India’s proposed data protection law has been a long time in the making. In 2018, a committee of experts constituted by the Indian government issued a first draft of a proposed law on data protection. In late 2019, a revised version of the draft, titled the Personal Data Protection Bill, 2019 (the “PDPB”), was introduced in the Indian Parliament. The PDPB was dogged by controversies, especially over the exemptions afforded to government agencies, the treatment of anonymised data, data localisation requirements, and regulated cross-border transfers. For a deeper examination of the proposed law, the draft was referred to a Joint Parliamentary Committee comprising members of both Houses of Parliament (the “Committee”).
On December 16, 2021, the Committee finally presented the “Report of the Joint Committee on the Personal Data Protection Bill, 2019” (referred to as the “Report”) to the Parliament. The Report substantially consists of the Committee’s overarching recommendations on the PDPB and a revised draft of the PDPB. Now referred to as the Data Protection Bill, 2021 (hereafter, the “Bill”), the updated draft law contains the spirit of its predecessor – that is, it seeks to protect the digital privacy of citizens and create a relationship of trust between individuals and entities processing their data – but also goes several steps further.
The Bill regulates “data fiduciaries” and “data processors”. A “data fiduciary”, much like a data controller under the GDPR, is any person who, either alone or with others, determines the purpose and means of processing personal data. A “data processor” is any person who processes personal data on behalf of a data fiduciary. A “data principal” is the natural person to whom personal data relates.
The Bill establishes the Data Protection Authority of India (“Authority”) to oversee and regulate processing of data. The government has the power to appoint members of the Authority. Members include the Attorney General of India, the Secretary to the Government of India in the Ministry or Department dealing with the Legal Affairs, an independent expert nominated by the government, and Directors of the Indian Institutes of Technology and Indian Institutes of Management. The Authority has wide powers under the Bill, and will, over time, issue regulations to address various operational aspects of the law. The Committee has recommended that the Authority be constituted within three months of the enactment of the law and commence activities within six months.
The Authority has the power to create sub-categories of data fiduciaries called “significant data fiduciaries”, depending on the volume of personal data processed, sensitivity of such data, risk of harm posed by the processing, and the turnover of the data fiduciary. Significant data fiduciaries are subject to enhanced obligations under the Bill and are required to register themselves with the Authority.
Certain types of “social media platforms” (i.e., platforms that primarily enable online interactions between users and allow them to create, disseminate, and modify data and information) may also be categorised as significant data fiduciaries.
The Committee has recommended that an approximate period of 24 months be provided for the implementation of the provisions of the Bill to enable data fiduciaries and data processors to effectively comply with its requirements.
- Material Applicability: The Bill has a wider scope than the PDPB: it applies to the processing of personal data, sensitive personal data, and non-personal data (which includes personal data that has been anonymised). The change in the title of the proposed law to the “Data Protection Bill, 2021” underscores the Committee’s resistance to distinguishing between personal data and other types of data and information, and to implementing a separate legal framework for each type of data.
- Definitions: “Personal data” is defined as data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute, or other feature of the identity of such person. The Bill defines “non-personal data” to mean any data other than personal data. Significantly, several provisions of the Bill apply to non-personal data, and the scope of the Authority’s powers now extends to the regulation of the processing of non-personal data.
- Territorial Applicability: The Bill applies to:
  - the processing of personal data within India, where such data has been collected, stored, disclosed, shared, or otherwise processed within India;
  - the processing of personal data by any person under Indian law; and
  - the processing of personal data by data fiduciaries or data processors not present within India, if the processing is in connection with any:
    - business carried out in India, or any systematic activity of offering goods or services to data principals within India; or
    - activity that involves the profiling of data principals in India.
|Key Divergence from the PDPB|
|---|
|The draft law will now extend to the processing of “non-personal” data: a wide category that includes all data that is not personal data. This approach echoes recent policy initiatives to regulate non-personal data.|
EXEMPTIONS TO APPLICABILITY
- Government Agencies:
The Bill permits the government to exempt any government agency from the applicability of its provisions (a) in the interest of the sovereignty or integrity of India, security of the state, foreign relations with foreign states, or public order, or (b) for preventing any incitement to the commission of any cognisable offence relating to the sovereignty or integrity of India, security of the state, foreign relations with foreign states, or public order. The exercise of this right must be in accordance with just, fair, reasonable, and proportionate procedures and will be subject to safeguards and oversight mechanisms prescribed by the government.
- Contravention of Law, Legal and Judicial Proceedings, Personal or Domestic Use, and Journalistic Purposes:
Certain provisions of the Bill will not apply to processing of personal data if the processing is:
- in the interests of prevention, detection, investigation, and prosecution of any offence or any contravention of any law;
- necessary for enforcing any legal rights or related claims, seeking relief, defending charges, opposing claims, or obtaining legal counsel in impending legal proceedings;
- by any court or tribunal for the exercise of judicial functions;
- by a natural person for personal or domestic purposes, except where the processing involves disclosure to the public, or is undertaken in connection with any professional or commercial activity; or
- necessary for or relevant to a journalistic purpose, and such processing is compliant with rules and regulations issued under the Bill and any code of ethics issued by the Press Council of India or any statutory media regulatory organisation.
- Processing Data of Data Principals Outside India:
The Bill allows the Indian government to exempt the processing of personal data of data principals outside India by data processors (or a class of data processors) incorporated in India who process such data pursuant to a contract with a person outside India.
- Research, Archival, or Statistical Purposes:
The Authority has the right to exempt, subject to conditions, classes of processing of personal data for research, archival, or statistical purposes from the provisions of the Bill.
- Non-Automated Processing by Small Entities:
Non-automated processing by small entities (i.e., entities that fall within a particular category classified by the Authority) is granted limited exemptions from certain provisions of the Bill.
- Data Fiduciaries and Start-Ups Included in Regulatory Sandbox:
The Authority may create a regulatory sandbox to encourage innovation in AI, machine-learning, or other emerging technology. Certain provisions of the Bill will not apply to organisations that are a part of the sandbox.
|Key Divergence from the PDPB|
|---|
|The government’s right to exempt government agencies from the provisions of the Bill has not been without controversy. Recognising a need for the constitutionally guaranteed fundamental right of privacy to be upheld, the Committee has introduced language that requires any exercise of this right to be in accordance with just, fair, reasonable, and proportionate procedures.|
OBLIGATIONS OF DATA FIDUCIARIES
- Purpose and Collection Limitation:
Personal data may only be processed in a fair and reasonable manner that will ensure the privacy of data principals. It can be collected only to the extent necessary for the purposes of processing.
- Privacy Notice:
Data fiduciaries are required to provide data principals with a notice that details specific information, including purposes of processing, nature and categories of personal data being collected, and the basis of processing. This notice must be clear, precise, and easily comprehensible to an individual and in multiple languages to the extent necessary and practicable. Notably, no notice is required where the provision of such notice would prejudice the processing of personal data for Public Interest (defined below).
- Quality of Personal Data:
Data fiduciaries must take necessary steps to ensure personal data processed is complete, accurate, not misleading, and updated.
- Data Retention:
Personal data may be retained only for the period necessary for the purpose for which it was processed, and must be deleted at the end of that period, unless the data principal has expressly consented otherwise or retention is necessary to comply with any law in force.
Data fiduciaries are responsible for compliance with the Bill, and any rules and regulations made under it, with respect to any processing undertaken by them or on their behalf. In this vein, data fiduciaries are required to enter into written contracts with data processors.
GROUNDS FOR DATA PROCESSING
- With Consent: Consent is the primary ground for processing personal data under the Bill.
  - Personal data may be processed only if the data principal has given, at the commencement of processing, consent that is free, informed, specific, clear, and capable of being withdrawn.
  - Sensitive personal data may be processed only with the explicit consent of the data principal.
  - The burden of proving that the consent of a data principal has been obtained rests with the data fiduciary.
  - Data fiduciaries may process personal data only for the purposes consented to by the data principal, or for purposes incidental to or connected with those purposes that the data principal would reasonably expect, having regard to the purpose, context, and circumstances in which the personal data was collected.
  - The provision of goods or services, contractual performance, or the enjoyment of a legal right or claim cannot be (i) made conditional on consent to the processing of any data not necessary for that purpose, or (ii) denied on the basis of the data principal’s exercise of choice.
- Without Consent:
  - Both personal data and sensitive personal data may be processed without the consent of data principals on the following grounds (“Public Interest”):
    - for the performance of certain state functions;
    - for compliance with orders or judgments of courts, quasi-judicial authorities, or tribunals in India;
    - to respond to medical emergencies involving a threat to the life or health of the data principal or any other individual;
    - to undertake measures to provide medical treatment or health services during epidemics, outbreaks of disease, or other threats to public health; or
    - to provide safety measures, assistance, or services to any individual during a disaster or breakdown of public order.
  - Personal data may be processed without consent for employment-related purposes, including recruitment, assessments, and employment verification, if the processing is necessary for, or can reasonably be expected by, the data principal. Sensitive personal data, however, cannot be processed on this ground.
  - Personal data may be processed without consent for reasonable purposes, such as corporate restructuring or combination transactions, network or information security, debt recovery, or operating search engines, after taking into consideration:
    - the legitimate interest of the data fiduciary;
    - whether the data fiduciary can reasonably be expected to obtain consent, and whether it is practicable to do so;
    - any public interest;
    - the degree of adverse effect on the rights of the data principal; and
    - the reasonable expectations of the data principal.
The scope of “reasonable purposes” is not clearly defined: the Authority has the power to specify the scope of reasonable purposes and set out additional regulations to ensure the protection of data principals whose data is processed under this ground.
PERSONAL DATA OF CHILDREN
Processing of the personal data of a child (i.e., someone below the age of 18 years) must be done in a manner that protects the rights of the child. A data fiduciary must, before processing the personal data of a child, verify the age of the child and obtain their parent’s or guardian’s consent in a prescribed manner.
Data fiduciaries are prohibited from profiling children, tracking or behaviourally monitoring children, directing advertising at children, or undertaking any processing that can cause significant harm to a child.
|Key Divergence from the PDPB|
|---|
|The Committee has recommended the deletion of the concept of “guardian data fiduciaries”, which were, under the PDPB, data fiduciaries that (a) operated commercial websites or provided online services directed at children, or (b) processed large volumes of personal data of children. Instead, data fiduciaries that process personal data of children or provide services to children will be classified as “significant data fiduciaries”, and will therefore automatically be subject to enhanced compliance obligations.|
DATA PRINCIPAL RIGHTS
- Right of Confirmation and Access to Information:
  - Data principals have a right to:
    - seek confirmation on whether the data fiduciary is processing or has processed personal data of such data principal;
    - access all personal data being processed or a summary of such data;
    - be provided with information of processing activities undertaken with respect to their data;
    - access such information in a clear and concise manner easily comprehensible to a reasonable individual in a similar context; and
    - access the identities of the data fiduciaries with whom personal data has been shared by any data fiduciary, together with the categories of personal data shared.
  - While the PDPB was silent on the privacy rights of deceased individuals, the Committee has identified a need for data principals to have specific rights upon death. Accordingly, data principals have the right to nominate legal heirs or representatives as nominees who can exercise specific rights on behalf of data principals upon their death.
- Right of Correction and Erasure:
  - Data principals have a right to:
    - correct inaccurate or misleading personal data;
    - complete and update personal data; and
    - seek the erasure of personal data if the purpose of collection is satisfied, or if the consent on which the data was processed has been withdrawn.
  - Data fiduciaries must take necessary and practicable steps to notify any correction, completion, update, or erasure of personal data to all entities to which they have disclosed such data.
- Right to be Forgotten:
  - Data principals have the right to apply to the Authority to restrict the continued disclosure or processing of their personal data by a data fiduciary if the data:
    - has served its purpose;
    - is not permitted to be processed due to withdrawal of consent; or
    - is processed contrary to any applicable law.
  - The Authority decides whether to grant the request having regard to:
    - the sensitivity of the personal data;
    - the scale of disclosure or processing and the degree of restriction sought;
    - the data principal’s role in public life;
    - the relevance of such personal data to the public; and
    - the nature of the disclosure or processing and its impact on the activities of the data fiduciary.
  - This right cannot be exercised unless the data principal proves that their right to prevent the continued disclosure or processing of their personal data overrides:
    - the right to freedom of speech and expression, or the right to information, of any other citizen; or
    - the right of the data fiduciary to retain, use, and process such data in accordance with the Bill.
- Right to Data Portability:
Data principals have the right to receive their personal data in a structured, commonly used, and machine-readable format if the processing has been undertaken through automated means, and to have this data transferred to any other data fiduciary, except where:
  - processing is necessary for state functions, or for compliance with the law or any judgment or order of any court, quasi-judicial authority, or tribunal; or
  - compliance would not be technically feasible for the data fiduciary. The Authority will prescribe regulations to guide such decision making.
- Exercise of Rights and Grievance Redressal:
As a general process, data principals may exercise their rights either directly to the data fiduciary or through a consent manager (which is a data fiduciary that enables data principals to give, withdraw, and otherwise manage their consent). A request to exercise the right to be forgotten, however, must be made to the Authority. Data fiduciaries must comply with these requests in accordance with the timelines and processes specified by the Authority; any refusal to act upon such request must be accompanied by a written explanation. Data principals have the right to file complaints with the Authority if a data fiduciary fails to comply with a request.
|Key Divergences from the PDPB|
|---|
|Data principals have the right to nominate legal heirs and representatives to exercise specific data principal rights in the event of the death of a data principal.|
|The exercise of the right to be forgotten must be balanced with the right of data fiduciaries to retain, use, and process personal data in accordance with the provisions of the Bill.|
TRANSPARENCY, ACCOUNTABILITY, AND SECURITY
- Privacy by Design:
Principles of privacy by design have been incorporated in the law and data fiduciaries are required to prepare policies in this regard and have them certified by the Authority.
Data fiduciaries are required to ensure and maintain transparency in their processing activities and to make available specific information, such as details of the personal data collected and processed, data trust scores, details of cross-border transfers, and the algorithms used for processing personal data and the fairness of those algorithms. The Authority has the power to prescribe regulations governing how this information should be made available.
- Security Safeguards:
The Bill requires all data fiduciaries and data processors to implement security standards and practices, including de-identification and encryption techniques and measures to protect the integrity of personal data and prevent its misuse, unauthorised access, modification, disclosure, or destruction. These safeguards must be reviewed periodically.
- De-identification is a process by which a data fiduciary or data processor removes or masks identifiers from personal data or replaces identifiers with other fictitious names or code that are unique to an individual but do not, on their own, directly identify a data principal.
- De-identification is a mandatory security safeguard.
- The Authority will specify codes of practice to promote good practices of data protection, which will include methods of de-identification.
- Notification of Breach:
  - Data fiduciaries are required to report any breach of personal data processed by them to the Authority within 72 hours of becoming aware of the breach.
  - The Authority has the right to determine whether such a breach should be notified to data principals, taking into account the nature of the personal data breach and the risk of harm to the data principal. Additionally, the Authority may direct the concerned data fiduciary to take steps to remedy the breach or mitigate the harm caused to the data principal.
  - The Authority has the right to determine the steps and processes to be followed in the event of a breach of non-personal data.
- Data Protection Officer:
  - A significant data fiduciary must appoint a data protection officer (“DPO”), who must be a senior-level officer in the State, key managerial personnel in a company, or an employee of equivalent capacity in other entities.
  - The DPO has several functions, such as advising the data fiduciary on matters of compliance, developing internal mechanisms, carrying out data protection impact assessments, monitoring the processing activities of the data fiduciary, providing assistance to and cooperating with the Authority, maintaining an inventory of the records that data fiduciaries must keep, and acting as the point of contact for grievance redressal.
  - DPOs must be based in India.
- Data Protection Impact Assessments:
All significant data fiduciaries are required to undertake data protection impact assessments if they intend to undertake any processing involving new technologies, large-scale profiling or use of sensitive personal data, or other processing that carries a significant risk of harm to data principals.
- Data Audits:
All significant data fiduciaries are required to undertake data audits that are to be conducted by independent data auditors.
- Compliance Certification Mechanisms:
Upon the completion of a data audit, data auditors assign a “data trust score” to a significant data fiduciary. The Authority has the right to determine criteria for this score.
|Key Divergences from the PDPB|
|---|
|Breach notification requirements will also apply to security incidents that involve non-personal data.|
|Under the PDPB, data fiduciaries were required to report data breaches to the Authority only if the breach was likely to cause harm to any data principal. This harm-based evaluation has now been removed, and data fiduciaries are required to report all security incidents to the Authority. The Bill also proposes a timeline of 72 hours for making such a report.|
|A DPO must be “key managerial personnel” within an organisation (or an employee of equivalent capacity in another entity).|
- Cross-Border Data Transfers:
  - Sensitive personal data may only be transferred outside India with the explicit consent of the data principal and on the basis of:
    - a contract or an intra-group scheme approved by the Authority in consultation with the government, provided that the contract or intra-group scheme will not be approved if it is against public or state policy;
    - the approval of the government for transfer to a country or organisation that is approved or judged “adequate”, where the transfer would not affect the enforcement of laws. For transfers in accordance with an adequacy decision, sensitive personal data cannot be shared with a foreign government or agency unless approved by the government; or
    - an approval from the Authority (where such approval is provided in consultation with the government).
  - Critical personal data may only be transferred outside India if such transfer is to a:
    - person or entity engaged in health or emergency services or purposes; or
    - country or entity approved by the government with respect to the security and strategic interest of the State.
- Data Localisation:
  - A copy of all sensitive personal data must be stored in India.
  - Critical personal data may only be processed in India.
|Key Divergences from the PDPB|
|---|
|Under the PDPB, one of the grounds for cross-border transfers of sensitive personal data was reliance on an intra-group contract or scheme approved by the Authority. Under the Bill, such approval will require the Authority to consult with the government, and such contract or scheme will not be approved if it is against “public or state policy” – that is, an act that promotes the breach of any law, is not in consonance with public policy or state policy, or has a tendency to harm the State or citizens.|
|Sensitive personal data that is transferred on the basis of an adequacy decision cannot be shared with a foreign government or authority without the government’s prior approval.|
The Bill prescribes varying penalties.
|Nature of Offence|Maximum Penalties|
|---|---|
|A data fiduciary’s failure to comply with its security and transparency obligations|The government has the right to prescribe penalties, but such penalties cannot exceed the higher of INR 15,00,00,000 or 4% of a data fiduciary’s worldwide turnover in the preceding year (or the higher of INR 5,00,00,000 or 2% of a data fiduciary’s worldwide turnover in the preceding year, depending on the nature of the offence).|
|A failure to comply with data principals’ requests in respect of data principals’ rights|Significant data fiduciaries: INR 10,00,000; data fiduciaries: INR 5,00,000|
|Failure to furnish reports and information to the Authority|Significant data fiduciaries: INR 20,00,000; data fiduciaries: INR 5,00,000|
|Failure to comply with orders or directions of the Authority|Data fiduciaries: INR 2,00,00,000; data processors: INR 50,00,000|
|Re-identification and processing of de-identified personal data without the consent of the data fiduciary or data processor|Imprisonment of up to 3 years and/or a fine which may extend to INR 2,00,000|
|Offences for which specific penalties have not been provided|Significant data fiduciaries: INR 1,00,00,000; data fiduciaries and data processors: INR 25,00,000|
ABOUT THE AUTHORS
Mathew is the Head of the Technology, Media & Telecommunications practice group at Spice Route Legal, and is recognised as a leading Indian lawyer by several national and international directories. With close to two decades of experience, he advises on a variety of cross-border corporate and commercial transactions, including in relation to investments, fund-formation, technology laws, data privacy, intellectual property, commercial and regulatory compliance, tech law disputes, and risk mitigation strategy.
Aadya is a senior associate with the firm’s Technology, Media and Telecommunications practice group, with a special focus on, and extensive experience in, handling data protection, cybersecurity and privacy mandates. Recognised as a Rising Star by The Legal500 in 2020, Aadya regularly works with domestic and international market leaders in industries, ranging from financial services, and blockchain, to telecommunications, consumer retail, and emerging technologies.
Shambhavi is an associate with the firm’s Data Protection, Privacy and Cybersecurity practice, within the broader TMT Practice Group. She assists clients with structuring their data protection practices, procedures and policies to demonstrate compliance with applicable laws, and advises on a range of issues including risk mitigation, international data transfers, and data breach response and management.