On November 18, 2022, the Ministry of Electronics and Information Technology ("MeitY") released a new version of India's data protection bill. Titled the Digital Personal Data Protection Bill, 2022 ("DPDPB"), the document is a fourth iteration in a long series of draft laws. After considerable debate and apprehension over the last few versions, the DPDPB adopts a more business friendly and simple approach, while largely upholding the spirit of its predecessors. We provide a short summary of some of the standout provisions of the draft law.
Scope and Applicability
- Material Applicability: The DPDPB adopts a no-fuss definition of personal data. Earlier drafts categorised personal data into "sensitive" and "critical" personal data, the processing of which attracted enhanced compliance obligations. By doing away with these categories, the DPDPB has adopted a one-stop approach to processing activities. Further, the DPDPB removes 'non-personal data' from the applicability of the law, thereby correcting a largely controversial input in the last version of the law.
- Territorial Applicability: The DPDPB applies to the processing of personal data within India if such personal data is collected from data principals (which is the term the law uses for individuals to whom personal data relates) online, or if such data is collected offline but is subsequently digitised. The provisions of the DPDPB also apply to the processing of personal data outside India if the processing is in connection with any profiling of, or activity of offering goods or services to, data principals in India.
Grounds for Processing of Personal Data
Consent is – and, in line with previous iterations, continues to remain – the primary ground for processing personal data. However, the DPDPB now includes the concept of "deemed consent", a broad concept that includes other grounds for processing personal data. Effectively, a data principal is deemed to have given consent for the processing of their personal data if (a) such data has been shared voluntarily, (b) the processing activity is necessary for the provision of any service or benefit by the State, (c) the processing is necessary for compliance with any law or judgment, (d) the processing is necessary for responding to a medical emergency or for providing medical treatment, (e) the processing is in connection with employment purposes, or (f) the processing is necessary for ensuring public safety and public interest. In our view, "other grounds of processing personal data" may be a more appropriate term than "deemed consent". In addition, the government has the right to prescribe additional grounds for processing, after considering whether the legitimate interests of businesses outweigh any adverse impact on data principals, the public interest in the processing activity, and the reasonable expectations of data principals in the context of the processing activity.
Languages and Translations
Data fiduciaries – that is, persons who alone or in conjunction with others determine the purposes and means of processing personal data – are obliged to provide data principals with information notices about processing activities. Significantly, such notices must be made available in English as well as the 22 Indian languages listed in the Eighth Schedule of the Indian Constitution. While a welcome move in respect of India's diverse internet user base, this will have an impact on the way businesses operate, increase operational costs for translations, and raise interesting questions on addressing conflicts that may arise between different language versions of the same notice.
Controversially, previous iterations of the law required varying degrees of localisation. Mildly reassuring for businesses in India, the DPDPB does not contain a localisation requirement. However, with a few exceptions for public interest, enforcement actions, and law and order, cross-border transfers may now only occur on the basis of adequacy decisions issued by the Indian government, with no concept of contractual measures or other safeguards. There are presently no indications of which jurisdictions may fall within the scope of adequacy.
Data Protection Board of India
The Data Protection Board of India ("Board") is a new authority that will be responsible for enforcing the provisions of the DPDPB. The composition of the Board will be specified at a later stage. It will operate as an independent body and function in a manner that is "digital by design". The Board is tasked with enforcement: it will act upon complaints made by affected individuals, references made by the Central or any State Government, directions issued by courts, or a failure by a data principal to comply with their obligations under the law. Appeals against decisions of the Board will lie with the High Courts. The Board also has the power to refer complaints to mediation or other dispute resolution mechanisms.
The Board has the power to impose financial penalties of up to INR 500 crores in each instance if it determines that non-compliance by an individual or entity is significant in nature. Notably, penalties may also be imposed on data principals for a breach of their obligations under the DPDPB.
The Way Forward
The language of and the obligations imposed by the DPDPB are simpler than those of its predecessors. MeitY has, no doubt, carefully considered the concerns surrounding the enactment of this long-awaited law, including those on localisation, a consent-heavy architecture, and enhanced compliance obligations that could potentially raise barriers to entry for smaller and mid-size businesses. This is a welcome move for businesses, but raises questions on safeguards available to data principals, especially in the context of non-digital data and the risk of being subject to penalties. Feedback on the draft law may be submitted to MeitY by December 17, 2022.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.