Ever since the right to privacy was recognised as a fundamental right by the Supreme Court in 2017, the legislature has sought to develop a comprehensive data protection framework for India. The need for an expedited introduction of such a law was propelled to the forefront with the controversy and legal proceedings surrounding WhatsApp’s revised policy which allowed it to share close personal information of its users with third parties including Facebook and its group companies.
In view of the same, on August 03, 2023, the Digital Personal Data Protection Bill (“DPDP Bill”), which primarily focuses on the protection of personal data, was introduced by the Minister of Railways, Communications, and Electronics and Information Technology, before the Lok Sabha. If both Houses pass the DPDP Bill 2023 in its current form, it will be sent to the President of India for approval, after which by publication in the Official Gazette, it will become the “Digital Personal Data Protection Act, 2023”.
The DPDP Bill is the Indian Government’s second attempt at drafting legislation related to data protection and privacy expanding to the existing data protection regime in India, i.e., Section 43A of the Information Technology Act, 2000 read with the 2011 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules. It is also pertinent to highlight that it is the first ever Bill wherein ‘she & her’ have been used to refer to an individual’s right which is in line with the Government’s philosophy of empowering women. Some of the key features of the Bill have been elaborated upon below:
Key stakeholders as defined under Section 2 of the Bill who would work in tandem in the protection of personal data, would include:
- Data Protection Board – The governing body to be formed by the Central Government for the purposes of the Act.
- Data Fiduciary – Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
- Data Principal – The individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child. The newest iteration of the bill has also introduced lawful guardians of persons with disabilities within this definition.
- Data Processor – Any person who processes personal data on behalf of a Data
- Data Protection Officer – An individual appointed as such by a Significant Data Fiduciary under the provisions of the Act.
- Significant Data Fiduciary: A Data Fiduciary has been notified by the Central Government after considering factors such as the volume of personal data processed, risk to electoral democracy, security of the State, public order, etc.
Scope and Application
The proposed bill applies to the processing of digital personal data within India when it is collected from Data Principals online; and if such personal data is collected offline if it is digitized. Processing of digital personal data outside the territory of India is also covered under the Bill, provided such processing is in connection with the activity of offering goods or services, or for profiling of Data Principals within India, thus including foreign entities within its scope. It keeps personal data processed by an individual for any personal or domestic purpose and personal data that is made or caused to be made publicly available by the Data
Principal herself or any other person who is under an obligation under any law to make such personal data publicly available, outside of its purview.
Grounds for Processing Digital Personal Data:
Data fiduciaries will be permitted to process personal data for any lawful purpose (i.e., a purpose that is not expressly prohibited by law) provided consent has been obtained from the Data Principal or for ‘certain legitimate uses’.
Conditions for Data Processing by Data Fiduciaries:
Prior to or at the time of seeking consent, the Data Fiduciary must provide the Data Principal with a notice that specifies the personal data to be processed and the purpose for which it will be used. The notice should also explain how the Data Principal can exercise their right to withdraw consent and how they can file a complaint with the Data Protection Board. Processing of personal data by the Data Fiduciary is only allowed if the Data Principal provides consent, which must be freely given, specific, informed, and clearly indicated through affirmative action, expressing their intention to allow the processing of their personal data for the purpose stated in the notice.
For consent obtained before the commencement of the DPDP Bill 2023, a similar notice should be provided to the Data Principal as soon as ‘reasonably practicable’. However, the DPDP Bill 2023 clarifies that until the Data Principal withdraws her consent, it can continue to be processed by the Data Fiduciary. Replacing the terminology of ‘deemed consent’ as was present in the previous 2022 iteration of the Bill, the concept of ‘certain legitimate uses’ has been introduced which allows the Data Fiduciary to process personal data without the Data Principal giving express consent, in some specific instances such as for specified purposes for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data; where the State and any of its instrumentalities require the personal data to provide or issue to the Data Principal a subsidy, benefit, service, certificate etc., for the performance by the State or any of its instrumentalities of any function under any law or in the interest of sovereignty and integrity of India or security of the State etc.
Data Fiduciary primarily responsible for compliance under the DPDP Bill
Certain duties are mandated for Data Fiduciaries to protect the security of personal data, irrespective of any contract to the contrary or any action taken by the Data Principal, which includes:
- complying with the provisions of the Act;
- appointing a Data Processor on its behalf for any activity related to the offering of goods or services to Data Principals only under a valid contract;
- making reasonable efforts to process accurate, complete and consistent personal data;
- implementing appropriate technical and organizational measures to ensure effective observance of the provisions of this Act;
- keeping security safeguards in place to avoid breach of personal data (which also include any unauthorised processing of personal data or accidental disclosure);
- notifying instances of data breaches to the regulatory body, the Data Protection Board of India and the affected Data Principal.
Another important obligation is to make sure to erase personal data when it’s no longer needed for legal compliance or the specified purpose. This should happen either when the Data
Principal withdraws consent or when it’s reasonable to assume that the purpose is fulfilled, whichever comes first. The Data Fiduciary must also ensure that its Data Processor erases any personal data provided for processing.
Data of Children and Persons with Disabilities
Under the Bill, an individual under the age of 18 years is a “child”. Data Fiduciaries, before processing any personal data of a child, are required to obtain verifiable consent from the parent or lawful guardian of the child. They are also restricted from undertaking any such processing of personal data which is likely to cause detrimental effects on the well-being of a child or undertaking tracking or behavioural monitoring of children or targeted advertising directed at children.
However, if the Central Government is satisfied that a Data Fiduciary is processing children’s personal data in a ‘verifiably safe’ manner, it may notify the age from which such classes of Data Fiduciaries are exempt from the obligations on verifiable consent and tracking/monitoring/targeted advertising, subject to any conditions that it may prescribe. Additionally, the Bill also includes the protection of any personal data of disabled persons, as verifiable consent must be obtained from their lawful guardian.
Obligations for Significant Data Fiduciaries (“SDF”)
SDFs would be a special category of Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government based on some relevant factors, who would have additional obligations such as carrying out periodic audits; undertaking data protection impact assessments; and appointing an independent data auditor and a Data Protection Officer. This Data Protection Officer would represent the Significant Data Fiduciary, be responsible to their Board of Directors/governing body and would be the point of contact for the grievance redressal mechanism set up for the Data Principal.
Certain rights and duties of Data Principals
Data Principals are ensured some rights such as the right to Information, right to correction and erasure of personal data, right of grievance redressal, right to nominate etc. Furthermore, the right to identity of the Data Fiduciaries and Data Processors and other rights as under Section 12(1)(b) and (c) would not be applicable if the information is collected for prevention/detection/investigation/prosecution of cyber offences. To prevent the abuse of their rights, the DPDP Bill also specifies duties for Data Principals such as not concealing relevant information, providing incorrect information, making false and frivolous complaints etc. as well as not impersonating another person when providing their personal data.
A Consent Manager would be a person registered with the Board, who would act as a single point of contact to enable a Data Principal to give, manage, review, and withdraw her consent through an “accessible, transparent and interoperable platform”. The Consent Manager would be accountable to the Data Principal and shall act on her behalf.
Data Protection Board
The Bill establishes the Data Protection Board of India comprising a Chairman and as many other members as may be prescribed, which would be a specialised tribunal with the authority to check non-compliances and impose penalties, in situations such as:
- an intimation of a personal data breach;
- a complaint made by a Data Principal in respect of a personal data breach or a breach in observance by a Data Fiduciary of its obligations in relation to her personal data or her rights, or on a reference made to it by the Central Government or a State Government, or in compliance of the directions of any court;
- on the basis of a complaint made by a Data Principal in respect of a breach in observance by a Consent Manager;
- on receipt of an intimation of breach of any condition of registration of a Consent Manager;
- on a reference made by the Central Government in respect of the breach in observance of the provisions of sub-section (2) of section 36 by an intermediary.
Every order made by the Board will be enforceable just like a civil court decree. Persons who are aggrieved by any orders/directions passed by the Board would be able to file an appeal against the same before the Telecom Disputes Settlement and Appellate Tribunal, and thereafter to the Supreme Court.
Broad powers with the Central Government
Section 36 grants the Central Government the authority to direct the Data Protection Board and any Data Fiduciary to provide information as required. The Central Government has the power to issue notifications, establish rules, and order blocking of access of Data Fiduciaries to any public information of Government agencies or intermediaries when it is in the public interest. This blocking order would prevent a Data Fiduciary from offering goods or services to Data Principals within India, following a reference from the Board.
Cross-border personal data transfer
The Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such notified country or territory outside India. The Bill also clarifies that any other law for the time being in force in India that provides for a higher degree of protection for or restriction on the transfer of personal data by a Data Fiduciary outside India in relation to any personal data or Data Fiduciary will continue to apply.
The Bill imposes penalties for various non-compliances by Data Fiduciaries. Failure to implement reasonable security safeguards leading to a personal data breach can result in a penalty of up to 250 Crores. Not notifying the Board and affected Data Principals about a breach and not fulfilling additional obligations concerning Children may incur a penalty of up to 200 Crores. Additionally, non-compliance with the obligations of Significant Data Fiduciaries may lead to a penalty of up to 150 Crores. Penalty up to Rs 10 thousand can be imposed upon Data Principals in breach of their duties under Section 15.
Penalties are also applicable for breaching any term of a voluntary undertaking accepted by the Board under Section 32. Furthermore, a penalty of up to 50 Crores may be imposed for any other breach of the provisions of this Act or the rules established under it.
The Central Government has the authority to exempt certain situations from the application of the rights, duties, and compliance requirements enumerated for Data Fiduciaries under the Bill. These exemptions can be for enforcing legal rights, performing judicial or regulatory functions, facilitating business arrangements, or protecting national interests and security etc.
Furthermore, the Bill provides that exemptions from the provisions of the Act may also be granted to instrumentalities of the State as notified by the Central Government for reasons such as security of the State, friendly relations with foreign States, maintenance of public order, or for research, archiving, and statistical purposes as specified by the Central Government. Additionally, certain Data Fiduciaries, including startups, may be exempted from fulfilling the mentioned rights and duties. Furthermore, within five years from the commencement of the Act, the Central Government can issue notifications declaring that specific provisions of the Act will not apply to certain Data Fiduciaries for a specified period.
Based on the above, the DPDP Bill seeks to create a robust data protection framework, focusing on safeguarding personal data, respecting individual rights, and holding Data Fiduciaries accountable for their handling of personal information.
Authors – Manisha Singh & Omesh Puri