Data Protection & Privacy
This insight piece has been prepared by colleagues Sumeet Lall (Partner) and Nikhil Lal (Senior Associate) in our New Delhi associated office, CSL Chambers, discussing the key takeaways from the recent Digital Personal Data Protection Bill 2022, which outlines the framework of India’s envisaged data protection law.
Internet users in India are growing at a staggering pace. Recent estimates suggest that there are approximately 700 million active internet users in India.
Unfortunately, despite the passage of over five years since the seminal judgment of the Supreme Court of India in “Justice K.S. Puttaswamy and Ors v. Union of India (UOI) and Ors.”, which held privacy to be a fundamental right and acknowledged the need for a robust regime for the protection of data, no comprehensive data protection legislation has been passed to date.
On 18 November 2022, the Ministry of Electronics and Information Technology released the fourth iteration of its proposed data protection law, the draft Digital Personal Data Protection Bill, 2022 (“Bill”). The Bill offers a legal framework to govern the collection, usage, processing, and storage of digital personal data.
Compared to its predecessors, the Bill has been drafted as a shorter and more reader-friendly piece of legislation. The Bill broadly sets out the roles and responsibilities of the various stakeholders; the specifics of the proposed legislation will be laid out in “Rules” to be issued subsequently.
We seek to highlight the broad features of the Bill in its present form.
Unlike the existing law, i.e., the Information Technology Act, 2000, which incorporates a vague criterion for its extra-territorial applicability, the Bill specifies that its provisions would apply to the processing of digital personal data outside India if such processing is in connection with any profiling of, or any activity of offering goods or services to, Data Principals within the territory of India.
Further, the Bill applies only to personal data that is collected online, or to offline data that is subsequently digitised.
First Notice Then Consent
As an added obligation on Data Fiduciaries, it is proposed that prior to or at the time of requesting a Data Principal for their consent to the processing of personal data, an itemised notice be given to them, setting out a description of the personal data sought to be collected and the purpose for processing such data.
Interestingly, Data Fiduciaries are also required to give Data Principals the option to access the contents of such a notice in English or any of the 22 languages set out in the Eighth Schedule to the Constitution of India.
Consent remains the foundation for processing of personal data. Consent is meant to be freely given, specific, informed, and unambiguous.
The Bill also proposes that Data Fiduciaries appoint a person for the purpose of addressing communications from Data Principals in relation to their rights over their digital personal data.
Akin to the erstwhile iteration, a concept of “Consent Managers” has been retained. These Consent Managers are Data Fiduciaries who enable a Data Principal to manage their consent. This entity is accountable to the Data Principal and acts on its behalf.
Data Transfer - No Mandatory Data Localization Requirements
The Bill in its present form no longer requires Data Fiduciaries to store critical personal data in India, as envisaged under the previous iteration of the data protection bill. This was a contentious point between the various stakeholders, and the present draft evinces the government’s flexibility towards commercial interests.
Rather, under the proposed regime, the Central Government, after an assessment of such “factors” as it may consider necessary, will notify countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.
However, owing to the complete exemptions granted to the Central and State Governments in India from the application of the Bill in the interest of sovereignty, there may be adverse effects on the transfer of data to India from foreign countries, especially those governed by the General Data Protection Regulation, in light of the Schrems II decision.
Data Protection Officers and Significant Data Fiduciary
Like the previous iteration, the Central Government will notify any Data Fiduciary, or class of Data Fiduciaries, as Significant Data Fiduciaries after considering relevant factors.
These Significant Data Fiduciaries need to comply with additional requirements, including appointing a data protection officer and an independent data auditor, along with other measures to be prescribed.
There is still ambiguity over the appointment of Significant Data Fiduciaries in the absence of a prescribed definition; however, it is likely that these entities will be those responsible for processing sensitive and/or voluminous amounts of personal data.
Data Protection Board
The Bill envisages the constitution of a Data Protection Board of India. The Data Protection Board will be responsible for conducting inquiries, issuing interim orders, determining non-compliance with the provisions of the Bill and imposing penalties.
The Data Protection Board may, if it concludes that there has been a significant non-compliance by any entity to which the Bill applies, impose harsh financial penalties upon that entity. Broadly, these penalties will be determined based on a set criterion and the nature of the offence. While the Data Protection Board is empowered to impose financial penalties of up to INR 500 crores (GBP 51,400,000 approximately), the penalties prescribed for non-compliances under the current version of the Bill do not exceed INR 250 crores (GBP 25,700,000 approximately).
Data Principals and their Obligations
Curiously, apart from the rights of Data Principals, including but not limited to the rights to information, correction and erasure, this version of the Bill has also imposed duties that Data Principals must adhere to. Non-compliance with such duties may attract the scrutiny of the Data Protection Board. Penalties of up to INR 10,000 (GBP 100 approximately) may be attracted if Data Principals are found to be non-compliant with their obligations under the proposed legislation.
A few instances in which Data Principals may come under the scanner of the Data Protection Board include:
Processing Children’s Data
The Bill defines a ‘child’ as a person below 18 years of age. This has remained a contentious issue, with stakeholders pressing for the age to be reduced. Further, Data Fiduciaries must obtain parental consent to process children’s data and cannot track children or target advertising at them.
However, these prohibitions are subject to exemptions prescribed by the Central Government.
Cyber Security & Breach
Like the requirements under the Information Technology Act, 2000, under the Bill a Data Fiduciary is obligated to adopt “reasonable security safeguards” in order to prevent or mitigate the risk of a breach.
In the event of a breach, the Data Fiduciary, or the Data Processor that processes data on its behalf, must notify the Data Protection Board. The Data Protection Board may thereafter direct the adoption of urgent measures to remedy such a breach. The Bill prescribes notification requirements towards Data Principals as well in the event of a data breach.
The form and manner of notifying the Data Protection Board is yet to be prescribed and is likely to be set out in rules issued under the proposed legislation.
In a significant departure from the previous iteration, the present Bill is drafted in a simple and concise manner. A large part of the digital personal data framework will be set out in the Rules, which will be tabled before Parliament from time to time.
The Bill in its present form appears amenable towards commercial interests, having done away with the requirements for Data Localisation and given an indication of how data transfers to other countries may be handled in the future. At the same time, however, both foreign and domestic companies to whom the Bill will apply may have to undertake significant compliance measures in relation to their obligations for giving notice, seeking consent from Data Principals, data breach response, the appointment of authorised individuals to communicate with Data Principals, etc.
The Central Government has invited comments from various stakeholders on the Bill by 17 December 2022.
Authored by CSL Chambers, New Delhi: Sumeet Lall (Partner - Sumeet.Lall@cslchambers.com), Nikhil Lal (Senior Associate – email@example.com) – should you have any queries relating to the content of this insight piece or require further information, please don’t hesitate to contact us.
CSL Chambers is an associated firm of Clyde & Co LLP, a full-service global law firm.