Updated: Aug 9
The draft Digital Personal Data Protection Bill, 2022 (“DPDP Bill”) was released for public consultation on November 18, 2022. Following public consultation, the DPDP Bill was revised and put before the Union Cabinet (the revised version has not yet been released publicly). Recent media reports indicate that the Cabinet approved the revised DPDP Bill on July 6, 2023.
The DPDP Bill is now expected to be placed before the Indian Parliament for consideration, debate, and approval. This may happen as soon as the Monsoon Session that gets underway in July 2023.
Here is a short ‘recap’ of the DPDP Bill, and how it may affect your business.
What is regulated: The DPDP Bill provides an expansive definition of “Data Principal”, i.e., the individual to whom the personal data relates, and includes a child (i.e., a person under 18 years) as well as the parent or lawful guardian of the child concerned. The DPDP Bill has simplified the definition of “Personal Data” to ‘any data about an individual who is identifiable by or in relation to such data’. The DPDP Bill requires data fiduciaries (within India or outside India) to provide data principals with a notice stating: (i) the personal data to be collected; and (ii) the purposes for which such personal data will be processed. Such notice must be provided on or before requesting the data principal's consent for processing.
Penalties for non-compliance: The DPDP Bill defines ‘Personal Data Breach’ widely as any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of, or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data. The DPDP Bill prescribes penalties for personal data breaches, including INR 250 crore (about USD 30 million) for a failure to take reasonable security safeguards. It also requires personal data breaches to be reported to every affected data principal, with non-compliance triggering a penalty of INR 200 crore (about USD 25 million). The wide definition has implications not only for the kinds of incidents that must be reported as personal data breaches, but also for parallel penalties that may apply to the same processing activities.
Consent Mechanism: The DPDP Bill provides two broad bases for the processing of personal data – express consent and deemed consent. The DPDP Bill allows data fiduciaries to process personal data based on the consent obtained from individuals. Such consent must be free, specific, informed and unambiguous (although these terms have been left undefined) and must be provided through affirmative action for a specified purpose. The DPDP Bill also permits the processing of personal data based on ‘deemed consent’. This includes some of the standard grounds typically recognised in other jurisdictions, e.g., compliance with a judgement or order; medical emergencies; and employment-related purposes.
Data fiduciaries under the DPDP Bill are required to make reasonable efforts to ensure that personal data processed by them or on their behalf is accurate and complete where the data is (i) likely to be used by the data fiduciary to make a decision that affects the data principal, or (ii) likely to be disclosed by the data fiduciary to another data fiduciary. The DPDP Bill also requires every data fiduciary to implement reasonable security safeguards to prevent personal data breaches and to protect the personal data in its possession or control. The specific standards for such safeguards, however, have not been prescribed.
The DPDP Bill does not impose a hard data localisation requirement, i.e., a requirement to process and store critical personal data only in India. All personal data may be transferred outside India to countries or territories notified by the Central Government (based on factors it considers necessary), in accordance with the terms and conditions it may specify (reports indicate that this ‘whitelisting’ approach may change to a ‘blacklisting’ one in revised drafts). Note that the DPDP Bill specifies that its provisions are in addition to (and not in derogation of) existing laws, and only in cases of conflict will the provisions of the DPDP Bill prevail. Given this, any localisation requirements under existing laws (such as those applicable to payments data that also qualifies as personal data) will continue to apply even after the DPDP Bill (if notified in its present form) comes into force.
What Happens Next: The DPDP Bill may be passed by the Indian Parliament in 2023, following which there will likely be a 12-18 month ‘bedding in’ period for compliance. That said, this law will fundamentally change how businesses collect and use personal data in India. It is useful to start evaluating the impact that implementation of the DPDP Bill will have on your activities in India.