The Ministry of Electronics and Information Technology (MeitY) released the fourth iteration of India's proposed data protection law, the Digital Personal Data Protection Bill, 2022 (Bill), on 18 November 2022 for public comments. The Bill replaces the erstwhile Personal Data Protection Bill introduced in 2019 (and withdrawn in August 2022). The new Bill seeks to establish a framework for the protection of digital personal data in India. It inter alia lays down the rights and duties of the individual to whom the personal data relates (Data Principal), and the obligations of the person(s) determining the purpose and means of processing personal data (Data Fiduciaries). The Bill also prescribes substantial penalties for breach of the data protection obligations set out therein.
Applicability: The Bill applies to the processing of digital personal data within India, where such data is collected online, or collected offline and subsequently digitized; and to the processing of personal data outside India, if the processing is in connection with profiling of, or offering goods or services to, individuals in India.
Prior Consent Requirement: The Bill requires the Data Fiduciary to obtain the prior consent of the Data Principal, accompanied by an ‘itemized notice’ describing the personal data sought and the purpose for which it is proposed to be processed. The Bill also allows the Data Principal to withdraw consent at any time.
Cross Border Sharing of Data: The Bill permits cross-border transfer of personal data to countries or territories notified by the Central Government, subject to such terms and conditions as it may specify. This is a departure from the approach under the bill proposed in 2019, which categorized personal data into sensitive and critical personal data and restricted their transfer outside India.
Obligations of Data Fiduciaries: The Bill imposes certain obligations on Data Fiduciaries while processing personal data, including (a) processing such data only for lawful purposes; (b) making reasonable efforts to maintain data accuracy and completeness; (c) implementing reasonable security safeguards to prevent data breaches, and notifying the Data Protection Board and the affected Data Principals of any breach; (d) publishing the business contact details of a data protection officer or of another person able to answer the Data Principal's questions about the processing; (e) having a grievance redressal mechanism; and (f) obtaining verifiable parental consent before processing the personal data of persons below the age of 18 years.
The Bill additionally recognizes a class of ‘significant data fiduciaries’, to be notified on the basis of factors including the volume and sensitivity of personal data processed, the risk of harm to Data Principals, and the potential impact on the sovereignty and integrity of India. Such significant data fiduciaries are additionally required to appoint a data protection officer based in India and an independent data auditor, and to undertake periodic data protection impact assessments. Conversely, the government has the power to exempt certain classes of Data Fiduciaries from some of these compliance requirements, presumably with the large number of technology and data processing start-ups in India in mind.
Rights of Data Principals: The Bill confers certain rights on Data Principals, including the right to obtain information on whether and how their personal data is being processed, the right to seek correction or erasure of their personal data, and the right to have grievances redressed.
Data Protection Board: The Bill provides for the establishment of an independent body, styled the ‘Data Protection Board of India’, which will determine non-compliance with the provisions of the proposed act by Data Fiduciaries and Data Principals and impose penalties. The composition of the Board has not been set out in the Bill and is left to be prescribed by the Central Government. The Board is to function in a manner that is ‘digital by design’. The Board may exercise its powers on complaints received or on references made by the Central or State Governments; the Bill does not confer any suo motu powers on the Board.
Penalties: The Bill proposes substantial penalties that are fixed amounts rather than being linked to a variable factor such as the company's turnover. They cover non-compliances such as (a) failure of a data processor or Data Fiduciary to take reasonable security safeguards, (b) failure to notify the Board of a data breach, (c) non-fulfilment of the additional obligations in relation to children, and (d) non-fulfilment of the additional obligations of a significant data fiduciary. Depending on the contravention, these penalties range up to Rupees Fifty Crore to Rupees Two Hundred and Fifty Crore. The Bill also provides an overall cap of Rupees Five Hundred Crore on the penalties that may be imposed. Further, Data Principals may be liable to penalties of up to Rupees Ten Thousand for non-compliance with their prescribed duties.
While the Bill may have been intended as a concise statement of the law, it appears to leave certain key aspects of data privacy unaddressed. These include (a) the concept of sensitive personal data (biometric, health, genetic data etc.), which no longer receives separate treatment; (b) the right to data portability (which, under previous iterations of the bill, allowed the Data Principal to receive, in a structured format, all the personal data they had provided as well as the data generated about them by the Data Fiduciary); and (c) the right to be forgotten, which appears to have been subsumed within the right to erasure. The Bill also does not specify in much detail the timelines for fulfilling the prescribed obligations, does not define ‘public interest’, and sets out wide-ranging exemptions, especially for the government. These exemptions may be extended on the grounds of “…interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence…”.
Some of the changes introduced by the Bill are a welcome development, especially for industries that rely on data-driven business models.
However, businesses that collect and process personal data may find themselves required to enhance their security measures and to align their customer data privacy policies with the new requirements, which may overlap with requirements already prescribed by other regulators. There is also a lack of clarity on some interpretational aspects of the Bill, such as how cloud service providers would be treated under the proposed regime (that is, whether as Data Fiduciaries or only as data processors). Moreover, while the Bill seeks to protect individual privacy while ensuring ease of doing business, a significant proportion of power has been delegated to the Central Government, especially the power to frame procedural rules and guidelines. Further clarity from the authorities on these aspects would be helpful.