

    Draft Digital Personal Data Protection Bill, 2022

    • 05.12.2022
    • By Saikrishna & Associates

    The Ministry of Information and Technology (“MeitY”) has released the Draft Digital Personal Data Protection Bill, 2022 (“Draft DPDP Bill”), on 18th November 2022, for public comments[1].

    ASPECTS OF THE DRAFT DPDP BILL

    1. The EU GDPR framework has been partly retained – The Draft DPDP Bill partly retains the “GDPR formula” in terms of consent, purpose, collection and storage limitation of data, legal basis for processing personal data and some other limited aspects, as opposed to the broad GDPR-style framework proposed to be adopted by the 2018 and 2019 drafts of the Personal Data Protection Bill as well as by the Data Protection Bill 2021 as redrafted by the Parliamentary Committee. The current draft is, in many respects, a “light touch” legislation in comparison to the earlier drafts.

    2. The distinction between types of “Personal Data” is out – The Draft DPDP Bill now envisages only Personal Data, and not the separate categories of Personal Data and Sensitive Personal Data as in the earlier draft Bills.

    3. Increase in compliance processes and costs likely due to Indian language obligations – Local-language notice and consent requirements will entail increased compliance costs in setting up policies, notices and consent forms and in processing such forms.

    4. Deemed Consent introduced under the Draft DPDP Bill. Legitimate interest is factored in.

    5. Cross-border transfer is allowed but Government retains the keys to change the rules – Cross-border transfer of data will be allowed since the Data Localisation Rules have been softened to a large extent; however, the Government has sought to appropriate the power to designate ‘trusted’ jurisdictions, setting the stage for some level of policy uncertainty.

    6. Draft DPDP Bill does not address existing Data localisation requirements under other Legislations and Regulations. 

    7. No Data portability in the Draft DPDP Bill

    8. No right to be forgotten obligation in the Draft DPDP Bill

    9. Government retains the power to exempt itself from the draft law. This will adversely impact encryption, since the Government has proposed rolling out other legislation increasing its surveillance powers. It will also not pass muster with adequacy regimes in other territories.

    10. Government can exempt certain Data Fiduciaries or classes of Data Fiduciaries, with respect to the volume and nature of personal data processed, from certain aspects of the law. This may potentially apply to start-ups.

    11. Government can designate certain Data Fiduciaries as Significant Data Fiduciaries with additional obligations – These will include requiring appointment of Data Protection Officer and undertaking data protection impact assessment.

    12. No Data Protection Authority but a Data Protection Board – This Board is slated to ostensibly be “independent”, but its statutory make-up will likely lead to constitutional validity issues on the basis of failure to abide by the ‘separation of powers’ doctrine when any regulator is charged with adjudicatory or quasi-judicial powers.

    BRIEF OVERVIEW OF THE DRAFT DPDP BILL

    1. Change in Draft Law’s Name: The name of the draft bill has been changed from Personal Data Protection Bill, 2019 (“2019 DP Bill”) or as revised later by the Joint Parliamentary Committee’s Report in the Data Protection Bill in 2021 (“2021 DP Bill”) to Digital Personal Data Protection Bill, 2022.

    2. Definitions:

    a) The Draft DPDP Bill seeks to introduce specific definitions of terms like gain, loss, and public interest which were not defined in the 2019 DP Bill or 2021 DP Bill.

    b) Among other changes, the definition of ‘personal data’ has been simplified and effectively broadened to include “any data about an individual who is identifiable by or in relation to such data”. The Draft DPDP Bill seems to do away with the categorization of personal data vis-a-vis non-personal data and sensitive personal data.

    c) The definitions of certain terms such as anonymisation, financial data, genetic data, health data, sensitive personal data, significant harm and transgender status, which were provided in the 2019 DP Bill or 2021 DP Bill, have been omitted from the Draft DPDP Bill.

    d) The definition of ‘Data Principal’ has been revised to mean the ‘individual’ (and not ‘natural person’ as previously referred to in the 2021 DP Bill) to whom the personal data relates and includes the parent/lawful guardian of a child.

    e) The definition of ‘Data Fiduciary’, in essence, appears to be the same as proposed under the 2021 DP Bill and includes any ‘person’ (including inter alia individual, company, firm, State, etc.) who determines the purpose and means of processing personal data.

    (f) for any fair and reasonable purpose as may be prescribed.

    The broad ambit of ‘deemed consent’ appears to automatically absolve the State and employers from complying with the provisions of notice and requesting consent from Data Principals.

    9. Consent managers recognised: Entities, i.e., Data Fiduciaries registered with the Data Protection Board, can be appointed by Data Principals to manage consent, the grant of consent and its withdrawal.

    10. Cross-Border transfer of personal data allowed only for notified Geographies:

    (a) Based on the assessment of certain factors, the Government proposes to retain the power to notify certain countries/territories to which a Data Fiduciary may transfer personal data in accordance with terms and conditions as may be specified.

    (b) Effectively, this is a data localisation provision vis-à-vis countries that are not notified by the Central Government under this proposed provision.

    (c) This provision does not account for conflict with the data protection laws of the foreign country notified by the Government for transferring personal data. Such laws might prohibit or restrict the transfer of data back to India, which would cause regulatory uncertainty and confusion.

    (d) Additionally, this requirement under the Draft DPDP Bill is in conflict with cross-border transfer allowances under the extant regime for storage of payment system data, which do not limit the transfer of data to specific notified countries, i.e. they allow for the transfer of data across all geographies as opposed to only those specifically notified by the Government.

    11. Exemptions from provisions of Draft DPDP Bill:

    (a) Provisions relating to obligations of Data Fiduciary under Chapter 2 (except Data Fiduciary’s obligation to take reasonable security safeguards), rights & duties of Data Principal under Chapter 3 and Cross-border Transfer of Data under Section 17 shall not apply in the following situations:

    • Processing of personal data for enforcing legal right/claim
    • Processing of personal data by any court or tribunal or quasi-judicial authority
    • Processing of personal data in the interest of prevention, detection, investigation or prosecution of any offence or contravention
    • Processing of personal data of Data Principals not within India pursuant to any contract entered into with any person outside the territory of India by any person based in India.

    (b) Central Government can exclude the application of the Draft DPDP Bill from processing of personal data on the following grounds:

    • By an instrumentality of the state on grounds listed under Article 19(2) barring some grounds such as decency or morality or in relation to contempt of court, defamation.
    • Research, archiving or statistical purposes if personal data is not used to take any decision specific to the Data Principal and where such processing is based on standards specified by the Data Protection Board of India.

    (c) Central Government can by notification exempt certain Data Fiduciaries or classes of Data Fiduciaries, having regard to the volume and nature of personal data processed, from obligations relating to: (i) notice, (ii) ensuring accuracy of the collected data, and (iii) the retention period for storing collected personal data. Further, the provision exempts such notified Data Fiduciaries from additional obligations in relation to processing of personal data of children, additional obligations in case such notified Data Fiduciaries are Significant Data Fiduciaries, and the obligation to provide information to the Data Principal in the exercise of the Data Principal’s right to information about personal data.

    (d) The Draft DPDP Bill also exempts any processing of personal data by the State or its instrumentalities from complying with the data retention requirement.

    12. Additional Obligations of Significant Data Fiduciaries:

    The Central Government may notify any Data Fiduciary or a class of Data Fiduciaries as a ‘Significant Data Fiduciary’ (“SDF”) after assessing relevant factors such as (a) the volume and sensitivity of personal data processed, (b) risk of harm to the Data Principal, (c) potential impact on the sovereignty and integrity of India, (d) risk to electoral democracy, (e) security of the State, (f) public order, and (g) such other factors as it may consider necessary. The Draft DPDP Bill mandates an SDF to appoint a Data Protection Officer (“DPO”), who shall be an individual responsible to the Board of Directors or a similar body which governs the SDF. The DPO shall be the point of contact for the grievance redressal mechanism. SDFs are also required to appoint independent auditors, undertake a data protection impact assessment (or “DPIA”, which is defined as a process comprising description, purpose, assessment of harm, measures for managing risk of harm and such other matters with respect to personal data) and carry out periodic audits.

    13. Data Protection Board:

    (a) The Draft DPDP Bill seeks to introduce an independent body, namely the Data Protection Board of India (“Board”), which will be established by the Central Government to, inter alia, determine non-compliance under the Draft DPDP Bill and impose penalties and perform any other function as may be assigned by the Central Government. The Board can issue binding directions from time to time.

    (b) The Board can also adopt urgent measures to remedy any breach or mitigate harm caused to a Data Principal. The Board can, either on a representation to this effect or suo moto, review its order. An appeal against the order of the Board can be filed before a High Court within 60 days from the date of the Board’s order.

    (c) The Draft DPDP Bill specifically excludes the jurisdiction of any civil court to entertain any suit or take any action, including granting of injunction, in respect of any matter or action taken under the Draft DPDP Bill.

    (d) Since the Board has been vested with the powers of a civil court and the appeals from its orders are proposed to lie before a High Court, it performs tribunal-like functions. In this regard the Supreme Court has held that the ‘basic structure’ of the Indian Constitution includes separation of powers between the legislature, executive and the judiciary[2], and accordingly the constitutional validity of the Board can be called into question, since members of tribunals discharging judicial functions can only be drawn from sources possessed of expertise in law[3], as also on the basis of the need for exclusion of control of the Executive over quasi-judicial bodies/tribunals discharging responsibilities akin to courts[4].

    (e) Furthermore, while the Draft DPDP Bill gives powers of inquiry to the Board, the scope of this power is not clear. For instance, it is unclear whether the inquiry power includes any search and seizure powers within its ambit.

    14. Data Breach Reporting:

    (a) The Bill proposes a reporting obligation on the Data Fiduciary or Data Processor, in the event of a personal data breach, to the Board as well as to all affected Data Principals, in the manner as will be prescribed.

    (b) It is worth noting that a similar reporting requirement has also been mandated by the Indian Computer Emergency Response Team (“CERT-In”) under its Directions dated April 2022, which mandated reporting of data breaches to CERT-In. The implementation of this draft provision, in its current form, is likely to create an overlap between authorities, requiring the data breach to be reported to both CERT-In and the Board.

    (c) Additionally, this provision under the Draft DPDP Bill essentially codifies CERT-In’s advisory dated January 2021, which lists the steps to be taken by an organisation/entity when affected by a data breach/data leak. The advisory inter alia recommends that impacted organisations should notify users/customers who could be affected by the data breach/data leak in question with the details of the information breached and the actions being undertaken to address the problem.

    15. Financial Penalties:

    (a) The Board is empowered to impose financial penalties for ‘significant’ non-compliance under the Draft DPDP Bill.

    (b) The maximum amount of financial penalty that may be imposed cannot exceed Rs. 500 crore (approx. USD 61 million) in each instance mentioned under Schedule-I, which inter alia includes (i) failure of the Data Processor/Data Fiduciary to take reasonable security safeguards to prevent a personal data breach; (ii) failure to notify the Board and affected Data Principals in the event of a personal data breach; (iii) non-fulfilment of obligations in relation to children; (iv) non-fulfilment of additional obligations of an SDF; and (v) non-compliance with provisions other than those listed in the Schedule.

    16. Right of nomination: Under the Draft DPDP Bill, the Data Principal has the right to nominate any individual who shall exercise its rights, as under the Draft DPDP Bill, in the event of death or incapacity of the said Data Principal. Incapacity has been defined under the provision as the inability to exercise rights due to ‘unsoundness of mind or body’.

    17. Omission of the right to data portability: Unlike its previous iteration, the Draft DPDP Bill does not include the right to data portability within its scope. Under the right to data portability, in case the processing of data was carried out by automated means, Data Principals had the right to receive (i) the personal data provided to Data Fiduciary, (ii) the data that had been generated in the course of providing services, and (iii) the data which forms a part of any profile on the Data Principal, or which the Data Fiduciary has otherwise obtained, in a structured, commonly used, machine-readable format.

    18. Omission of the right to be forgotten: The Draft DPDP Bill also excludes from its purview the right to be forgotten. The right to be forgotten was included under the 2021 DP Bill and conferred on Data Principals the right to restrict or prevent the continued disclosure or processing of their personal data by a Data Fiduciary where such processing or disclosure: (a) had served the purpose for which it was collected or was no longer necessary, (b) was made with the consent of the Data Principal and such consent had since been withdrawn, or (c) was made contrary to the provisions of the Draft DPDP Bill. The lack of a statutory right to be forgotten has led to conflicting opinions by various High Courts on the extent to which the right to be forgotten can be enforced. Therefore, in the absence of a statutory right to be forgotten, the issue with respect to the scope of the right will continue to exist until settled by the Supreme Court of India.

    19. Penalisation of Data Principal for non-compliance with Duties: Schedule-I of the Draft DPDP Bill (which specifies penalties for non-compliance with the respective provisions under the Draft DPDP Bill) provides a penalty of up to Rs. 10,000 on the Data Principal for non-compliance with the duties listed under Clause 16 of the Draft DPDP Bill. These duties inter alia include the duty not to register a false or frivolous grievance/complaint with the Data Fiduciary or the Board, as well as the duty to furnish only such information as is “verifiably authentic” while exercising the right of correction and erasure under the Draft DPDP Bill.

    20. Removal of Difficulties and Consistency with other laws: Any difficulty in giving effect to the provisions of the Draft DPDP Bill can be addressed by the Central Government through an order published in the Official Gazette with provisions as may appear to be necessary for removing the difficulty but which are not inconsistent with the provisions of the Draft DPDP Bill. The provisions of the Draft DPDP Bill are in addition and not in derogation of the provisions of any other existing law. However, in case of a conflict, the Draft DPDP Bill will prevail.

     

    This article is Draft Digital Personal Data Protection Bill, 2022 the courtesy of Saikrishna and Associates