THE MINISTRY OF ELECTRONICS AND INFORMATION TECHNOLOGY RELEASES THE DIGITAL PERSONAL DATA PROTECTION BILL, 2022

CORPORATE LAW UPDATE

25th November 2022

Issue No.15/22-23

On 18th November 2022, the Indian government published India’s latest draft data protection legislation, the Digital Personal Data Protection Bill, 2022 (“2022 Bill”), for public consultation. The Government has invited comments on the 2022 Bill until 17 December 2022. The 2022 Bill differs from the previously proposed drafts, i.e., the Personal Data Protection Bill, 2019 (“2019 Bill”) and the Joint Parliamentary Committee’s Data Protection Bill, 2021 (“JPC Bill”). The 2022 Bill applies only to ‘digitised’ personal data and removes all references to non-personal data. It does away with the categorization of personal data into sensitive personal data and critical personal data, along with the provisions on non-personal data, algorithmic accountability, data portability and a governing framework for hardware/software certification. The 2022 Bill follows the recognised principles of data protection, namely (a) Lawfulness, Fairness & Transparency; (b) Purpose Limitation; (c) Data Minimization; (d) Accuracy; (e) Storage Limitation; (f) Integrity & Confidentiality; and (g) Accountability (collectively, “Principles”). The purpose of the Bill is to apply these Principles to all data relating to identifiable individuals that may be collected, recorded, organised, structured, adapted, altered, retrieved, used, aligned, combined, indexed, shared, disclosed, disseminated, erased, destroyed, made available or restricted through automated means. Furthermore, the references to data localization have been deleted, while the central government has been empowered to approve cross-border data transfers to whitelisted countries. The 2022 Bill introduces a list of situations where consent may be ‘deemed’ and need not be explicit, with the aim of providing flexibility in data processing. However, it also requires the government to notify the ‘fair and reasonable purposes’ that serve as the residuary ground for processing.

Some of the key highlights of the 2022 Bill have been summarised below:

1. APPLICABILITY AND SCOPE:

a. SCOPE OF DATA: The 2022 Bill applies to the processing of “digital personal data”. Processing of both non-personal data and data in non-digital formats has been excluded. The 2022 Bill has also done away with the categorization of personal data into Sensitive Personal Data (“SPD”) and Critical Personal Data (“CPD”).

b. TERRITORIAL APPLICATION: The 2022 Bill not only applies to processing digital personal data within the territory of India but also to the processing of digital personal data outside India if such processing is in connection with any profiling or offering goods or services to data principals within India.

c. PROCESSING ACTIVITIES: The 2022 Bill does not apply to non-automated processing, processing for domestic or personal purposes by individuals and personal data about individuals contained in records that have been in existence for at least 100 years.

The JPC Bill sought to regulate both personal and non-personal data (“NPD”) within the same legislation. Even the 2019 Bill included provisions on sharing of NPD with the central government. The exclusion of NPD from the scope of the personal data protection bill was a key demand from various stakeholders. Similarly, stakeholders had demanded that the types of SPD should be limited to ensure legal certainty and the concept of CPD should be removed – this has largely been accepted in the 2022 Bill. However, the Bill retains the broad territorial scope of past versions and may apply to the incidental processing of personal data of people in India by foreign businesses.

2. CONSENT:

‘Consent’ means an indication by the data principal signifying his/her assent to their data being processed for a specified purpose. The consent has to be free, specific, informed and unambiguous, and must be given through a clear affirmative action. The ‘specified purpose’ has to be mentioned in the notice given by the data fiduciary. This notice should be clear, itemized and in simple language. Data principals also have the right to withdraw their consent and to utilize the services of consent managers. If a data principal withdraws their consent, the data fiduciary will have to stop processing that data principal’s personal data, unless such processing is otherwise authorized under the 2022 Bill or it is necessary to process that principal’s data without their consent. Data principals are entitled to access the information made available to them in English, or in any language specified in the Eighth Schedule of the Constitution of India. This is a new requirement. In tune with this, government officials had earlier indicated that the 2022 Bill would be simple, accessible and inclusive for everyone, including citizens in rural areas.

Consent remains the primary ground for processing personal data. However, under the 2022 Bill, data fiduciaries may only have to provide notice to data principals when they process personal data on the basis of consent, and not when they process on the basis of deemed consent. The requirement for the data fiduciary to cease processing when the data principal withdraws their consent is new. As a result, data processors may have to cease processing once instructed by their data fiduciaries, if the data principal withdraws consent.

3. DEEMED CONSENT:

The 2022 Bill introduces the concept of ‘deemed consent’. It refers to circumstances where consent is not expressly needed and includes situations where the data principal voluntarily provides their data or can reasonably be expected to do so, and processing for the performance of functions under law, among others. The 2022 Bill also recognizes deemed consent for public interest – such as for preventing fraud, ensuring network and information security, and for fair and reasonable purposes.

Industry stakeholders requested the codification of certain grounds mentioned in the 2019 Bill – like fraud, network and information security, and others which have now been included as ‘public interest’ grounds under the 2022 Bill. However, the 2022 Bill does not explicitly include ‘legitimate interests’ and ‘performance of a contract’ as grounds to process personal data without consent. The power to specify fair and reasonable purposes now vests with the central government as compared to the earlier 2019 Bill, where the data protection authority could prescribe them through regulations.

4. DATA TRANSFERS:

The 2022 Bill does not include references to local storage or localization requirements. However, it introduces new conditions for cross-border data transfers. Now, the central government can notify the countries or territories to which personal data may be transferred. While notifying these territories, the central government can assess any factors that it may consider necessary. Details on these factors are awaited. The 2022 Bill limits cross-border transfers of personal data to jurisdictions that the government notifies. Unlike the earlier 2019 Bill, this restriction applies to all personal data, not just SPD and CPD. This appears to be similar to the mechanism under the General Data Protection Regulation (“GDPR”). The GDPR is a regulation on data protection and privacy in the European Union and the European Economic Area. Unlike the GDPR, the Bill does not recognize other grounds for overseas transfers, such as standard contractual clauses, certifications and others.

5. PERSONAL DATA BREACH:

A ‘personal data breach’ includes both unauthorized processing and accidental disclosure, use, sharing, acquisition, etc. of personal data. The 2022 Bill states that data fiduciaries and data processors can be penalized up to INR 250 crores for failure to ensure reasonable security safeguards. They can also be penalized up to INR 200 crores if they fail to report a personal data breach to the proposed Data Protection Board (“DPB”) and the affected data principals. The earlier timeline of 72 hours for data fiduciaries to report data breaches has now been removed. The obligation to report data breaches has also been extended to data processors.

6. SIGNIFICANT DATA FIDUCIARIES:

The government can notify ‘Significant Data Fiduciaries’ (“SDFs”) based on the volume and sensitivity of the personal data they process, the risk of harm to the data principal, their potential impact on the sovereignty and integrity of India, the risk to electoral democracy, and other factors. SDFs are subject to additional obligations, such as appointing an independent data auditor to assess their compliance with the 2022 Bill and conducting data protection impact assessments. They must also appoint a data protection officer based in India. A notable change is that the 2022 Bill does not automatically consider social media platforms that meet a specified user threshold to be SDFs. Also, SDFs earlier had to mandatorily conduct data protection impact assessments only for data processing involving the use of new technologies, large-scale profiling, use of SPD, or any other processing which carried a risk of significant harm to a data principal. Now, the 2022 Bill mandates data protection impact assessments for all SDFs.

7. OBLIGATIONS OF DATA FIDUCIARIES:

Data fiduciaries must make reasonable efforts to ensure the accuracy and completeness of the data they process, remove or cease to retain data for which the purpose of processing is complete, and establish grievance redressal mechanisms. They must publish the details of a data protection officer (for SDFs) or appoint a person who can answer the data principal’s questions about the processing of their personal data and publish that person’s details. Data fiduciaries are also ultimately responsible for complying with the provisions of the 2022 Bill. The obligations on data fiduciaries under the 2022 Bill are more or less similar to those under the JPC Bill and the 2019 Bill.

8. OBLIGATIONS OF DATA PROCESSORS:

The 2022 Bill clarifies that most obligations apply to data fiduciaries, but it extends some obligations to both fiduciaries and processors. For example, the obligation to take reasonable security measures to protect personal data and to report personal data breaches to the Data Protection Board and affected data principals applies to fiduciaries as well as processors. Under the 2022 Bill, data fiduciaries can engage data processors through a valid contract, and sub-processing is allowed if the data processor’s contract with the data fiduciary permits it.

9. DATA PROTECTION BOARD:

The government will establish the DPB, which will operate as an independent body and function as a digital office. The government can prescribe its composition, the qualifications and experience of its members, the process of selection, terms of appointment, removal, salary, allowances and other matters through rules. The DPB will enforce the provisions of the 2022 Bill and impose penalties for non-compliance. It can conduct hearings, summon and enforce attendance, and examine persons on oath, among other functions. Notably, however, the DPB cannot prevent access to a premises or take custody of any equipment or item in a manner that may disrupt the day-to-day functioning of any entity during its inquiries. The DPB can also accept voluntary undertakings, i.e. an entity subject to proceedings for non-compliance can undertake to perform or abstain from certain actions, in which case the enforcement proceeding will stop.

The JPC Bill and the 2019 Bill specified the composition of the proposed data protection authority. The 2022 Bill, in contrast, states that the government can appoint the chief executive of the DPB and prescribe the terms and conditions of that office and its functions. The 2022 Bill also specifically calls out the independence of the DPB, which was absent from the JPC Bill and the 2019 Bill. But notably, the central government retains control over several aspects of the DPB’s functioning. The role of the DPB has also been reduced, as it has been made to focus on enforcement and adjudication, whereas under the 2019 Bill the data protection authority had a larger role, which would have been exercised through the regulations it was empowered to issue. Now the DPB cannot issue regulations; only the central government can frame rules.

10. PENALTIES:

The 2022 Bill prescribes the maximum penalties to be INR 5 billion in each instance. Both the data processors and data fiduciaries can be penalized up to INR 2.5 billion if they fail to put in place reasonable security safeguards to prevent personal data breaches. The government may amend penalties, but newly proposed penalties cannot be more than double of what is prescribed in the 2022 Bill. The JPC Bill had recommended that the government retain flexibility to determine penalties by considering rapidly evolving technologies. While the 2022 Bill also allows the government to amend penalties, it prescribes an upper limit.

11. RIGHTS OF DATA PRINCIPALS:

Data principals have the right to (a) obtain information on the personal data being processed, the processing activities, and the identities of all the data fiduciaries with whom their data has been shared; (b) correction and erasure of their data; (c) nominate an individual to exercise their rights on their behalf in the event of their death or incapacitation; and (d) grievance redressal, among others.

They can exercise these rights through the data fiduciary. The JPC Bill and the 2019 Bill provided for the right to data portability, i.e., the right to move one’s personal data across different service providers, which has now been removed from the 2022 Bill. The 2022 Bill also introduces duties for data principals – these include (a) complying with the provisions of the 2022 Bill and other applicable laws while exercising their rights, (b) refraining from registering false or frivolous grievances with data fiduciaries, (c) refraining from furnishing false particulars or suppressing material information, and (d) furnishing information that is verifiably authentic. None of the earlier drafts provided for any duties of data principals.

12. CHILDREN’S DATA:

The 2022 Bill defines a ‘child’ as a person below 18 years of age. Data fiduciaries must obtain parental consent to process children’s data, and cannot track children or target advertisements at them. However, the central government can prescribe exemptions to these prohibitions. In the previous versions, data fiduciaries processing children’s data were deemed to be SDFs – this is no longer the case.

13. POWERS OF THE GOVERNMENT:

The government can frame rules on various issues, such as the fair and reasonable purposes for processing personal data without consent, the form and manner of reporting data breaches, and the composition, qualifications and selection of members of the DPB. The JPC Bill and the 2019 Bill allowed the proposed data protection authority to frame regulations; these powers have now been given entirely to the government.

14. EXEMPTIONS:

The government may exempt state agencies from the application of the 2022 Bill in the interest of the sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order or preventing incitement to a cognizable offence related to these. The 2022 Bill also exempts processing if the data is not used to make decisions specific to a data principal. The central government can exempt certain classes or types of data fiduciaries from obligations under the 2022 Bill. Processing for a few purposes, such as enforcing a right or claim, performance of judicial functions, preventing contravention of laws, and others, is exempted. The government’s power to exempt state agencies and to exercise discretion has been expanded. The exemption for processing the personal data of foreign data principals has also been clarified to apply to all entities processing such data.

15. OVERRIDING EFFECT OF THE 2022 BILL:

The 2022 Bill, if enacted, will have an overriding effect over other laws in case of conflicting provisions. Once the 2022 Bill comes into effect, Section 43A of the Information Technology Act, 2000 shall be omitted. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which have been framed under Section 43A of the Information Technology Act, 2000, will also cease to be effective. Furthermore, the 2022 Bill amends Section 8(1)(j) of the Right to Information Act, 2005 (“RTI Act”) in order to exempt “any information which relates to personal information” from disclosure under the RTI Act, without any qualifiers or conditions.

Section 8 of the RTI Act, as it exists now, does not permit disclosure of “information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information”. The 2022 Bill amends Section 8(1)(j) of the RTI Act by deleting the qualifying portion in quotes, so as to bar any disclosure of personal information.

A copy of the 2022 Bill may be accessed here.

Disclaimer: This newsletter is for general information only and not intended for any solicitation. Views expressed in this newsletter are as on date and not necessarily of V Law Partners (“VLaw”). While reasonable efforts have been taken to provide correct information, VLaw cannot and does not warrant or guarantee the accuracy of the information provided in the newsletter. Readers are advised not to rely solely on this information when making any decision.

Suggestions: If you do not wish to receive our newsletters or have any comments or suggestions for us, please write to us at – admin@vlawpartners.com