India: Remains Of The Day: Digital Personal Data Protection Bill, 2023

Contents

DPDP Bill, 2022

DPDP Act,2023

Impact on Businesses

Data Principal

The definition of Data Principal covered the persons to whom the data relates to and parents / guardians of a 'child'.

The definition has been expanded to include guardians acting on behalf of persons with disability.

The revised definition will lead to inclusive protocols in relation to all Data Principals.

Harm

The 2022 draft's definition for harm included bodily harm, identity theft, prevention of gains, wrongful losses, etc.

The Act does not offer any definition for harm. The references to harm as a factor for classifying a Data fiduciary (viz., data collector) as a 'Significant Data Fiduciary' (SDF) have also been replaced with the risk to the 'rights' of a Data Principal arising due to the proposed processing and its consideration for data protection impact assessments.

While there are other factors which will be considered for SDF classifications, this appears to be one factor over which Data Fiduciaries yield control i.e., implementation of comprehensive mechanisms to ensure Data Principal's rights are not compromised.?

Notice

Prior to collecting personal data, the Data Fiduciary was required to give an itemized notice to the Data Principal (in clear and plain language)describing the personal data sought to be collected and the purpose of processing such data.

Every request for consent has to be accompanied by a notice detailing the personal data requested, the purpose for seeking the same, the manner of exercising the rights of the Data Principal, and the manner of making complaints to the Board.

The practical constraints of providing a 'notice' and request for consent separately to the Data Principal as per DPDP 2022 have been eased. Businesses may formulate a singular mechanism which presents the notice and consent in one-go.

Legitimate Uses

The 2022 draft had put forth the concept of "deemed consent", i.e., grounds as per which data processing may be undertaken without the express consent of the Data Principal, and allowed owing to their 'deemed' consent.

The DPDP Act, 2023 replacesdeemed consent with 'certain legitimate uses'.The new law (inter alia) provides for processing data without consent in 'reasonably expected' scenarios,where data has been voluntarily provided.

This will reduce ambiguity, given that there could be differences on how fiduciaries view 'reasonable'. That said, the removal of fair and reasonable purposes may require businesses to review existing processing under the lens of the purpose specified.

Engaging Data Processor

Data Fiduciaries were permitted to engage data processors for activities related to their personal data processing under a valid contract. The engaged data processors were further permitted to appoint additional processors under a valid contract.

Data Fiduciaries have been allowed to engage data processors for processing (on its behalf) for any activity related to the goods / services offered to the Data Principals, under a valid contract.

Existing and future agreements with data processors would have to specifically stipulate a data processor's ability to contract to further third parties.

Reporting Data Breaches

In the event of a breach, Data Fiduciaries were obligated to notify the data protection board and each affected Data Principal.

Now, Data Fiduciaries are required to give 'intimation' of the breach to the board and affected Data Principal.

From a practical perspective, the modification does not offer any significant change in the expectation from the Data Fiduciary.

Cross-Border Transfers

Transferring personal data outside India was permitted only to the countries notified by the central government.

Personal data may be transferred outside India, except to notified restricted countries.

The 'white-list' mechanism proposed under the DPDP Bill, 2022 was met with significant pushback. Opting for the 'black-list' mechanism is a welcome step towards supporting ease of business.

Retention of Personal Data

Retention of personal data was permitted until it was reasonable to assume that the retained personal data was no longer necessary for the purpose it was collected for, and such retention was no longer necessary for business or legal reasons.

Personal data is to be erased as soon as the Data Principal withdraws her consent or it is reasonable to assume that the specified purpose is no longer being served. The obligation of ensuring erasure of personal data when no longer required is placed solelyon the Data Fiduciary.

Data retention SOPs may have to be factored in dynamic mechanisms for determining the applicable retention period, based on the Data Principal's engagement with the Data Fiduciary for the specified purpose.

Penalties

'Non-compliance' of any provisions of the law and/or any subordinate legislation would be subject to monetary penalties in accordance with the matrix specified. However, INR 500 Crores had been specified as the limit for penalties in each instance.

Instead of non-compliance, the final law specifies that 'breach' of the laws and subordinate legislations would be subject to penalties. A new penalty for breach of any terms of a voluntary undertaking by a person who is the subject of an inquiry proceeding has also been added.

The substitution of non-compliance with breach indicates that an element of willful transgression would be necessary for levy of penalties, as opposed to inadvertent lapses. However, this leeway is not without cost as the cap on penalties has been removed.