Vikram Jeet Singh and Prashant Daga
[This article is the first in a two-part series on the subject]
Ever since the Indian Supreme Court recognized informational privacy as part of the fundamental Right to Life in 2017, Indian lawmakers have been attempting to develop a new data protection framework. A first draft was released in 2018, and a revised one in 2019. Both these drafts proposed a GDPR-style privacy law for India. The 2019 bill was subsequently withdrawn in 2021 after the Joint Parliamentary Committee (set up to review the bill) recommended nearly 100 revisions to it.
On November 18, 2022, the Ministry of Electronics and Information Technology ("MEITY") released a new draft Digital Personal Data Protection Bill, 2022 ("2022 Bill"). As per the explanatory note provided along with the law, MEITY has opted for a back-to-basics approach. A number of controversial, unworkable, or complex items have been dropped from this draft, and certain operational elements are kept for subordinate rules to be issued later.
The law is based on the following seven fundamental principles:
Use: Use of personal data should be lawful, fair, and transparent to individuals.
Purpose: Data collected should only be used for the purpose for which it was collected.
Minimization: Only the personal data required for a specific purpose should be collected.
Accurate: The personal data collected should be accurate and updated.
Retention: Personal data should be retained for only as long as required for the purpose of its collection.
Protect: The personal data should be reasonably safeguarded to prevent personal data breaches, unauthorised collection, or processing of personal data.
Accountability: The person who decides the purpose and means of processing of personal data should be accountable for such processing.
To help you parse this legislation, we have prepared this 2-part article which ‘Unpacks’ the 2022 Bill.
WHEN WILL THE 2022 BILL COME INTO FORCE?
The new draft law will likely be placed before the Indian Parliament for approval in early 2023. Given that this is the third cut of the privacy law, and a streamlined one compared to the previous versions, the 2022 Bill has a good chance to be promulgated into law.
In line with the Parliamentary committee's recommendations, the 2022 Bill proposes a stage-wise implementation, where different dates may be appointed for the enforceability of different provisions. The draft currently does not indicate what these timelines could be (the 2019 version called for a 2-year transition period, which was welcomed by businesses).
WHAT DOES THIS LAW REGULATE?
Personal Data: The 2022 Bill includes a broad definition of what constitutes data and personal data, and regulates the processing within India of digitized personal data, i.e., any data about an individual who is identifiable by or in relation to such data. Data collected offline but later digitized is also subject to the 2022 Bill. Unlike its predecessor and the existing SPDI Rules, it does not further classify personal data into sensitive personal data and critical personal data. The following forms of data have been omitted from the law's purview: (a) personal data processed by non-automated means; (b) offline personal data; (c) personal data processed for private purposes; and (d) personal data that has been in the public domain for at least 100 years.
Processing is defined broadly, as an automated operation or set of operations performed on digital personal data, and may include collection, recording, organization, structuring, storage...indexing, sharing, disclosure by transmission, dissemination…erasure or destruction. Presently, certain rights (such as retaining personal data for legal purposes) are only granted to those who collect the data (viz., the 'data fiduciary'), and not to entities that process it on behalf of another entity (viz., the 'data processor'). Since data processors may also be required to retain data for law enforcement and similar purposes, it may be useful to extend such rights to them as well.
Extra-Territorial Application: The 2022 Bill applies to the processing of personal data within India. It does not refer to the nationality or residence of the individual to whom such personal data relates. Like the 2019 draft, the 2022 Bill also extends its applicability to the processing of personal data outside India, if it is in connection with any profiling of, or offering of goods and services to, individuals within India. An Indian vendor collecting personal data from EU citizens to provide them services and storing such data in India would qualify as "processing personal data in India".
WHO DOES THIS LAW APPLY TO?
Data Principals: The draft law applies to individual data principals, i.e., the individuals to whom the personal data relates. In the case of children, it includes the parents or lawful guardians of the child.
'Data Fiduciary' denotes the entity which decides the purpose and means of processing of an individual's personal data. While multiple entities may be involved in the processing of personal data, the determining characteristic of a data fiduciary is specifying the purpose for collection and electing what to do with such data. A person who processes personal data on behalf of a Data Fiduciary is termed a ‘Data Processor’.
Grounds for Processing: The new law allows processing of personal data for any ‘lawful purpose’ (i.e., purposes not expressly forbidden under law), provided the data principal has given their consent or is deemed to have given it. As such, processing of personal data without valid consent may only be permitted if the instance falls under one of the categories of 'deemed consent'.
WHAT TO DO BEFORE PROCESSING PERSONAL DATA?
Giving Notice: Prior to collecting personal data, the Data Fiduciary is required to give an itemized notice to the Data Principal (in clear and plain language) describing the personal data sought to be collected and the purpose of processing such data. This notice is to be provided in English or any of the 26 local languages specified in the Eighth Schedule of the Indian Constitution.
Taking Consent: As is the case with data protection laws globally (including the existing IT Personal Data Rules 2011), consent is the basis for processing personal data under the 2022 Bill as well. For consent to be valid under the 2022 Bill, it has to be free, specific, informed and unambiguous, and expressed via an 'affirmative' action by the Data Principal signifying their agreement to the processing of their personal data. An element of consent which falls foul of the law will not apply; the bill provides an illustration wherein, if the consent also includes language which waives (say) the data principal's right to file complaints with the data protection regulator, the waiver shall not be considered valid. Like the notice, every request for consent should be provided in English or any of the 26 local languages specified in the Eighth Schedule of the Indian Constitution.
Deemed Consent: The concept of deemed consent has been borrowed from Singapore's privacy law, and permits processing of personal data without express consent in specific instances, such as the vital interests of the data subject, public interest, contractual obligation, legitimate interests, etc. This includes matters such as employment, where the consent of the Data Principal would not be required to provide them a benefit. The term ‘public interest’ has been defined to include (inter alia) detection of fraud, corporate restructuring, information security, operation of search engines, credit scoring, etc. Notably, the provision also contemplates permitting processing for any 'fair and reasonable purpose', subject to specified tests.
WHAT ARE A DATA FIDUCIARY’S OBLIGATIONS?
Data Fiduciary’s General Obligations: The primary liability to comply with the 2022 Bill rests on each Data Fiduciary (regardless of their engagement of data processors), who is to make ‘reasonable efforts’ to ensure that the personal data processed by them is accurate and complete. As with the current 2011 law, the Data Fiduciary is to implement appropriate technical and organizational measures and reasonable security safeguards (no standards have been specified, thus far). In a departure from the 2019 version, the Data Fiduciary is to inform the Data Subject and the regulator of any data breaches. Data Fiduciaries must share data only under a contract, and retain it only as long as required under law or contract. Finally, a grievance redressal procedure is to be established, overseen by a Data Protection Officer.
Obligations of ‘Significant’ Data Fiduciaries: A special category of Data Fiduciaries has been singled out for additional compliance. ‘Significant’ Data Fiduciaries will be determined on the basis of criteria such as volume of data processed, risk of harm, public order, etc. In addition to appointing Data Protection Officers, such Data Fiduciaries are required to appoint Independent Data Auditors and undertake audits and other compliances that may be prescribed.
Children's Data: Data Fiduciaries that collect the personal data of a child must obtain verifiable parental consent; the bill does not clarify what is considered acceptable parental consent. Since children's data is a sensitive subject and should be treated with the utmost caution, the new law specifies that the lawful guardian of the child should provide consent for processing personal data on behalf of the child. As expected, processing a child's personal data for behavioral monitoring or targeted advertising, or in any manner that is harmful to the child, remains prohibited, unless exempted for purposes identified by the regulator.
In part 2 of this article, we cover provisions pertaining to the rights and obligations of Data Principals, cross-border transfers, exemptions, and the consequences of non-compliance.