On November 18, 2022, the Indian government released a new draft Digital Personal Data Protection Bill, 2022 (the “Draft Bill”). The Draft Bill has been released for public comments (which can be sent on or before December 17, 2022). The previous iterations of the bill, namely the Personal Data Protection Bill, 2019 (the “2019 Bill”) and the Data Protection Bill, 2021 (the “2021 Bill”) were withdrawn after several issues were raised by stakeholders. The Draft Bill is expected to be placed before the Indian parliament during the winter session. This article analyses the Draft Bill and assesses the notable changes as compared to the 2019 Bill and the 2021 Bill.
Applicability and scope of the law
Unlike the 2021 Bill, the Draft Bill is chiefly focused on regulating the use of digital personal data of data principals. The Draft Bill covers: (i) the processing of digital personal data of data principals within India; and (ii) the processing of digital personal data outside India, if this involves the collection of data that relates to the behavior or interests of data principals within India, or data emanating from goods or services offered for sale to data principals within India. The Draft Bill does not apply to any non-personal data, any data in a non-digital format or personal data about an individual that is contained in a record that has been in existence for at least one hundred years. Further, it does not apply in cases of non-automated processing of personal data or processing of personal data by an individual for any personal or domestic purpose. Furthermore, the Draft Bill has removed the classification of personal data in various categories, such as sensitive personal data and critical personal data.
Under the 2019 Bill and the 2021 Bill, there existed the concept of processing data without consent in certain instances. The Draft Bill brings in the concept of “deemed consent” which is consent that is deemed to have been given by the data principal for specified reasons including, a medical emergency, for employment purposes, to comply with any judgment or order issued under any law, or in public interest.
However, the Draft Bill empowers the government to prescribe additional categories of deemed consent for any fair and reasonable purpose if the legitimate interests of the data fiduciary in processing a data principal’s data for a specific purpose outweigh any adverse effect on the rights of the data principal, but after taking into consideration any public interest issues in processing the data or reasonable expectations of the data principal. Such a broad power can result in government overreach on an individual’s personal data and right to privacy.
Besides, while consent for a specific purpose (which is not classified as “deemed consent”) may be withdrawn by the data principal, the Draft Bill fails to address immediate or future withdrawal of deemed consent and the question arises whether it is even possible for a data principal to specifically withdraw consent in a situation where there is deemed consent.
The right to data portability that was prescribed in the 2019 Bill and the 2021 Bill is absent in the Draft Bill. In the 2019 Bill and the 2021 Bill, it was proposed that the data principal shall have the right to receive his/her personal data in a structured, commonly used, and machine-readable format. This included any personal data provided to the data fiduciary, data generated by a data fiduciary on a data principal by virtue of the data principal using services or purchasing goods online, or the profiled data of the data principal. Further, data principals were entitled to transfer their personal data to any other data fiduciary. Such data portability rights would have been beneficial to data principals and would allow them to better monitor and manage their data.
Right to be forgotten
The 2019 Bill as well as the 2021 Bill empowered data principals with the right to be forgotten (which is the right to restrict or prevent the continuing disclosure of personal data by a data fiduciary) as well as the right to correction and erasure of personal data. The Draft Bill is silent on the data principal’s right to be forgotten, although it retains the right to correction and erasure of personal data. In our view, these two concepts cannot be conflated and should have been kept independent.
As regards the 2019 Bill, the Joint Parliamentary Committee had emphasized the importance of data localization and had proposed measures to restrict cross-border data flow. The Draft Bill does not contain any restrictions on the transfer of personal data outside India as was specified in the 2019 Bill.
However, the Draft Bill gives the government the right to impose restrictions on the transfer of personal data outside India and notify jurisdictions to which a data fiduciary may not transfer personal data (or otherwise prescribe terms and conditions for such transfer). Although no blanket restrictions on cross-border data transfer have been prescribed, lack of clarity on the jurisdictions to which data may or may not be transferred, or the criteria for assessing to which jurisdictions data may or may not be transferred, leaves a lot of ambiguity for businesses. Upfront clarity on this issue is necessary, so that technology companies can plan their data processing in countries where this will be permissible.
Data protection authority
Chapter 5 of the Draft Bill seeks to establish a Data Protection Board of India (the “Board”). The functions of the Board will include the handling of complaints, formation of groups for hearing of complaints, and passing decisions. Unlike the 2019 Bill, the Board cannot frame its own regulations or codes of practice. Details on the structure, functions, and mode of establishment of the Board have also been enumerated.
Orders passed by the Board will be subject to review by a larger group. Further, the Board’s orders will be subject to an appeal before the High Court to be preferred within a period of sixty (60) days from the date of the order appealed against. Otherwise, civil courts have been barred from entertaining any issue that may arise in connection with the provisions of the Draft Bill. The Board is also free to direct parties to mediation or any other dispute resolution mechanism as it deems fit.
The 2019 Bill proposed a penalty not exceeding an amount of INR 15 crores (US$ 1.83 million approx.) or 4 per cent of the defaulting entity’s global turnover for non-compliance of the proposed provisions. Section 25 of the Draft Bill has raised the applicable penalty limit to INR 500 crores (US$ 61 million approx.).
In addition, the Schedule of the Draft Bill imposes the following six (6) types of penalties on data processors and/or data fiduciaries for non-compliance.
- failure of data processor or data fiduciary to take reasonable security safeguards to prevent personal data breach will attract a penalty up to INR 250 crores (US$ 30.5 million approx.);
- failure to notify the Board and affected data principals in the event of a personal data breach, or non-fulfilment of the additional obligations in relation to processing of personal data of children (Section 10 of the Draft Bill) will attract a penalty up to INR 200 crores (US$ 24.4 million approx.);
- non-fulfilment of additional obligations of a significant data fiduciary (Section 11 of the Draft Bill) will attract a penalty up to INR 150 crores (US$ 18.3 million approx.);
- non-compliance with the duties of data principals (Section 16 of the Draft Bill) will attract a penalty up to INR 10,000 (US$123 approx.); and
- in addition, the Schedule to the Draft Bill specifies a default penalty up to INR 50 crores (US$ 6.1 million approx.) for contravention of the provisions for which fines have not been specified.
While the 2019 Bill allowed compensation to be given to an aggrieved data principal for misuse of the individual’s personal data, the Draft Bill has excluded such compensation requirements. In contrast, the Draft Bill makes the data principal liable up to an amount of INR 10,000 for not complying with the duties specified under the Draft Bill. This includes, furnishing unverifiable information, registering false and frivolous complaints, or furnishing any false information while applying for any document, service, unique identifier, proof of identity, or proof of address.
In our view, some of the changes proposed in the Draft Bill grant wide discretionary powers to the government. The provisions on exemption under Section 18 of the Draft Bill loosely enable the government to exempt the application of laws in relation to the processing of personal data proposed in the Draft Bill. Moreover, the lack of clarity on cross-border transfers of data makes things very ambiguous for the outsourcing industry as a whole, which has been a big exporter of services from India. Be that as it may, in comparison to its previous iterations, the Draft Bill has been appreciably simplified in terms of governance, interpretation, and its application.