India: An overview of the Data Protection Act
In 2019, the draft Personal Data Protection Bill, 2019 ('the Bill') was referred to a joint committee comprising members of both houses of the Indian Parliament, called the Joint Committee on the Personal Data Protection Bill, 2019 ('the Committee'). After a number of extensions, the Committee finally laid and presented its report ('the Report') before both houses of Parliament on 16 December 2021. The Report contains a clause-by-clause examination of the Bill and the Committee's proposed revisions to the text, embodied in the Data Protection Act, 2021 ('the Act'). Mathew Chacko, Aadya Misra, and Shambhavi Mishra, from Spice Route Legal, provide an overview of the Act in terms of its scope, key definitions, and provisions for data subjects' rights.
The scope of the Act
The Act applies to:
- the processing of personal data within India, where such data has been collected, stored, disclosed, shared, or otherwise processed within India;
- the processing of personal data by any person under Indian law; and
- the processing of personal data by data fiduciaries or data processors not present within India if the processing is in connection with any:
  - business carried out in India, or any systematic activity of offering goods or services to data principals within India; or
  - activity that involves the profiling of data principals in India.
The Act empowers the Central Government of India ('the Government') to exempt from its applicability the processing of personal data of citizens not within India pursuant to a contract with such persons outside India.
The Committee has recommended bringing the regulation of 'non-personal data' (that is, data that is not personal data) within the ambit of the Act. Accordingly, the Act now regulates personal data, sensitive personal data, and non-personal data. While the Committee has gone on to clarify within the Report that the Act should protect the digital privacy of individuals and 'non-digitised' data ought not be included within its ambit, the provisions of the Act continue to regulate non-digitised data as well.
The main regulator for data protection
The Act empowers the Government to establish a Data Protection Authority of India ('the Authority'), which will be the umbrella authority that regulates both personal and non-personal data. The Committee recommends that the Authority should be constituted within three months of enactment and commence its activities within six months of the notification of the new law.
The Authority's overarching responsibility is to protect the interests of data principals, prevent the misuse of personal data, ensure compliance with the Act, and promote awareness of data protection. Its other functions include monitoring and enforcing the application of the Act, taking prompt and appropriate action in response to data breaches, monitoring cross-border data transfers, advising the Government on data protection matters, and dealing with complaints, among other obligations.
The Committee has also underscored the Authority's obligations and responsibilities in relation to data breaches and has prescribed certain principles that the Authority ought to follow while governing data breaches.
Separately, the Committee has recommended that the Authority promote innovation and, in this regard, keep in mind the interests of startups and encourage regulatory sandboxes.
Finally, the Committee has recommended that the Authority ensure that governmental interests are upheld while framing policies. This raises questions on the independence of the Authority – and we expect further debate on the segregation between the Authority and the executive.
Key definitions under the Act
Similar to a data controller under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), a 'data fiduciary' is any person (including the state, companies, non-governmental organisations, juristic entities, and individuals) who either alone, or with others, determines the purpose and means of processing personal data.
A 'data processor' is any person (including the state, companies, non-governmental organisations, juristic entities, and individuals) who processes personal data on behalf of a data fiduciary.
Personal data, non-personal data, and sensitive personal data
'Personal data' is data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute, or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and includes any reference drawn from such data for the purpose of profiling. On the other hand, 'non-personal data' is data that is not personal data, and it includes anonymised personal data.
'Sensitive personal data' is personal data which may reveal, be related to, or constitute financial data, health data, official identifiers, sex life, sexual orientation, biometric data, genetic data, transgender or intersex status, caste or tribe, or religious or political beliefs or affiliations. The Government, in consultation with the Authority and applicable sectoral regulators, has the powers of classifying certain categories of personal data as sensitive personal data.
Similar to a data subject under the GDPR, a 'data principal' is the natural person to whom the personal data relates.
Legal bases for processing personal data
Consent is the primary ground for processing personal data under the Bill.
- Personal data can only be processed where the data principal has, at the commencement of processing, given free, informed, specific, and clear consent that is capable of being withdrawn.
- Sensitive personal data can only be processed with the explicit consent of the data principal.
- The burden of proving that the consent of a data principal has been sought rests with the data fiduciary.
- Data fiduciaries can only process personal data for purposes consented to by the data principal, or for purposes incidental or connected to such purposes, where the data principal would reasonably expect the processing having regard to the purpose, context, and circumstances in which the personal data was collected.
- The provision of goods or services, contractual performance, or the enjoyment of a legal right or claim cannot be:
  - made conditional on consent to the processing of any data not necessary for the purpose; or
  - denied on the basis of the data principal's exercise of choice.
The Act permits the processing of personal data without consent:
- for the performance of certain state functions;
- as required under applicable laws; and
- for compliance with a judgment or order of a court, quasi-judicial authority, or tribunal in India.
The Act further permits the processing of personal data without consent:
- to respond to a medical emergency involving a threat to the life or a severe threat to the health of a data principal;
- to provide medical treatment or health services during threats to public health such as epidemics or outbreak of diseases; or
- to undertake measures to ensure the safety or provide assistance or services to any individual during a disaster or breakdown of public order.
The Act permits the processing of personal data after accounting for the legitimate interest of the data fiduciary, but only for certain reasonable purposes that may be prescribed by the Authority. Examples include whistleblowing, mergers, acquisitions, and other similar corporate restructuring or combination transactions in accordance with applicable laws, processing of publicly available personal data, and operating search engines.
The Act permits the processing of personal data (except for sensitive personal data) without consent for processing necessary for the purpose of employment such as recruitment, termination, or verification of employees.
The Act does not recognise grounds such as processing for the interests of data principals or processing in connection with contracts with data principals.
Data processing principles
The Act imposes the following obligations on data fiduciaries (as further detailed in Section 7 below) in relation to personal data processing:
- processing must only be in accordance with the Act, and data fiduciaries remain responsible for compliance;
- processing must be done in a fair and reasonable manner, and ensure the privacy of the data principal;
- processing must only be for the purpose consented to by the data principal or purposes that are incidental to or connected with such purpose (except where consent is not required) and which the data principal would reasonably expect that the personal data will be used for, having regard to the purpose, context, and circumstances in which the personal data is collected;
- personal data must be collected only to the extent that is necessary for the purposes of processing such personal data;
- data fiduciaries must provide data principals with notice of processing;
- personal data processed must be complete, accurate, not misleading, and up-to-date; and
- personal data must not be retained beyond the period necessary to satisfy the purpose for which it was collected.
Controller and processor obligations
Data processing notification
The Act empowers the Authority to notify a sub-category of data fiduciaries as 'significant data fiduciaries', depending on the volume of personal data processed, the sensitivity of such data, the risk of harm posed by the processing, and the turnover of the data fiduciary. Significant data fiduciaries are required to register themselves with the Authority.
The Committee has adopted a pro-localisation stance and recommends that the Government prepare and implement a policy on data localisation to uphold the sovereignty and integrity of India, national security, and promotion of businesses, innovation, and investments. Under the Act:
- sensitive personal data may be transferred outside India but a copy of such data must continue to be stored within India; and
- critical personal data (the categories of which are not yet notified) may only be processed in India.
Sensitive personal data may only be transferred outside India with the explicit consent of the data principal and on the basis of:
- a contract or an intra-group scheme approved by the Authority in consultation with the Government; the contract or intra-group scheme will not be approved if it is against public or state policy, and it must contain provisions governing the protection of data principal rights and the data fiduciary's liability for harm caused due to non-compliance;
- the approval of the Government for transfer to a country or organisation that is approved or judged 'adequate', where the transfer would not affect the enforcement of laws. For transfers in accordance with an adequacy decision, sensitive personal data cannot be shared with a foreign government or agency unless approved by the Government; or
- an approval from the Authority (where such approval is provided in consultation with the Government).
Separately, critical personal data may only be transferred outside India if the transfer is to a:
- person or entity engaged in health or emergency services or purposes; or
- country or an entity approved by the Government with respect to security and strategic interests of the State.
Data processing records
Data fiduciaries are required to maintain and make available certain information such as the categories of personal data collected, purposes of collection, existence and procedure for data principal rights, right of the data principal to file a complaint against the data fiduciary, data trust scores, information relating to cross-border transfers, and fairness of the algorithm or method used for personal data processing, among others.
Significant data fiduciaries are required to maintain additional records relating to the important operations in the data lifecycle, periodic review of security safeguards, impact assessments, and other aspects of processing.
Data Protection Impact Assessment
The Act requires significant data fiduciaries to conduct Data Protection Impact Assessments ('DPIAs') where they:
- undertake any processing using new technologies;
- undertake large scale profiling;
- use sensitive personal data; or
- undertake processing that carries a risk of significant harm to data principals.
A DPIA must contain:
- a detailed description of the proposed processing operation, its purpose, and the nature of personal data processed;
- the assessment of any potential harm caused to the data principal; and
- measures for the management, mitigation, and removal of such harm.
The data protection officer ('DPO') appointed must review the DPIA and submit their findings to the Authority. The Authority has the right to either require data fiduciaries to cease processing or direct the data fiduciary to comply with additional conditions if it finds that processing is likely to cause harm to data principals.
Only significant data fiduciaries are required to appoint DPOs, who will be required to fulfil certain qualification criteria and must be based in India.
Data breach notification
A data breach has been defined as including both a personal data breach, as well as a non-personal data breach. Regarding the notification of breaches:
- Data fiduciaries must report any breach of personal data processed by them to the Authority within 72 hours of becoming aware of the breach.
- The Authority has the right to determine whether the occurrence of such breach should be notified to data principals by accounting for the personal data breach and the risk of harm to the data principal. Additionally, the Authority may direct the concerned data fiduciary to take steps to remedy the breach or mitigate the harm caused to the data principal.
- The Authority has the right to determine steps and processes in the event of a breach of non-personal data.
The Act does not prescribe any exact retention periods. However, data fiduciaries must not retain personal data beyond the period necessary to satisfy the purpose for which it was collected. The data must be deleted at the end of such period.
The Committee has observed that the Bill was unclear on consent requirements when a child attains the age of majority (which is 18 years in India). The Committee goes on to recommend that forthcoming rules issued under the Act must incorporate the following provisions:
- data fiduciaries dealing exclusively in children's data must be registered with the Authority;
- the Majority Act, 1875 should apply to a contract between data fiduciaries and data principals when they attain majority;
- the data fiduciary should, three months prior to a data principal attaining majority, notify the data principal that fresh consent must be provided on the date of attaining majority; and
- services must only be discontinued if the data principal opts out of processing.
Processing of the personal data of a child (i.e., someone below the age of 18 years) must be done in a manner that protects the rights of the child. A data fiduciary must, before processing the personal data of a child, verify the age of the child and obtain their parent's or guardian's consent in a prescribed manner.
Data fiduciaries are prohibited from profiling or tracking children, monitoring their behaviour, directing advertising at them, or undertaking any processing that can cause significant harm to a child.
Sensitive personal data
- Explicit consent: for processing sensitive personal data, the consent of the data principal must be explicitly obtained:
  - after informing them of the purposes of, or operations in, the processing that are likely to cause significant harm to the data principal;
  - in clear terms, without recourse to inferences drawn from conduct or context; and
  - after giving them the choice of separately consenting to the purposes of, or operations in, the use of the different categories of sensitive personal data relevant to the processing.
- The Authority has the right to specify additional safeguards or restrictions for the repeated, continuous, and systematic collection of sensitive personal data and for profiling based on it.
Controller and processor contracts
Data fiduciaries are required to enter into a contract with the processors they engage with for processing. A data fiduciary is responsible for compliance with the Act and for any processing undertaken by it or on its behalf, and the contract must be drafted accordingly.
Rights of data principals
The Committee recommends striking a balance between simplifying the exercise of data principal rights and enabling data fiduciaries to implement those rights in a practical manner.
Right to be informed
Data fiduciaries are required to provide data principals with a notice, either at the time of the data collection or as soon as reasonably practicable (if such data is not collected from the data principal).
The notice must contain details relating to the purposes of processing, the nature and categories of data being processed, the identity or contact details of the data fiduciary or data protection officer, the rights of data principals, the legal basis for processing, the source of the data collected, third-party recipients, details of cross-border transfers, the grievance redressal procedure, the right to file a complaint with the Authority, the entity's data trust score, and any other prescribed details.
Right to access
Data principals have a right to:
- seek confirmation on whether the data fiduciary is processing or has processed the personal data of such data principal;
- access all personal data being processed or a summary of such data;
- be provided with a brief summary of processing activities undertaken with respect to their data;
- access such information in a clear and concise manner easily comprehensible to a reasonable individual in a similar context; and
- access the identities of the data fiduciaries with whom personal data has been shared by any data fiduciary, together with the categories of personal data shared.
While the Bill was silent on the privacy rights of deceased individuals, the Committee has identified a need for data principals to have specific rights upon death. Accordingly, data principals have the right to nominate legal heirs or representatives as nominees who can exercise specific data principal rights on behalf of data principals upon their death.
Right to rectification
Data principals have a right to correct inaccurate or misleading personal data and otherwise to complete and update their data. Data fiduciaries must take necessary and practicable steps to notify any correction, completion, or updating of personal data to all entities to which they have disclosed such data.
Data fiduciaries have a general obligation to take steps to ensure that the personal data processed is complete, accurate, not misleading, and updated. Such steps must consider whether the personal data may be used to make a decision about the data principal, whether it will be disclosed to third parties, and whether it is kept in a form that distinguishes personal data based on facts from personal data based on opinions or assessments.
Right to erasure
Data principals have a right to the erasure of their personal data that is no longer necessary for the purpose for which it was processed. When data is erased, data fiduciaries are required to take necessary and practicable steps to notify all relevant entities and individuals to whom such data was disclosed.
Right to object/opt-out
Through the right to be forgotten, data principals have the right to restrict the continued disclosure or processing of their personal data where the disclosure or processing:
- has served the purpose for which it was collected, or is no longer necessary for the purpose;
- was done with the consent of the data principal and such consent has been withdrawn since; or
- is contrary to the Bill or any other law in force.
Right to data portability
Data principals have the right to receive data in a structured, commonly used, and machine-readable format, if the processing has been undertaken through automated means, and transfer this data to any other data fiduciary, except where:
- processing is necessary for state functions, compliance with the law, any judgment or order of any court, quasi-judicial authority, or tribunal; or
- compliance would not be technically feasible for the data fiduciary; the Authority will prescribe regulations to guide such decision making.
Right to not be subject to automated decision making
This right is not provided under the Bill.
Right to compensation
Aggrieved data principals possess the right to seek compensation from data fiduciaries or processors.
The Act prescribes different penalties depending on the nature of the contravention or offence and the type of actor involved.
A data fiduciary's breach of its obligations relating to data breaches, registering with the Authority, undertaking DPIAs, appointing DPOs, or conducting data audits may attract penalties that cannot exceed the higher of INR 50 million (approx. €586,860) or 2% of its total worldwide turnover of the preceding financial year.
A data fiduciary's breach of its obligations relating to the processing of personal data, processing of children's data, implementation of security safeguards, and cross-border data transfers may attract penalties that cannot exceed the higher of INR 150 million (approx. €1.7 million) or 4% of its total worldwide turnover of the preceding financial year.
A data fiduciary's breach of its obligation to comply with data principal rights without explanation may attract maximum penalties of INR 1 million (approx. €11,735) in case of significant data fiduciaries and INR 500,000 (approx. €5,870) otherwise.
A data fiduciary's failure to furnish any reports, returns, or information to the Authority may attract maximum penalties of INR 2 million (approx. €23,470) in case of significant data fiduciaries and INR 500,000 (approx. €5,870) otherwise.
A data fiduciary's failure to comply with the directions of the Authority may reach a maximum penalty of INR 20 million (approx. €234,700) while a data processor's failure of a similar nature may attract maximum penalties of INR 5 million (approx. €58,660).
Where the Act prescribes no penalties specifically, the residuary penalty prescribed is INR 10 million (approx. €117,360) in case of significant data fiduciaries, and INR 2.5 million (approx. €29,340) otherwise.
Aggrieved data principals have the right to seek compensation from data fiduciaries or processors, as applicable.
Persons that re-identify any data that has been de-identified by a data fiduciary or processor and process such re-identified data without the permission of the data fiduciary or processor may face imprisonment of up to three years, a fine not exceeding INR 200,000 (approx. €2,350), or both.