Digital Personal Data Protection Bill, 2023: Highlights

The Indian Government introduced the Digital Personal Data Protection Bill, 2023 ("New Bill") in the lower house of the Indian Parliament on August 3, 2023. The New Bill is the 4th and most recent version of India's proposed data protection law and is expected to be the version that is finally enacted into law.

We have summarised below the key highlights of the New Bill along with our preliminary views.

  1. No Implementation Period: The New Bill does not prescribe any timeline for coming into effect as law. Instead, it will become enforceable upon notification in the Official Gazette. It remains to be seen whether the Indian Government will notify all provisions of the New Bill simultaneously or in a piecemeal manner instead.

  2. Deletion of 'harm': The New Bill no longer defines the term "harm", which was used in the 2022 version of the Digital Personal Data Protection Bill ("2022 Bill") in the context of determining loss to a Data Principal (i.e., data subjects)[1] as a consequence of a data breach. That definition led to ambiguity on the nature of losses that would be deemed to cause harm to Data Principals. The New Bill has removed this ambiguity and linked data breach to such losses that lead to (a) loss of property; (b) interruption in supply of services; or (c) loss of opportunity to gain financial advantage.

  3. No sub-categories of Personal Data: The New Bill defines personal data ("PD") as "any data about an individual who is identifiable by or in relation to such data" and, like the 2022 Bill (which had already removed sub-categories of PD such as 'Sensitive' and 'Critical' PD), does not create sub-categories of PD.

  4. Revisions to Scope and Applicability:
    1. Applies only to Digital Personal Data: The New Bill applies to digital PD, i.e., PD collected in digital form, or collected in non-digital form and subsequently digitised. Earlier, the 2022 Bill used the term "online" instead of "digital", which created ambiguity regarding the law's applicability to data processed electronically or digitally without the internet.
    2. No concept of Profiling: The New Bill does not expressly apply to profiling of data, and references to "profiling" (including in the Applicability section) have been removed. The 2022 Bill expressly extended its obligations to offshore processing in relation to profiling of a Data Principal, i.e., analysing or predicting behaviour or other aspects of the Data Principal. This deliberate omission of "Profiling" may have interesting implications, particularly for processing activities that aren't directly in conjunction with the sale of goods or services in India.
    3. Emphasis on Automated Processing: The New Bill retains the emphasis on automated processing which was introduced by the 2022 Bill. The New Bill defines "processing" to mean "a wholly or partly automated operation or set of operations performed on digital personal data...". Therefore, the New Bill entirely excludes non-automated processing from its scope. This may be contrasted with the General Data Protection Regulation (GDPR), which extends to non-automated processing of PD in specified scenarios.
    4. Removal of Certain Exemptions: The New Bill removes certain exemptions from the scope under the 2022 Bill, including explicit exemptions provided to offline data, non-automated processing and historical records (i.e., 100+ years-old data). It also excludes PD made publicly available by the Data Principal (e.g., public social media posts) or any other person under a legal obligation to make such PD publicly available (e.g., criminal records).

  5. Grounds for Processing: The New Bill permits processing of PD only when it is for a purpose not expressly forbidden. Such purpose must either (a) be expressly consented to by the Data Principal; or (b) qualify as "Legitimate Use" of PD (as discussed below).

  6. Notice: The New Bill sets out certain requirements for notices for consent ("Notice") to be given by a Data Fiduciary (i.e., data controller)[2] to a Data Principal prior to collecting and processing their PD. These include, inter alia, (a) the content of the Notice being in clear and plain language and specifying the nature of PD being collected, the purpose of processing, and the mechanism for exercising the rights of the Data Principal, including the process for making complaints to the Data Protection Board of India ("Board"); (b) the discretion to use an itemised format for disclosure of such PD in the Notice; and (c) enabling the Notice to be viewed in English or any of 21 (twenty one) languages specified in the Eighth Schedule to the Constitution of India, which will require multiple translations. Further, a Data Fiduciary must notify the Data Principal of PD collected prior to the New Bill's enactment, and may continue processing such PD until consent is withdrawn.

  7. Substitution of "Deemed Consent" with "Certain Legitimate Uses": The New Bill has replaced the concept of "Deemed Consent" (where consent would be "deemed" to have been given) with the narrower concept of "Legitimate Uses". As per the New Bill, where a Data Principal voluntarily shares his/her PD for a specified purpose, and the Data Principal has not indicated that he/she does not consent to the use of such PD, the processing of such PD for this purpose is considered a legitimate use. The 2022 Bill provided businesses greater flexibility, and allowed PD to be processed for any purpose where it could be "reasonably expected" that the Data Principal would provide such data.

    Notably, several crucial matters for which consent was "deemed" to have been given under the 2022 Bill have been deleted in the New Bill. This includes recruitment or termination of employment, attendance verification, assessment of performance (i.e., biometric access data) and public interest matters such as credit scoring, fraud prevention, mergers, and debt recovery. That said, some of these matters have been covered elsewhere in the New Bill to a limited extent.

  8. Notable obligations of Data Fiduciary: The New Bill imposes several duties on Data Fiduciaries, including ensuring the accuracy, completeness, and consistency of PD when it is likely to be used or disclosed to another Data Fiduciary. This is more demanding than the 2022 Bill, which only required reasonable efforts to ensure completeness and accuracy. The New Bill also requires Data Fiduciaries to erase PD when consent is withdrawn or when the specified purpose is complete. The 2022 Bill provided Data Fiduciaries greater flexibility by allowing them to "remove the means by which personal data can be associated with particular Data Principals", i.e., anonymisation. The Central Government is empowered under the New Bill to prescribe maximum retention periods for PD, requiring Data Fiduciaries to formulate data retention schedules to ensure no PD is retained for longer than the prescribed period. Data Fiduciaries must report all PD breaches to the Board and to each impacted Data Principal, regardless of the incident's magnitude, in a format prescribed by the Central Government. The New Bill does not prescribe a specific timeline for such reporting.

    All entities, including Data Fiduciaries, already have an obligation to report data breaches and other specified cyber incidents to a specified nodal agency, viz. CERT-In (Computer Emergency Response Team - India). The New Bill makes it mandatory for the Data Fiduciary to follow dual reporting in the event of a data breach, both to CERT-In and the Board.

  9. Primary responsibility on Data Fiduciary, not Data Processor: The 2022 Bill mandated both the Data Fiduciary and the Data Processor to adopt reasonable security safeguards to prevent data breach. The New Bill now only places this direct obligation on Data Fiduciaries. Similarly, in the event of a PD breach, the 2022 Bill mandated both the Data Fiduciary and the Data Processor to notify the Board and the affected Data Principal. The New Bill now places this obligation only on Data Fiduciaries.

  10. Use of Data Processors: The New Bill does not delve into whether "Data Processors" also include sub-processors of PD. In contrast, the 2022 Bill expressly prohibited Data Processors from using another Data Processor or a Sub-Processor unless the contract between the Data Processor and the Data Fiduciary permitted such use. The New Bill is silent on this issue.

  11. Rights of Data Principals: The New Bill provides Data Principals a bouquet of rights, including the standard (a) right to access information; (b) right to withdraw consent; (c) right to correct, erase or update PD; and (d) right to grievance redressal. Notably, the New Bill also provides each Data Principal a right to appoint a nominee to exercise his/her rights under the law upon the Data Principal's death or incapacity.

  12. Processing of Children's Data: The New Bill requires a Data Fiduciary to obtain verifiable consent of a parent or guardian in order to process the PD of a child. It also prohibits Data Fiduciaries from undertaking "tracking" or "behavioural monitoring" of children, or "targeted advertising" directed at children. The New Bill has retained the previous threshold for "Child", which covers any individual below 18 (eighteen) years of age.

  13. Relaxations for Certain Processing of Children's Data: The New Bill empowers the Central Government to notify any Data Fiduciary as exempt from these additional obligations while processing PD of children above a specified age (where such age threshold may be lower than 18 (eighteen) years) in certain circumstances. Consequently, the Central Government may, for instance, allow an Ed-Tech platform to process the PD of children above the age of 15 (fifteen) years without verifiable parental consent, provided it satisfies the Central Government that its processing is "verifiably safe".

  14. Significant Data Fiduciaries:
    1. By notification: The New Bill allows the Central Government to notify any Data Fiduciary or a class of Data Fiduciaries as "Significant Data Fiduciaries" by assessing certain factors contained in Section 10 (1). Notably, this list of factors appears to be a limited list in the New Bill, unlike the 2022 Bill which allowed the Central Government to consider "any other factors it may consider necessary".
    2. Assessment and Audit: The New Bill requires Significant Data Fiduciaries to conduct periodic Data Protection Impact Assessment (unlike the 2022 Bill which did not indicate a periodic assessment, but a periodic audit), a periodic audit and other measures that may be prescribed by the Central Government in forthcoming rules.
    3. Data Protection Officer: The New Bill, similar to the 2022 Bill, requires the Significant Data Fiduciary to appoint a Data Protection Officer based in India, to represent the Significant Data Fiduciary and act as the point of contact for the grievance redressal mechanism.

  15. Transfer of PD outside India: The 2022 Bill prohibited the transfer of PD by a Data Fiduciary outside India unless such territory was notified by the Central Government as a permitted territory. In other words, the 2022 Bill envisaged a "white-list" approach. However, given the troubling nature of this provision, and after industry advocacy, the New Bill has now revised this provision to a more palatable "black-list" approach.

    The New Bill now allows cross-border transfers of PD to all countries or territories except those specifically identified by the Central Government through notifications. Consequently, a negative list of countries to which the transfer of PD will be prohibited will likely be notified by the Central Government after the New Bill is enacted.

    The New Bill also clarifies that other Indian laws which may prescribe a higher degree of protection or restrictions regarding transfer of PD outside India will continue to apply. This clarification puts to rest speculation that this data protection law would supersede or nullify existing data localisation regulations (such as the Reserve Bank of India's localisation mandate for payments data).

  16. Exemptions: The New Bill provides for certain notable exemptions, which are available to Data Fiduciaries in certain circumstances.
    1. Exemptions for business process outsourcing companies ("BPOs"): For instance, the New Bill excludes from its purview the processing of PD belonging to offshore individuals, when such processing is carried on in India pursuant to a contract between a Data Fiduciary and a person located outside India. This exemption benefits outsourcing companies and BPOs that routinely process PD belonging to residents/citizens of other countries.
    2. Exemptions for Mergers and Amalgamations and Debt Recovery: The New Bill also provides certain exemptions in relation to M&A transactions and debt-recovery activities. However, these exemptions appear considerably narrower than those provided under the 2022 Bill.

  17. Power of Central Government to exclude from obligations: The New Bill expands upon the provision under the 2022 Bill which empowers the Central Government to notify certain Data Fiduciaries to whom substantive obligations of the legislation (i.e., giving Notice as per Section 5, ensuring accuracy of PD as per Section 8 (3), retention of PD as per Section 8 (7), grievance redressal as per Section 10 and rights of Data Principals as per Section 11) would not apply, and now specifically states that this includes start-ups incorporated in India.

  18. Central Government's power to call for information: The Central Government is now vested with the power to require the Board or any Data Fiduciary or intermediary to furnish any such information as it may call for, for the purposes of the New Bill.

  19. Power to block services of a Data Fiduciary: Under the New Bill, where a monetary penalty has been imposed on a Data Fiduciary on 2 (two) or more instances, the Central Government may, on a request from the Board intimating this and in the interest of the general public, instruct the appropriate agency/intermediary to block the services of the Data Fiduciary.

  20. Data Protection Board of India: The New Bill seeks to establish a fully digital-by-design online complaint resolution mechanism through the Board, which will function as a digital office with its entire proceedings in online mode.

  21. Appellate Forum: The Board is no longer empowered to review its own order, or to modify, suspend, cancel or withdraw such order pursuant to any review. Instead, all appeals from orders of the Board will lie with the Telecom Disputes Settlement and Appellate Tribunal ("Appellate Tribunal"). The New Bill mandates the Appellate Tribunal to function as a digital office and to dispose of appeals within 6 (six) months.

  22. Notable Amendment to the Information Technology Act, 2000 ("IT Act"): To ensure congruence of the IT Act with the New Bill, Section 43A of the IT Act, which imposed damages on the Data Fiduciary for causing wrongful gain or loss to any person owing to its negligence in maintaining reasonable security procedures while handling or processing personal data, has been omitted. Such negligence can attract a penalty of up to INR 250,00,00,000 (Indian Rupees two hundred and fifty crores) under the New Bill.

Footnotes

1. Indian law uses the term "Data Principal" to refer to data subjects.

2. Indian law uses the term "Data Fiduciary" to refer to data controllers.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.