The Ministry of Electronics and Information Technology released a draft of the Digital Personal Data Protection Bill, 2022 (the "Bill") on 18 November 2022 for public consultation; the Bill is expected to be tabled before Parliament in the coming budget session. Our Partner Anuj Bhatia, Senior Associate Shruti Bhat and Associate Aastha Saily analyse some of the key concepts that have been proposed in the Bill.


Introduction

Following the withdrawal of the Personal Data Protection Bill, 2019 (the 2019 Bill) earlier this year, a draft Digital Personal Data Protection Bill, 2022 (the 2022 Bill) was released by the Indian Government on 18 November 2022. A copy of the 2022 Bill can be accessed here.

The main features of the 2022 Bill are set out below:

A Streamlined Bill

By Indian legislation standards, the 2022 Bill is extremely concise, and contains only 30 clauses (as compared to 98 clauses in the 2019 Bill). Whilst this has been welcomed in some quarters on the basis that this will give the legislation longevity (since it will be flexible enough to deal with rapidly emerging new technologies), there are several instances where the 2022 Bill makes a reference to further detail being provided in rules to be "prescribed" by the Government. There are therefore concerns that:

  • there is still a long way to go in terms of fleshing out the necessary detail required to ensure that the framework is comprehensive (and can be fully understood and implemented); and
  • this gives the Government disproportionate powers to create delegated legislation (dealing with substantive rather than procedural aspects), which could lead to legal challenges and possibly delayed enforcement as and when the 2022 Bill becomes law.

Digital Personal Data

The 2022 Bill only deals with digital personal data and does not apply to non-automated processing of personal data or offline personal data. More notably:

  • the 2022 Bill does not contain the concepts of sensitive personal data or critical personal data (which were present in previous data bills, and which were subject to more stringent conditions as to consent or use, and cross border transfers); and
  • the 2022 Bill does not cover non-personal data, which is widely seen as a welcome step.

Localisation Requirements Relaxed

One aspect that will be very welcome to global technology and social media corporations is that the data localisation requirements contained in earlier proposed data legislation have been relaxed. The 2022 Bill provides that the Government can notify the countries or territories to which personal data may be transferred, based on factors that it considers necessary. Accordingly, it is expected that various jurisdictions with a sophisticated data protection regime (such as the USA, the UK and the EU) will be "white-listed", and this is also expected to assist India in achieving adequacy status under the corresponding data regimes in those regions.

It should be noted though that:

  • localisation requirements under other laws and regulations (such as the 2018 Reserve Bank of India circular requiring all payment gateways along with other entities in the payment ecosystem to store payment related data locally) will continue to apply; and
  • significant data fiduciaries (whether located in India or not) will need to appoint a data protection officer based in India.

Consent and Deemed Consent Requirements

The requirements for data fiduciaries (i.e. data controllers) to give detailed notices to, and obtain clear consent from, data principals (i.e. data subjects) remain similar to those found in previous proposed data legislations in India. In addition, the 2022 Bill retains the concept of a "consent manager", through which a data principal can manage their data consents.

The 2022 Bill also permits the processing of personal data in certain situations where consent is deemed to have been given by data principals (which include circumstances such as epidemics, disasters and breakdowns of public order). Non-consent / deemed consent-based processing is also permitted in circumstances similar to those contained in the GDPR (such as fair and reasonable purpose and legitimate interests).

Breach Notification

In a significant change from earlier proposed data legislation, the 2022 Bill now makes it mandatory for data fiduciaries and data processors to report data breaches to affected data principals (the 2019 Bill required reporting to data principals only if the data authority required this). There is a concern that this could result in notifications being sent to data principals even for minor matters (thereby resulting in data principals getting notification fatigue and being unable to distinguish between significant and insignificant breaches), so this could be an area where some measure of materiality is included in the final legislation.

The 2022 Bill does not specify a timeline within which a breach should be reported (in the 2019 Bill the timeline was 72 hours), and presumably this will be specified in the rules to be created by the Government. It is worth noting that at present, breaches are required to be reported within 6 hours!

Government Powers and Exemptions

Significant criticism has been levelled against the 2022 Bill in that it gives the Government – the largest collector and processor of data in the country – wide powers, thereby raising concerns regarding surveillance and lack of Government accountability:

  • the Government can exempt from the purview of the legislation any instrumentality of the State on certain grounds but with no specific conditions as to "reasonableness" or "proportionality" (which were concepts contained in the Supreme Court judgement that recognised the right to privacy as a fundamental right);
  • the 2022 Bill also exempts any state authority from the requirement of deletion of data after use (which could enable such authorities to indefinitely store such data with no limitations as to purpose or otherwise);
  • the numerous instances of "as may be prescribed" language in the 2022 Bill raise concerns about the Government having significant powers to create delegated legislation; and
  • the Government will have the power to appoint the members of the Data Protection Board (which is described as being an independent body, having the powers of a civil court), which has raised questions about how such an authority can remain independent, and if it will really be in a position to exercise oversight and impose fines on the Government in practice.

It remains to be seen how such provisions will hold up against any judicial scrutiny to which they may be subject once the 2022 Bill becomes law.

Voluntary Undertakings

In a move that is intended to avoid long-drawn-out proceedings where possible, the 2022 Bill gives entities that are in breach the ability to "plea bargain":

  • the Data Protection Board may accept a voluntary undertaking in respect of any matter related to compliance with the provisions of the legislation from any person at any stage (which may include an undertaking to take specified action within a specified time, an undertaking to refrain from taking specified action, and an undertaking to publicize the voluntary undertaking); and
  • acceptance of the voluntary undertaking by the Data Protection Board shall constitute a bar on proceedings under the provisions of the legislation as far as the contents of the voluntary undertaking are concerned (except in cases of non-compliance with the terms of the voluntary undertaking).

Penalties

Under the 2019 Bill, penalties for breaches were linked to a percentage of the total worldwide turnover of a data fiduciary and were uncapped. Under the 2022 Bill, the aggregate penalty for non-compliance is capped at INR 5 billion (approx. USD 61 million), with individual non-compliances (such as failures to take "reasonable" security safeguards or to notify the Data Protection Board or affected data principals) being capped at lower sub-thresholds. Concerns are being expressed about whether the quantum of the penalties will be sufficient to ensure compliance by large global players.

The 2022 Bill also imposes certain duties on data principals, which include refraining from registering a false or frivolous grievance or complaint with a data fiduciary or the Data Protection Board and not furnishing any false information, suppressing any material information or impersonating any other person while applying for any document or service. The 2022 Bill prescribes a penalty of up to INR 10 thousand (approx. USD 122) in case of non-compliance with such obligations by a data principal.

What's Next?

The 2022 Bill is currently open for public comments till 17 December 2022 and, as per recent press releases, may be tabled in the Parliament's budget session (tentatively February-March 2023). The Electronics and Information Technology Minister has been quoted as saying that the 2022 Bill, along with the bill overhauling telecommunication law in India, is expected to become law by August 2023. Given the track record of past proposed data legislation, it remains to be seen if this timeline will be met! In any event, we do anticipate that the provisions of the 2022 Bill will be brought into effect on a staggered basis, to give companies dealing with personal data sufficient time to prepare (noting that many companies in India are already familiar with requirements under other regimes such as the GDPR).

The devil will be in the detail, so it will be important to review the draft rules that will need to be prepared by the Government to get a better understanding of the requirements that data fiduciaries and data processors will need to comply with. It will also be interesting to see what changes (if any) the 2022 Bill undergoes to address the "who will guard the guards" concerns that have been expressed about its potential lack of applicability to the Government, and the perceived lack of independence of the Data Protection Board.

We are continuing to monitor developments and will provide updates as and when further information becomes available.

Originally published November 29, 2022

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.