India: Comparing the Digital Personal Data Protection Bill, 2022 and the GDPR
After various legislative predecessors, on 18 November 2022, the Ministry of Electronics and Information Technology ('MeitY') issued the Digital Personal Data Protection Bill, 2022 ('the Bill') for public consultation.
In this Insight article, Supratim Chakraborty, Harsh Walia, Shobhit Chandra, Sumantra Bose, Tashi Gyanee, Sanjuktha Yermal, and Shramana Dwibedi, from Khaitan & Co., discuss key differences and similarities between the Bill and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
The existing data protection regime in India consists of a patchwork of laws which may appear to be quite dated, when considered in the context of the digital revolution that the world has undergone. In recent times, India has taken major steps to launch itself as a global digital economy. However, the absence of a robust data protection law placed India at a relatively weaker footing than other jurisdictions that have an advanced legal framework. Realising this gap, the Government of India ('the Government') undertook to draft and formulate a dedicated data protection legislation that could govern and effectively regulate the nuanced aspects of personal data and technology that we see today. The aim was also to bring it at par with foreign laws, like the GDPR.
As a country, India has its own unique requirements, interests, and socio-economic constraints. Hence, drafting a law which could cater to such distinctive aspects was certainly an uphill task. This can be easily gauged from the chronology of events that have taken place ever since the Government published its intent to release a data protection legislation in 2017. We have witnessed several iterations of the draft data protection law, including the Personal Data Protection Bill, 2019, which was subsequently referred to, and reviewed by, the Joint Parliamentary Committee constituted for the specific purpose of such review. However, it did not see the light of day. On 3 August 2022, MeitY moved a motion to withdraw the Personal Data Protection Bill, 2019, so that a more comprehensive data protection legislation could be brought in its place.
On 18 November 2022, the Bill was released for public consultation. The Bill is a leaner, succinct draft, and significantly departs from its previous iterations in several key aspects. It has removed express obligations to localise storage of personal data and categorisation of personal data into further subsets. Based on our review of this Bill, we understand that the approach adopted while drafting has been to strike a balance between business innovation and privacy rights of individuals.
However, the Bill deviates on several aspects from the GDPR. Below are some key differences between the Bill and the GDPR.
Categorisation of personal data
The GDPR carves out a further subset of personal data, namely special categories of personal data. This category includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as data concerning health, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, and data concerning a person's sex life or sexual orientation. Special categories of personal data are subject to distinct compliance requirements, especially as regards the legal bases that can be relied upon for processing such personal data.
However, the Bill applies to the broader set of personal data, without further categorising it into sensitive or critical personal data. Given that there is no such classification or further categorisation of personal data, there is no statutory requirement to implement separate compliance standards for different kinds of personal data collected pursuant to the Bill. The Bill prescribes the implementation of reasonable security safeguards for personal data.
Age of majority
Another significant difference is the age below which an individual is treated as a child. Under the GDPR, for the purposes of consent to information society services, individuals below the age of 16 years are considered children (Member States of the EU may lower this age, provided it is not lowered below 13 years).
However, the Bill defines children as individuals who are yet to attain the age of 18 years.
Categorisation of data fiduciaries
The GDPR does not distinguish between classes of data controllers (equivalent to data fiduciaries under the Bill) while prescribing compliances and obligations.
On the other hand, the Bill intends to classify certain data fiduciaries as 'significant data fiduciaries' with increased compliance obligations, such as:
- the appointment of a resident data protection officer ('DPO') responsible for grievance redressal;
- the appointment of an independent data auditor;
- conducting Data Protection Impact Assessments ('DPIAs'); and
- such other compliances as may be prescribed.
The classification will be based on factors like the volume and sensitivity of personal data collected, the risk of harm to data principals, the potential impact on India's sovereignty and integrity, etc. Further, under the Bill, the Government may, having regard to the volume and nature of personal data processed, notify certain data fiduciaries, or class of data fiduciaries, to whom compliances regarding consent obligations, the obligation to ensure accuracy of personal data collected, data retention obligations, enhanced compliances while collecting children's personal data, and the obligation to give effect to data principal's requests in relation to their personal data, will not apply. The intent of the above provision appears to provide a leeway to smaller sized data fiduciaries and early-stage start-ups as they may not have adequate resources and infrastructure to implement compliance with the provisions of the Bill.
Privacy notices
Under the GDPR, the privacy notice, which is required to be provided to data subjects (equivalent to data principals under the Bill) at the time of, or prior to, collecting personal data, is more comprehensive, and is required regardless of the legal basis for processing personal data. The GDPR prescribes several details that must mandatorily be specified in privacy notices, such as:
- the identity and contact details of the data controller and, where applicable, of the data controller's representative;
- categories of personal data being collected;
- purposes of processing, as well as the legal basis for processing;
- recipients, or categories of recipients, of personal data, if any;
- the right to lodge a complaint with a supervisory authority; and
- the existence of automated decision making, including profiling.
As per the Bill, privacy notices are required to be provided to data principals only when the ground for processing personal data is consent. The privacy notice is required to describe only the personal data being sought from data principals and the purposes of such collection. However, the Bill requires that data principals be given the option to access the contents of the notice in English or in any of the languages specified in the Eighth Schedule to the Indian Constitution (which lists 22 Indian languages). This provision has been included in recognition of the linguistic diversity of India. Further, the Bill provides that a privacy notice must also be furnished for personal data collected prior to the commencement of the Bill. The language requirement indicated above also extends to the consent request shared with data principals for obtaining consent.
Consent managers
While the GDPR and the Bill both recognise consent of individuals as one of the legal bases for processing personal data, the latter has introduced the novel concept of 'consent managers'. Consent managers are data fiduciaries who may, on behalf of the data principals, collect and manage consent provided by them. Consent managers will enable data principals to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform. Every consent manager will be required to be registered with the Data Protection Board ('the Board') in such manner and subject to such technical, operational, financial, and other conditions as may be prescribed.
Right of data portability
In a departure from the GDPR, the Bill does not provide a right of data portability in favour of data principals. While such a right was incorporated in the Personal Data Protection Bill, 2019, it has not been incorporated in the current version of the Bill.
Deemed consent where it is reasonably expected that data principal will provide personal data
In addition to consent, both the GDPR and the Bill provide certain additional grounds for processing personal data. In this regard, a distinguishing feature between the GDPR and the Bill is that the Bill recognises that a data principal is 'deemed' to have given consent for processing in a situation where the data principal voluntarily provides personal data to the data fiduciary and it is reasonably expected that the data principal would provide such personal data. To elucidate this provision, the Bill has provided an illustration that a person who shares their name and mobile number with a restaurant for reserving a table, is deemed to have given consent to the collection of their name and mobile number by the restaurant (i.e. the data fiduciary) for the purpose of confirming the reservation.
Reporting of personal data breaches
There seems to be a major difference between the Bill and the GDPR when it comes to determining the threshold for notifying authorities and affected individuals, regarding the occurrence of a personal data breach.
While the GDPR adopts a risk-based approach for notifying personal data breaches, the Bill is silent on any such threshold. Pursuant to the GDPR, personal data breaches which are likely to result in a risk to the rights and freedoms of data subjects are required to be reported to the supervisory authority. Further, personal data breaches need to be communicated to affected data subjects only when such breaches are likely to result in a high risk to their rights and freedoms. On the other hand, the obligation under the Bill to notify personal data breaches to the Board and to affected data principals (akin to data subjects under the GDPR) is not qualified by any specific threshold or criteria.
As per the GDPR, in regard to data breaches suffered by data processors, the data processors' obligation is to only notify the concerned data controller of the same. The responsibility of reporting such personal data breach (if found to be meeting the necessary threshold set out under the GDPR) to the authority lies with the data controller.
Unlike the position under the GDPR, the Bill obligates both the data fiduciaries and the data processors (as the case may be) to report personal data breaches. The breach must be reported to the Board and affected data principals in all cases.
Penalties
One of the most critical aspects of the Bill is its significantly high penalties for contravention. The financial penalties under the GDPR are linked to the higher of a monetary cap or a certain percentage of the erring entity's worldwide turnover (for instance, up to €20 million or, in the case of an undertaking, up to 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, for certain non-compliances, including those relating to the processing of special categories of personal data).
The Bill only provides capped financial penalties and does not link it to specific percentages of worldwide turnovers. The financial penalties under the Bill can go up to INR 250 crores (approx. € 29 million), and in case of significant contraventions, penalties can be as high as INR 500 crores (approx. € 58 million). Additionally, the Bill does not prescribe a payment of compensation to data principals, unlike the GDPR.
Duties of data principals
Interestingly, the Bill also sets out certain duties for data principals. Pursuant to the same, data principals are required to refrain from instituting any false or frivolous complaints or grievances against data fiduciaries. They are also required to furnish only verifiably authentic information. Any non-compliance with these duties will attract financial penalties of up to INR 10,000 (approx. €116) on data principals.
There is no such corresponding provision under the GDPR.
Cross-border transfer of personal data
In the context of transfer of personal data to other jurisdictions, the Bill has prima facie prescribed a simplified process. Personal data, under the Bill, may be transferred to jurisdictions which have been pre-approved by the Government, based on necessary factors determined by it. Additionally, the Government may prescribe conditions subsequently, which will need to be followed. At this stage, it is not clear what shape and form such conditions will take.
On the other hand, the GDPR provides various channels through which the transfer of personal data can be achieved. Under the GDPR, personal data may be transferred pursuant to an adequacy decision or, in the absence of one, subject to appropriate safeguards, such as:
- legally binding and enforceable instruments between public authorities;
- Binding Corporate Rules;
- Standard Contractual Clauses ('SCCs') adopted by the European Commission, and SCCs adopted by a supervisory authority and approved by the Commission;
- approved codes of conduct; and
- approved certification mechanisms.
Other unique features of the Bill
The Bill enables data principals to nominate any other individual, who will, in the event of death or incapacity (i.e. the inability to exercise the prescribed rights due to unsoundness of mind or body) of such data principals, be able to exercise prescribed rights in respect of the personal data. In this context, it is notable to mention that, while the GDPR's applicability only extends to living individuals, it permits EU Member States to provide for their own rules in relation to personal data of deceased individuals.
Another unique aspect of the Bill is that it has allowed furnishing of voluntary undertakings by entities. Pursuant to the same, data fiduciaries will be able to provide an undertaking indicating that they will take/refrain from taking specified actions within a given time period. The Board reserves the right to vary the terms of the voluntary undertaking with the concurrence of the person furnishing the undertaking. Acceptance of a voluntary undertaking by the Board will act as a bar on any proceedings in relation to the subject matter of such voluntary undertaking. This provision may encourage timely admission and rectification of non-compliances by entities.
While the GDPR and the Bill have a lot in common, the approach and means adopted by the two legislations differ, as outlined above. The GDPR is, comparatively, more prescriptive, whereas the Bill lays down certain fundamental ideas and leaves many implementation-related aspects to subordinate legislation, rules, and regulations that will be brought into force after the law is enacted.
The Bill, undoubtedly, presents a ray of hope for counterbalancing the interests of data principals while recognising practical challenges that may be faced by businesses. It has garnered significant attention across all stakeholders and it remains to be seen what shape it will eventually take.
Supratim Chakraborty Partner
Harsh Walia Partner
Shobhit Chandra Counsel
Sumantra Bose Principal Associate
Tashi Gyanee Associate
Sanjuktha Yermal Associate
Shramana Dwibedi Associate
Khaitan & Co., Kolkata