Nov 22, 2022

Update on Digital Personal Data Protection Bill, 2022

I. Background

On November 18, 2022, the Ministry of Electronics and Information Technology released a new draft of the proposed personal data protection legislation, the Digital Personal Data Protection Bill, 2022 (“Bill”). The Bill is the fourth iteration of the proposed data protection framework and, compared to the previous versions (“Erstwhile Versions”), is significantly trimmed down: from 99 sections in the last version to 30 sections in this one. The Bill covers personal data only and does not apply to non-personal data. Once enacted, the Bill will replace Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”).

II. Key Highlights

1.1       Applicability

  • Only to online personal data – The Bill applies only to personal data that is collected online, or to offline data that is subsequently digitised. As under the SPDI Rules, the requirements of the Bill do not apply to personal data that is collected and processed offline.
  • Overseas applicability – The Bill applies to personal data processed outside India if such processing is in connection with profiling of individuals within India or offering goods or services to individuals within India. Unlike the Erstwhile Versions, the Bill does not state that it applies only to overseas entities engaged in a systematic activity of offering goods or services to individuals in India. In other words, the Bill has done away with the ‘systematic activity’ determination.

1.2       Data Protection Principles – The Bill encapsulates the following essential principles: –

  • Purpose limitation – Personal data should be processed only for a lawful purpose for which the data principal has given, or is deemed to have given, her consent;
  • Collection limitation – Only such personal data as is necessary should be collected. Performance of a contract that has already been concluded should not be made conditional on the provision of personal data that is not necessary for that purpose; and
  • Storage limitation – Personal data must be deleted, or the means by which it can be attributed to a data principal must be removed, once the purpose for which it was collected has been served and its retention is no longer necessary for business or legal purposes. Unlike the Erstwhile Versions, the period for which personal data may be retained is not required to be stated in the privacy policy / notice made available to data principals.

1.3       No sub-classification of personal data – The provisions of the Bill apply to all kinds of personal data. Unlike the Erstwhile Versions, the Bill does not categorise personal data into personal data, sensitive personal data and critical personal data. Accordingly, no incremental or specific requirements need to be met for processing a particular type of personal data, and the requirements of the Bill apply equally to the processing of all forms of personal data. This approach also deviates from the existing SPDI Rules, which distinguish between ‘personal information’ and ‘sensitive personal data or information’ and prescribe incremental compliance requirements for the processing of sensitive personal data or information.

1.4       Notice and Consent

  • Itemised notice – An itemised notice in clear and plain language needs to be provided to the data principal, describing the personal data that will be collected and the purpose of processing. Unlike the Erstwhile Versions, there is no provision in the Bill indicating that standard formats will be prescribed for such notice.

    With respect to personal data collected and processed before the Bill comes into force, an itemised notice needs to be provided identifying the personal data collected and the purpose for which it has already been processed.

  • Affirmative or deemed consent – Consent is the underlying basis for processing personal data. The consent may be:
    i.) Provided by a clear affirmative action. Unlike the Erstwhile Versions, the Bill does not state that the manner in which consent is to be obtained will be separately prescribed; or
    ii.) Deemed consent. The Bill identifies scenarios in which a data principal is deemed to have given consent to the processing of her personal data. These cover instances where processing is necessary for purposes related to employment, for performing any function under law or providing any service or benefit to the data principal, for compliance with any judgment or order issued under any law, in the public interest (including for mergers & acquisitions, credit scoring and the processing of publicly available personal data), etc.
  • Notice & Consent in multiple languages – The data principal should have the option to view the notice and consent form in English or in any other language specified in the Eighth Schedule of the Constitution of India (which includes Urdu, Tamil, Telugu, Sanskrit, Punjabi, Marathi, Hindi, Kannada, Bengali, Gujarati, Kashmiri, etc.). This is an incremental mandatory compliance requirement contemplated under the Bill.

1.5       Cross-border transfer of personal data – The Central Government, after assessing such factors as it considers necessary, will notify the countries to which, and the terms and conditions subject to which, personal data may be transferred outside India. Unlike the Erstwhile Versions, the Bill does not impose any data localisation requirements. Nor does the Bill contemplate transfer of personal data outside India on the basis of contractual safeguards, intra-group schemes or other approved contractual clauses.

1.6       Significant data fiduciaries – Akin to Erstwhile Versions, the Central Government may notify any or a class of data fiduciaries as significant data fiduciaries taking into account multiple factors (such as volume of personal data processed, risk of harm, security of state, etc.). Significant data fiduciaries need to comply with additional requirements such as – appointing a data protection officer based in India, appointing an independent data auditor for evaluating compliance with the Bill, and undertaking such other measures as may be prescribed. Unlike the Erstwhile Versions, the Bill does not require significant data fiduciaries to obtain any separate registration.

1.7       Data Protection Board of India – The Bill contemplates the establishment of a Data Protection Board (“DPB”), which will be responsible for, inter alia, determining non-compliance with the Bill and imposing penalties. Under the Erstwhile Versions, the remit of the Data Protection Authority was wider and included oversight of cross-border data transfers, audits, issuance of codes of practice, etc. Under the Bill, however, most aspects of implementation of the law are proposed to be prescribed by the Government through Rules.

1.8       Notification of personal data breach – Personal data breaches need to be notified to the DPB and each affected data principal in such manner as may be prescribed.

1.9       Penalties

  • Financial penalties for non-compliance – Depending on the nature of the contravention, financial penalties of up to INR 500 crores per instance of non-compliance may be levied. Several factors may be taken into account in determining the quantum of a penalty, including the nature, gravity and duration of the non-compliance, the type of personal data affected, whether the non-compliance is repetitive, etc.
  • No compensation – Unlike the Erstwhile Versions, the Bill does not provide for payment of compensation to data principals whose personal data has been compromised. That said, the Bill imposes an obligation on data principals not to register a false or frivolous grievance or complaint with a data fiduciary or the DPB, and not to furnish false particulars or suppress material information when applying for any document, service, unique identifier, proof of identity or proof of address, etc. For any such non-compliance, a data principal may be penalised up to INR 10,000.

1.10  Rights of data principals – The Bill grants data principals certain rights, including the right to receive a summary of the personal data being processed and the underlying processing activities, the right to correction and erasure of personal data, and the right to have grievances redressed. The right to portability available under the Erstwhile Versions does not find a place in the Bill.

1.11  Voluntary Undertaking – The Bill also allows the DPB to accept, from a person facing action for non-compliance under the law, a voluntary undertaking, which may include a commitment (a) to take specified action within a specified time, (b) to refrain from taking specified action, and (c) to publicise the voluntary undertaking. Once such an undertaking is accepted by the DPB, it bars proceedings under the Bill in so far as they relate to the contents of the undertaking.

III. Concluding Remarks

The Bill is presently open for stakeholder feedback until December 17, 2022. Based on such feedback, the Government is likely to finalize the Bill and table the same in next year’s Budget session of the Parliament.

DISCLAIMER

These are the views and opinions of the author(s) and do not necessarily reflect the views of the Firm. This article is intended for general information only and does not constitute legal or other advice and you acknowledge that there is no relationship (implied, legal or fiduciary) between you and the author/AZB. AZB does not claim that the article's content or information is accurate, correct or complete, and disclaims all liability for any loss or damage caused through error or omission.