Digital Personal Data Protection Bill, 2023: Highlights
The Indian Government introduced the Digital Personal Data Protection Bill, 2023 ("New Bill") in the lower house of the Indian Parliament on August 3, 2023. The New Bill is the 4th and most recent version of India's proposed data protection law and is expected to be the version that is finally enacted into law.
We have summarised below the key highlights of the New Bill along with our preliminary views.
- No Implementation Period: The New Bill does not prescribe any timeline for coming into effect as law. However, it will become enforceable upon notification in the Official Gazette. It remains to be seen whether the Indian Government will notify all provisions of the New Bill simultaneously or in a piece-meal manner.
- Deletion of 'harm': The New Bill no longer defines the term "harm", which the 2022 version of the Digital Personal Data Protection Bill ("2022 Bill") used in the context of determining loss to a Data Principal (i.e., data subject)[1] as a consequence of a data breach. That definition led to ambiguity about the nature of losses that would be deemed to cause harm to Data Principals. The New Bill removes this ambiguity by linking data breach to losses that lead to (a) loss of property; (b) interruption in supply of services; or (c) loss of opportunity to gain financial advantage.
- No sub-categories of Personal Data: The New Bill defines personal data ("PD") as "any data about an individual who is identifiable by or in relation to such data". Like the 2022 Bill, which removed the sub-categories of 'Sensitive' and 'Critical' PD, it does not create sub-categories of PD.
- Revisions to Scope and Applicability:
  - Applies only to Digital Personal Data: The New Bill applies to digital PD, i.e., PD collected in digital form, or collected in non-digital form and subsequently digitised. Earlier, the 2022 Bill used the term "online" instead of "digital", which created ambiguity regarding the law's applicability to data processed electronically or digitally without the internet.
  - No concept of Profiling: The New Bill does not expressly apply to profiling of data, and references to "profiling" (including in the Applicability section) have been removed. The 2022 Bill expressly extended its obligations to offshore processing in relation to profiling of a Data Principal, i.e., analysing or predicting behaviour or other aspects of the Data Principal. This deliberate omission of "Profiling" may have interesting implications, particularly for processing activities that are not directly in conjunction with the sale of goods or services in India.
  - Emphasis on Automated Processing: The New Bill retains the emphasis on automated processing that was introduced by the 2022 Bill. The New Bill defines "processing" to mean "a wholly or partly automated operation or set of operations performed on digital personal data...". Therefore, the New Bill entirely excludes non-automated processing from its scope. This may be contrasted with the General Data Protection Regulation (GDPR), which extends to non-automated processing of PD in specified scenarios.
- Removal of Certain Exemptions: The New Bill removes certain exemptions from the scope under the 2022 Bill, including explicit exemptions provided to offline data, non-automated processing and historical records (i.e., 100+ years-old data). It also excludes PD made publicly available by the Data Principal (e.g., public social media posts) or by any other person under a legal obligation to make such PD publicly available (e.g., criminal records).
- Grounds for Processing: The New Bill permits processing of PD only when it is for a purpose not expressly forbidden. Such purpose must either (a) be expressly consented to by the Data Principal; or (b) qualify as a "Legitimate Use" of PD (as discussed below).
- Notice: The New Bill sets out certain requirements for notices for consent ("Notice") to be given by a Data Fiduciary (i.e., data controller)[2] to a Data Principal prior to collecting and processing their PD. These include (a) the content of the Notice, which must inter alia be in clear and plain language and specify the nature of the PD being collected, the purpose of processing, and the mechanism for exercising the Data Principal's rights, including the process for making complaints to the Data Protection Board of India ("Board"); (b) the discretion to use an itemised format for disclosure of such PD in the Notice; and (c) enabling the Notice to be viewed in English or any of the 21 (twenty one) languages specified in the Eighth Schedule to the Constitution of India, which requires multiple translations. Further, a Data Fiduciary must notify the Data Principal of PD collected prior to the New Bill's enactment and may continue processing such PD until consent is withdrawn.
- Substitution of "Deemed Consent" with "Certain Legitimate Uses": The New Bill has replaced the concept of "Deemed Consent" (where consent would be "deemed" to have been given) with the narrower concept of "Legitimate Uses". As per the New Bill, where a Data Principal voluntarily shares his/her PD for a specified purpose and has not indicated that he/she does not consent to the use of such PD, processing of that PD for this purpose is considered a legitimate use. The 2022 Bill gave businesses greater flexibility by allowing PD to be processed for any purpose for which it could be "reasonably expected" that he/she would provide such data.
Notably, several crucial matters for which consent was "deemed" to have been given under the 2022 Bill have been deleted in the New Bill. This includes recruitment or termination of employment, attendance verification, assessment of performance (i.e., biometric access data) and public interest matters such as credit scoring, fraud prevention, mergers, and debt recovery. That said, some of these matters have been covered elsewhere in the New Bill to a limited extent.
- Notable obligations of Data Fiduciary: The New Bill imposes several duties on Data Fiduciaries, including ensuring the accuracy, completeness and consistency of PD when it is likely to be used or disclosed to another Data Fiduciary. This is more demanding than the 2022 Bill, which only required reasonable efforts to ensure completeness and accuracy. The New Bill also requires Data Fiduciaries to erase PD when consent is withdrawn or when the specified purpose is complete. The 2022 Bill gave Data Fiduciaries greater flexibility by allowing them to "remove the means by which personal data can be associated with particular Data Principals", i.e., anonymisation. The Central Government is empowered under the New Bill to prescribe maximum retention periods for PD, requiring Data Fiduciaries to formulate data retention schedules ensuring that no PD is retained for longer than the prescribed period. Data Fiduciaries must report all PD breaches to the Board and to each impacted Data Principal, regardless of the incident's magnitude, in a format prescribed by the Central Government. The New Bill does not prescribe a specific timeline for such reporting.
All entities, including Data Fiduciaries, already have an obligation to report data breaches and other specified cyber incidents to a specified nodal agency, viz. CERT-In (Computer Emergency Response Team - India). The New Bill therefore makes it mandatory for the Data Fiduciary to follow dual reporting in the event of a data breach, both to CERT-In and the Board.
- Primary responsibility on Data Fiduciary, not Data Processor: The 2022 Bill mandated both Data Fiduciary and Data Processor to take reasonable security safeguards to prevent data breach. The New Bill now places this direct obligation only on Data Fiduciaries. Similarly, in the event of a PD breach, the 2022 Bill mandated both Data Fiduciary and Data Processor to notify the Board and the affected Data Principal. The New Bill now places this obligation only on Data Fiduciaries.
- Use of Data Processors: The New Bill does not delve into whether "Data Processors" also include sub-processors of PD. In contrast, the 2022 Bill expressly prohibited Data Processors from engaging another Data Processor or a sub-processor unless the contract between the Data Processor and the Data Fiduciary permitted such use. The New Bill is silent on this issue.
- Rights of Data Principals: The New Bill provides Data Principals a bouquet of rights, including the standard (a) right to access information; (b) right to withdraw consent; (c) right to correct, erase or update PD; and (d) right to grievance redressal. Notably, the New Bill also provides each Data Principal a right to appoint a nominee to exercise his/her rights under the law upon the Data Principal's death or incapacity.
- Processing of Children's Data: The New Bill requires a Data Fiduciary to obtain verifiable consent of a parent or guardian in order to process the PD of a child. It also prohibits Data Fiduciaries from undertaking "tracking" or "behavioural monitoring" of children, or "targeted advertising" directed at children. The New Bill retains the previous threshold for "Child", which covers any individual below 18 (eighteen) years of age.
- Relaxations for Certain Processing of Children's Data: The New Bill empowers the Central Government to notify any Data Fiduciary as exempt from these additional obligations while processing PD of children above a specified age (where such age threshold may be lower than 18 (eighteen) years) in certain circumstances. Consequently, the Central Government may, for instance, allow an Ed-Tech platform to process the PD of children above the age of 15 (fifteen) years without verifiable parental consent, provided it satisfies the Central Government that its processing is "verifiably safe".
- Significant Data Fiduciaries:
  - By notification: The New Bill allows the Central Government to notify any Data Fiduciary or a class of Data Fiduciaries as "Significant Data Fiduciaries" by assessing certain factors contained in Section 10 (1). Notably, this list of factors appears to be a closed list in the New Bill, unlike the 2022 Bill, which allowed the Central Government to consider "any other factors it may consider necessary".
  - Assessment and Audit: The New Bill requires Significant Data Fiduciaries to conduct a periodic Data Protection Impact Assessment (unlike the 2022 Bill, which required a periodic audit but did not indicate that the assessment would be periodic), a periodic audit, and other measures that may be prescribed by the Central Government in forthcoming rules.
- Data Protection Officer: The New Bill, similar to the 2022 Bill, requires the Significant Data Fiduciary to appoint a Data Protection Officer based in India, to represent the Significant Data Fiduciary and act as the point of contact for the grievance redressal mechanism.
- Transfer of PD outside India: The 2022 Bill prohibited the transfer of PD by a Data Fiduciary outside India unless such territory was notified by the Central Government as a permitted territory. In other words, the 2022 Bill envisaged a "white-list" approach. However, given the troubling nature of this provision, after industry advocacy, the New Bill has now revised this provision to a more palatable "black-list" approach.
The New Bill now allows cross border transfers of PD to all countries or territories except those specifically identified by the Central Government through notifications. Consequently, a negative list of countries to which the transfer of PD will be prohibited will likely be notified by the Central Government after the New Bill is enacted.
The New Bill also clarifies that other Indian laws which may prescribe a higher degree of protection or restrictions regarding transfer of PD outside India will continue to apply. This clarification puts to rest speculation that this data protection law would supersede or nullify existing data localisation regulations (such as the Reserve Bank of India's localisation mandate for payments data).
- Exemptions: The New Bill provides for certain notable exemptions, which are available to Data Fiduciaries in certain circumstances.
  - Exemptions for business process outsourcing companies ("BPOs"): For instance, the New Bill excludes from its purview the processing of PD belonging to offshore individuals, when such processing is carried on in India pursuant to a contract between a Data Fiduciary and a person located outside India. This exemption benefits outsourcing companies and BPOs that routinely process PD belonging to residents/citizens of other countries.
  - Exemptions for mergers and amalgamations and Debt Recovery: The New Bill also provides certain exemptions in relation to M&A transactions and debt-recovery activities. However, these exemptions appear considerably narrower than those provided under the 2022 Bill.
- Power of Central Government to exclude from obligations: The New Bill expands upon the provision under the 2022 Bill which empowers the Central Government to notify certain Data Fiduciaries to whom substantive obligations of the legislation (i.e., giving Notice as per Section 5, ensuring accuracy of PD as per Section 8 (3), retention of PD as per Section 8 (7), grievance redressal as per Section 10 and rights of Data Principals as per Section 11) would not apply, and now specifically states that this includes start-ups incorporated in India.
- Central Government's power to call for information: The Central Government is now vested with the power to require the Board or any Data Fiduciary or intermediary to furnish such information as it may call for, for the purposes of the New Bill.
- Power to block services of a Data Fiduciary: Under the New Bill, where a monetary penalty has been imposed on a Data Fiduciary on 2 (two) or more instances, the Central Government may, on the Board's request and in the general public interest, instruct the appropriate agency/intermediary to block the services of the Data Fiduciary.
- Data Protection Board of India: The New Bill seeks to establish a fully digital-by-design online complaint resolution mechanism through the Board, which will function as a digital office with its entire proceedings conducted online.
- Appellate Forum: The Board is no longer empowered to review its own order, or to modify, suspend, cancel or withdraw such order pursuant to any review. Instead, all appeals from orders of the Board will lie with the Telecom Disputes Settlement and Appellate Tribunal ("Appellate Tribunal"). The New Bill mandates the Appellate Tribunal to function as a digital office and to dispose of appeals within 6 (six) months.
- Notable Amendment to the Information Technology Act, 2000 ("IT Act"): To ensure congruence of the IT Act with the New Bill, Section 43A of the IT Act, which imposed damages on the Data Fiduciary for causing wrongful gain or loss to any person owing to its negligence in maintaining reasonable security procedures while handling or processing personal data, has been omitted. Such negligence can attract a penalty of up to INR 250,00,00,000 (Indian Rupees two hundred and fifty crores) under the New Bill.
Footnotes
[1] Indian law uses the term "Data Principal" to refer to data subjects.
[2] Indian law uses the term "Data Fiduciary" to refer to data controllers.