India: Digital Personal Data Protection Bill, 2022 - What you need to know
Following the withdrawal, in August 2022, of the Personal Data Protection Bill, 2019, the Ministry of Electronics and Information Technology ('MeitY') issued, on 18 November 2022, a new Digital Personal Data Protection Bill, 2022 [1] ('the Bill'), marking a new landmark in India's journey towards the adoption of a comprehensive privacy framework.
OneTrust DataGuidance Research provides an overview of the newly presented Bill, which is open for public consultation until 17 December 2022.
According to its Explanatory Note to the Bill [2] ('the Explanatory Note'), the Bill seeks to lay down a framework that applies horizontally across sectors, establishing, on the one hand, rights and duties of citizens, and, on the other hand, obligations of data fiduciaries to process data lawfully. Moreover, the Explanatory Note details that the Bill is predicated on the same principles that have served as the foundation for personal data protection legislation in many jurisdictions around the world, namely:
- lawfulness, fairness, and transparency;
- purpose limitation;
- data minimisation;
- storage limitation;
- security; and
Further to the above, the Explanatory Note clarifies that the Bill carries forward the consensus reached by stakeholders during the consultations that took place throughout the drafting process of the Personal Data Protection Bill, 2019.
While the Bill aims to establish a comprehensive legal framework governing digital personal data protection in India, it should be noted that its provisions may be further carried out by the Government of India ('the Government'), which is expressly given the power to issue rules in accordance with the Bill (Article 26 of the Bill).
Scope of the Bill
The Bill applies to (Articles 4(1) and 4(2) of the Bill):
- the processing of digital personal data within the territory of India where:
- such personal data is collected from data principals online; or
- such personal data, collected offline, is digitised; and
- the processing of digital personal data outside the territory of India, if such processing is in connection with any profiling of, or activity of, offering goods or services to data principals within the territory of India.
Notably, the Bill expressly excludes from its scope of application (Article 4(3) of the Bill):
- non-automated processing of personal data;
- offline personal data;
- personal data processed by an individual for any personal or domestic purpose; and
- personal data about an individual that is contained in a record that has been in existence for at least 100 years.
The Bill provides, under Article 2, definitions of key terms, some of which are illustrated below.
Under the Bill, 'data principal' indicates an individual to whom the personal data relates. Where such individual is a child, their parents or lawful guardians would be considered the data principal.
Notably, the Bill sets the age limit for a child at 18 years of age.
Data fiduciary and data processor
'Data fiduciary' signifies any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data. The Explanatory Note states that the choice of the word 'fiduciary' underlines that the relationship between the data principal and data fiduciary is expected to be one based on mutual trust.
Further, the person who processes personal data on behalf of a data fiduciary is qualified as a 'data processor'.
Personal data refers to any data about an individual who is identifiable by or in relation to such data. As the Explanatory Note points out, the term 'personal data' is worded under the Bill in a direct and simple manner, to mean any data by which, or in relation to which, an individual can be identified, where 'data' is also further defined to signify 'a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means'.
Obligations of data fiduciaries
Grounds for processing
Consent is the main basis for the processing of personal data under the Bill. Specifically, Article 5 of the Bill provides that data fiduciaries may process the personal data of a data principal only for a lawful purpose for which the data principal has given, or in certain limited circumstances is deemed to have given, their consent.
Further to the above, the Bill encompasses detailed provisions on consent, including (Article 7 of the Bill):
- consent means a freely given, specific, informed, and unambiguous indication of the data principal's wishes by which they, by a clear and affirmative action, signify agreement to the data processing;
- request for consent shall be presented to the data principal in a clear and plain language; and
- data principals shall have the right to withdraw consent at any time, and the ease of such withdrawal shall be comparable to the ease with which consent may be given.
Most notably, the data principal may give, manage, review, or withdraw consent to the data fiduciary through a consent manager, which is an entity, accountable to the data principal, that enables the data principal to manage their consent through an accessible, transparent, and interoperable platform. In this regard, the Explanatory Note details that, since it may not always be possible to keep track of the instances in which an individual consents to the processing of their personal data, the Bill recognises the role of consent managers, who allow data principals to have a comprehensive view of their interactions with data fiduciaries and the declarations of consent given to them.
Furthermore, while consent should, in general, be the basis for personal data processing, the Bill considers that, in some situations, seeking consent may be impracticable or inadvisable, and defines the situations wherein insisting on consent would be counterproductive. Specifically, Article 8 of the Bill states that a data principal is deemed to have given consent to the processing of their personal data if such processing is necessary:
- in a situation where the data principal voluntarily provides their personal data to the data fiduciary and it is reasonably expected that they would provide such personal data;
- for the performance of any function under any law, or the provision of any service or benefit to the data principal, or the issuance of any certificate, license, or permit by the State or other state body;
- for compliance with any judgment or order issued under any law;
- for responding to a medical emergency;
- for taking measures to provide medical treatment or health services to any individual during a period of threat to public health;
- for taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order;
- for the purposes related to employment; or
- in the public interest, such as the prevention and detection of fraud, credit scoring, and processing of publicly available personal data.
The Explanatory Note recognises that the protection of personal data begins with knowledge about processing. As such, the Bill requires that data fiduciaries should give to the data principals a notice, on or before requesting consent, containing a description of personal data sought to be collected by the data fiduciary and the purpose of processing of such personal data. The notice should be given in clear and plain language.
Further to the above, Article 9 of the Bill lays down additional obligations on data fiduciaries. In particular, data fiduciaries must, among other duties:
- make reasonable efforts to ensure that the personal data they process is accurate and complete;
- implement appropriate technical and organisational measures to ensure compliance with the Bill;
- take reasonable security safeguards to prevent personal data breaches;
- notify the Data Protection Board ('the Board') and each affected data principal in the event of a personal data breach (please see the section 'Compliance framework' below for further detail);
- retain personal data only so long as it is required for the purpose for which it was collected;
- publish the business contact information of the data protection officer ('DPO'), if applicable, or another point of contact for data principals;
- ensure that data principals are able to seek effective redressal of their grievances; and
- enter into a valid contract before sharing or transferring personal data to any other data fiduciary or before appointing a data processor.
Moreover, specific obligations are defined under Article 10 of the Bill in relation to the processing of personal data of children. Similar to international standards, the Bill requires the data fiduciary to obtain, before processing any personal data of a child, verifiable parental consent in such manner as may be prescribed.
Notably, data fiduciaries that the Government deems as 'significant' are required to comply with additional obligations, such as appointing a DPO or undertaking a Data Protection Impact Assessment ('DPIA') (Article 11 of the Bill).
Rights and duties of data principals
Right to information about personal data
Recognising that every individual should be able to obtain certain basic information about their personal data, Article 12 of the Bill grants data principals the right to obtain from the data fiduciary confirmation about the processing, a summary of the personal data being processed, and the identities of all the data fiduciaries with whom the data has been shared, as well as the categories of data shared.
Right to correction and erasure of personal data
To enable correction, update, completion, and erasure of personal data where it is no longer needed, data principals are granted the right to correction and erasure of personal data (Article 13 of the Bill).
Right of grievance redressal
Article 15 of the Bill gives data principals the right to register a grievance with the data fiduciary and to escalate the complaint to the Board, in case of lack of response or unsatisfactory response from the data fiduciary (please see the section 'Compliance framework' below for further detail).
Right to nominate
A data principal shall have the right to nominate any other individual, so that, in the event of death or incapacity of the data principal, the nominees may exercise the rights of the data principal on their behalf (Article 16 of the Bill). In relation to the right in question, the Explanatory Note outlines that the right to nomination has been borrowed from other sectors, where it is a basic practice and a right available to individuals.
Duties of data principals
Interestingly, the Bill also lists various duties that data principals are expected to abide by. The Explanatory Note explains that the inclusion of duties for data principals aims at ensuring that there is no misuse of rights and that the exercise of rights does not lead to adverse effects on others' rights. For example, Article 16(2) of the Bill prohibits data principals from registering a false or frivolous grievance or complaint with a data fiduciary or the Board.
International data transfers
Notably, Article 17 of the Bill permits the transfer of personal data outside of India, to certain notified countries and territories; however, an assessment of relevant factors by the Government would precede such a notification.
Notably, the Bill outlines a number of exemptions, including where:
- the processing of personal data is necessary for enforcing any legal right or claim;
- the processing of personal data by any court or tribunal or any other body in India is necessary for the performance of any judicial or quasi-judicial function;
- personal data is processed in the interest of prevention, detection, investigation, or prosecution of any offence or contravention of any law; and
- personal data of data principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India.
The Bill tasks the Board with the power of enforcing its provisions. According to Articles 19 and 21(1) of the Bill, the Board would be established, by means of a notification, by the Government, and would function as an independent body operating as a digital office.
In regard to its functions, the Board would be tasked, among other things, with the responsibility to determine non-compliance with the provisions of the Bill and impose penalties accordingly. In the event of a data breach, the Board may direct the data fiduciary to adopt urgent measures to remedy the incident.
Moreover, Article 21 of the Bill lays down the processes to be followed by the Board in enforcing compliance with the Bill. As highlighted by the Explanatory Note, the Bill stipulates an obligation for the Board to adhere to the principles of natural justice in every step of the process of inquiry.
Alternative dispute resolution and voluntary undertaking
Interestingly, resolution of complaints by the Board is not the only option under the Bill. In fact, if the Board deems that a complaint may be more appropriately resolved by mediation or similar dispute resolution process, it may direct the parties concerned to attempt resolution in such alternative avenues.
Moreover, the Board may accept a voluntary undertaking in any matter related to compliance with the Bill. As the Explanatory Note highlights, the Bill includes voluntary undertaking as a measure to promote timely admission of wrongdoing and correction of lapses.
In any case, the Bill gives the Board the power to impose financial penalties in case of non-compliance. In detail, the Bill stipulates, under Article 25, that in case of significant non-compliance with its provisions, the Board may impose financial penalties not exceeding INR 500 crore (approx. €59 million). Financial penalties are further specified under Schedule 1 of the Bill.
Importantly, the Explanatory Note clarifies that the criminalisation of lapses and non-compliance has been avoided.
Amendments to other laws and consistency
Article 30 of the Bill seeks to amend the provisions set out in other laws. Specifically, Article 30(1) of the Bill would amend the Information Technology Act, 2000, as amended [3] ('the IT Act'), as follows:
- Section 43A of the IT Act shall be omitted;
- in Section 81 of the IT Act, after the words and figures 'the Patents Act, 1970', the words 'or the Digital Personal Data Protection Act, 2022' shall be inserted; and
- Section 87(2)(ob) of the IT Act shall be omitted.
In addition, Article 30(2) of the Bill would amend Section 8(1)(j) of the Right to Information Act, 2005 [4], omitting part of the provision set out therein.
In any case, Article 29(2) of the Bill provides that, in case of conflicts between the Bill and other laws, the provisions of the Bill shall prevail.
Upon issuing the Bill, MeitY invited feedback from the public on it. The period of public consultation is set to end on 17 December 2022.
Anna Baldin, Senior Privacy Analyst
1. Available at: https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Protection%20Bill,%202022.pdf
2. Available at: https://www.meity.gov.in/writereaddata/files/Explanatory%20Note-%20The%20Digital%20Personal%20Data%20Protection%20Bill,%202022.pdf
3. Available at: https://www.dataguidance.com/sites/default/files/information_technology_act_2000_as_amended_in_2008.pdf
4. Available at: https://rti.gov.in/rti-act.pdf