowers the Central Government to exempt data fiduciaries processing data of children above a certain age but under 18 years, in certain situations, from the specific obligations attached to processing children’s data.
1.10 Rights of data principals – The DPDP Bill provides certain rights to data principals, which include the right to access information about personal data, including a summary of the personal data being processed, the underlying processing activities and any other information as prescribed, and the identities of all data fiduciaries and data principals with whom such data was shared; the right to correction and erasure of personal data; the right to nominate an individual to exercise rights on their behalf in the event of their death or incapacitation, etc. As per the DPDP Bill, data fiduciaries need to offer readily available grievance redressal mechanisms to data principals. In this regard, the data principal must exhaust all options for grievance redressal before approaching the DPB.
1.11 Data Protection Board of India – The DPDP Bill contemplates the establishment of a Data Protection Board (“DPB”), as an enforcement body, which will have powers, inter alia, to direct any urgent remedial or mitigation measures on receipt of intimation regarding a personal data breach, inquire into such breach, impose penalties for non-compliances, inspect any document, summon and enforce attendance of any person etc. An appeal may be preferred against an order of the DPB before the Telecom Disputes Settlement and Appellate Tribunal (“TDSAT”) established under the Telecom Regulatory Authority of India Act, 1997 within specified timelines, and in the prescribed manner. An appeal against the order of the TDSAT may be preferred before the Supreme Court of India.
1.12 Power to call for information and block access – The DPDP Bill empowers the Central Government to call for any information from the DPB, a data fiduciary or any intermediary. Where the Central Government receives a reference from the DPB stating that it has imposed monetary penalties on a data fiduciary in two or more instances and advising the blocking of public access to any information transmitted on any computer resource, the Central Government may direct the blocking of public access to such information on the grounds of public interest. Such an order has to be passed in writing and after giving the data fiduciary an opportunity to be heard.
1.13 Penalties –
- Monetary penalties for breach – Depending on the nature of the contravention, monetary penalties of up to INR 250 crores may be levied by the DPB on the conclusion of an inquiry. Several factors may be taken into account to determine the quantum of penalties, including the nature, gravity and duration of the breach, the type of personal data affected, the repetitive nature of the breach, etc.
- No Compensation – The DPDP Bill does not provide for payment of compensation to data principals whose personal data has been compromised. This is a deviation from the IT Act, which allows affected data principals to claim compensation from a data fiduciary that failed to implement reasonable security safeguards and, as a consequence, caused wrongful loss or gain. That said, the DPDP Bill casts certain duties on data principals, amongst others, to furnish only verifiably authentic information, not to impersonate another person while providing personal data for a specified purpose, not to register a false or frivolous grievance or complaint with a data fiduciary or the DPB, etc. For any breach of such duties, data principals may be penalized up to INR 10,000.
1.14 Voluntary Undertaking – The DPDP Bill also allows the DPB to accept, from a person facing action for non-observance of the law, a voluntary undertaking, which may include a commitment (a) to take action within a time frame determined by the DPB, (b) to refrain from taking specified action, and/or (c) to publicize the voluntary undertaking. Once such a voluntary undertaking is accepted by the DPB, it will constitute a bar on proceedings under the law as far as they relate to the contents of the voluntary undertaking.
1.15 Exemptions – The DPDP Bill exempts from applicability (a) all of its provisions, in the case of processing by certain notified instrumentalities of the State in the interests of the sovereignty and integrity of India, maintenance of public order, etc., and (b) some of its provisions, in case processing is necessary for enforcement of a legal right or claim, a merger or amalgamation, investigation or prosecution of an offence, etc. The DPDP Bill also enables the Central Government to exempt, by notification, certain data fiduciaries, including startups, from specified obligations such as notice and retention requirements, those applicable to significant data fiduciaries, etc.
III. Current Status
The DPDP Bill has been tabled before the Lok Sabha (Lower House of the Parliament) and is pending its consideration. Once it is cleared by the Lok Sabha, it will be forwarded to the Rajya Sabha (Upper House of the Parliament) for its concurrence. After the DPDP Bill is passed by both Houses of the Parliament (with or without any amendments), it will be sent to the President of India for her assent, after which it will be published in the official gazette and enacted as law.