Contributed by: Sumit Kochar, Shivam Gera & Jaydeep Saha

Background

The Ministry of Electronics and Information Technology (MeitY) introduced the latest version of the Digital Personal Data Protection Bill, 2023 (the Bill) in the Lok Sabha (Lower House of Indian Parliament) on 3rd August, 2023.

The journey towards a data protection law in India began in 2017 after the Supreme Court’s judgment in the case of Justice KS Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 recognized privacy as a fundamental right for Indian citizens, compelling the government to enact legislation safeguarding this right.

To become law, the Bill must be passed by both houses, either with or without amendments. Once it receives the President of India’s assent, it will be enacted as the Digital Personal Data Protection (DPDP) Act, 2023.

Personal Data

The Bill departs from the current data privacy legislation in India by defining ‘personal data’ as a single, comprehensive category encompassing any data that can identify an individual.

The Bill permits the use of personal data of Indian citizens by entities recognized by law for the prevention, detection, or investigation of offences and cyber incidents without the individual’s knowledge. It also restricts the individual’s rights to access information about how their personal data is being processed by such entities for law enforcement purposes. Despite this restriction, the Bill introduces several key rights for individuals, including the right to information, the right to correct and erase data, the right to seek grievance redressal, and the right to nominate a representative. These rights are aimed at providing individuals with greater control and transparency over their personal data and its usage by data fiduciaries.

The personal data may be collected in digital form or converted to digital format afterward. The Bill excludes from its scope non-digital data, data processed for personal or domestic purposes, and data made publicly available due to a legal obligation. The Bill also applies to personal data processed outside India only if such processing is related to offering goods and services to data principals within India.

Processing

The Bill introduces a noteworthy change by allowing Data Fiduciaries to process personal data for any purpose not expressly forbidden by law, as long as it is explicitly consented to (Clause 4). In accordance with the provisions of Clause 7 of the Bill, the concept of ‘deemed consent’ for non-consent-based processing has been replaced by ‘legitimate uses’. However, the list of legitimate uses has been narrowed, since the ‘fair and reasonable purposes’ and ‘public interest’ grounds have been removed. Data Fiduciaries can process data without explicit consent when the data principal voluntarily provides their data and does not express unwillingness to consent to its use. This provision allows entities to process data without consent in scenarios where data is shared in exchange for a service, such as providing a phone number to a pharmacy for a receipt or sharing data for rental accommodation services. Other legitimate uses include data processing for the performance of state functions or in the interest of the sovereignty, integrity, and security of the State, as well as for providing benefits, fulfilling legal obligations, complying with court orders, and assisting in healthcare services.

Consent

In Clause 6(1), the Bill defines consent as an indication from the data principal signifying their agreement to allow their data to be processed for a specific purpose. This consent must be freely given, specific, informed, unconditional, and unambiguous, demonstrated through clear affirmative action. The consent’s validity is limited to the personal data necessary to fulfill the specified purpose. Data principals have the right to withdraw their consent and may use consent managers for this purpose as mentioned in Clause 6(7). If a data principal withdraws consent as per Clause 6(6), the data fiduciary must instruct the data processor to cease processing that individual’s personal data, unless otherwise authorized. Data principals or users can access information available to them in English or any of the 22 languages specified in the Eighth Schedule of the Constitution of India. However, translating authoritative versions of dynamic documents into all these languages can be complex and may not outweigh the benefits for Data Principals, especially when the underlying application or service is only available in a few of those languages.

Data Fiduciaries (DFs)

In accordance with Clause 8 of the Bill, Data Fiduciaries bear the responsibility for complying with the legislation, even for any data processing carried out on their behalf by a data processor. They are required to establish grievance redressal mechanisms and to ensure the accuracy and completeness of personal data if it affects a user’s decision or is shared with another Data Fiduciary. Data Fiduciaries must delete data, and instruct their data processors to do the same, if the user withdraws consent or if it is reasonable to assume that the specified purpose is no longer being served. For instance, if a user remains inactive for a specified period, indicating that the purpose is no longer relevant, the data must be deleted. However, data may be retained if required by law. Furthermore, Data Fiduciaries must report data breaches to both the Data Protection Board (DPB) and affected users.

Significant Data Fiduciaries (SDFs)

In accordance with Clause 10, the Bill introduces the concept of Significant Data Fiduciaries (SDFs), determined based on specified criteria. Additionally, the power to designate SDFs has been given to the Central Government. SDFs are subject to additional obligations, including appointing a data protection officer, conducting audits, and undertaking Data Protection Impact Assessments (DPIA). Given the significant implications of being designated as an SDF, it is crucial that the criteria for their identification be rational and coherent, to ensure transparency and accountability in the process.

Cross Border Data Transfers

Under Clause 16(1) of the Bill, data principals have the right to request information about their personal data being processed, the processing activities, and the identities of all data fiduciaries and processors with whom their data has been shared. They can also request data fiduciaries to correct or erase their personal data. Additionally, data principals have the right to nominate someone to exercise their rights on their behalf in case of their death or incapacitation. Data fiduciaries must provide easily accessible grievance redressal mechanisms to data principals. It is emphasized that data principals should exhaust these grievance redressal options before approaching the Data Protection Board (DPB).

As per Clause 16(2), the data principal has the responsibility not to impersonate someone else or withhold information while applying for any document or proof from the state. Furthermore, the data principal must provide only authentic information when exercising their right to data erasure. These measures are designed to ensure that the data protection process is transparent and that data principals act responsibly when seeking information or exercising their rights.

Children and their Data

Under the Bill, all individuals below the age of 18 are considered children, and Data Fiduciaries are required to obtain ‘verifiable’ consent from a parent or lawful guardian before processing any personal data concerning a child. The Bill also prohibits entities from tracking or behaviourally monitoring children or targeting advertising at them. This approach poses challenges, since much of the internet is geared towards teens, and numerous products and services are marketed and sold to individuals under eighteen.

Furthermore, the Bill defines parents and guardians as ‘Data Principals’ in place of their children. Although it is common for parental consent to be necessary for contracting involving minors, treating the parent as the child for data protection purposes is relatively uncommon and may warrant further consideration.

Exemptions

Under Clause 17, the Bill includes exemptions for certain data processing activities. These exemptions apply to data processing for investigating offences, implementing schemes of compromise, merger, or amalgamation, detecting financial frauds, and processing data of a data principal located outside India under a contract, among others. The government has the authority to exempt the entire application of the Bill for notified state agencies if it is in the interest of sovereignty, integrity, security of the state, friendly relations with foreign states, or maintenance of public order, among other reasons.

Furthermore, the government can provide exemptions for data processing for research, archiving, or statistical purposes, as long as the data is not used to make specific decisions affecting a data principal. Additionally, the government can notify certain data fiduciaries, including startups, for exemption from the Bill based on the volume and nature of personal data processed by them. These exemptions are aimed at providing flexibility and recognizing specific situations where the full application of the Bill may not be necessary or practical.

Enforcement and Regulation

Under the Bill, the Data Protection Board (DPB) remains an adjudicatory and enforcement body, not a regulator. The central government retains control over the composition and functioning of the DPB. The DPB’s primary responsibility is to enforce the provisions of the Bill. It has the authority to issue directions and instruct data fiduciaries to take urgent measures in case of data breaches, receive complaints from affected individuals or references from the central or state governments, and impose penalties for non-compliance. The DPB can conduct hearings, summon individuals to appear, examine witnesses under oath, and perform other functions.

The Bill grants the central government or an authorized officer the authority to order the blocking of public access to a data fiduciary’s platform based on a reference by the Board. Blocking can be ordered only if it is deemed necessary or expedient in the interests of the general public. Before issuing a blocking order, the data fiduciary should be given an opportunity to be heard. The government can also require any intermediary to assist in implementing the blocking order.

Additionally, the Bill empowers the central government to request information from the DPB, data fiduciaries, or intermediaries for the purposes of the Act. This provision is new and allows the government to access relevant information for effective implementation and enforcement of the data protection law.

Penalties

Under Clause 33 and the Schedule of the Bill, the Data Protection Board (DPB) has the authority to impose monetary penalties on data fiduciaries in cases of non-compliance with the provisions of the law. These penalties are applicable only to data fiduciaries and not to other entities or individuals. The financial penalties for non-compliance range from ten thousand rupees to two hundred crore rupees, with an upper limit of two hundred fifty crore rupees.
