India’s decade-long journey towards a data protection law has finally reached its (almost) final step. On August 7, 2023, the Lok Sabha passed the Digital Personal Data Protection Bill, 2023 (DPDP Bill, 2023) by voice vote. What remains is for the bill to be passed by the Rajya Sabha and then receive presidential assent for it to become law. The journey of India’s data protection law has been an interesting one, to say the least. It began as an elaborate, prescriptive draft legislation in 2019, which remained under consideration in Parliament until 2021. The first two drafts of India’s data protection law were widely criticised by industry experts for being too compliance-heavy, while civil society representatives raised valid concerns about unfettered access to and processing of personal data by state and law enforcement agencies. The earlier bill was eventually withdrawn in 2022, a fate that befalls few pieces of legislation these days.
Thereafter, in November 2022, the Ministry of Electronics and Information Technology (MeitY) released a leaner, principle-based draft for public consultation (the “2022 Bill”). MeitY is said to have received almost 20,000 submissions on the 2022 Bill and to have undertaken several dozen consultations. This effectively set the stage for a customised, inherently Indian legislation that, prima facie, has the potential to strike the elusive balance between enabling ease of doing business and protecting sovereign imperatives and citizens’ rights.
What is It?
The DPDP Bill, 2023 is a concise and simply written 33-page document, accompanied by several useful illustrations, and is a marked departure from the dense and prescriptive approach of personal data protection legislation to date. It also differs in several ways from its 2022 predecessor.
Key changes from the 2022 Bill include: a negative-list regime for cross-border data transfers; removal of the ‘fair and reasonable purposes’ and ‘public interest’ grounds of processing; an exemption for data made publicly available by a data principal or under a legal obligation; exemption of data fiduciaries from parental consent and other children’s-data obligations in certain cases; and government powers to block public access to a data fiduciary’s platform, among several others. The provisions of the DPDP Bill, 2023 are principle-based, and the more intricate details of implementation have been left to subordinate rule-making.
Here is a deep dive into some important takeaways from the Bill:
Applicability and Scope
In its material scope, the DPDP Bill, 2023 applies to personal data collected in digital form, and to personal data collected in non-digital form that is subsequently digitised. It has done away with ambiguous terms such as “online data” and “offline data” that were used in the 2022 Bill.
The DPDP Bill, 2023 does not apply to:
data processed for personal or domestic purposes; and
data made publicly available by the data principal, or by any other person who is under a legal obligation to make it publicly available.
The categories of such exempt data have been narrowed from the 2022 Bill. Interestingly, the DPDP Bill, 2023 applies to processing of personal data outside India only if the processing is in connection with the offering of goods or services to data principals within India. This differs from the 2022 Bill, which also extended to processing connected with the profiling of data principals within India.
Notice and Consent
The regime of notice and consent remains in place in the DPDP Bill, 2023, but the requirement for itemised notices has been done away with. When seeking consent, a data fiduciary must now notify the data principal of the personal data being processed and the purpose of processing; the manner in which the data principal may withdraw consent and seek grievance redressal; and the manner in which a complaint may be made to the Data Protection Board (“DPB”). The provisions on consent are largely unchanged from the 2022 Bill. Consent under the DPDP Bill, 2023 is an indication by the data principal signifying agreement to the processing of their personal data for a specified purpose. It must be free, specific, informed, unconditional and unambiguous, and given through a clear affirmative action. Data principals have the right to withdraw consent and may give, manage and withdraw consent through consent managers. Furthermore, data principals may access the contents of the notice in English or in any language specified in the Eighth Schedule of the Constitution of India.
Grounds for Processing and Obligations of Data Fiduciaries
The DPDP Bill, 2023 has moved away from the ‘deemed consent’ framing of non-consent-based processing. It now provides a narrow list of ‘legitimate uses’ and has done away with the ‘fair and reasonable purposes’ and ‘public interest’ grounds. One such legitimate use permits processing without consent where the data principal has voluntarily provided personal data for a specified purpose and has not indicated that they do not consent to its use. The bill’s illustrations explain the scenarios in which such processing is allowed, for example where personal data is handed over in the course of availing a service.
Substantial obligations are placed on data fiduciaries. They must ensure compliance with the bill, including in respect of processing carried out on their behalf by data processors; set up a grievance redressal mechanism; ensure the completeness, accuracy and consistency of personal data, particularly where it is used to make a decision affecting the data principal or is disclosed to another data fiduciary; and erase personal data when the data principal withdraws consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, unless retention is required by law. Data fiduciaries must also protect the personal data in their possession or control, including data processed on their behalf by a processor, by taking reasonable security safeguards, and must notify the DPB and each affected data principal in the event of a personal data breach. Further, the Central Government may notify certain data fiduciaries as significant data fiduciaries after assessing factors such as the volume and sensitivity of the personal data processed, the risk to the rights of data principals, and the potential impact on the sovereignty and integrity of India, among others. Data fiduciaries may engage data processors under valid contracts, but the responsibility for security safeguards rests solely with the data fiduciary.
Rights of Data Principals and Children’s Data
As in the 2022 Bill, the DPDP Bill, 2023 allows data principals to obtain a summary of the personal data being processed and the processing activities undertaken, as well as the identities of all data fiduciaries and data processors with whom their personal data has been shared. They also have a right to correction and erasure, and a right to nominate another individual to exercise their rights on their behalf in the event of death or incapacity. With regard to children’s data, data fiduciaries must obtain verifiable parental consent before processing. The DPDP Bill, 2023 prohibits processing that is likely to cause a detrimental effect on the wellbeing of a child, and prohibits tracking or behavioural monitoring of children and targeted advertising directed at children. It does, however, allow the Central Government to exempt certain classes of data fiduciaries from the parental consent requirement in certain cases.
Cross Border Transfers
The DPDP Bill, 2023 abandons the whitelist approach of the 2022 Bill and instead adopts a negative list: personal data may be transferred to any country or territory outside India except those restricted by the Central Government by notification. Sectoral restrictions on data transfers, such as those imposed by the RBI, will continue to apply.
Data Protection Board ("DPB")
The DPB under the DPDP Bill, 2023 will be an adjudicatory and enforcement body rather than a regulator. The Central Government is tasked with its composition and functioning, and the criteria for membership and composition of the board are set out in the bill. The DPB can impose monetary penalties on data fiduciaries for non-compliance with the provisions of the bill, with the maximum penalty of INR 250 crore reserved for failure to take reasonable security safeguards to prevent a personal data breach.
Blocking Powers and Exemptions
In a first, the DPDP Bill, 2023 empowers the Central Government, or any of its authorised officers, to block public access to a data fiduciary’s platform on the recommendation of the DPB. Blocking may only be ordered if it is necessary or expedient in the interests of the general public, and the data fiduciary must be given an opportunity to be heard before the order is issued. The Central Government may direct any intermediary to assist in giving effect to the blocking order.
The DPDP Bill, 2023 also exempts the processing of personal data from certain provisions in cases such as:
a) investigation of offences;
b) implementation of a scheme of compromise or merger or amalgamation;
c) detection of financial frauds; and
d) processing of personal data of data principals who are outside India pursuant to a contract with a person outside India, among others.
The Central Government may also provide exemptions for research, archiving and statistical purposes, provided the personal data is not used to take any decision specific to a data principal. Lastly, certain classes of data fiduciaries, including start-ups, may also be exempted by the Central Government.
What cannot be denied is that the DPDP Bill, 2023 has a uniquely Indian flavour in its attempt to establish a modern data protection regime, and that the extensive consultations undertaken by MeitY have been extremely beneficial. The DPDP Bill, 2023 is principle-based and not as prescriptive as the supposed norm-setter that is the EU’s GDPR. It appears more business-friendly and does a more than decent job of enshrining the protection of user rights within its provisions. It will be interesting to see how implementation plays out, as the bill provides for staged implementation, with the Central Government notifying the provisions that will take effect from time to time.