India’s Ministry of Electronics and Information Technology (‘MeitY’) recently released the (long-awaited) draft Digital Personal Data Protection Bill, 2022 (‘DPDP Bill’) on November 18, 2022, and solicited all relevant stakeholders to submit their suggestions and comments (no later than December 17, 2022). The DPDP Bill constitutes the latest in a series of draft legislation propagated (and withdrawn) by the Ministry in the Indian Parliament (as well as for public consultation) over the last few years (since mid-2018) in a bid to introduce a comprehensive data protection regime in India.
Remarkably, the DPDP Bill has been introduced just a few months after MeitY announced the withdrawal of its predecessor – the Personal Data Protection Bill, 2019 (“PDP Bill”) in August, 2022 (after the Joint Parliamentary Committee reviewing the PDP Bill proposed over 80 amendments and multiple recommendations). The new (and streamlined) DPBP Bill intends to – ‘provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto.’ This article scrutinizes the provisions of the draft DPBP Bill and provides a breakdown of major changes introduced thereunder for concise understanding of all stakeholders.
Scope of the DPDP Bill
The DPDP Bill applies to any ‘digital personal data’ processed within India. For the purpose of understanding, the term ‘data’ is used in the DPDP Bill to mean the ‘representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means’; while the term ‘personal data’ is defined as ‘any data about an individual who is identifiable by or in relation to such data’. The term ‘digital personal data’ (in the DPDP Bill) encompasses data collected offline and subsequently digitized as well as data collected online by a ‘Data Principal’ (viz. the individual to whom the personal data processed is in relation to). Notably, if such private individual is a ‘child’ (viz. less than eighteen years of age), then the term ‘Data Principal’ includes the parents or lawful guardian(s) of such a child.
It is pertinent to note, however that the territorial scope of the DPDP Bill is not limited to India – but is also applicable to digital personal data processed outside India, provided such processing is undertaken for the purpose of:
- ‘profiling’ or processing personal data specifically to ‘analyse or predicts aspects concerning the behavior, attributes or interests’ of an individual in India;
- offering of goods or services to individuals in India.
However, the DPDP Bill excludes personal data which is processed ‘offline’ from its purview. It also expressly excludes data processed for any ‘personal or domestic purpose’ by an individual; personal data contained in a record existing for at-least 100 years; and/or the ‘non-automated processing’ (or manual processing) of personal data from its purview.
Important Duties and Obligations of Data Fiduciary
A ‘Data Fiduciary’ is an entity not presently identified or discussed under the extant Indian law. The concept of a ‘Data Fiduciary’ has been introduced under the DPDP Bill to refer to a person –including a natural person (such as any individual) as well as an artificial or juristic person (such as a company, firm or other organization) – who individually or jointly (with other persons) ‘determines the purpose and means of processing’ of personal data of Data Principles. The DPDP Bill further distinguishes between a ‘Data Fiduciary’ and a ‘Significant Data Fiduciary’ and prescribes mandatory obligations and duties for such Data Fiduciaries. An overview of the notable obligations prescribed under the DPDP Bill is provided below:
Consent vs. Deemed Consent
At the outset, the DPDP Bill provides that Data Fiduciaries may process any personal data of an individual only: for lawful purposes; with the consent (or ‘deemed’ consent) of such individual; and in a manner that is compliant with the DPDP Bill and with other prevailing laws. It clearly provides that ‘consent’ (in relation to a Data Principal) means consent which is given freely; is specific and is informed. Such consent must be unambiguous, in the form of any affirmation or action which clearly evidences that a Data Principal has agreed to processing of his/her personal data. To seek such consent, it is mandated that Data Fiduciaries must issue a notice (prior to, or at the time of, requesting consent) to relevant Data Principals (including even individuals from whom consent was obtained prior to the issuance of the DPDP Bill) inter-alia detailing what data is sought to be collected. Further, pursuant to such notice, an express request must be made to relevant individual to seek their consent (in the prescribed format). For this purpose, Data Fiduciaries are preliminarily required to appoint a ‘Data Protection Officer’ (whose details need to be shared with Data Principal at time of seeking consent) as well as a ‘Consent Manager’ (viz. a specific class/category of Data Fiduciary under the DPDP Bill).
Importantly, a Data Principal not only has an option to give consent, but also to withdraw consent given to a Data Fiduciary through the Consent Manager (a registered entity acting on behalf of a Data Fiduciary which is held accountable to the Data Principal). To provide for this, a Consent Manager is obligated to provide a Data Principal with a transparent platform/means to ‘give, manage, review or withdraw’ his/her consent. Data Fiduciaries are held accountable to ensure that Data Principals personal data ceases to be processed (within a ‘reasonable time’) once the relevant Data Principals consent is revoked.
Interestingly, while the DPDP Bill mandates that the language of the notice and the consent request of a Data Fiduciary must be ‘clear’ and ‘plain’ – it provides Data Principal’s the option to have such request/notice be in any of the languages recognized/listed in the (eight schedule of) the Indian Constitution (of which there are over 20). Data Fiduciaries are further held accountable to provide proof of issuance of notice or obtention of consent of a Data Principal (in the event of a judicial challenge by the relevant Data Principal)
However, the DPDP Bill simultaneously provides for the concept of ‘deemed consent’ in certain specific situations (where consent of a Data Principal is deemed ‘necessary’). This includes situations where a Data Principal is reasonably expected to provide his/her personal data voluntarily to a Data Fiduciary (for any lawful function such as to avail any beneficial services, or to obtain a license, certificate, permit etc.); where such data is necessary for compliance with judicial orders, for employment purposes; for public interest; as well as for other ‘fair and reasonable’ purposes. Interestingly, the DPDP Bill does not expressly provide for the review, management, or withdrawal procedures of the ‘deemed consent’ of a Data Principal.
‘Data Fiduciary’ v. ‘Significant Data Fiduciary’
The DPDP Bill prescribes certain general and additional obligations for Data Fiduciaries. In the general context, Data Fiduciaries are inter-alia required to implement appropriate technical, legal and security measures and establish grievance mechanisms to ensure compliance with the DPDP Bill. Moreover, Data Fiduciaries are responsible for ensuring the compliance of any Data Processors (viz. any person engaged to process data on behalf of the relevant Data Fiduciary) in addition to their own. In terms of additional obligations, a specific responsibility is imposed on a Data Fiduciary as regards personal data of Data Principals which are children. To process personal data related to children, Data Fiduciaries are not only required to obtain prior ‘verifiable parental consent’ (or the consent of lawful guardian) – they are specifically barred from processing of personal data in any manner that is likely to cause harm to a child (as may be prescribed) and from tracking and/or monitoring behaviors of children (by processing their personal data) or from any form of advertising targeted directly at children.
Additionally, the DPDP Bill provides for the classification of certain Data Fiduciaries as ‘Significant Data Fiduciary’. This classification is based on assessment of several factors such as the ‘volume’ and ‘sensitivity’ of personal data processed by any Data Fiduciary vis-à-vis the risks posed to a Data Principal (as well as India’s electoral democracy, national security, sovereignty, public order etc.). A Data Fiduciary is required to carry out certain compliances in addition to the compliances mentioned above if it classifies as a ‘Significant Data Fiduciary under the DPDP Bill. Notably, such obligations include the requirement to appoint a Data Protection Officer (necessarily resident in India); the appointment of an auditor for evaluation of compliance under the DPDP Bill; and the requirement to undertake a mandatory ‘Data Protection Impact Assessment’ process (as may be prescribed) [for evaluation of the relevant Significant Data Fiduciary’s processing of personal data, the risks or harm associated thereto, and the management thereof.].
Constitution of the Data Protection Board of India
The DPDP Bill provides for formation of a regulatory body termed as the ‘Data Protection Board of India’. The Bill mentions that the primary function of the Board is to determine non-compliance with provisions of this Act and impose penalty under the provisions of this Act. The Bill further states that the composition, strength, incidental qualifications, process of selection, terms of appointment, removal of chairperson and other members shall be prescribed at a later stage (i.e. potentially under the Rules which will be published once the Bill is passed in the parliament). Additionally, the Bill provides that the Chief Executive of the Board would be appointed by the Central Government and the terms and conditions of service shall be such as may be determined by the government.
The reason for delegation of this power (of specifying the relevant details) of the Board to the executive seems surprising. The Rules under the legislation (assuming that the current Bill is passed by the Parliament) will come into effect through a simple publication in the Official Gazette (and will not undergo deliberations from both houses of the Parliament). Considering various factors including (but not limited to) that this legislation pertains to a fresh, technical and complex field of law; that the Board has powers equivalent to that of a Civil Court and exclusive original jurisdiction to entertain challenges under the intended legislation; that the Board has been given extensive powers to impose penalties to the tune of INR 500 cr, etc., the Bill should have ideally mentioned at least some pertinent details about the Data Protection Board of India (such as its composition, qualifications and process of selection) for it to be open to deliberation by the Parliament as well as by the public (including industry experts). More importantly, as the chief executive would be the presiding member at the apex of the Board, it is pertinent that the qualification along with the terms and conditions of service (of the chief executive) be thoroughly deliberated upon, both by the Parliament and the public.
While the Rule making power of the executive is not being questioned, the Government should have mentioned such pertinent aspects pertaining to the Board in the Bill itself (instead of giving the power to the executive to decide to take a call on such aspects). Moreover, since the Board will observe the functions of an adjudicating body, it seems very surprising that the executive has been given the power to decide the composition of an intended judicial body (which will raise questions on the independence of functioning of the Board).
The Bill has introduced the concept of voluntary undertaking which can be submitted by any person who is a party to any matter (before the Board) with respect to compliance with the provisions of the Bill to undertake or refrain from undertaking a particular action within a specified time period.
While can be presumed that ‘voluntary undertakings’ could assist in speedy disposal of matters by the Board (and could potentially shield the accused parties from being subject to hefty penalties under the Bill), the introduction of this concept also raises some concerns. Firstly, the provision does not specify any objective parameters on what would qualify as an appropriate voluntary undertaking, which leaves room for ambiguity on what may be considered by the Board (in their subjective opinion) whilst accepting such voluntary undertaking(s). It can be further seen from the provisions of the Bill that the proceedings (before the Board) would be barred subsequent to the acceptance of the undertaking. Therefore, it is pertinent that the intended legislation prescribes a set of objective criteria which should be present in a voluntary undertaking for it to qualify as an acceptable undertaking (which would result in ceasing of the investigation against the accused party).
Secondly, the provision provides for consideration and subsequent acceptance of the voluntary undertaking ‘at any stage’ of the proceeding (which could potentially include the preliminary stages of the proceeding as well). The acceptance of a voluntary undertaking from an accused party (which would result in a bar on the proceedings before the Board) at a preliminary stage in the proceedings would potentially mean that the Board would give relief to the accused in situations where the accused could be potentially liable for a greater degree of financial penalty had the proceedings been completed before the Board (the degree of which cannot be compared with a voluntary undertaking). The practical applicability of the provision (in its current form) could raise potential questions on the fairness of the procedure (adopted by the Board) in granting relief to an accused party (through a voluntary undertaking) without adjudicating on the exact breach of the provisions of the intended legislation. It could be considered that voluntary undertakings be submitted (and taken up for consideration by the Board) only upon completion of the proceedings in respect of a particular matter (to ascertain the exact nature of violation by the accused party and ensure that the terms of the undertaking are proportional to the breach committed by such party).
Lastly, the provision provides for the undertaking to be publicized (by the party which has agreed to furnish a voluntary undertaking). However, it does not provide any clarity with respect to the exact mode and medium where the undertaking would be publicized. The government should ensure that a copy of the voluntary undertaking (as accepted by the Board) should be uploaded on the online platform of the Board along with the order in the relevant proceedings for the same to be easily accessible by members of the public.
Right to correction and erasure vs the right be forgotten
The Bill in its present form has diluted the data principal’s ‘right to be forgotten’. Provision 13 of Chapter 3 of the Bill while providing a data principal the right to correction and erasure of personal data, limits the scope of utilisation of such a right by them. The Bill, for starters does not provide the manner by which a data principal shall move the request with a data fiduciary for erasure of their data. Further, the Bill states that upon receiving such a request from a data principal, the data fiduciary shall erase such data that is no longer necessary for the purpose for which it was processed unless such retention is necessary for legal purposes. The completion of such erasure is contingent upon the fact that the data is no longer necessary for the purpose for which it was collected, which shall mean that the data principal in order to claim such a right will have to forgo their right to claim any service/good that would require the data fiduciary to retain such data. Further, under provision 16 of the Bill, it is stated that the Data Principal shall only furnish such information that is verifiably authentic while exercising the right to correction or erasure under the Bill.
The bill should bestow the right to be forgotten on each data principal and the exercise of the same should not rest upon fulfilment of any pre-supposed conditions.
Duties of Data Principal
The DPDP Bill prescribes certain duties for a Data Principal and the same have been enumerated in the Chapter 3 of the Bill. It is pertinent to note that the provision imposes upon the Data Principal the duty to comply with the provisions of all applicable laws while exercising the rights under the provisions of the DPDP Bill. The provision in its current form raises the question whether the ability of a Data Principal to exercise the rights under the DPDP Bill are dependent upon the Data Principal’s compliance with the applicable laws. In such a case, it is unclear as to who shall bear the burden of proving whether the Data Principal is in fact complying or not complying with the applicable laws. Additionally, the phrase ‘applicable laws’ casts a wide net in the ocean of laws that the Data Principal shall have to ensure compliance with.
The DPDP Bill further imposes a duty upon a Data Principal to ensure that they do not register a false or frivolous compliant with the Data Fiduciary as well as the Board. The use of the term frivolous has many implications since there is no universal standard of adjudging a complaint as frivolous. Additionally, the imposition of such a duty on the Data Principal is in itself unprecedented. The DPDP Bill has further stated in its Schedule that non-compliance with this provision of the Bill will attract penalty of upto INR 10,000, which might act as a deterrent to Data Principals when they decide to approach a Data Fiduciary or the Board with a grievance.
The provision further stipulates that a Data Principal, who is intent upon exercising their right to correction or erasure of their data under the Bill will have to make sure that only such information that is verifiably correct is furnished to the Data Fiduciary. The provision imposes yet another condition upon the exercise of the Data Principal’s rights over their own data and as such acts as a deterrent. The use of the phrase ‘verifiably authentic’ is additionally problematic since the standards of ensuring verifiable authentic information have not been provided.
Transfer of personal data outside India
The DPDP Bill in its Chapter 4 has provided to the Central Government to notify the countries or territories outside of India where a Data Fiduciary could possibly transfer personal data. The provision further states that the terms and conditions under which such transfer shall be allowed shall be notified later by the Government. The DPDP Bill has failed to set a boundary with factors that might be taken into consideration for notifying countries.
Wide Range of Exemptions
Under Provision 18 of the DPDP Bill, sub-provision 1 stipulates that the entirety of Chapter 3 (which bestows rights and duties of a Data Principal) in addition to almost all of Chapter 2 as well as Provision 17 shall not apply where:
1. the data is being processed for enforcement of any legal right or claim;
2. the data is being processed by any court or tribunal or any other body in India for the performance of any judicial or quasi judicial function;
3. the data is being processed in the interest of prevention, detection, investigation, or prosecution of any offense or contravention of any law;
processing of data of Data Principals that are not residents of India and the same is being processed pursuant to any contract entered into with any person outside of India by any person in India.
The entirety of this sub-provision casts a dangerously wide net into the processing of data of Data Principal in a plethora of situations. The DPDP Bill should have incorporated measures to ensure that the processing of such data is limited to certain events instead of the blanket provision that allows any other body in India fulfilling a judicial or a quasi-judicial function. Furthermore, the suspension of the Data Principal’s rights in the given situations shall have far reaching consequences. Lastly, the phrase – ‘personal data of Data Principals not within the territory of India’ limits the rights of Data Principals that are citizens of India but not residing within the territory at a particular period of time.
The Provision further stipulates that the Central Government could by notification, factoring in the volume and nature of the personal data processed, exempt certain Data Fiduciaries or class of Data Fiduciaries to whom Provisions 6(2) and (6), 9, 10, 11 and 12 of the Bill will not apply. The provision provides a free ride to the notified Data Fiduciaries wherein they will not even be obligated to provide the required data as requested by a Data Principal under Provision 12 of the Bill. The Bill should have ensured that the rights that have been bestowed upon a Data Principal should not be so easily avoidable by the Data Fiduciary, even in case they are dealing with the enormous volumes of data.
Additionally, under sub-Provision 4, the DPDP Bill stipulates that in case of processing of personal data by State or any of its instrumentalities, the sub-Provision 6 of Provision 9 shall not be applicable. It is pertinent to note that Provision 9(6) is concerned with the obligation of a Data Fiduciary to delete/remove personal data that is no longer purposeful and the retention is no longer necessary for legal or business purposes.
While the current document is only open for public discussions, it remains to be seen whether this draft bill (and what form) will be introduced before the Parliament (for consideration to be conceived as a law).