Technology Law Analysis
December 17, 2021
Proposed Indian Privacy Law Revamped: Light at the End of the Tunnel?
Detailed Analysis of the New Data Protection Bill in India
I. Amendments to Current Law
The DPB, when enacted, will replace Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Current Law), which currently, in tandem with sectoral laws, provide the data protection framework in India.
The DPB applies to the processing of personal data of natural persons, of which sensitive personal data (SPD) and critical personal data (CPD) are subsets. The natural person whose data is being processed is referred to as a “Data Principal”. Further, the proposed law applies to both automated and non-automated processing, as further elaborated in Section XVIII.
The DPB does not define what would amount to ‘carrying on business in India’. For reference, the Australian Privacy Principles, without defining ‘carrying on business’, interpret it to generally involve conducting some form of commercial enterprise, ‘systematically and regularly with a view to profit’, or to embrace ‘activities undertaken as a commercial enterprise in the nature of an ongoing concern, i.e., activities engaged in for the purpose of profit on a continuous and repetitive basis’. While the Report of the Parliamentary Committee acknowledges suggestions to clarify this point, guidance on the interpretation of the phrase has not been included in the DPB.
The DPB seeks to strike a balance: it extends the applicability of the DPB to the personal data of foreign residents processed in India, while at the same time providing exemptions where necessary to promote data processing activities in India.
Section 2 of the DPB, which sets out the applicability of the law, prescribes a territorial nexus with India for establishing jurisdiction for the purposes of the DPB. This nexus could be based on the residence of the Data Principal or the residence of the data fiduciary. If the data is processed by any person or entity within India, then the provisions of the DPB will apply. This suggests that India is seeking to provide an equivalent level of data protection to the data of foreigners, hence increasing the chances of gaining ‘data adequacy’ status from jurisdictions such as the EU.
However, in view of the fact that India has a well-developed domestic data processing industry, the Central Government has been given the power to exempt the processing of personal data of Data Principals located outside India by Indian data processors, if carried out pursuant to a contract executed with a person outside the territory of India.
III. Major Obligations
IV. Grounds for Processing personal data and SPD
The DPB requires all personal data to be processed on the basis of consent obtained in accordance with Clause 11 of the DPB, with the exception of certain limited circumstances where personal data may be processed without consent.
V. Personal and Sensitive Personal Data of Children
Age of consent: The DPB mandates that parental consent will be necessary for the processing of personal data of children (i.e., persons below the age of eighteen years).
Obligations of Data Fiduciaries: Data fiduciaries are to verify the age of children and seek parental consent before processing their personal data. Thus, the obligation to ensure age gating / verification, and the necessary tools, will have to be implemented by businesses. Age verification mechanisms are to be specified by regulations.
Bar on profiling/tracking children: Data fiduciaries are barred from undertaking activities such as profiling, tracking, behavioral monitoring, or targeted advertising directed at children, or any form of processing that could cause significant harm to children.
This provision is triggered when significant harm is caused to children. While significant harm is defined, the interpretation of what encapsulates significant harm, and who determines it, is debatable.
These provisions may lead to practical implementation issues for the following reasons:
The DPB removes the concept of a “guardian data fiduciary” from the previous version and classifies all data fiduciaries processing children’s personal data as SDFs. Additionally, the exemption from consent granted to counseling and child protection services from the previous version has been removed.
There are certain platforms which are targeted / focused on young adults aged 14-18 such as casual gaming, education, or even specific video platforms. Seeking parental consent in each of these cases would not only be difficult but also impractical. While the Parliamentary Committee noted that stakeholders suggested that the age of children should be 13/14/16 years for the purpose of the definition, it did not adopt this recommendation.
Businesses catering to those below 18 might be affected. Education-focused startups who rely on targeted advertisements, for example, may suffer due to the bar on processing of personal data of children. Similarly, audio / video streaming platforms may not be able to offer suggestions based on individual preferences. Importantly, emerging technologies such as AI, which are used as teaching aids, may not be able to function, as the profiling, tracking and behavioral monitoring of children will now not be allowed, absent any exceptions to profiling or processing of data. Blanket restrictions such as this are likely to hinder effective service delivery to children, such as for educational purposes.
VI. Rights of Data Principals: Right to Confirmation and Access / Right to Correction
The DPB provides detailed rights to the Data Principal to access and correct their data.
With regard to a right of review, the DPB grants rights to: (a) a confirmation about the fact of processing; (b) a brief summary of the personal data being processed; and (c) a brief summary of processing activities. Similarly, the right of correction has been developed in the DPB into a detailed step-wise process for how correction, completion or updating of the personal data should be done. The DPB also grants the right to request erasure of personal data which is no longer necessary for the purpose for which it was processed.
In addition, the DPB also grants Data Principals, the right to access in one place and in a manner as may be prescribed via any regulations (a) the identities of all the Data Fiduciaries with whom their personal data has been shared; and (b) details as to the categories of their personal data which has been shared with such Data Fiduciaries, which seems quite onerous.
The DPB requires businesses to provide the Data Principal with summaries of the personal data being processed rather than the entire data dump. This may require some effort on the part of Data Fiduciaries.
VII. Data Portability
In an attempt to grant users more control over their data, the DPB introduces a provision with respect to data portability, whereby Data Principals may seek from the Data Fiduciary their personal data in a ‘structured, commonly used and machine-readable format’. The DPB however does not specify the technical specifications of such a format, or what the threshold for ‘common use’ would be.
The personal data to be provided to the Data Principal would consist of: (i) data already provided by the Data Principal to the Data fiduciary; (ii) data which has been generated by the Data fiduciary in its provision of services or use of goods; (iii) data which forms part of any profile on the Data Principal, or which the Data fiduciary has otherwise obtained.
Exemptions have been provided for instances where (i) the data processing is not automated; (ii) the processing is necessary for compliance with law, an order of a court or a function of the State; and, significantly, (iii) compliance with the request is technically not feasible. The erstwhile exemption in the PDP Bill for data that reveals trade secrets has been omitted from this version of the law.
In relation to points (ii) and (iii) of the personal data to be provided to Data Principals above, the following issues arise:
Crucially, the right to data portability may be exercised not only against SDFs but against any Data Fiduciary. This includes large platforms that collect personal data, but also smaller companies and startups that may collect personal data for the purpose of improving their services. While large platforms may be able to sufficiently comply with these requirements, it may be difficult for smaller companies who may not have the resources to spare from their core services. For instance, major platforms are now introducing tools to enable transferring photos from one platform to another. But introducing the obligation to provide personal data in this format may be onerous for smaller companies, particularly when the standard for providing such personal data is not specified. Standards that are “commonly used” differ between developers, and the general populace may not be well versed with the technicalities of various formats. Besides, the purpose of seeking such data is also important. The format for a user wanting to inspect their personal data may be quite different from a format for a user wanting to move their personal data to a different service. Some of these practical issues are not adequately addressed by the DPB and need to be fleshed out more thoroughly.
VIII. Right to be Forgotten
The DPB introduces a ‘Right to be Forgotten’. The right can be exercised by a Data Principal only through an order of an adjudicating authority who will determine the reasonability of the request for erasure. This right appears to apply with regard to publishers or intermediaries who may be regarded as Data Fiduciaries, such as content streaming platforms, e-commerce platforms, aggregators etc.
A Data Principal can request for an order directing the Data Fiduciary to ‘restrict or prevent continuing disclosure or processing of personal data’. The DPB brings in the restriction to ‘process’ data under the Right to Be Forgotten, which may unnecessarily widen the scope of this right. As a general concept this right is meant to remove information from the public domain that is no longer relevant. Since ‘processing’ is a wider term, it may restrict data where it is used even in an anonymized form, or where it is irreversibly integrated with other data sets. However, it should be examined whether the exercise of the right to be forgotten should be subject to further restrictions such as processing as required under law.
Courts in India have adjudicated on the question of the right to be forgotten before in a number of instances. Notably, the Madras High Court observed that it would be more appropriate to wait for the enactment of a Data Protection Act and rules thereunder to recognise and enforce a right to be forgotten. In this respect, enactment of this provision would be crucial.
The Right to be Forgotten is not absolute and is subject to the Data Principal showing that his/her right overrides (a) the right to freedom of speech and expression of any other citizen; (b) the right to information of any other citizen; or (c) the right of a data fiduciary to legally retain, use and process such personal data.
In addition, it is important to note that the Supreme Court in Justice K.S. Puttaswamy v. Union of India has observed that the right to remain anonymous may form a part of the fundamental right to privacy. While there seems to be no conclusive ruling to this effect in India, in the United States the right to publish anonymously is protected as part of the right to free speech. In McIntyre v. Ohio Elections Commission, the US Supreme Court said that “Anonymity is a shield from the tyranny of the majority. . .. It thus exemplifies the purpose behind the Bill of Rights and of the First Amendment in particular: to protect unpopular individuals from retaliation . . . at the hand of an intolerant society.” Similarly, even if it can be argued that the right to speak anonymously is protected by Article 19(1)(a) of the Constitution of India, Article 19(2) provides that any restriction in the interest of security of the State is reasonable.
In any event, a Data Principal is empowered to request erasure of personal data which is no longer necessary for the purpose for which it was processed, and the storage limitation requires personal data to ordinarily be deleted once the purpose of processing has been achieved.
IX. Data localization
The DPB provides that SPD may be transferred outside India, but a copy of the data should be stored in India. Further, certain CPD may be identified by the Central Government which should only be processed in India. Additionally, personal data may be freely transferred and stored outside India. The intention behind the DPB appears to be to make the data localization obligation applicable only to SPD belonging to Indian residents; however, this has not been made clear, as the data localization obligation presently applies to SPD generally under the DPB. One of the recommendations of the Parliamentary Committee is that the Central Government should, in consultation with sectoral regulators, prepare an extensive policy on data localisation broadly encompassing aspects such as: (i) the development of adequate infrastructure for the safe storage of data of Indians, which may generate employment; (ii) introduction of alternative payment systems to cover higher operational costs; (iii) inclusion of systems to support local business entities and start-ups; (iv) promotion of investment, innovation and fair economic practices; (v) proper taxation of data flows; and (vi) creation of a local AI ecosystem to attract investment and generate capital gains.
The Parliamentary Committee also stated that the revenue generated from data location should be used for welfare measures in the country, especially to help small businesses and start-ups to comply with data localization norms, and that Government surveillance on data stored in India must be strictly based on necessity.
A few concerns arise:
Mixed data sets: It is very likely that data will be collected and stored as a mixed data set, comprising both personal data and SPD, and at times possibly even CPD. Since it may be practically difficult to separate the SPD and CPD from such a data set, the entire data set would have to be stored locally, due to the element of SPD and CPD. For example, as stated earlier, in the Indian context the surnames of individuals would indicate the caste / religion of Data Principals. This may result in collected data containing items of SPD, even though this was not intended.
CPD: The DPB does not give any guidance/examples on what data would comprise or be notified as CPD. Delegation of the right to determine / notify CPD to the Government, without specific guidance under the DPB, grants excessive powers to the Government in relation to the DPB, which may not be preferable.
Data collected directly by foreign entities: It is to be determined whether data collected directly by foreign entities would be subject to the localisation requirement.
X. Cross Border Transfers
The DPB proposes that SPD may be transferred outside India only when:
SPD may be transferred outside India subject to either points (a) or (b) above being fulfilled (similar to personal data), and wherein the Data Principal has explicitly consented to such a transfer. The DPB however also empowers the Central Government to notify specific ‘critical personal data’ that may be transferred outside India, without restriction:
The DPB continues to retain restrictions upon cross-border transfer of personal data, SPD and CPD. However, several modes of cross-border transfer have now been made subject to decisions taken by the Central Government. For instance, the DPA is now required to consult with the Central Government prior to approving intra-group schemes or standard contractual clauses for cross-border transfers of SPD. Likewise, the transfer of SPD to a foreign government is prohibited without the approval of the Central Government.
It appears that the Central Government favors the use of approved clauses / schemes between the transferor and transferee, or specifically notifying certain countries / organizations that, in its view, meet an adequate level of data protection and enforcement mechanism.
In addition, it is unclear as to whether the restrictions and compliances pertaining to cross border transfer of SPD would apply in the instance of direct collection of SPD of Indian Data Principals by Data Fiduciaries outside India, or if the restrictions may only apply to transfer of SPD from Data Fiduciaries in India (post collection from the Data Principal) to third parties outside India.
The explanation to what constitutes to be against public or State policy includes where an act has a ‘tendency’ to harm the interest of the State or its citizens. It is unclear as to how the term “tendency” is likely to be interpreted.
XI. Breach notifications
A ‘data breach’ under the DPB includes breach of personal data as well as breach of NPD. While a breach of personal data is defined in respect of a particular Data Principal, a breach of NPD is defined as that which generally compromises its confidentiality, integrity or availability.
If there is a breach of personal data processed by the Data Fiduciary, the Data Fiduciary should notify the Data Protection Authority (DPA) of such breach within 72 hours of becoming aware of the breach. The notification should contain certain particulars, submitted to the DPA either together or in phases. Data breach reporting is now mandatory (to be done within 72 hours) and is not subject to the result of any self-assessment by a Data Fiduciary.
Further, while no reporting obligations have been included with regard to NPD breaches, the DPB contemplates the issuance of rules by the Government, for mitigating NPD breaches.
In case of a breach of personal data, the DPA may direct the Data Fiduciary to notify the Data Principal of such breach, undertake remedial actions and post the details of the breach on its website, after considering the personal data breach and the severity of harm to the Data Principal. The DPA may also direct the Data Fiduciary to adopt any urgent measures or remedy to mitigate harm to a Data Principal.
In case of a breach of NPD the DPA must take steps as may be prescribed later by the Government through subsequent rules.
It is unclear as to how the DPA will coordinate with specialised agencies such as the Computer Emergency Response Team (CERT-In) and the MeitY’s Standardisation Testing and Quality Certification (STQC) which are currently vested with the responsibility of monitoring and mitigating the impact of data breaches, and testing and certifying hardware and software products. The DPB does not provide a general obligation for the DPA to consult with other sectoral regulators. However, the specification of appropriate actions required of data fiduciaries in the aftermath of a data breach, is included within the scope of subjects on which the DPA may issue or approve a Code of Practice. The DPA is required to consult with sectoral regulators in the development of a Code of Practice. It is therefore likely that the CERT-In would be consulted in the development of the relevant code of practice.
XII. Significant Data Fiduciary
The DPA is empowered under the DPB to notify certain Data Fiduciaries or entire classes of Data Fiduciaries as ‘Significant Data Fiduciaries’ (SDFs). The concept of an SDF appears to stem from the attempt at identifying and regulating entities that are capable of causing significant harm to Data Principals as a consequence of their data processing activities.
Accordingly, the DPB proposes that such SDFs register themselves with the DPA and prescribes greater levels of compliance to be undertaken by such SDFs, such as carrying out data protection impact assessments prior to significant processing activities, record keeping, independent data audits, and the appointment of a data protection officer.
The data protection officer appointed by an SDF is required under the DPB to be a senior level officer or key managerial personnel (in case of a company) or an equivalent employee (in case of other entities). The DPB also describes various functions of such a data protection officer, including acting as the point of contact for redressal of grievances of Data Principals and advising the SDF on various compliances under the bill. The DPB also mentions that SDFs will be regulated by their respective sectoral regulators.
In addition, the DPB includes within the definition of an SDF any social media platform with users above a threshold as may be prescribed by the Government in consultation with the DPA, whose actions are likely to have a significant impact on the sovereignty and integrity of India, electoral democracy, security of the State or public order, as well as Data Fiduciaries who process data relating to children or provide services to children. Such social media platforms are required to enable voluntary verification for their users in a manner that may be specified. It is not clear whether this will be specified by the DPA or the Central Government.
The factors to be taken into account for the notification of SDFs are quite subjective, leaving significant discretion with the DPA. Certain obligations like a data protection impact assessment prior to commencing data processing may slow down time-sensitive Big Data exercises and have a chilling effect on experimental processing activities.
As with the expanded definition of “harm”, the inclusion of certain types of social media platforms within the definition of “significant data fiduciaries”, appears to stem from concerns of harm arising from profiling. Social media platforms, whose actions are likely to have a significant impact on the sovereignty and integrity of India, electoral democracy, security of State or public order, have been designated as significant data fiduciaries. The inclusion of the phrase “electoral democracy” appears to acknowledge evidence of coordinated misinformation and voter manipulation campaigns run by third parties on major social media platforms in India and other jurisdictions.
The introduction of these provisions seems to stem from the broad purpose of the DPB as set out under the “Statement of Objects and Reasons”. As per the “Statement of Objects and Reasons”, the DPB seeks to bring a strong and robust data protection framework for India and to set up an authority for protecting personal data and empowering the citizens' with rights relating to their personal data ensuring their fundamental right to "privacy and protection of personal data", as well as “ensure the interest and security of the State”.
While it is possible for social media platforms to make verification a part of their terms and conditions for users to register on the platform (which is a matter of contract between the platform and its user), a provision that mandates social media platforms to verify identities of its users and then identify their accounts as verified accounts may not be preferable, unless conclusively substantiated to be in the interest of security of the State. However, the current provision only prescribes voluntary verification of users. It is also important to note that anonymity may operate for at least two distinct levels – anonymity of the user with respect to the company that operates a platform, and anonymity of the user with respect to other users on the platform. The Government could consider requesting social media platforms to verify user accounts for the purpose of the company that operates the platform (in order to comply with law enforcement agencies, etc.) while allowing the users to retain anonymity with respect to other users on the platform.
The Parliamentary Committee also makes certain recommendations to hold social media platforms who do not function as intermediaries liable as publishers for the content on their platforms and posted via unverified accounts. While these recommendations do not find their way into the text of the law, these recommendations appear out of the scope of the DPB and may be subject to challenge.
The DPB has empowered the DPA to create a sandbox in the public interest for the purpose of encouraging innovation in Artificial Intelligence, Machine Learning or other emerging technologies.
Eligibility: Data Fiduciaries as well as start-ups whose privacy by design policies have been certified by the DPA are eligible to apply.
Application: Data Fiduciaries applying for inclusion in the sandbox will have to submit the term for which it intends to use the sandbox (which cannot exceed 12 months), the innovative use of technology, Data Principals participating, and any other information as may be specified by regulations.
Term: The maximum period a Data Fiduciary may use the sandbox is 3 years.
Exemptions: Participation in the sandbox will exempt the participating Data Fiduciary from certain obligations:
The DPA is empowered to specify the penalties applicable to Data Fiduciaries participating in the sandbox, along with the compensation that can be claimed by Data Principals from such Data Fiduciaries. From a reading of the DPB, it appears that no additional penalties would be applicable to such Data Fiduciaries other than those specified by the DPA.
The DPA should keep in mind existing sectoral sandboxes while issuing these regulations.
XIV. Data Protection Authority
The DPB also contemplates the creation of an independent data protection authority (DPA). The DPA has been given a wide range of powers and responsibilities, which inter alia include:
The DPA also has the power to undertake actions that are crucial for a majority of multinational corporate groups, such as the power to approve a contract or intra-group scheme by laying down conditions for cross-border transfer of SPD and CPD.
These functions are multi-faceted, as they include powers and duties which are administrative, rule-making and quasi-judicial in nature. The wide range and extent of delegation of legislative powers to the DPA appears to be excessive, and should be adequately addressed. The Parliamentary Committee Report recommends that the DPA should handle both personal data and NPD, which appears inappropriate and may lead to overlaps in jurisdiction.
Moreover, there appear to be inherent conflicts in the regulatory mandate vested in the DPA. A review of the recommendations of the NPD Committee would suggest that the primary purpose of regulating NPD is to promote sharing of high-value NPD (including anonymised personal data) for the purpose of accelerating the growth of the digital economy. Should the DPA be vested with such a mandate by way of subordinate legislation, it would be in direct conflict with the DPA’s mandate to ensure the security of personal data and prevent re-identification of anonymised personal data, since greater sharing of NPD is likely to increase the risks of re-identification and subsequent misuse of anonymised personal data.
The independence of the DPA is also debatable, considering the proximity of the DPA’s composition to the executive, i.e. the Central Government. Further, many functions that were previously autonomous to the DPA have now been made subject to the view of the Central Government (e.g. approving intra-group schemes for cross-border transfer of SPD must be done in consultation with the Central Government). The Central Government has also been empowered to issue binding directions to the DPA (see section XVII below). This lack of autonomy has also been raised in a few dissent notes submitted by members of the Parliamentary Committee.
The DPB contemplates codes of practice (similar to a self-regulatory mechanism) also to be issued by the DPA or approved by the DPA if submitted by an industry or trade association, an association representing the interests of Data Principals, any sectoral regulator / statutory authority or any departments of the Central or State Government.
These codes of practice should address more granular points of implementation including related to various compliances under the DPB, such as on notice requirements, retention of personal data, conditions for valid consent, purpose limitation, exercise of various rights by users, transparency and accountability measures, methods of destruction / deletion / erasure of personal data, breach notification requirements, cross-border data transfers, etc.
XVI. Privacy by design
Similar to the GDPR, the DPB stipulates that Data Fiduciaries implement a policy along the lines of a “Privacy by Design” principle. Further, subject to regulations made by the DPA, Data Fiduciaries may submit their privacy by design policy to the DPA for certification; upon examination / evaluation by the DPA or its authorized officer, the policy shall be certified to be in compliance with the requirements under the DPB. Such a certified policy has to be published on the website of both the Data Fiduciary and the DPA.
Hence, industry players would have to include privacy and its related principles as a part of their systems / architecture at the time of launching their business / operations itself, and not as an afterthought. However, the fact that certification by the DPA is not mandatory may ease the overall compliance burden.
XVII. Power of the Government to issue directions to the DPA
The Government is empowered under the DPB to issue directions to the DPA in the interest of sovereignty and integrity of India, security of the State, friendly relations with foreign States or public order. The DPA is bound to abide by these directions but would be given an opportunity to express its views beforehand, as far as practicable.
The power to issue binding directions by the Government to the DPA was limited to questions of policy in the PDP Bill. This power of the Government has now been expanded widely allowing it to issue binding directions beyond just policy questions subject to certain grounds.
The DPB also has provisions that exempt certain kinds of data processing from its application.
In what may be a welcome provision for the Outsourcing industry, the Central Government can exempt the processing of personal data of Data Principals that are not within the territory of India. This can be done in respect of processing by data processors who are contracting with foreign entities. Indian outsourcing entities processing foreign individuals’ data therefore may be exempt from the provisions of the DPB.
Indian captive units of foreign multinationals may look forward to availing this exemption as far as foreign individuals are concerned.
Government and public interest
With respect to the Government’s own processing of information, the Central Government has the power, on various grounds of public interest, to direct the inapplicability of any or all provisions of the Bill to any agencies of the Government, subject to safeguards which are to be prescribed by rules.
Notably, the grounds of discretion are fairly broad and allow the government significant leeway to provide exemptions from the application of the DPB, whereas civil society had expressed the hope that the DPB would ensure that Government’s use of personal data would be restricted to necessary and proportionate instances. The dissent notes expressed by a number of the members of the Parliamentary Committee have also highlighted the liberal exemptions provided to the Government as a point of concern. Individuals will hence observe keenly whether the safeguards to be prescribed by rules under the DPB will meet the principles laid down by the Supreme Court in its 2017 Right to Privacy judgment.
The retention of this provision by the Parliamentary Committee has been objected to in separate dissent notes provided by 8 members of the Parliamentary Committee. The grounds for triggering the exemption are relatable to the reasonable restrictions on the freedom of speech and expression, as listed under Article 19(2) of the Indian Constitution. However, the possibility of an absolute exemption from all obligations of the DPB, may not fulfil the constitutional requirement for narrow tailoring of restrictions. While the revised provision clarifies that the exemption so granted would be subject to just, fair, reasonable and proportionate procedures, it is unclear whether this alone would remedy the widely worded scope of the exemption.
Processing of personal data in the interests of criminal investigation and prosecution, including “prevention”, is also exempt from most provisions of the DPB. Unlike the above provision, this exemption has not been conditioned with safeguards to be prescribed by rules. With law enforcement agencies gaining en masse access to biometric and facial recognition information, often cited to be in the interests of prevention of crime, civil society will have a significant concern on whether all such data is exempt from the safeguards in the DPB.
Small businesses; personal/domestic purposes
Certain provisions, such as the requirement to provide notice, transparency and accountability, and rights of the Data Principal, are also inapplicable in the case of personal data processed by a ‘small entity’ where such processing is not automated. A small entity may be defined by the DPA after considering the turnover of the Data Fiduciary, the purpose of collecting personal data and the volume of personal data processed. This provision appears intended to cover small brick-and-mortar businesses.
Exemptions from many provisions of the Bill are also granted in other circumstances in connection with judicial functions, legal proceedings, and research, archiving, and journalistic purposes.
XIX. Penalties, Offences and Compensation
The DPB contemplates various streams of enforcement: penalties to be paid to the Government, compensation to the Data Principal, as well as criminal liability in certain cases.
XX. Implementation Period
Elaborating on the recommended phased approach to implementation, the Parliamentary Committee suggested that the Chairperson and Members of the DPA should be appointed within three months of the notification of the Act; that the DPA should commence its activities within six months; that the registration of data fiduciaries should start not later than nine months and be completed within a set timeline; that adjudicators and the appellate tribunal should commence their work not later than twelve months; and that the provisions of the Act should be deemed effective not later than 24 months from the date of notification. However, the DPB does not include any provision in this regard. It simply allows the Government to bring different provisions of the DPB into force at different times by way of notification.
XXI. Road Ahead
As next steps, we will need to wait and watch as to how the parliamentary proceedings unfold, and it is a possibility that the DPB may go through further changes before it is passed as law. Given that the Parliamentary Committee has deliberated this for about 2 years and provided more than 90 recommendations, it would not be amiss to open the DPB for public consultation and invite stakeholder comments.
In any event, irrespective of the course of legislative review adopted, the industry should start to focus on the development of Codes of Practice pertaining to subjects covered under the DPB. Given that the DPB continues to omit specific references to timelines for phased implementation, proactive engagement at this stage is likely to enhance the industry’s preparedness for complying with the DPB as and when enacted.
1 Section 43A: Compensation for failure to protect data
“Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, not exceeding five crore rupees, to the person so affected. (Change vide ITAA 2008) Explanation: For the purposes of this section (i) "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities (ii) "reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit. (iii) "sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.”
2 As per Section 39 of the DPB, the provisions that are not applicable to non-automated processing by small entities are Sections 7, 8, 9, 17(1)(c) and 19 to 32.
3 The DPB specifically bars the processing of biometric data unless such processing is “permitted by law”. Notably, the provision is quite wide, and the scope of the biometric data that may not be processed appears unclear.
4 The only entities exempted from the parental consent requirement are those guardian data fiduciaries who provide exclusive counseling or child protection services.
5 The determination of technical feasibility has also been made subject to rules prescribed by the Central Government.
6 X vs. Https://www.youtube.com/watch?v=iq6k5z3zys0 and ors. [Delhi HC - CS(OS) 392/2021]; Jaideep Mirchandani and Ors. vs. Union of India and Ors. [Delhi HC - W.P. (C) 8557/2021]; and Jorawer Singh Mundy vs. Union of India and Ors. [Delhi HC - W.P. (C) 3918/2021].
7 Judgment issued by the Supreme Court in Writ Petition (civil) No 494 of 2012, dated August 24, 2017.
8 The Authority may only approve standard contractual clauses or intra-group schemes that effectively protect the Data Principal’s rights, including in relation to further transfers from the transferee of the personal data, and that are not against public policy or State policy.
An act is deemed to be against public policy or State policy if it promotes the breach of any law, is against the relevant public policy or State policy, or has a tendency to harm the interests of the State or its citizens.
9 This would be subject to the Indian Government finding that the other country, section within a country or international organization provides an adequate level of data protection for the personal data, as well as effective enforcement by its authorities. Where SPD is further shared with a third foreign government or agency, such sharing must be approved by the Indian Government.
10 The Data Protection Authority may from time to time notify certain Data Fiduciaries (or class of Data Fiduciaries) as SDFs based on:
11 Key managerial personnel under the DPB may be the Chief Executive Officer or the managing director or the manager, the company secretary, the whole-time director, the Chief Financial Officer, or any other personnel as prescribed.
12 A ‘social media platform’ is defined as “a platform which primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services”.
13 The expression "Sandbox" has been defined to mean such live testing of new products or services in a controlled or test regulatory environment for the limited purpose of the testing. The DPA may also permit certain regulatory relaxations for a specified period of time.
14 The policy needs to contain or specify (a) the organizational / business practices and technical systems in place to prevent harm to the Data Principal; (b) their obligations under the PDP Bill; (c) certification that the technology used to process personal data is in accordance with commercially accepted / certified standards; (d) that legitimate business interests, including innovation, are achieved without compromising privacy interests; (e) that protection of privacy is ensured throughout the life cycle of processing of personal data (from the point of collection to deletion); (f) that personal data is processed in a transparent manner; and (g) that the Data Principal’s interests are accounted for at each stage of processing of personal data.
15 This may be done when the Central Government is satisfied that it is necessary to do so either (a) in the interest of sovereignty and integrity of India, security of the State, friendly relations with foreign States, public order; or (b) to prevent incitement to the commission of any cognizable offence relating to any of the grounds in (a) above.