The draft Digital Personal Data Protection Bill, 2022 ("DPDB"), which was released by the Ministry of Electronics & Information Technology (MeitY) on November 18, 2022, is open for public comment through December 17, 2022. MeitY had earlier withdrawn the Data Protection Bill 2021 on August 4, 2022, on the grounds that the Joint Committee had recommended significant changes to the original draft. That withdrawal highlighted the need for a "comprehensive" legal framework that is in line with current privacy laws and the constantly changing nuances of the digital ecosystem.
Below, we analyze the fundamental elements of the Indian data protection regime that would result if the DPDB were passed into law in its current form.
Application and coverage:
The DPDB will apply to:
- All processing of digital personal data, subject to exemptions (material scope); and
- All processing carried out inside India and, in some circumstances, processing carried out outside India (territorial scope).
Consent and Deemed Consent:
The processing of digital personal data must be done for a lawful purpose with the data principal's consent or deemed consent. Non-compliance with the consent or deemed consent requirements can result in fines of up to INR 500 million (about USD 6.1 million). Consent remains the main legal basis for processing, albeit with weakened constraints.
According to DPDB, consent must be unrestricted, explicit, informed, and clear. It must be acknowledged by the data principal through affirmative action and be restricted to the designated purposes.
A data fiduciary must offer an itemized notice (i.e., displayed as a list of individual items) on or before obtaining consent that clearly and plainly explains the personal data sought to be processed as well as its intended use.
In 9 instances, the DPDB treats the data principal as having consented ("deemed consent"), which then serves as the legal basis for the processing. These include:
- When the data principal voluntarily provides personal data and it is reasonable to expect that they would supply such data, such as when a contract is entered into or performed;
- Processing by the state for any purpose, including providing services or benefits (such as social welfare programs) to the data principal or fulfilling any statutory duty;
- Providing the data principal with a certificate, license, or permit (such as collecting biometric information for the issuance of an Aadhaar);
- Complying with any judgment or order;
- Responding to a medical emergency posing a threat to the life or health of the data principal or another person;
- Providing medical treatment or health services to any individual during an epidemic, disease outbreak, or other public health emergency, such as contact tracing;
- Disaster management or breakdown of public order;
- Employment-related purposes;
- The public interest (DPDB defines "public interest" as the interest of India's sovereignty and integrity, security of the state, friendly relations with foreign states, maintenance of public order, preventing incitement to commit any cognizable offense relating to the foregoing, and preventing the dissemination of false statements or facts); and
- Any fair and reasonable purpose as may be prescribed later, provided the processing is not unlawful.
Beyond the consent requirements mentioned above, the fine for non-compliance with other fiduciary obligations can also reach INR 500 million (about USD 6.1 million). The DPDB places fewer restrictions on data fiduciaries than the preceding legislation did. Perhaps the goal is to encourage self-regulation and reduce enterprises' compliance costs and burden. At the same time, this might affect privacy governance structures already in place.
Notification of significant data fiduciaries:
The central government may designate any class of data fiduciaries as significant data fiduciaries (SDF). Factors such as the volume and sensitivity of the data processed, the risk of harm to the data principal, the potential impact on India's sovereignty and integrity, security of the state, risks to electoral democracy, and other such metrics will be evaluated when making these decisions.
The earlier iterations of the criteria featured more specifics and attempted to include certain social media intermediaries within the scope of SDFs; presently, this is left open-ended. An SDF would be required to select an individual resident in India to serve as its Data Protection Officer (DPO).
The scope of the data principal's rights:
The DPDB constrains data principals' rights in relation to their data and also imposes some duties on them. A data principal is entitled to:
- Confirmation of processing, access to a summary of the personal data processed and the processing activities, identification of all data fiduciaries, and such other information as may be prescribed;
- Rectification of false or misleading personal information;
- Updating personal data;
- Completing incomplete personal data;
- Deletion of personal data that is no longer required for processing or for any legal purpose; note that a fiduciary is allowed to retain personal data if it is required for business purposes, so it is unclear whether the right to erasure overrides this retention right of the fiduciary, and this needs to be clarified;
- Register a grievance with the data fiduciary;
- File a complaint with the DPBI if the data fiduciary does not respond to their registered grievances or does so in an unsatisfactory manner;
- Designate another person to exercise their rights in the event of their death or incapacity.
Data principals have no right to be forgotten, no right to object to particular kinds of processing (a principal cannot object even to automated processing, which is a key area of regulation), and no right to data portability, which has been a contentious issue worldwide.
The manner, timeline, format, and other details on how rights can be exercised have been left to rule-making. Nevertheless, for exercising these rights, the data principal is obligated to comply with certain duties. One of them requires data principals to comply with the provisions of all applicable laws.
Cross-border data transfer:
Stakeholders debated the specifics of cross-border data transfer under the earlier drafts extensively, with significant opposition to both soft and rigid data localization requirements. The DPDB eliminates such localization requirements, which is a positive development.
It stipulates that the central government will notify the jurisdictions to which personal data may be transferred, subject to such terms and conditions as it may specify, after assessing such factors as it considers necessary.
This suggests that the central government will have complete discretion in deciding which jurisdictions are appropriate and in setting the conditions for data transfers. Alternative mechanisms for cross-border transfer, such as binding corporate rules (mandatory business policies) and standard contractual clauses, are not contemplated.
Currently, the IT Rules allow cross-border transfers only with consent or when such transfers are necessary for the performance of a contract entered into with the data principal. Data transferors are required to ensure that the transferee affords the personal data a similar level of data protection.
Exemptions:
The DPDB envisions broad exemptions for the state and for specific types of processing. No data fiduciary or SDF obligations will apply to the processing of personal data that is:
- for enforcing legal rights or claims;
- by a judicial, quasi-judicial, or other body while performing judicial or quasi-judicial functions;
- in the interest of prevention, detection, or prosecution; or
- subject to any other restriction on cross-border transfer that may be notified later.
In addition, the DPDB exempts the state and its instrumentalities from storage and retention limits, so they are free to keep personal data for as long as they see fit. The central government also has the authority to exempt some data fiduciaries from the notice, data accuracy, retention limitation, and access and confirmation rights requirements, having regard to the volume and nature of the data they process.
Data Protection Board of India (DPBI):
The DPDB provides for the DPBI to be established to determine DPDB non-compliance, impose penalties, issue directions, and perform such other functions as the central government may specify. The DPBI is meant to act as an independent regulator, and all of its proceedings are designed to be digital.
The DPBI will have the power to handle complaint-related proceedings, summon witnesses, examine evidence, conduct inquiries, and impose penalties. Its composition must therefore strike the right balance for it to function independently of the other wings of the state. However, the DPDB is silent on these points: it grants the central government the power to prescribe the DPBI's composition, membership criteria, terms of appointment, and conditions for removal.