On 18 November 2022, the Ministry of Electronics and Information Technology (‘MeitY’) released a draft of the Digital Personal Data Protection Bill, 2022 (‘the 2022 Bill’). The 2022 Bill is the fourth iteration of India’s proposed personal data protection framework and is a considerably leaner version compared to the erstwhile versions, including its predecessor, the Data Protection Bill, 2021 (‘the 2021 Bill’), introduced by the Joint Parliamentary Committee of the Indian Parliament.
Rachit Bahl, Rohan Bagai, and Archana Iyer, from AZB & Partners, draw comparisons between the 2022 Bill and the 2021 Bill, highlighting key similarities and differences and touching on issues surrounding consent, data transfers, data breach notifications, and the role of the supervisory authority, among others.
Background
Akin to the 2021 Bill, the 2022 Bill provides for the processing of digital personal data in a manner that recognises the right of individuals to protect their personal data, societal rights, and the need to process personal data for lawful purposes. The 2022 Bill also establishes a fiduciary relationship between data subjects (natural persons to whom the personal data relates) and data controllers (persons who determine the purpose and means of processing of personal data) and classifies them as ‘data principals’ and ‘data fiduciaries’ respectively, under the 2022 Bill.
As per the explanatory note published along with the 2022 Bill by the MeitY, the 2022 Bill frames out the rights and duties of the citizens (digital nagriks) on the one hand, and the obligations of the data fiduciary to use the collected data lawfully on the other hand. The 2022 Bill avoids legalese to a large extent and incorporates illustrations and contextual definitions so that its intent and meaning are easily understandable even by a layperson. Unlike the erstwhile bills, the 2022 Bill is not heavy on compliance and aims to promote ease of doing business especially for start-ups, whilst, at the same time, balancing individual rights. All in all, the 2022 Bill appears to be a business-friendly legislation.
Once enacted, the 2022 Bill will replace the existing data protection framework under Section 43A of the Information Technology Act, 2000 (‘the IT Act’), and the rules framed thereunder, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘the SPDI Rules’).
Applicability of the 2022 Bill
Digital personal data and online data
The 2022 Bill applies to the processing of digital personal data within the territory of India, where such personal data is collected from data principals online or offline, and subsequently digitised. The 2022 Bill does not apply to offline personal data – it only governs the processing of personal data that is collected online or is in digital form.
Processing of personal data by offshore businesses
The 2022 Bill also applies to the processing of digital personal data outside the territory of India, where such processing is connected with any profiling of, or activity of offering goods or services to, data principals within the territory of India. The 2022 Bill has done away with the ‘systematic activity’ determination for entities engaged in offering goods or services to data principals in India, which was found in the 2021 Bill.
Personal vs. non-personal data
The 2022 Bill focuses on personal data and does not apply to non-personal data, which was envisaged under the 2021 Bill. The Government of India (‘the Government’) may introduce a separate legislation that exclusively deals with non-personal data.
Other exclusions
The 2022 Bill excludes from its applicability the non-automated processing of personal data and personal data processed by an individual for any personal or domestic purpose. While the domestic use exemption was present under the 2021 Bill, the additional exclusion of the non-automated processing of personal data will mean that activities of manual processing or entry of data will be outside the purview of the 2022 Bill.
No sub-categorisation of personal data
One of the most significant changes under the 2022 Bill is the absence of any sub-categorisation of personal data. The existing regime under the SPDI Rules provides a higher protection to personal data that falls within the classification of sensitive personal data or information (‘SPDI’), which includes passwords, financial information, medical information, and biometric information. The 2021 Bill went one step further and characterised personal data into three buckets: personal data, sensitive personal data, and critical personal data, with differential compliance requirements for each of the datasets. However, under the 2022 Bill, there is no such sub-categorisation as it treats all personal data at par, regardless of its sensitivity or type.
Consent
Consent is the underlying basis for processing personal data even under the 2022 Bill. That said, unlike the 2021 Bill, given that there is no sub-classification of personal data into sensitive personal data and critical personal data, the norm under the 2022 Bill is to obtain consent by a clear affirmative action that is freely given, specific, informed, and unambiguous indication of the data principal’s wishes for the processing of all forms of personal data.
Deemed consent
On the other hand, the 2022 Bill introduces a new variant of consent coined as ‘deemed consent’ where the data principal is deemed to have given consent to the processing of their personal data in certain circumstances, where such processing is considered necessary. Some of these instances of deemed consent include a situation where a data principal voluntarily provides their personal data to the data fiduciary, for the performance of any function under the law, or the provision of benefits or services to the data principal by the State, compliance with any judgment or order issued under the law, responding to a medical emergency, purposes relating to employment, and in the public interest, including for the prevention and detection of fraud, mergers and acquisitions, and credit scoring.
This is not a completely new concept and was present under the 2021 Bill in the form of ‘grounds for processing of personal data without consent’. However, classifying the above grounds as ‘deemed consent’ could create ambiguity in terms of whether the data principal can exercise their right to withdraw consent or not.
Consent manager
Like the 2021 Bill, the 2022 Bill retains the concept of a consent manager registered with the Data Protection Board of India (‘the Board’) who will act on behalf of the data principal and enable such data principal to give, manage, review, and withdraw their consent.
Notice
The 2022 Bill requires the data fiduciary to give the data principal an itemised notice containing the description of personal data collected and the purpose of processing of such personal data. Such notice needs to be provided, in clear and plain language, and in English or any language specified under the Constitution of India (‘the Constitution’) (such as Urdu, Tamil, Telugu, Sanskrit, Punjabi, Marathi, Hindi, Kannada, Bengali, Gujarati, or Kashmiri), of the data principal’s choice.
The notice requirement under the 2021 Bill was broader as it required the data principal to be informed about not just the description of personal data and the purpose of processing of personal data (as contained in the 2022 Bill), but also identify the basis of processing, details of parties with whom such data may be shared, information regarding any cross-border transfer contemplated, the period of retention, rights of the data principals, and the procedure for grievance redressal, among others.
While the 2021 Bill required the notice to be available in multiple languages to the extent necessary and practicable, the 2022 Bill requires an option to be mandatorily provided to the data principal to choose any language specified under the Constitution while providing notice, as well as requesting consent.
Cross-border data transfers
For the transfer of personal data outside India, the 2022 Bill empowers the Government to notify, after assessment of necessary factors, countries or territories outside India to which a data fiduciary may transfer personal data, based on terms and conditions as it may prescribe. Under the 2021 Bill, there were differential and specific requirements for the transfer of different categories of personal data. For instance, there was a hard localisation requirement for cross-border transfers of critical personal data with limited healthcare and state security-related exemptions and soft localisation requirements for the transfer of sensitive personal data subject to the satisfaction of other conditions, such as explicit consent of the data principal, contract or intra-group schemes approved by the data protection authority, transfers to countries based on data protection adequacy principle, etc.
While removal of data localisation requirements under the 2022 Bill is a welcome move to allow the free flow of data, it is not clear whether the proposed legislation will allow cross-border transfers to countries not whitelisted by the Government as it offers no exceptions or alternative mechanisms for transfers to such jurisdictions, such as Standard Contractual Clauses (‘SCCs’) or intra-group schemes.
Children’s data
Similar to the obligations under the 2021 Bill, the 2022 Bill also provides that children’s personal data (persons below the age of 18) can be processed only after obtaining verifiable parental consent or of a lawful guardian. Also, children’s data cannot be processed by the data fiduciary where it is likely to cause harm to a child, or used for tracking, or for behavioural monitoring or targeted advertising. Interestingly, the restrictions on profiling and requirements to process data in the best interests of the child, under the 2021 Bill, are absent from the 2022 Bill.
The 2021 Bill provided certain level of guidance on the manner of verification of the age of child, such as by taking into account the volume of data processed or the possibility of harm. However, the 2022 Bill provides no such direction. Accordingly, it may be incumbent on the data fiduciary to put in place processes to verify if the data principal providing personal data is a child or not, which may be onerous, especially in today’s times where teenagers are avid users of social media platforms and the metaverse.
Data Protection Board vs. Authority
The 2022 Bill contemplates the establishment of the Board, which will be responsible for determining non-compliance with the 2022 Bill, imposing penalties, and other functions. Under the 2021 Bill, the domain of the Data Protection Authority of India (‘the Authority’) was wider, which included oversight over cross-border data transfers, audits, or the issuance of codes of practice. However, the 2022 Bill modifies the position where most of the aspects related to the implementation of the law are proposed to be prescribed by the Government through rules.
Data breach notifications
The 2022 Bill requires the data fiduciary or the data processor to notify the Board and each affected data principal in the event of a personal data breach. However, under the 2021 Bill, the obligation to notify the Authority of a data breach was only imposed on the data fiduciary. Additionally, the timeline for reporting a data breach within 72 hours of becoming aware of such breach under the 2021 Bill has been done away with under the 2022 Bill.
Under the 2021 Bill, the Authority had the discretion to direct data fiduciaries to provide notification to data principal(s) based on severity of harm caused to such data principals. The requirement under the 2022 Bill to notify the affected data principal of any breach without considering the seriousness of the situation or similar threshold could likely compromise the trust of the data principal on the data fiduciary.
Obligations of the data fiduciary
The obligations of a data fiduciary under the 2022 Bill are largely similar to those contemplated under the 2021 Bill. However, some key requirements of ensuring transparency in the processing by way of publishing on its website information relating to the fairness of the algorithm or method used for processing personal data or specific requirements to implement security safeguards, including the use of methods, such as de-identification and encryption, are not contemplated under the 2022 Bill.
Under the 2021 Bill, there was a requirement for the data fiduciary to resolve the grievances of a data principal within 30 days of receipt of complaint. Under the 2022 Bill, this timeline has been reduced to seven days for the data fiduciary to respond to a complaint failing which the data principal can register a complaint with the Board.
SDFs
Similar to the prescription under the 2021 Bill, under the 2022 Bill, the Government may notify any data fiduciary or class of data fiduciaries as a Significant Data Fiduciary (‘SDF’) after considering factors, such as the volume and sensitivity of the data processed, the risk of harm to a data principal, public order, and security of the State. Such SDF needs to appoint a data protection officer (‘DPO’) based in India, appoint an independent data auditor to evaluate the compliance of the SDF with the provisions of the 2022 Bill, and undertake other measures, such as Data Protection Impact Assessments (‘DPIAs’) and periodic audits (as prescribed by the Government).
Unlike the 2021 Bill, under the 2022 Bill, SDFs have no separate registration requirement and social media platforms crossing certain thresholds are not automatically considered SDFs.
Rights and duties of data principals
Similar to the 2021 Bill, the 2022 Bill provides certain rights to data principals, which include the right to receive a summary of personal data being processed along with underlying processing activities, the right to correction and erasure of personal data, and the right to get grievances redressed. However, certain data principal rights, such as data portability and the right to be forgotten, which were available to data principals in the 2021 Bill, are absent in the 2022 Bill. Additionally, the 2022 Bill prescribes certain duties of the data principals which were not present in the 2021 Bill, such as compliance with provisions of all applicable laws while exercising their rights or not registering false or frivolous complaints or grievances.
Notably, the 2021 Bill specified certain grounds for refusal of a request by a data fiduciary (such as in case where such compliance will harm the rights of any other data principal), which is not envisioned in the 2022 Bill. This could mean that a data fiduciary may not be able to refuse any request of the data principal, regardless of the consequences of complying with such request.
Exemptions
Special use cases
Like the 2021 Bill, the 2022 Bill provides exemptions from applicability of certain provisions while processing personal data for certain purposes, such as the processing of personal data by a court for the performance of any judicial function or where it is necessary to enforce any legal right or claim. There is also an exemption available to processing personal data of data principals, not within the territory of India, by persons based in India within a contract with persons outside India. This enables Indian entities to process personal data of foreign residents in the capacity of data processors of offshore data fiduciaries. That said, such data processors in India will need to adhere to any SCCs or obligations imposed by foreign data fiduciaries or data controllers.
Government exemptions
The 2022 Bill gives wide powers to the Government to exempt from the application of the provisions of the 2022 Bill, certain government agencies, and instrumentalities of the State. The legal grounds for such exemption include:
- in the interest of sovereignty and integrity of India;
- the security of the State;
- friendly relations with foreign states; and
- the maintenance of public order.
Voluntary undertakings
The 2022 Bill introduces a new concept of ‘voluntary undertaking’ that allows the Board to accept certain commitments from a person facing action for non-compliance under the law which may include:
- taking specified actions within a specified time;
- refraining from taking specified actions; and
- publicising the voluntary undertaking.
Once such voluntary undertaking is accepted by the Board, proceedings under the 2022 Bill as far as it relates to the contents of the voluntary undertaking fall away.
Penalties
Under the 2022 Bill, depending on the nature of contravention, financial penalties up to INR 500 crore (approx. €59 million) for each instance of non-compliance may be levied. Factors, such as nature, gravity, and duration of non-compliance, type of personal data affected, or repetitive nature of non-compliance, may be taken into account to determine the quantum of penalties. On the other hand, under the 2021 Bill, some of the penalties were linked to the turnover of an entity (say, 4% of the annual turnover) depending on the gravity of the contravention, such as in cases of failure to adhere to prescribed security safeguards.
The data principal’s right to seek compensation from the data fiduciary or the data processor in case any harm has been suffered by such data principal does not find place in the 2022 Bill.
Way forward
The stakeholder comments on the 2022 Bill have been invited until 2 January 2023. Based on such feedback, the Government is likely to finalise the draft and table the same in next year’s budget session of the Parliament.