The Ministry of Electronics & Information Technology (MeitY), on the 18th of November, released the latest draft version of India’s proposed data protection law. The DPDP Bill is open for public consultation till the 17th of December this year.
Note: The DPDP Bill, as of now, has not attained the status of formal ‘law’. After the public consultation deadline, the Bill will be considered for parliamentary deliberations – given the timelines, it is unlikely that this will happen in this winter session of parliament, which is commencing on this 7th of December.
Data Fiduciary – any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data
Data Principal – any person to whom the personal data relates; includes parents or lawful guardians in case of children
Data Processor – any person who processes personal data on behalf of a Data Fiduciary
1. Restriction of scope to ‘digitized’ personal data; exclusion of non-personal data
2. Language compliances for notice & consent requirements; inclusion of ‘deemed consent’
3. Inclusion of ‘Significant Data Fiduciary’; consequent requirement of appointing an India-based DPO
4. Obligation to report data breach incidents to each affected Data Principal
5. Setting up of a Data Protection Board
6. ‘Notified countries’ for transfer of data outside India
What Do I Need to Know?
I. Data Being Regulated
• As the title suggests, the scope of the DPDP Bill is restricted to ‘digital’ personal data, whether collected online, or collected offline and then digitized.
• The DPDP Bill does away with categorizations of personal data such as sensitive and critical personal data; it instead defines ‘personal data’ more broadly as any data about an individual who is identifiable by or in relation to such data.
• The DPDP Bill also envisages certain exceptions in terms of applicability of the provisions, including to non-automated processing of personal data, personal data processed by an individual for personal or domestic purpose, etc.
II. Territorial Application
III. Consent / Notice Requirements
• The Bill specifies that the only grounds for processing of personal data are either express consent (by way of a clear affirmative action) or deemed consent for a lawful purpose.
• Circumstances which would amount to deemed consent include, for instance, public interest; sharing of personal data where such sharing can reasonably be expected; performance of functions specified under law; furtherance of a court order; and interestingly, for purposes related to employment – including for preventing corporate espionage, background verification and verification of attendance.
• ‘Itemized notice’ comprising a description of personal data sought to be collected, along with the purpose of processing such personal data, shall be given to the data principal.
• Requests for ‘consent’ and ‘notice’ should give the data principal the option to access them in English or any of the official languages of India. The DPDP Bill also introduces the concept of a Consent Manager, which enables a data principal to manage and keep track of consent previously provided.
IV. Obligations: Data Fiduciary; Significant Data Fiduciary
• General obligations of a Data Fiduciary include appointing a Data Protection Officer; making reasonable efforts to ensure accuracy and completeness of processed data; taking reasonable security safeguards to prevent personal data breach etc. An interesting development is the data fiduciary’s obligation of reporting a data breach to each affected Data Principal – a requirement absent under existing law.
• ‘Significant’ Data Fiduciaries may be notified by the central Government based on an assessment of relevant factors including volume and sensitivity of personal data processed, risk of harm to the data principal, etc. Significant Data Fiduciaries will have additional compliance obligations, including the appointment of a Data Protection Officer (DPO) based in India, and undertaking a Data Protection Impact Assessment (DPIA) when prescribed. This ‘Significant’ categorization seems to be following the trend set by regulations affecting social media intermediaries, which also entails a higher compliance standard.
• The DPDP Bill specifies that anyone under the age of 18 is a ‘child’; that a child’s personal data may only be processed after obtaining consent from a parent, in a manner that will be specified by the government; and that broadly, processing of the child’s data should not be in such a manner that is likely to cause harm. Behavioral monitoring of a child is also prohibited.
• The DPDP Bill lists some ‘exemptions’ to the obligations of the Data Fiduciary, which include processing of personal data necessary for enforcing any legal right or claim, or done in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law. Further, the Bill provides for the central government to – by notification – exempt any state instrumentality from the application of provisions of the Bill.
VI. Data Principal – Rights & Duties
• The rights of Data Principals include the right to obtain information from the Data Fiduciary (including confirmation on whether the latter is processing or has processed personal data of the former, identities of all the Data Fiduciaries with whom the personal data has been shared, etc.); the right to correction and erasure of personal data; the right of grievance redressal; and the right to nominate any other individual to exercise the rights of the data principal in the event of death or incapacitation.
• The DPDP Bill has introduced a provision for the duties of data principals, which includes a duty on the data principal to not register a false or frivolous grievance or complaint with a Data Fiduciary or the Data Protection Board. For the first time in any iteration of this bill, penalties for non-compliance (on the part of Data Principals) have been introduced.
VII. Localization / Transfer of Data outside India
• The DPDP Bill proposes to permit cross-border transfers of data only to countries that will be notified by the central Government.
VIII. Data Protection Board and Penalties
• The DPDP Bill calls for the appointment of a Data Protection Board, by the Government, to enforce compliance with the provisions of the Bill, and broadly sets out the procedure to be followed by the Board to ensure such compliance. The Board has been provided powers to impose serious financial penalties up to approximately USD 61 million.
This update is for information purposes only. It is not and should not be construed as legal advice. If you would like to know more or seek legal advice, see below.