Series
Blogs
India – A fresh attempt to pass a comprehensive data protection law
India – A fresh attempt to pass a comprehensive data protection law
21 December 2022
Series
Blogs
21 December 2022
In November 2022, the Indian government released a draft of the Digital Personal Data Protection Bill, 2022 (“Bill”), in a fresh attempt to create a comprehensive data protection regime.
The Bill is proposed to be tabled before the Parliament of India in the first half of 2023. We discuss the key provisions of the Bill.
India has not yet enacted a comprehensive legislation on data protection. The current regulatory framework is derived from Section 43A of the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) which apply specific and limited obligations. Sectoral laws may also be applicable to entities in regulated sectors such as financial services and telecommunications. Please see here for a detailed summary of the data protection regime in India.
The Indian Government has made a number of attempts to introduce a comprehensive data protection law. For example, it previously proposed a Data Protection Bill, 2021 (“2021 Draft Bill”) which had some similarities to the General Data Protection Regulation (“GDPR”).
That 2021 Draft Bill has now been withdrawn and has been replaced by the new Bill. This Bill has been drafted as an entirely new law and appears to be both government and business friendly; it is not an iteration of the 2021 Draft Bill. The Bill will replace Section 43A of the IT Act and the SPDI Rules.
Scope
The Bill starts with a number of concepts that are broadly similar to those in the GDPR. It governs data fiduciaries (i.e., data controllers), data processors and data principals (i.e., data subjects).
It is applicable to the processing of digital personal data, i.e., information relating to an individual which can identify such individual, where the data is either collected online or is digitised after it is collected offline.
The 2021 Draft Bill contained a complex delineation of personal data into sensitive or critical personal data, and a hierarchisation of a data fiduciary’s obligations on the basis of the type of personal data processed. This has been done away with. Additionally, ‘non-personal data’ has been removed from the ambit of the Bill, which is a welcome change.
Grounds for processing – lawful purpose and consent
The processing of personal data should be in accordance with the Bill for a lawful purpose, i.e., a purpose not expressly prohibited by law.
Consent remains a key ground for processing personal data but, as set out below, is a very different concept to consent under the GDPR. Data fiduciaries must provide a clear and itemised notice (with a description of the personal data sought and the purpose of collecting such data) to concerned data principals to seek their consent.
The Bill has a broad conception of consent. In addition to express/ affirmative consent, it recognises ‘deemed consent’, the ambit of which appears to be very broad. While affirmative consent should be free, specific, informed and unambiguous and can be withdrawn, ‘deemed consent’ does not require individuals’ affirmative action and does not attract any notice obligations. It is also unclear as to how the withdrawal of ‘deemed consent’ would work.
The Bill lists situations where ‘deemed consent’ can be relied on including:
Obligations of data fiduciaries
The key obligations of data fiduciaries include:
The Bill defines children as anyone below the age of 18 years and requires verifiable parental consent for processing the personal data of children.
Companies can be designated as ‘significant data fiduciaries’, based on factors like volume and sensitivity of personal data processed, risk of harm to data principals and potential impact on India’s security and public order. These ‘significant data fiduciaries’ are subject to additional obligations like conducting periodic audits and data protection impact assessments and appointing an independent data auditor and a data protection officer.
Organisations which routinely deal with large volumes of personal data (banks, telecom companies, insurance companies, hospitals) are likely to fall under this category, though unlike the 2021 Draft Bill, social media platforms are not specifically identified as ‘significant data fiduciaries’.
Rights and duties of data principals
Individuals have:
Unusually, the Bill also imposes duties on data principals (individuals). They can be subject to penalties up to INR 10,000 for non-compliance, a unique provision which seems to have been introduced to prevent frivolous complaints.
Data localisation and cross-border data transfers
While the Bill does not specifically mandate storage of digital personal data within India, data localisation requirements under other laws (e.g., imposed by the Reserve Bank of India on banks and other payment service providers) will continue to apply.
Further, under the Bill, cross-border data transfers are permitted to jurisdictions that the Indian government ‘may prescribe’. Therefore, it appears that data transfers will only be permitted to countries that fall within a government white list.
Adjudicating authority
A ‘digital by design’ and an independent, though government-appointed, Data Protection Board of India, composed of a chairperson, a chief executive, members and other officers and employees, will be established by a government notification, to ensure compliance and penalise non-compliance.
The board has the power to conduct inquiries basis, inter alia, suo moto complaints or complaints from affected individuals/ references from the government and issue orders. Such orders can be further reviewed by the board or be appealed before relevant High Courts. The board can also recommend alternate dispute resolution processes and can stop its proceedings by accepting voluntary undertakings from violating entities.
Penalties
While the quantum of penalties for breaches and non-compliance of the Bill is high (capped at INR 500 crores, which is approximately Euro 60m), penalties are not linked to the entity's world-wide turnover, as in the case of the GDPR and the 2021 Draft Bill. Another welcome change has been the removal of criminal sanctions. The ability of affected data principals to claim compensation has also been removed.
Exemptions
State entities are exempt from the obligation to not retain data even after the purpose is fulfilled and can also be exempted from the provisions of the Bill by the Indian government in the interests of the State’s security, sovereignty and integrity or to maintain public order.
Certain companies can also be exempted by the Indian government from certain specified obligations. Further, many obligations of data fiduciaries do not apply when processing is necessary (i) for judicial/ quasi-judicial purposes by courts or tribunals, (ii) for the enforcement of legal right/ claim, or (iii) in relation to prevention of an offence.
The Bill is proposed to be tabled before the Parliament of India in its 2023 budget session and will have to be passed by both houses of the Indian Parliament and notified in the official gazette before it becomes the law. Even after enactment, the Bill is likely to be implemented in a phased manner over a certain time period. The Indian government will also subsequently make rules to carry out the provisions of the Bill.
Please see here for a detailed article on the summary of the key amendments proposed in the Bill.
By Deepa Christopher, Partner, and Anindita Dutta, Associate, at Talwar Thakore & Associates, a leading Indian law firm.