This post sets out our key takeaways from the draft Digital Personal Data Protection Bill 2022, and lays down how key provisions have changed from earlier iterations of the bill – i.e., the Joint Parliamentary Committee’s Data Protection Bill, 2021 and the Personal Data Protection Bill, 2019.
On 18 November 2022, the Indian government published a new iteration of India’s data protection law – the draft Digital Personal Data Protection Bill, 2022 (2022 Bill) for public consultation.[i] Comments may be submitted until 17 December 2022. This is the fourth iteration of India’s proposed data protection law. The 2022 Bill is different from previous iterations, i.e., the Personal Data Protection Bill, 2019 (2019 Bill) and the Joint Parliamentary Committee’s Data Protection Bill, 2021 (JPC Bill). The 2022 Bill applies only to ‘digitised’ personal data and removes any references to non-personal data. It does away with the categorization of personal data into sensitive personal data and critical personal data, along with provisions on non-personal data, algorithmic accountability, data portability, and a governing framework for hardware/software certification. References to data localization have been taken out, while the central government has been empowered to approve cross-border data transfers to whitelisted countries. The 2022 Bill introduces a list of situations where consent may be ‘deemed’ and need not be explicit, with the aim of providing flexibility in data processing. But it also requires the government to notify reasonable purposes, the residuary processing ground. The 2022 Bill is much leaner than its predecessors – from 99 clauses in the JPC Bill to 30 clauses in the 2022 Bill. This appears in line with the government’s intention to create a simple, comprehensive data protection framework for India.[ii] As a result, however, a lot of discretion and critical decision-making power has been handed to the central government through its rule-making function.
Here is a summary of key provisions in the 2022 Bill – covering the changes from the JPC Bill and the 2019 Bill – along with what comes next in India’s journey to enact personal data protection legislation.
1. Applicability and scope:
- Scope of data: Applies to the processing of “digital personal data”. As a result, both non-personal data and data in non-digital formats are excluded.[iii] The 2022 Bill also does not distinguish between the types of personal data – sensitive personal data (SPD) and critical personal data (CPD).
- Territorial applicability: Applies to processing digital personal data within the territory of India. It also applies to processing of digital personal data outside India if such processing is in connection with any profiling or offering goods or services to data principals within India.[iv]
- Processing activities: It does not apply to non-automated processing, processing for domestic or personal purposes by individuals, and personal data about individuals contained in records that have been in existence for at least 100 years.[v]
The JPC Bill sought to regulate both personal and non-personal data (NPD) within the same legislation[vi]. Even the 2019 Bill included provisions on sharing of NPD with the central government. The exclusion of NPD from the scope of the personal data protection bill was a key demand from various stakeholders.[vii] Similarly, stakeholders had demanded that the types of SPD should be limited to ensure legal certainty[viii] and the concept of CPD should be removed[ix] – this has largely been accepted in the 2022 Bill. However, the Bill retains the broad territorial scope of past versions and may apply to the incidental processing of personal data of people in India by foreign businesses.
2. Consent: ‘Consent’ means an indication by the data principal signifying an agreement for their data to be processed for a specified purpose.[x] Consent should be free, specific, informed, and unambiguous.[xi] And it should be given through a clear affirmative action.[xii] The ‘specified purpose’ should be mentioned in the notice given by the data fiduciary. This notice should be clear, itemized, and in simple language.[xiii] Data principals also have the right to withdraw their consent, and to use the services of consent managers.[xiv] If a data principal withdraws their consent, the data fiduciary will have to cause the data processor to stop processing that principal’s personal data, unless such processing is otherwise authorized under the 2022 Bill or it is necessary to process that principal’s data without their consent.[xv] Data principals or users are entitled to access information made available to them in English, or to choose any language specified in the Eighth Schedule of the Constitution of India.[xvi] This is a new requirement, and it is consistent with earlier statements by government officials that the 2022 Bill would be simple[xvii], accessible[xviii] and inclusive of everyone, including citizens in rural areas.
Provisions on consent are materially similar to past iterations of the Bill; consent remains the primary ground for processing personal data. However, according to the Bill, data fiduciaries may only have to provide notice to data principals when they process personal data based on consent, and not when they process based on deemed consent (discussed below). The requirement for the data fiduciary to cause the data processor to cease processing when the data principal withdraws their consent is new. As a result, data processors may have to cease processing once instructed by their data fiduciaries, if the data principal withdraws consent.
3. Deemed consent: The 2022 Bill introduces the concept of ‘deemed consent’.[xix] It refers to circumstances where consent is not expressly needed – and includes situations where the data principal voluntarily provides their data or can be reasonably expected to do so, and for performance of functions under law, among others. The 2022 Bill also recognizes deemed consent for public interest – such as for preventing fraud, to ensure network and information security, and for fair and reasonable purposes.[xx] The government can specify fair and reasonable purposes through rules.[xxi]
Industry stakeholders requested the codification of certain grounds mentioned in the 2019 Bill – like fraud, network and information security, and others – which have now been included as ‘public interest’ grounds under the 2022 Bill.[xxii] However, the 2022 Bill does not explicitly include ‘legitimate interests’ and ‘performance of a contract’ as grounds to process personal data without consent – despite it being a longstanding industry demand.[xxiii] The power to specify fair and reasonable purposes now vests with the central government – as opposed to earlier iterations, where the data protection authority could prescribe them through regulations.[xxiv]
4. Cross-border data transfers: The 2022 Bill does not include references to local storage or localization requirements. However, it introduces new conditions for cross-border data transfers. Now, the central government can notify the countries or territories to which personal data may be transferred.[xxv] While notifying these territories, the central government can assess any factors that it may consider necessary.[xxvi] Details on these factors are awaited. The 2022 Bill limits cross-border transfers of personal data to jurisdictions that the government notifies. This restriction applies to all personal data – not just SPD and CPD, unlike earlier iterations. This appears similar to the adequacy mechanism under the GDPR. However, unlike the GDPR, the Bill does not recognize other grounds for overseas transfers, such as standard contractual clauses, certifications, and others.
5. Personal data breach: Either the data fiduciary or the data processor must report a personal data breach.[xxvii] A ‘personal data breach’ includes both unauthorized processing and accidental disclosure, use, sharing, acquisition, etc. of personal data.[xxviii] Notably, data fiduciaries and data processors can be penalized up to INR 250 crores for failure to ensure reasonable security safeguards. They can also be penalized up to INR 200 crores if they fail to report a personal data breach to the proposed Data Protection Board and affected data principals.[xxix] The earlier timeline of 72 hours[xxx] for data fiduciaries to report data breaches has been removed. The obligation to report data breaches has also been extended to data processors. In the past, stakeholders from the data processing industry have indicated that they may not be able to report data breaches because they do not have visibility over the data they process.[xxxi] This obligation also overlooks industry views that only data fiduciaries should be responsible for reporting data breaches.[xxxii]
6. Significant data fiduciaries: The government can notify ‘significant data fiduciaries’ (SDFs) based on the volume and sensitivity of the personal data they process, the risk of harm to the data principal, their potential impact on the sovereignty and integrity of India, risk to electoral democracy, and other factors.[xxxiii] SDFs are subject to additional obligations – like appointment of an independent data auditor to assess their compliance with the 2022 Bill, and conducting data protection impact assessments.[xxxiv] They must also appoint a data protection officer based in India.[xxxv] The government’s power to designate SDFs and the additional obligations of SDFs have largely remained unchanged from the JPC Bill. A notable change, however, is that the 2022 Bill does not automatically consider social media platforms that meet a specified user threshold to be SDFs.[xxxvi] Also, earlier, SDFs had to mandatorily conduct data protection impact assessments only for data processing involving the use of new technologies, large-scale profiling, use of SPD, or any other processing which carries a risk of significant harm to a data principal.[xxxvii] Now, the 2022 Bill mandates data protection impact assessments for all SDFs.
7. Obligations of data fiduciaries: Data fiduciaries must make reasonable efforts to ensure accuracy and completeness of the data they process,[xxxviii] remove or cease to retain data for which the purpose of processing is complete,[xxxix] and establish grievance redressal mechanisms.[xl] They must publish the details of a data protection officer (for SDFs) or appoint a person who can answer the data principal’s questions about processing of their personal data and publish that person’s details.[xli] Data fiduciaries are also ultimately responsible for complying with provisions of the 2022 Bill.[xlii] Data fiduciaries’ obligations under the 2022 Bill are largely similar to those under the JPC Bill and the 2019 Bill.
8. Obligations of data processors: The 2022 Bill clarifies that most obligations apply to data fiduciaries – but it extends some obligations to both fiduciaries and processors. For example, the obligation to take reasonable security measures to protect personal data,[xliii] and to report personal data breaches to the Data Protection Board and affected data principals,[xliv] applies to both fiduciaries and processors. Under the 2022 Bill, data fiduciaries can engage data processors through a valid contract.[xlv] And sub-processing is allowed if the data processor’s contract with the data fiduciary allows it.[xlvi] The broad recognition that data fiduciaries are primarily responsible for compliance is in line with industry demands.[xlvii] But the 2022 Bill newly introduces the requirement for data processors to notify personal data breaches.
9. Data Protection Board (DPB): The central government will establish a DPB which will operate as an independent body and function as a digital office.[xlviii] The functions of the DPB will be ‘digital by design’.[xlix] The central government can prescribe the composition, qualifications and experience, process of selection, terms of appointment, removal, salary, allowances and other matters through rules.[l] The DPB will enforce the provisions of the bill and impose penalties for non-compliance.[li] It can conduct hearings, summon and enforce attendance, examine persons on oath, among other functions.[lii] Notably, however, the DPB cannot prevent access to a premises or take custody of any equipment or item that may disrupt the day-to-day functioning of any entity during its inquiries.[liii] The DPB can also accept voluntary undertakings – i.e., an entity subject to proceedings for non-compliance can undertake to perform or abstain from certain action, in which case the enforcement proceeding will stop.[liv]
The JPC Bill and the 2019 Bill specified the composition of the proposed data protection authority.[lv] Under the JPC Bill, the central government could also appoint the selection committee for the data protection authority, consisting of members from the executive.[lvi] However, the 2022 Bill states that the central government can appoint the chief executive of the DPB, and prescribe the terms and conditions and functions.[lvii] The 2022 Bill also specifically calls out the independence of the DPB – which was absent in the JPC Bill and the 2019 Bill. But notably, the central government retains control over several aspects of the DPB’s functioning. The provisions on voluntary undertakings are new and are intended to facilitate compliance and encourage timely admission of violations.[lviii] The role of the regulator is also a reduced one – focused on enforcement and adjudication, when compared to the previous versions of the bill where the data protection authority had a larger role, which would be exercised through the regulations it was empowered to issue. Now the DPB cannot issue regulations – only the central government can frame rules.
10. Penalties: The 2022 Bill prescribes the maximum penalty to be INR 500 crores in each instance.[lix] Notably, both data processors and data fiduciaries can be penalized up to INR 250 crores if they fail to put in place reasonable security safeguards to prevent personal data breaches.[lx] The government may amend penalties, but newly proposed penalties cannot be more than double what is prescribed in the 2022 Bill.[lxi] The JPC Bill had recommended that the government retain flexibility to determine penalties by considering rapidly evolving technologies.[lxii] While the 2022 Bill also allows the government to amend penalties, it prescribes an upper limit. The penalties under the 2022 Bill are also significantly higher – in line with recent reports that the government would impose heavy penalties for data breaches.[lxiii]
11. Rights of data principals: Data principals have the right to (a) obtain information on the personal data being processed, the processing activities, and identities of all the data fiduciaries their data has been shared with;[lxiv] (b) correction and erasure of their data,[lxv] (c) nominate an individual to exercise rights on their behalf in the event of their death or incapacitation;[lxvi] (d) grievance redressal,[lxvii] among others. They can exercise these rights through the data fiduciary. The JPC Bill and the 2019 Bill provided the right to data portability[lxviii] – i.e., the right to move their personal data across different service providers – which has been removed from the 2022 Bill. The 2022 Bill also introduces duties for data principals – these include (a) complying with the provisions of the Bill and other applicable laws while exercising their rights, (b) refraining from registering false or frivolous grievances with the data fiduciaries, (c) refraining from furnishing false particulars or suppressing material information, and (d) furnishing information that is verifiably authentic.[lxix] Earlier iterations of the Bill did not include duties for data principals.
12. Children’s data: The 2022 Bill defines a ‘child’ as a person below 18 years of age.[lxx] Data fiduciaries must obtain parental consent to process children’s data, and cannot track children or target advertisements at them.[lxxi] However, the central government can prescribe exemptions to these prohibitions.[lxxii] In the previous versions, data fiduciaries processing children’s data were deemed to be SDFs – this is no longer the case.[lxxiii] Despite criticism from civil society bodies and the industry, the 2022 Bill retains the age of consent at 18 years.[lxxiv] Stakeholders had called for reducing the age of consent to protect the agency and privacy of teenagers and adolescents on the internet.[lxxv]
13. Rule-making powers of the government: The central government can frame rules on various issues – like fair and reasonable purposes for processing personal data without consent,[lxxvi] the form and manner of reporting data breaches,[lxxvii] and the composition, qualifications and selection of members of the DPB.[lxxviii] The JPC Bill and the 2019 Bill allowed the proposed data protection authority to frame regulations – these powers have now been given entirely to the government. The 2022 Bill also does not mandate stakeholder consultation for rules framed by the government – despite experts’ recommendations that the government’s broad rule-making powers should be subject to a consultative process.[lxxix]
14. Exemptions: The government may exempt state agencies from the application of the 2022 Bill in the interest of the sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order or preventing incitement to a cognizable offence related to these.[lxxx] The 2022 Bill also exempts processing if the data is not used to make decisions specific to a data principal.[lxxxi] The central government can exempt certain classes or types of data fiduciaries from obligations in the 2022 Bill.[lxxxii] Processing for a few purposes like enforcing a right or claim, performance of judicial functions, preventing contravention of laws, and others is exempted.[lxxxiii] The government’s power to exempt state agencies and exercise discretion has been expanded. The JPC Bill required that any exemption for state agencies be subject to just, fair, reasonable and proportionate procedures[lxxxiv] – this requirement has been removed from the 2022 Bill. But, being a constitutional standard, it will continue to apply to State action. The exemption for processing personal data of foreign data principals has also been clarified to apply to all entities processing such data[lxxxv] – while under the JPC Bill, the government could grant this exemption on a case-by-case basis.
15. Overriding effect of the 2022 Bill: The 2022 Bill, if enacted, will have an overriding effect over other laws in case of conflicting provisions. It will otherwise apply in addition to existing sectoral laws / regulations on data governance. In other words, the 2022 Bill will only supersede existing sectoral laws / regulations on data governance in sectors like banking and finance, health, and others where there are conflicting requirements.
16. Implementation: The government has not specified implementation timelines for the 2022 Bill. The government may assign different commencement dates for various provisions.[lxxxvi]
B. Next steps: The 2022 Bill is open for public comments till 17 December 2022.[lxxxvii] The government may then analyse stakeholder feedback and incorporate any changes. As per recent reports, the 2022 Bill may be tabled in the Parliament’s budget session (tentatively February-March 2023).[lxxxviii]
[i] See, https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Protection%20Bill%2C%202022.pdf.
[iii] Clause 4(1), Digital Personal Data Protection Bill 2022 (2022 Bill), https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Protection%20Bill%2C%202022.pdf.
[iv] Clause 4(2), 2022 Bill.
[v] Clause 4(3), 2022 Bill.
[vi] Paragraph 2.15, Report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 (JPC Report), http://184.108.40.206/lsscommittee/Joint%20Committee%20on%20the%20Personal%20Data%20Protection%20Bill,%202019/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf.
[vii] See, https://economictimes.indiatimes.com/tech/technology/experts-call-for-defining-non-personal-data-before-making-laws-on-it/articleshow/92835164.cms?from=mdr.
[viii] See, https://cis-india.org/accessibility/blog/cis-general-comments-to-the-pdp-bill-2019, page 5, para 11.
[ix] See, https://cis-india.org/accessibility/blog/cis-comments-pdp-bill-2019, page 28.
[x] Clause 7, 2022 Bill.
[xi] Clause 7, 2022 Bill.
[xii] Clause 7, 2022 Bill.
[xiii] Clause 6, 2022 Bill.
[xiv] Clause 7(4), 2022 Bill.
[xv] Clause 7(5), 2022 Bill.
[xvi] Clause 3(1), 2022 Bill.
[xix] Clause 8, 2022 Bill.
[xx] Clause 8(8), 2022 Bill.
[xxi] Clause 8(9), 2022 Bill.
[xxii] See, https://www.bsa.org/files/policy-filings/02252020indpdp.pdf, page 13.
[xxiii] See for example, Broadband India Forum’s submission on the draft Personal Data Protection Bill 2018, page 25, https://www.medianama.com/wp-content/uploads/Broadband-India-Forum-Submission-India-Draft-Data-Protection-Bill-Privacy-2018.pdf. See also, https://blog.mozilla.org/netpolicy/files/2020/06/India-Joint-Parliamentary-Committee-Submission-Data-Protection-Bill-2019-25.02.2020.pdf, page 10.
[xxiv] Clause 14, JPC Bill and Clause 14, Personal Data Protection Bill, 2019 (2019 Bill).
[xxv] Clause 17, 2022 Bill.
[xxvi] Clause 17, 2022 Bill.
[xxvii] Clause 9(5), 2022 Bill.
[xxviii] Clause 2(13), 2022 Bill.
[xxix] Paragraph 2, Schedule 1, 2022 Bill.
[xxx] Clause 25, Data Protection Bill 2021, recommended by the JPC (JPC Bill).
[xxxi] See, https://www.bsa.org/files/policy-filings/02252020indpdp.pdf, page 22.
[xxxii] See, https://www.bsa.org/files/policy-filings/02252020indpdp.pdf, page 22.
[xxxiii] Clause 11(1), 2022 Bill.
[xxxiv] Clause 11(2), 2022 Bill.
[xxxv] Clause 11(2), 2022 Bill.
[xxxvi] See Clause 26(1)(f), JPC Bill.
[xxxvii] Clause 27, JPC Bill and Clause 27, 2019 Bill.
[xxxviii] Clause 9(2), 2022 Bill.
[xxxix] Clause 9(6), 2022 Bill.
[xl] Clause 14, 2022 Bill.
[xli] Clause 9(7), 2022 Bill.
[xlii] Clause 9(1), 2022 Bill.
[xliii] Clause 9(4), 2022 Bill.
[xliv] Clause 9(5), 2022 Bill.
[xlv] Clause 9(9), 2022 Bill.
[xlvi] Clause 9(9), 2022 Bill.
[xlvii] See, https://www.bsa.org/files/policy-filings/02252020indpdp.pdf, page 11.
[xlviii] Clause 19, 21, 2022 Bill.
[xlix] Clause 19(1), 2022 Bill.
[l] Clause 19(2)-19(5), 2022 Bill.
[li] Clause 20, 2022 Bill.
[lii] Clause 21(6)-21(9), 2022 Bill.
[liii] Clause 21(8), 2022 Bill.
[liv] Clause 24, 2022 Bill.
[lv] Chapter IX, JPC Bill and 2019 Bill.
[lvi] Clause 42, JPC Bill.
[lvii] Clause 19, 20, 2022 Bill.
[lviii] Page 7, paragraph 23, Explanatory Note to the 2022 Bill, https://www.meity.gov.in/writereaddata/files/Explanatory%20Note-%20The%20Digital%20Personal%20Data%20Protection%20Bill%2C%202022.pdf.
[lix] Clause 25(1), 2022 Bill.
[lx] Para 1, Schedule 1, 2022 Bill.
[lxi] Clause 27(1), 2022 Bill.
[lxii] Paragraph 2.215, JPC Report.
[lxiii] See, https://telecom.economictimes.indiatimes.com/news/data-protection-draft-being-tightened-may-reach-house-next-year/94655353.
[lxiv] Clause 12, 2022 Bill.
[lxv] Clause 13, 2022 Bill.
[lxvi] Clause 15, 2022 Bill.
[lxvii] Clause 14, 2022 Bill.
[lxviii] Clause 19, JPC Bill and Clause 19, 2019 Bill.
[lxix] Clause 16, 2022 Bill.
[lxx] Clause 2(3), 2022 Bill.
[lxxi] Clause 10(1) and 10(3), 2022 Bill.
[lxxii] Clause 10(4), 2022 Bill.
[lxxiii] Clause 26(1)(g), 2022 Bill.
[lxxiv] See, https://www.medianama.com/2022/02/223-consequences-data-protection-bill-children-digital-privacy/#:~:text=Age%20of%20a%20’child’&text=Under%20the%20DPA%2C%20any%20person,have%20the%20capacity%20to%20consent.
[lxxvi] Clause 8(9), 2022 Bill.
[lxxvii] Clause 9(5), 2022 Bill.
[lxxviii] Clause 19, 2022 Bill.
[lxxix] See, https://carnegieendowment.org/files/Burman_Data_Privacy.pdf, page 31.
[lxxx] Clause 18(2)(a), 2022 Bill.
[lxxxi] Clause 18(2)(b), 2022 Bill.
[lxxxii] Clause 18(3), 2022 Bill.
[lxxxiii] Clause 18(1)(a), 2022 Bill.
[lxxxiv] Explanation (iii), Clause 35, JPC Bill.
[lxxxv] Clause 18(1)(d), 2022 Bill.
[lxxxvi] Clause 1, 2022 Bill.