By Arya Tripathy on November 24, 2022
Introduction
On November 18, 2022, the Ministry of Electronics & Information Technology (MeitY) issued the draft Digital Personal Data Protection Bill, 2022 (DPDB), which is open for public consultation till December 17, 2022. Earlier on August 4, 2022, MeitY withdrew the Data Protection Bill, 2021 on the premise that the Joint Committee had recommended substantial amendments to the original draft,[1] highlighting the need for developing a “comprehensive” legal framework that is aligned with contemporary privacy laws and constantly evolving nuances of the digital ecosystem.
DPDB restores and limits the proposed law’s focus to digital personal data,[2] with the aim to prescribe processing norms that balance an individual’s rights in their personal data, and the economic need to process personal data for lawful purposes. DPDB comes with an explanatory note to aid interpretation of the proposed clauses, with the disclaimer that such note shall not form part of DPDB. Structured into 6 chapters and 1 Schedule, DPDB proposes 30 clauses for the regulation of digital personal data processing, incorporates illustrations to explain the purport of certain clauses, and is a significantly condensed version when compared with the earlier bills.
In this blog, we identify the key features of DPDB with the objective to analyse the core constituents of what India’s data protection law could look like, if DPDB were to be enacted as a law in its current form.
1. Application and scope: DPDB will apply to (i) the processing of digital personal data subject to exemptions (material scope), (ii) undertaken within India, and in certain cases, carried out outside of India (territorial scope).
To fully evaluate the material scope, it is important to understand what is considered as personal data and processing under DPDB, what the exemptions are, and who the key stakeholders in the processing lifecycle are.
- Personal data is defined widely to mean any data[3] concerning an individual who is identifiable by, or in relation to such data, and will include opinions. However, DPDB will cover only digital personal data i.e., when it is collected online, or if collected offline, is digitized later.[4]
- Processing means automated operations performed on digital personal data through its lifecycle, like collection, recording, organizing, structuring, storing, altering, sharing, transfer, erasure, etc. Automated processing operations will include any digital process capable of operating automatically pursuant to instructions given or otherwise.
- Reading the above two defined terms together, DPDB will apply to automated processing of digital personal data. To this effect, DPDB states that it will not apply to (i) non-automated processing, and (ii) offline personal data. Thus, manual data processing such as structured filing systems is outside the purview. It is unclear if DPDB will apply to mechanical and semi-automated data processing. Further, DPDB will not apply to personal data processed by an individual for personal or domestic purpose, and those that have been recorded for 100 years or more.
- There is no provision for special categories of sensitive personal data or critical data, and consequently, there are no specific requirements that would apply to the processing of sensitive data sets like health, financial, biometrics, etc. MeitY is of the view that all kinds of personal data come with an inherent expectation of informational privacy, and hence, there is no need to distinguish. This approach is a departure from the extant Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (IT Rules), as well as data protection laws in other jurisdictions. It does not take into account the possibility that certain datasets, owing to their sensitive nature, may require more rigorous standards for processing, and leaves a window for sector-specific regulators like the Reserve Bank of India and the Securities and Exchange Board of India to come up with additional requirements.
- DPDB will apply to 3 key stakeholders in the data processing cycle: (i) data fiduciary (akin to controller) – any person[5] who alone or with others determines the purpose and means of processing, (ii) data processor – any person who processes personal data on behalf of data fiduciary, and (iii) data principal (akin to data subject) – individual to whom the personal data relates, and in context of children (i.e., 18 years or below), will include their parents and legal guardian.
In terms of the territorial scope, DPDB will apply to data fiduciaries and processors who process in India, irrespective of whether they are foreign persons or not. DPDB will also apply extraterritorially where digital personal data is processed outside India, if such processing is for profiling[6] a data principal in India, or for offering goods or services to such data principal. Resultant effect – the territorial scope has been simplified to link it with the location where processing is undertaken and the physical presence of the data principal in India.
2. Consent and Deemed Consent: Digital personal data processing must be for a lawful purpose with Consent or Deemed Consent of the data principal. Penalty for violation of Consent or Deemed Consent requirements can be up to INR 500 million (about USD 6.1 million).[7]
Consent continues to be the primary basis for processing, but with diluted parameters. DPDB requires consent to be free, specific, informed and unambiguous. It must be signified through an affirmative action by the data principal and limited to the specific purposes. On or before obtaining Consent, data fiduciary must provide an itemised notice (i.e., presented as a list of individual items) containing description of personal data sought to be processed and the purpose of processing, in clear and plain language. Data fiduciary must also provide contact details of its authorised person who would respond to data principal’s communications and right requests.
Thus, only limited information disclosure is contemplated for seeking consent, and additional details such as types of processing, infosec measures deployed to safeguard personal data, available rights of data principals, privacy practices followed, and cross-border transfer related specifics need not form part of the consent notice. The language of the notice and Consent can be in English, or any of the regional languages specified in the 8th Schedule of the Indian Constitution, depending on data principal’s preference.[8] Further, Consent can be withdrawn by the data principal at any time, provided that consequences of such withdrawal shall be borne by the data principal. Burden of proof that processing has been carried out with Consent will be on the data fiduciary, and under the contemplated scheme, it would be a relatively low burden to discharge, where a fiduciary has provided the bare minimum information in the notice seeking Consent, and there is an affirmative action from data principal signifying Consent.
In 9 scenarios, DPDB presumes data principal’s consent for processing i.e., Deemed Consent as the basis for processing. These are:
- where personal data is voluntarily provided by the data principal and it is reasonable to expect that they would provide such personal data like those provided for entering into, or for performance of a contract;
- processing by state for the performance of any function under law, or provision of any service or benefit to the data principal (like providing benefits under social welfare schemes), or issuance of any certificate/license/permit to the data principal (like collection of biometric for issue of AADHAAR unique identifier);
- compliance with any judgment or order;
- response to medical emergency involving threat to life or health of the data principal or other individual;
- providing medical treatment or health services to any individual during epidemic, disease outbreak, or public health crisis like contact tracing;
- disaster management or public disorder;
- employment related purposes;
- in public interest => DPDB explains “public interest” as interest in India’s sovereignty and integrity, state security, friendly relations with foreign states, maintenance of public order, preventing incitement to commission of any cognizable offence in relation to the previously mentioned interests, and preventing dissemination of false statements of fact; and
- for any fair and reasonable purpose as may be prescribed subsequently => while notifying other “fair and reasonable processing grounds”, central government will consider the legitimate interests of data fiduciary in processing and whether such interests outweigh any adverse effect on data principal, public interest, and reasonable expectations of data principal having regard to the context of processing.
Essentially, the Deemed Consent alternatives are wide and include processing grounds as recognised in other jurisdictions, such as processing by state or judicial bodies, for lawful contract, legitimate interest, benefit of data principal, and repurposing. It is also possible that new grounds are notified in future. However, in these alternatives, there is no need to provide prior or post-facto notice to the data principal. Consequently, the data principal may not have any information on what, why, how and when their personal data was processed, and this dilutes the transparency and accountability principles, which are fundamental for safeguarding informational privacy.
3. Obligations of data fiduciary: The underlying principle is that data fiduciary shall be primarily responsible for compliance with DPDB, notwithstanding any contract to the contrary, or any action on part of the data principal. This is prevalent practice under the IT Rules and data protection laws of other jurisdictions. The obligations applicable to all data fiduciaries are:
- make reasonable efforts to maintain accuracy and completeness of processed personal data, where personal data is likely to be used for decision-making that affects the data principal, or subsequently disclosed to another data fiduciary;
- implement appropriate technical and organisational measures for compliance with DPDB;
- take reasonable security safeguards to protect personal data and prevent data breach; penalty for non-compliance could be up to INR 2,500 million (about USD 30.5 million);
- notify data breach incidents to the regulatory body proposed under DPDB i.e., Data Protection Board of India (DPBI) and the affected data principal; penalty for non-compliance could be up to INR 2,000 million (about USD 24.5 million) => this is a welcome move as the earlier bill did not obligate the fiduciary to notify the data principal about a breach unless a harm and risk analysis had first been undertaken;[9]
- cease to retain personal data, or remove identification means of the personal data as soon as retention purpose is completed, or not required for any other business purposes (opt for pseudonymisation or anonymisation techniques) => business purpose is wide and can be loosely used to permit retention even where processing and legal purposes have been achieved;
- publish business contact information of its authorised person who would respond to data principal’s queries;
- put in place procedure and effective mechanism for grievance redressal; and
- with consent of data principal and only under a contract, engage a data processor, or transfer personal data to another fiduciary => specific to this obligation, it appears that the obligation will not apply where processing is carried out on Deemed Consent basis.
Except as specifically stated above for certain obligations, penalty for non-compliance with other fiduciary obligations could be up to INR 500 million (about USD 6.1 million). DPDB imposes a limited set of obligations on data fiduciaries compared to the earlier bills. Perhaps, the spirit is to enable self-regulation, and this will ease the compliance burden and costs for businesses. At the same time, this could impact implemented privacy governance models.
At this juncture, it is important to refer to the explanatory note which does not form part of DPDB’s main text. It states that DPDB has been prepared keeping in mind the 7 core principles for data processing namely, lawful, fair and transparent processing; purpose limitation; data minimisation; accuracy of personal data; storage limitation; integrity and confidentiality; and accountability. But these do not find explicit mention in DPDB, and only some derivations are added as statutory obligations. Ideally, these should have been included as overarching principle-based obligations on data fiduciary, so that in absence of a specific obligation, determination could be based on the core principles and specific facts. This approach is not unique and has been adopted in adjudication of various landmark decisions under EU GDPR. In absence of these, the limited set of obligations may result in lowered checks and balances that could adversely impact data principal’s privacy expectations.
4. Significant data fiduciaries: Central government may notify any data fiduciary or class thereof as Significant Data Fiduciary (SDF). While determining them, it will assess factors such as volume and sensitivity of personal data processed, risk of harm to data principal, potential impact on sovereignty and integrity of India and state security, risk to electoral democracy, public order and other criteria as it may deem necessary. The earlier versions contained more details on the criteria and sought to include certain social media intermediaries within the ambit of SDFs, and now, this has been left open-ended. In addition to the obligations at #3 above, a SDF will be required to (i) appoint a person based in India to act as its Data Protection Officer (DPO) who shall report to the governing body of the data fiduciary (like board of directors of a company) and act as SPOC for the grievance redressal mechanism, (ii) appoint an independent Data Auditor who will evaluate compliances, and (iii) undertake other measures such as data protection impact assessments and periodic audits to adhere to the objective of the Act.
Hence, who will qualify as SDFs, the additional obligations that they must comply with, and details regarding the manner of compliance have been left to the rule-making process, and it will be important to wait for those to fully evaluate the scope of additional obligations. Penalty for non-compliance with SDF specific obligations could be up to INR 1,500 million (about USD 18.3 million).
5. Rights and duties of data principal: DPDB has limited the scope of data principal’s rights in relation to their personal data, and seeks to impose certain duties on them. A data principal shall have a right to:
- confirmation on processing undertaken;
- access summary of processed personal data, processing activities undertaken, identities of all data fiduciaries with whom personal data has been shared, and other information as may be prescribed;
- correction of inaccurate or misleading personal data;
- completion of incomplete personal data;
- updation of personal data;
- erasure of personal data that is no longer necessary for the processing purpose or any legal purpose => note that fiduciary is permitted to retain personal data if the same is needed for business purpose, and it is thus, unclear if right to erasure will supersede such right of the fiduciary, and there is need for necessary clarity;
- register a grievance with data fiduciary;
- complain to DPBI where they receive unsatisfactory response or no response from data fiduciary for their registered grievances; and
- nominate other individual who shall act on their behalf in event of death or incapacity.
Data principal shall not have a right to be forgotten, right to object to certain kinds of processing (automated data processing, being the key area of regulation, cannot be objected to by the principal), or right to data portability, which have been contentious issues globally. The manner, timeline, format, and other details on how rights can be exercised have been left to rule-making.
Nevertheless, for exercising these rights, data principal is obligated to comply with certain duties. One of them requires data principal to comply with provisions of all applicable law. This is ambiguous as it can be interpreted to mean that any breach of any applicable law could negate data principal’s rights, even in situations where there may not be a nexus between the right sought to be exercised and the non-compliance involved. For instance, a literal interpretation would suggest that a convicted criminal has no data principal’s rights under DPDB. It is also unclear as to who would determine and verify if the data principal has been and is compliant with applicable law.
Further, data principal shall not falsely or frivolously register grievances with data fiduciary, or complain to DPBI. It appears that flexibility to determine whether a grievance or complaint is false or frivolous is left to data fiduciary and DPBI, respectively. Furthermore, data principal shall be obligated to furnish true and material information, while applying for any document, services, unique identifier, proof of identity, or proof of address; and all furnished information for exercise of right to correction or erasure must be verifiably authentic. Penalty on data principal for breach of their duties could be up to INR 10,000 (about USD 122). At the same time, where data fiduciary fails to honour validly exercised data principal’s rights, this could entail a penalty of up to INR 500 million (about USD 6.1 million).
6. Cross-border data transfer: The contours of cross-border data transfer under earlier bills have been debated extensively by stakeholders, with major pushback to soft and hard data localisation norms. DPDB does away with such localisation norms and this is a welcome move. It states that the central government, after an assessment of factors as it may deem necessary, may notify such jurisdictions to which personal data can be transferred, on such terms and conditions as may be specified. This indicates that central government will have a free hand to determine jurisdictions (either as adequate or inadequate) and come up with conditions for data transfers. There is no mention of alternative options for cross-border transfer such as binding corporate rules, standard contractual clauses, and occasional cases of data transfer.
At present, IT Rules require data transferor to evaluate whether similar degree of data protection will be afforded to the personal data by the data transferee, and permits cross-border transfer only when there is consent, or when such transfer is essential for performance of the contract executed with the data principal. Thus, DPDB tends to further relax the existing restrictions, and it appears that until such time transfer related rules are made, data fiduciaries and processors can freely transfer personal data outside India as long as there is Consent or a Deemed Consent basis for such transfer.
7. Exemptions: DPDB contemplates sweeping exemptions from substantial provisions for state, and certain kinds of processing. Neither any restriction on cross-border transfer as may be notified subsequently, nor any of the data fiduciary or SDF obligations (except the requirement to take reasonable security measures for protection of personal data), will apply to processing of personal data (i) which is for enforcing legal rights or claims, (ii) by judicial, quasi-judicial or other body while performing judicial or quasi-judicial functions, (iii) which is in interest of prevention, detection or prosecution of any offence or contravention of any law, or (iv) that belongs to individuals outside India, when processed pursuant to a contract entered between a foreigner and an Indian person.
Apart from this, DPDB states that retention and storage limitation shall not apply to state or its instrumentalities, which means that they can retain personal data as long as they deem fit. Further, central government is vested with the power to take into account volume and nature of data processed and then, exempt certain data fiduciaries from complying with requirements around notice, data accuracy, retention limitation, and access and confirmation rights. It also has the power to grant exemption from any or all parts of DPDB (i) to any state body on grounds of public interest => no criteria have been laid out, leaving scope for arbitrariness; and (ii) for research, archiving or statistical purposes, provided that such processing does not result in decision-making regarding the data principal and is undertaken in accordance with standards as may be specified by DPBI.
Owing to the far-reaching powers vested with central government, there is increased scepticism that the purport and intent of DPDB when it applies to state can be significantly diluted through exemption notifications.
8. Data Protection Board of India: For purposes of determining non-compliance with DPDB, imposing penalty, issuing directions, and performing other such functions as the central government may prescribe, DPDB contemplates establishment of DPBI. DPBI’s functions are aimed to be digital by design and it will act as an independent regulator. DPBI will be vested with the power to conduct inquiry, summon witnesses, inspect evidence, conduct proceedings relating to complaints, and impose penalties. Thus, it is important that its composition has the right balance, so that it can function independently of the different wings of state. But DPDB is silent on these aspects. It empowers the central government to stipulate DPBI’s strength, composition, process of member selection, terms and conditions of appointment and removal. This is a departure from the approach that was contemplated under earlier bills. In absence of any insights on how DPBI will be constituted, there is speculation that DPBI may not be truly independent in discharge of its functions.
Conclusion
Once enacted as law, DPDB is proposed to be implemented in phases, and it will be relevant for the government to provide an adequate window for organisations to gear up existing data protection practices. The underlying approach for DPDB is to provide overarching principles for data protection and in the process, MeitY has lifted elements from data protection laws of jurisdictions like Australia, Singapore and EU nations. The government believes that in its current form, the proposed law leaves sufficient window for adaptation as the digital ecosystems evolve. While businesses and the start-up community have expressed optimism with the proposed clauses, critics have voiced reservations regarding the lack of adequate checks and balances on executive powers and exemptions. But the devil is in the detail, and that has been left to delegated legislation; ultimately, the true efficacy and impact of DPDB will have to be time-tested.
[1] In Justice K.S. Puttaswamy (retd.) v. Union of India (2017), the Supreme Court upheld privacy as a fundamental right and highlighted the need for a dedicated privacy and data protection law. Thereafter, Justice Srikrishna Committee prepared a draft Personal Data Protection Bill, 2019, which was referred to a Joint Committee for review. In 2021, Joint Committee completed its review process and proposed the Data Protection Bill, 2021. In an earlier post, we provided our analysis on this bill, and the post can be accessed here – https://www.psalegal.com/indias-new-data-protection-bill-2021-overview-and-analysis-of-jpc-draft/
[2] Data Protection Bill, 2021 had a very wide scope and contained proposals for regulating all kinds of data including non-personal and anonymized data.
[3] Data is defined as representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by humans or automated means.
[4] In the subsequent paragraphs of this post, digital personal data and personal data have been used interchangeably.
[5] Person will include natural and legal persons, as well as state.
[6] Profiling is defined to mean any form of processing of personal data that analyzes or predicts aspects concerning the behavior, attributes or interests of a data principal.
[7] USD 1 = about INR 82
[8] 8th Schedule lists 22 official languages used in different parts of India such as Assamese, Bengali, Hindi, Tamil, Urdu etc. The list can be accessed here – https://rajbhasha.gov.in/en/languages-included-eighth-schedule-indian-constitution
[9] The form and manner for such breach notice will be prescribed under rules.