Ever since the introduction of the European Union’s General Data Protection Regulation (“GDPR”) in 2018, India has endeavored to implement a comprehensive legal framework governing data protection in the country. After almost five years, three draft bills and numerous intensified debates, a draft “Digital Personal Data Protection Bill, 2022”[1] (“Bill”) was released on November 18, 2022. It aims to balance a framework for using personal data for lawful purposes against the rights and duties of citizens.
The draft Bill is at the consultation stage and is expected to be tabled in the monsoon session of 2023. Key highlights of the draft Bill are as follows:
- Scope: The draft Bill applies to the processing of personal data of data principals within India where the data is (i) collected online or (ii) collected offline and then digitized, as well as to personal data processed outside the territory of India if the processing relates to profiling of, or offering goods and services to, data principals in India. However, processing of data which is non-automated, offline, for personal use, or contained in a record for at least 100 years is excluded from the scope of the draft Bill. Further, the draft Bill exempts Indian data fiduciaries that collect and process the personal data of data principals outside India.
- Prior notice: Unlike the predecessor versions, the draft Bill has done away with the categories of data, i.e. personal data and sensitive personal data. The draft Bill mandates that data fiduciaries give a clear notice to data principals laying out the description of the personal data sought to be collected and the purpose of processing such personal data. This requirement is retrospective in nature and requires the data fiduciaries to furnish a notice to all data fiduciaries “as soon as it is reasonably practicable”.
- Consent: The draft Bill specifies that a data principal shall provide informed consent by a clear affirmative action signifying agreement to the processing of data and its specified purpose. The concept of ‘deemed consent’ has also been introduced for situations such as (i) compliance with judicial orders, (ii) where the data principal voluntarily provides personal data and is reasonably expected to provide it, (iii) medical emergencies, (iv) disasters, (v) public interest, (vi) employment purposes, and (vii) fair and reasonable cases, etc. The aforesaid instances are very broad and may blur the line between an individual’s privacy and the right of a data fiduciary to assume “deemed consent”.
- Obligation of Data Processor: The draft Bill mandates that data processors shall protect personal data in their possession or under their control by taking reasonable security safeguards to prevent a personal data breach.
- Obligations of Data Fiduciary: The draft Bill holds a data fiduciary completely responsible for processing personal data in compliance with the provisions of the draft Bill. The draft Bill enumerates specific obligations of a data fiduciary, from ensuring the accuracy of the personal data being processed to deploying reasonable security safeguards and an effective grievance redressal mechanism for data principals. The draft Bill mandates that personal data shall be collected only for the limited purpose for which consent has been given, and that the data fiduciary shall cease processing and remove personal data as soon as “it is reasonable to assume” (no specific timeline) that it no longer serves the purpose of its retention or any legal or business purpose.
- Additional obligations of Significant Data Fiduciary: Consistent with its predecessor versions, the draft Bill retains the term ‘significant data fiduciary’. Significant Data Fiduciaries are required to (i) appoint a Data Protection Officer based in India; (ii) appoint an independent Data Auditor; and (iii) undertake measures for managing the risk of harm and such other matters with respect to the processing of personal data under the draft Bill.
- Rights of Data Principals: Data principals have been granted (i) the right to correction and erasure of personal data, which subsumes the controversial right to be forgotten of previous iterations of the draft Bill; (ii) the right to information (from the data fiduciary regarding confirmation, nature, summary and purpose of processing the personal data, and a list of all data fiduciaries with whom the said data is shared); (iii) the right to grievance redressal (from the data fiduciary, which may be referred to the Data Protection Board within seven days or less of receiving an unsatisfactory response or no response at all); and (iv) the right to nominate another individual to exercise these rights in the event of the principal’s death or incapacity.
- Duties of Data Principals: The draft Bill also imposes certain duties on data principals, which carves out a harmonious relationship between data principals and data fiduciaries. Data principals shall (i) comply with the provisions of the draft Bill; (ii) not register a false or frivolous grievance or complaint; (iii) not furnish any false particulars, suppress any material information or impersonate another person; and (iv) furnish verified and authentic information while exercising the right to correction or erasure.
- Data localization: Unlike the predecessor Bills, the draft Bill permits the transfer of personal data outside India to certain countries or territories. However, such countries or territories will be notified by the central government (after assessing any factors it deems necessary). The draft Bill is silent regarding the framework for such transfers and only states that a data fiduciary “may transfer personal data, in accordance with such terms and conditions as may be specified”.
- Penalties: The draft Bill only imposes monetary penalties for non-compliance (ranging from ten thousand to 250 crores, not exceeding 500 crores at each instance). Criminal penalties have been completely removed from the draft Bill, which may come as a sigh of relief to many tech giants. However, there is no guidance on how the fines will be imposed; instead the draft Bill lists matters (including the nature, gravity, type and duration of the non-compliance; the repetitive nature of the non-compliance; whether the person, as a result of the non-compliance, has realized a gain or avoided any loss; whether any action was taken to mitigate the effects and consequences of the non-compliance, etc.) which need to be considered while determining the amount of the financial penalty.
- Composition of Data Protection Board: Akin to the GDPR, the draft Bill mandates the composition of an independent body, i.e. the Data Protection Board, which will, inter alia, determine and investigate non-compliance with the provisions of the draft Bill, impose penalties, issue additional guidelines, etc. The Board has the power to take action suo motu or upon receipt of a complaint. Any appeal against an order of the Data Protection Board shall lie before the High Court. The Data Protection Board may also refer the concerned parties to mediation in cases it deems fit.
- Exemption to certain entities: The draft Bill exempts the State from any or all of its provisions “in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these”, and for research or statistical purposes. Further, the central government may exempt certain entities (having regard to the volume and nature of personal data processed) from provisions such as prior notice before consent, ensuring the accuracy of personal data, deleting data after its purpose is served, data fiduciary obligations and the data principal’s right to information under the draft Bill.
- Amendments to Information Technology Act, 2000 (“IT Act”): The draft Bill also amends Section 81 of the IT Act[2] to read, “…provided that nothing contained in this Act shall restrict any person from exercising any right conferred under the Copyright Act, 1957 (14 of 1957) or the Patents Act, 1970 (39 of 1970) or the Digital Personal Data Protection Act, 2022”. This section may be interpreted to mean that the “safe harbor” under Section 79 of the IT Act is unavailable for data breaches and non-compliance with the provisions of the draft Bill. However, it is settled law[3] that the remedies of intermediaries remain available and are not precluded by virtue of Section 81 of the IT Act. The mere addition of the Digital Personal Data Protection Act, 2022 to the proviso to Section 81 of the IT Act would mean that data principals can demand action against intermediaries, while intermediaries can seek safe harbor where they are not responsible for data breaches and non-compliance with the draft Bill.
While the draft Bill has been appreciated for its unadorned language, there are a few gaps which need to be filled. The draft Bill has expanded the role of the central government in regulating the data protection framework in the country, and the majority of rule-making has been delegated to the government, which may result in uncanalised powers. For example, the draft Bill does not define “significant data fiduciary”; the same will be notified by the central government on an assessment of factors such as the volume and sensitivity of personal data processed, the risk of harm to data principals, etc. Further, the mechanism for data transfer will also be decided by the central government, in addition to the list of countries and territories. Furthermore, the State and its instrumentalities are exempted from the provisions of the draft Bill and are permitted to enjoy relaxations in relation to the processing of data, which includes privileges like retaining personal data beyond the purpose of its retention without any accountability whatsoever.
To conclude, the draft Bill is one step closer to a definitive framework dealing with the duties and obligations of data fiduciaries and the rights of data principals, and it will be interesting to observe how the final legislation actually pans out.
- [1] https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Potection%20Bill%2C%202022_0.pdf
- [2] Section 81 of the IT Act. Act to have overriding effect.–The provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force. Provided that nothing contained in this Act shall restrict any person from exercising any right conferred under the Copyright Act, 1957 (14 of 1957) or the Patents Act, 1970 (39 of 1970).
- [3] Myspace Inc. v. Super Cassettes Industries Ltd., 2016 SCC OnLine Del 6382, 23-12-2016