On 18 November 2022, the Ministry of Electronics and Information Technology introduced the fourth restatement of the Digital Personal Data Protection Bill 2022 (“Draft”) for public comments and consultation with industry-wide stakeholders. We have analyzed here the key takeaways of the Draft, which was intended to serve as a guide for digital data protection in India. After extensive stakeholder consultation, the Digital Personal Data Protection Bill, 2023 (“Bill”) was passed by the Lok Sabha on 7 August 2023 and subsequently by the Rajya Sabha on 9 August 2023. The Bill received Presidential assent on 11 August 2023 and, upon publication in the Official Gazette, became the ‘Digital Personal Data Protection Act, 2023’ (“Act”). However, the provisions of the Act are not yet in force; they will come into force on such date(s) as the Central Government notifies in the Official Gazette.
SOME OF THE KEY PROVISIONS OF THE ACT
Objective: The primary objective of the Act is to establish a comprehensive framework for the protection and processing of digital “Personal Data,” i.e., data in digital form about any individual who is identifiable by such data (the individual to whom such Personal Data relates being the “Data Principal”).
Applicability: The Act applies to the processing of all digital Personal Data within India, whether it is collected in digital form or digitized subsequently. It also applies to the processing of digital Personal Data outside India, if such processing is in connection with any activity related to offering goods or services to Data Principals within India. “Processing” includes collection, recording, storage, use, sharing and disclosure of data, among other operations performed on it.
Restriction: Personal Data can be processed only for:
(a) a lawful purpose (i.e., purpose not expressly prohibited by law) for which the Data Principal has given her consent. Such consent should be free, specific, informed, unconditional, unambiguous with a clear affirmative action; or
(b) certain “legitimate uses” (which include the specified purpose for which the Data Principal has voluntarily provided her personal data, or for fulfilling any obligation under Indian law, or for the purposes of employment or for safeguarding the employer from loss or liability, etc.). No separate consent is required for “legitimate uses” recognized under the Act.
A Data Principal has the right to give, manage, review, or withdraw her consent:
(i) directly to a “Data Fiduciary” i.e., a person who alone or in conjunction with other persons determines the purpose and means of processing of Personal Data; or
(ii) to a Data Fiduciary through a “Consent Manager,” i.e., a person registered with the Data Protection Board of India (“Board”), who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform. Note that the Board has not been constituted yet.
Some of the key duties of Data Fiduciary: (i) Process the Personal Data in accordance with the ‘Restriction’ mentioned above. This obligation applies to the Data Fiduciary irrespective of whether the processing of Personal Data is undertaken by itself or by a “Data Processor” (i.e., a person who processes Personal Data on behalf of a Data Fiduciary).
(ii) Take reasonable security safeguards to prevent a Personal Data breach in respect of Personal Data in its or its Data Processor’s possession or control.
(iii) Notify the Data Principal and the Board of any Personal Data breach, in the form and manner to be prescribed under the Act.
(iv) Erase (or cause its Data Processor to erase) any Personal Data upon the Data Principal withdrawing her consent, unless retention is necessary for compliance with applicable laws.
(v) Establish an effective grievance redressal mechanism for Data Principals and nominate a person who will address all questions raised by Data Principals about processing of their Personal Data.
Powers and Functions of the Board: The role of the Board is to protect the interests of Data Principals, prevent misuse of Personal Data, ensure compliance with the provisions of the Act, and promote awareness about data protection. Some of the powers and functions of the Board are to direct any urgent remedial or mitigation measures in the event of a Personal Data breach; to impose penalties provided in the Act; to inquire into the contravention of any provision of the Act by the Data Fiduciary or the Consent Manager.
Cross Border Transfer: The Act allows Personal Data to be transferred to, and processed in, countries outside India, except such countries or territories as the Central Government restricts by notification (again, this notification is yet to be published, so it is not known which countries will be covered by this restriction).
Penalties: The Act provides for various penalties for contravention of its provisions, and most of the penalties are very substantial. For instance, a penalty of up to INR 250 crores (approximately USD 30.22 million) may be imposed on a Data Fiduciary for failure to observe its obligation to take reasonable security safeguards to prevent a Personal Data breach.
Exemptions: Exemptions from the application of the Act include the processing of Personal Data by the Government; for the purpose of legal proceedings; for enforcing any right or claim; for the investigation or prosecution of any offence; and where Personal Data of Data Principals outside India is processed by a person in India pursuant to a contract with a person outside India, among others.
While the Act attempts to address the major concerns of industry-wide stakeholders, especially in the context of increasing internet users, data generation, and cross-border trade, most of the finer details of how it will be implemented in practice are likely to be the subject matter of subordinate legislation (rules) which is yet to be promulgated.
The industry will need to work closely with the Government for effective implementation of the Act, with proactive adherence to its various compliance requirements. For businesses, it will be worthwhile to start developing systems and processes to identify and segregate data that may be subject to the Act, and to build frameworks within which consent and the other requirements of the Act can be integrated into their various interfaces with customers, clients, vendors, IT service providers and the like.