In November 2022, the Indian government released a draft of the Digital Personal Data Protection Bill, 2022 (“Bill”), in a fresh attempt to create a comprehensive data protection regime.
The Bill is proposed to be tabled before the Parliament of India in the first half of 2023. We discuss the key provisions of the Bill.
India has not yet enacted a comprehensive legislation on data protection. The current regulatory framework is derived from Section 43A of the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) which apply specific and limited obligations. Sectoral laws may also be applicable to entities in regulated sectors such as financial services and telecommunications. Please see here for a detailed summary of the data protection regime in India.
The Indian Government has made a number of attempts to introduce a comprehensive data protection law. For example, it previously proposed a Data Protection Bill, 2021 (“2021 Draft Bill”) which had some similarities to the General Data Protection Regulation (“GDPR”).
That 2021 Draft Bill has now been withdrawn and replaced by the new Bill. The Bill has been drafted as an entirely new law rather than as an iteration of the 2021 Draft Bill, and it appears to be both government and business friendly. Once enacted, the Bill will replace Section 43A of the IT Act and the SPDI Rules.
Scope
The Bill starts with a number of concepts that are broadly similar to those in the GDPR. It governs data fiduciaries (i.e., data controllers), data processors and data principals (i.e., data subjects).
It applies to the processing of digital personal data, i.e., information relating to an individual that can identify that individual, where the data is either collected online or collected offline and subsequently digitised.
The 2021 Draft Bill contained a complex delineation of personal data into sensitive or critical personal data, and a hierarchisation of a data fiduciary’s obligations on the basis of the type of personal data processed. This has been done away with. Additionally, ‘non-personal data’ has been removed from the ambit of the Bill, which is a welcome change.
Grounds for processing – lawful purpose and consent
The processing of personal data should be in accordance with the Bill for a lawful purpose, i.e., a purpose not expressly prohibited by law.
Consent remains a key ground for processing personal data but, as set out below, is a very different concept to consent under the GDPR. Data fiduciaries must provide a clear and itemised notice (with a description of the personal data sought and the purpose of collecting such data) to concerned data principals to seek their consent.
The Bill has a broad conception of consent. In addition to express/affirmative consent, it recognises ‘deemed consent’, the ambit of which appears to be very broad. While affirmative consent must be free, specific, informed and unambiguous and can be withdrawn, ‘deemed consent’ requires no affirmative action by the individual and attracts no notice obligations. It is also unclear how withdrawal of ‘deemed consent’ would work.
The Bill lists situations where ‘deemed consent’ can be relied on including:
Obligations of data fiduciaries
The key obligations of data fiduciaries include:
The Bill defines children as anyone below the age of 18 years and requires verifiable parental consent for processing the personal data of children.
Companies can be designated as ‘significant data fiduciaries’, based on factors like volume and sensitivity of personal data processed, risk of harm to data principals and potential impact on India’s security and public order. These ‘significant data fiduciaries’ are subject to additional obligations like conducting periodic audits and data protection impact assessments and appointing an independent data auditor and a data protection officer.
Organisations which routinely deal with large volumes of personal data (banks, telecom companies, insurance companies, hospitals) are likely to fall under this category, though unlike the 2021 Draft Bill, social media platforms are not specifically identified as ‘significant data fiduciaries’.
Rights and duties of data principals
Individuals have:
Unusually, the Bill also imposes duties on data principals (individuals). Data principals can be subject to penalties of up to INR 10,000 for non-compliance, a unique provision which appears to have been introduced to deter frivolous complaints.
Data localisation and cross-border data transfers
While the Bill does not specifically mandate storage of digital personal data within India, data localisation requirements under other laws (e.g., imposed by the Reserve Bank of India on banks and other payment service providers) will continue to apply.
Further, under the Bill, cross-border data transfers are permitted only to jurisdictions that the Indian government ‘may prescribe’. It therefore appears that transfers will be permitted only to countries on a government white list.
Adjudicating authority
A ‘digital by design’ Data Protection Board of India, independent though government-appointed and composed of a chairperson, a chief executive, members and other officers and employees, will be established by government notification to ensure compliance and penalise non-compliance.
The board has the power to conduct inquiries on the basis of, inter alia, suo motu action, complaints from affected individuals or references from the government, and to issue orders. Such orders can be reviewed by the board itself or appealed before the relevant High Court. The board can also recommend alternative dispute resolution processes and can close its proceedings by accepting voluntary undertakings from violating entities.
Penalties
While the quantum of penalties for breaches of and non-compliance with the Bill is high (capped at INR 500 crore, approximately EUR 60 million), penalties are not linked to the entity’s worldwide turnover, as they are under the GDPR and the 2021 Draft Bill. Another welcome change is the removal of criminal sanctions. The ability of affected data principals to claim compensation has also been removed.
Exemptions
State entities are exempt from the obligation to delete personal data once the purpose of processing has been fulfilled, and can also be exempted from the provisions of the Bill by the Indian government in the interests of the security, sovereignty and integrity of the State or the maintenance of public order.
Certain companies can also be exempted by the Indian government from specified obligations. Further, many obligations of data fiduciaries do not apply where processing is necessary (i) for judicial or quasi-judicial purposes by courts or tribunals, (ii) for the enforcement of a legal right or claim, or (iii) in relation to the prevention of an offence.
The Bill is proposed to be tabled before the Parliament of India in its 2023 budget session and will have to be passed by both houses of Parliament and notified in the official gazette before it becomes law. Even after enactment, the Bill is likely to be brought into force in phases over a period of time. The Indian government will also subsequently make rules to carry out the provisions of the Bill.
Please see here for a detailed article on the summary of the key amendments proposed in the Bill.
By Deepa Christopher, Partner, and Anindita Dutta, Associate, at Talwar Thakore & Associates, a leading Indian law firm.