The Indian Government has published a new, simplified draft of its Digital Personal Data Protection Bill. What does it say?
On 18 November 2022, the Government of India released the long-awaited fourth draft of India's proposed privacy law, now renamed as the Digital Personal Data Protection Bill ('Bill'). The Government has sought feedback on the draft Bill by 17 December 2022.
At first glance, the Bill is quite a surprise. It is a completely new draft and not a redraft of previous versions and is much shorter and simpler. It departs substantially from the GDPR model of privacy laws that is quite commonplace today.
The law applies only to personal data that is collected online or which is collected offline, but which is digitised. The law will apply to processing of personal data outside India if this processing is in connection with any profiling of principals in India or any activity of offering goods or services within India. The law also exempts processing of data in India of individuals located outside India under a cross-border contractual arrangement: this essentially covers the offshore/outsourcing industry.
The Bill uses similar terminology as the previous versions. A data subject is referred to as a 'data principal' and a data controller is referred to as a 'data fiduciary'. There is no concept or definition of sensitive personal data. The DPA is referred to as the Data Protection Board of India ('DPBI').
Grounds for collection and processing
Consent continues to be the main ground for processing of personal data. It must be 'freely given', 'specific', 'informed' and an 'unambiguous indication of consent' through a 'clear affirmative action'.
It seems clear that explicit consent would be required. Consent can also be withdrawn, the consequences of which would be borne by the data subject. The draft Bill also includes obvious grounds for processing personal data, such as compliance with laws and court orders, actions dealing with epidemics or law and order situations.
The concept of legitimate interest appears to be captured in different ways. Several situations are mentioned where consent is deemed to have been given. These include processing of personal data 'in public interest' including to prevent or detect fraud, for network and information security, credit scoring, processing of publicly available personal data and for recovery of debt.
It seems unclear though whether private enterprises can use these grounds, given that the processing needs to be 'in public interest'. There is also the ground of 'fair and reasonable purpose' but in this case, the government has to notify what is a fair and reasonable purpose. In doing so, the government can consider the data fiduciary's legitimate interests.
One key ground is where processing of personal data is 'necessary' and where personal data is provided voluntarily and 'it is reasonably expected that the data subject would provide such personal data'. One would have to show that the processing is 'necessary' and the personal data was provided 'voluntarily' and the data principal would reasonably be expected to provide such data.
Possibly this provision could have been drafted better, assuming this is intended to be a legitimate interest type of ground. It is likely to become the most important provision of the new statute for businesses that do not wish to go down the consent route.
There is a separate ground for processing of personal data related to employment that covers prevention of espionage, maintenance of confidentiality of trade secrets and IP, recruitment, termination of employment, provision of services or benefits to an employee, verification of attendance and assessment of performance. Personal data may be collected on these grounds as long as the processing is 'necessary'.
The previous versions of the Bill provided for extensive information to be provided as part of notice to data principals. That was excessive. This version covers only two things: the types of personal data to be processed and the purposes of processing. This information has to be provided in an itemised manner.
The draft Bill keeps the threshold for children at 18 years. This will be seen as a disappointment for the online world, as global standards tend to be closer to 16 years.
Verifiable parental consent is required for collection of children's personal data. The Bill also prohibits profiling of children or behavioural monitoring or targeted advertising to children. However, the Government has the power to exempt these requirements through notification.
Rights and duties of data principals
Data principals (data subjects) have several rights. They include the right to know what personal data is being processed and the right to have inaccurate personal data corrected. A data principal can also ask for personal data to be deleted on the ground that its storage no longer serves the purpose for which it was collected.
Interestingly, the Bill includes duties of data principals: essentially, a duty not to provide false information and not to lodge frivolous or false grievances.
Storage of personal data
The draft law requires the data fiduciary (data controller) to ensure that personal data maintained is accurate and to use appropriate organisational and technical measures to comply with the law. Data fiduciaries must also use reasonable security measures to prevent data breaches. A data fiduciary may maintain personal data only as long as it serves the purpose for which it was collected or for a legal or business purpose. After that, the personal data needs to be deleted.
Personal data breach
The draft Bill defines a 'personal data breach' to mean any unauthorised processing or accidental disclosure, use, alteration, or destruction of personal data, that compromises its confidentiality, integrity, or availability.
In the event of a personal data breach, the data fiduciary or data principal must inform both the DPBI and the affected data principal, in a manner prescribed by the government. The broad definition of a personal data breach would cover small instances of data breaches for which notification to the government and data principals seems quite onerous.
'Significant data fiduciary'
The draft law retains the concept of a Significant Data Fiduciary ('SDF'). This is a data fiduciary (controller) that fulfils the criteria established by the government. In determining who would be an SDF, the government would consider factors such as the volume of data and risk of harm.
Interestingly, these factors also include 'potential impact on the integrity and sovereignty of India' and 'risk to electoral democracy'. SDFs are required to appoint Data Protection Officers, who must report to the Board of the organisation. They must also appoint an independent data auditor to audit compliance with the privacy law. The Government can also notify when SDFs have to conduct privacy impact assessments.
Data protection officer
Only SDFs are required to appoint a Data Protection Officer. However, every data fiduciary must appoint a person to act as the point of contact for anyone who wants to file a grievance. The contact details of the grievance officer must be published.
Data localisation and transfers
The draft Bill does not directly include provisions on data localisation. The requirement in previous drafts that critical personal data needs to be stored only in India or that sensitive personal data can be transferred outside India but a copy must be retained in India has been removed.
The Bill states that the Government would notify countries to which personal data can be transferred. It would appear that until the Government notifies these countries, personal data can be freely transferred outside India, though perhaps the notification will be issued at the time the law comes into force. The law does not cover other means of allowing data transfers such as through standard contractual clauses (this is after all the method by which personal data is currently transferred from the EU to India).
The Bill grants the power to the Government to exempt itself and its agencies from any requirement of the Bill. The grounds mentioned, such as sovereignty and integrity of India, security of state, etc., are taken from the Constitution of India and also cited by the Supreme Court of India as grounds on which privacy rights can be restricted. These grounds are, however, quite broad and proportionality and reasonableness are not essential ingredients.
The draft new law prescribes penalties for non-compliance. There is a schedule which mentions penalty caps for specific violations. For example, failure to take reasonable security safeguards to prevent personal data breach would involve a penalty of up to INR 25 million (approximately USD 30 million).
Penalties in general can go up to INR 50 million (approx. USD 60 million). Interestingly, there is no provision for awarding compensation to affected data subjects.
The Government has taken a decidedly Indian approach to drafting this legislation. It is far simpler than past versions and goes against the current trend of the GDPR model of privacy legislation. This type of legislation is quite appropriate for India given its huge, unorganised SME sector and given that standards of privacy compliance are quite low in India.
It probably does mean though that the legislation will fail to obtain an adequacy ruling from the EU. In any case, due to not having independent oversight over government surveillance, Indian law does not fully comply with Schrems II.
There are however a host of issues that need to be dealt with in the law. Most important is to clarify the language surrounding the legitimate interest type of ground which we believe is at the heart of privacy legislation. Is the concept of 'necessity' sufficient to deal with legitimate situations of collection and processing of personal data?
It would also appear that notice requirements apply only when consent is being obtained. This means that when personal data is being processed under other grounds, that fall under deemed consent provisions, no notice is required. The need to prescribe consent is itself debatable. Consent has been found to not really be a means of protection to data subjects especially since in most cases, data subjects have no choice but to give consent.
All along, my recommended approach has been to have light-touch legislation and to allow the DPA to build further regulation slowly through delegated legislation. This draft legislation partially follows that approach. While the DPBI does have powers to pass regulations, they relate only to carrying out the provisions of the law. It is debatable whether it has powers to pass regulations on matters not mentioned in the law. For example, issues such as data portability, privacy by design, etc., find no place in the Bill. It would have been better for the powers given to the DPBI to have been spelled out in greater detail.
The blanket ban on tracking of children's activity on the internet and behavioural advertising seems somewhat unreasonable. How would an online video or music channel for example recommend movies or music to children based on their tastes without tracking their activity?
The Bill also gives the government the power to exempt any of its agencies from any of the provisions of the law. There is no reasonableness or proportionality threshold mentioned. Perhaps, however, this can be read into the law given pronouncements already made by the Supreme Court of India. The blanket exemption for the Government on the need to delete data that no longer serves the purpose for which it was collected is also unfortunate.
It is also unfortunate that the composition of the DPBI has not been prescribed in the law, thereby leaving it to the Government to appoint whomever it wants. A tech-savvy and nimble DPA is very much required in order to manage data privacy regulation in India, especially given that some of the requirements of the law will be 'as may be prescribed' later.
Overall, the approach adopted makes sense given the Indian environment and can provide a launching pad for more extensive privacy-related regulation in the future. There are obviously gaps and drafting errors, but that must be expected in simpler legislation that also strikes a new path and is drafted by people who are not privacy experts. It is hoped that the Government will work with the privacy community to iron out these issues and take this document to enactment.