Data is one of the most valuable assets in the evolving digital ecosystem. Data and privacy go hand in hand, and the importance of both cannot be ignored. An individual's data is of utmost importance and requires protection because it reflects several facets of human personality and behaviour. The existing regulations in India to protect data are inadequate considering the increasing use of technology and global digital interfaces.
On 24 August 2017, the Supreme Court of India in Justice KS Puttaswamy vs. Union of India (2017) 10 SCC 1 recognized the right to privacy as a fundamental right under Article 21 of the Constitution of India, 1950. In the Indian context, privacy is not a new concept and goes back to the case of Kharak Singh vs. The State of Uttar Pradesh 1964 SCR (1) 332.
On 31 July 2017, the Government of India constituted a Committee of Experts on Data Protection under the chairmanship of former Justice BN Srikrishna, which submitted the draft of the Personal Data Protection Bill, 2018 (“PDPB 2018”). After a public consultation process, the PDPB 2018 was replaced by the Personal Data Protection Bill, 2019 (“PDPB 2019”). The PDPB 2019 was withdrawn in August 2022 owing to the multiple recommendations and amendments proposed by the Joint Parliamentary Committee (“JPC”).
The Digital Personal Data Protection Bill, 2022 (“Bill”) was introduced on 18 November 2022, two months after the withdrawal of the PDPB 2019. The principles underlying the Bill are similar to those of the General Data Protection Regulation (“GDPR”).
In India, the Information Technology Act, 2000 (“IT Act”) deals with personal information under Section 43A, including sensitive personal data or information, and is supplemented by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”). The SPDI Rules provide a framework for the privacy policy, collection of information by body corporates after taking consent, disclosure of information, transfer of information to third parties, and reasonable security practices and procedures. However, the Bill proposes to repeal Section 43A of the IT Act and the SPDI Rules.
The Bill provides for the protection of digital personal data and is applicable to the processing of digital personal data within India when such data is collected online or offline but digitized. The Bill also applies to the processing of digital personal data outside India if such processing of digital personal data is connected with “profiling” or any activity of offering goods or services to an individual within India. Profiling, as defined under the Bill, means any form of processing of digital personal data that analyses or predicts aspects concerning the behaviour, attributes, or interests of an individual. The concept of profiling is not new and finds mention in other global data privacy regulations. Considering the growth of artificial intelligence (“AI”) and machine learning, it will be interesting to see how the processing of digital personal data will be impacted under this Bill.
The Bill establishes a relationship between the Data Principal (“DP”) and the Data Fiduciary (“DF”), and between the DF and the Data Processor, which are the main players under the Bill. A DP is the individual to whom the personal data belongs; a DF is a person who, alone or in conjunction with other persons, determines the means and purpose of processing of digital personal data; and a Data Processor is a person who processes personal data on behalf of a DF. Interestingly, under the GDPR, the DP and DF are termed ‘Data Subject’ and ‘Controller’ respectively. Notably, the definition of ‘person’ in the Bill is quite wide and includes an individual, a HUF, a company, a firm, an association of persons or a body of individuals (whether incorporated or not), the State and every other artificial juristic person.
A vital tenet of the Bill is to maintain transparency, lawfulness, and accuracy. This is evident from the fact that the right to seek information about personal data and the right to seek correction and erasure (deletion) of personal data are available to the DP. Interestingly, the DP also has the right to nominate another person in the event of the DP's death or incapacity. Similar rights are also available in other global data protection regulations. The right to nominate should carry the necessary restrictions and limitations to avoid any risk of misuse of a DP's personal data by a Nominee. There are also duties imposed on the DP, i.e., to furnish authentic information, to comply with all applicable laws, to not raise false complaints or grievances, and to not provide false particulars, suppress information or impersonate another person. A breach of the duties imposed on the DP may attract penalties under the Bill.
There are various obligations on a DF, including seeking consent from the DP through a prior itemised notice mentioning the specified purpose for which the collection and processing of personal data are sought. A DF, while discharging its obligations, will act as a Consent Manager for the giving, managing, reviewing, and withdrawing of consent by the DP. Interestingly, there is an emerging trend across the world to provide consent management services. It will be interesting to see how such entities will emerge in India given the landscape of the Bill. The Bill also includes a concept of Deemed Consent, or voluntarily providing digital personal data for processing, like the GDPR.
To ensure protection and balance at each level of the processing of digital personal data between the DP and the DF, various obligations have been imposed upon the DF. The DF must provide all necessary mechanisms for the DP to exercise her rights effectively. The DF must appoint and publish the contact information of a Data Protection Officer (“DPO”) or any other person who will be responsible for answering the queries of the DP vis-à-vis her personal data. Apart from the above, the Bill imposes other obligations on the DF which aim to ensure transparency and accuracy and to take reasonable security safeguards to prevent data breaches. There are also crucial obligations in relation to the processing of the personal data of children.
A unique aspect of the Bill is the introduction of the ‘Significant Data Fiduciary’ (“SDF”): the Central Government will notify a class of DF as SDF, considering relevant factors including, but not limited to, the volume and sensitivity of personal data processed by the DF. Notably, the appointment of a DPO and an Independent Data Auditor (“IDA”) is mandatory for an SDF. It will be interesting to see what rules will be framed regarding the qualification or eligibility criteria of a DPO and an IDA. It is also mandatory for an SDF to prepare a Data Impact Assessment Report and to conduct periodic audits.
Importantly, the Bill allows the transfer of personal data outside India. The government may notify countries or territories to which a DF may transfer personal data, on such terms and conditions as may be prescribed. It will be interesting to see whether the stricter provisions of the GDPR will be adopted while prescribing the terms and conditions for the transfer of personal data outside India.
Several exemptions have been enumerated under the Bill for the processing of digital personal data, including situations where processing is necessary for the enforcement of a legal right or claim, the performance of any judicial or quasi-judicial functions and for a legal proceeding involving any offence or contravention of any law, among others. The government is also vested with the power to exempt the application of the Bill in circumstances which involve the processing of digital personal data by any instrumentality of the State in the interests of the sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order, preventing incitement to any cognizable offence, and where the processing of personal data is necessary for research, archiving or statistical purposes.
Like the GDPR, the Bill establishes a Data Protection Board (“DPB”), which will have various powers including the imposition of heavy financial penalties, the power to review, to accept voluntary undertakings, to conduct enquiries, and to issue codes of practice. Considering the wide powers given to the DPB, the Bill can be said to be a complete code. The Bill is a special law and supersedes other legislation in case of a conflict. Apart from financial penalties, it will be interesting to see whether a breach committed under the Bill could also expose a DF, DP or data processor to criminal liability under other laws, including the Indian Penal Code, 1860 and the IT Act, as the Bill is silent on that aspect.
For a world that is dependent on technology, compliance with the Bill could add a cost to organizations that are either a DF or a data processor if such organizations have not created the requisite technical architecture to safeguard data and prevent data breaches. India's vision to attract global business and investors will require robust data protection regulations. Accordingly, a balance will have to be struck between achieving the goals of the digital economy and protecting the digital personal data of the individual.
The Bill is proposed to be tabled before the parliament in the monsoon session.
The views expressed are solely those of the author and should not be attributed to the author's firm or its clients, or any other organization.