The Digital Personal Data Protection Bill, 2022 (the “Bill”) has been proposed by the Ministry of Electronics and Information Technology on November 18, 2022 for public consultation. This was released pursuant to the Joint Parliamentary Committee’s Data Protection Bill, 2021 (“2021 Draft”) and a series of drafts following the judgment of the Supreme Court in Justice K.S. Puttaswamy (Retd) v. Union of India.
The Bill is applicable to all Data Fiduciaries and Processors who process digital personal data within India, where such personal data is either collected from Data Principals online or collected offline and subsequently digitized. It also applies to the processing of personal data outside India in connection with the offering of goods or services to Data Principals in India or the profiling of Data Principals in India. As the Bill is set to take center stage in public consultations amid reports of it being introduced in the upcoming budget session of Parliament, our key takeaways from the Bill (both positive and negative) are presented below:
- (+) Reduced Compliance Burden
The Bill proposes a simplified framework that reduces the compliance burden on Data Fiduciaries and Processors operating in the technology and digital space in India. Many obligations of the 2021 Draft, such as the extensive consent requirements (and their management), accountability measures, notice requirements, a privacy-by-design policy and maintenance of records, have been dropped or reduced under the Bill, thereby limiting compliance requirements to the extent required to safeguard user rights.
- (+) No requirement for mandatory local storage
Unlike its 2021 counterpart, the Bill does not subcategorize personal data and does not mandatorily require Data Fiduciaries to store any data within India, even when such data is transferred outside India on legally valid grounds. This relaxation may be particularly helpful for entities operating outside India, who may otherwise be required to operate servers in India to host or mirror data.
- (+) Wider Grounds for Processing
The Bill enables wider grounds for processing personal data by introducing the concept of deemed consent, and thereby makes the processing of personal data more accessible, especially for certain sectors such as customer-facing service providers.
- (+) No applicability to non-personal data
The Bill is not applicable to non-personal data, i.e. data which does not identify an individual, and applies only to digital personal data. This keeps training datasets used for artificial intelligence, machine learning and other innovative technologies outside the purview of the Bill, provided they do not contain personal data.
- (+) Alternative Dispute Resolution for Complaint Resolution
The Bill enables the Data Protection Board to determine that a complaint may be better resolved by mediation or another process of alternative dispute resolution, and proposes a process for referring such complaints to mediation or such other methods. This is a positive step in promoting alternative dispute settlement methods in data protection disputes.
- (+) Precise definitional ambit of personal data
The Bill narrows the definitional ambit of personal data to data about an individual who is identifiable by or in relation to such data. Earlier drafts had also treated inferences drawn from data for the purpose of profiling as personal data.
- (+/-) Additional obligations of Significant Data Fiduciary
The Bill provides for an additional set of obligations governing significant data fiduciaries. These include:
- Appointing a DPO who would be responsible to the Board of Directors;
- Appointing an Independent Data Auditor responsible for evaluating and ensuring compliance with the provisions of the Bill; and
- Undertaking certain additional measures, such as a Data Impact Assessment. Although the details of these measures are not present in the Bill, they would be prescribed in future regulations.
- (-) Not facilitative of International Data Transfers
The Bill is ambiguous with respect to international data transfers through arrangements such as intra-group schemes, standard contracts or the like. Instead, transfers of personal data outside India are permitted only on the basis of the adequacy of certain territories as notified by the Central Government, with very limited exceptions. Such an approach may not be consistently reliable.
- (-) Substantial Penalties
The Bill proposes substantial penalties for non-compliance, while taking a step forward in eliminating offences linked to imprisonment. While the maximum penalty under the 2021 Draft was capped at Rs. 15 crores (~USD 1.8 million), the limit under the Bill has been increased to Rs. 500 crores (~USD 61 million).
- (-) Ambiguity around various provisions
The Bill retains ambiguity around various provisions which have been left to be prescribed by rules or regulations, such as notice requirements, fair and reasonable purposes for deemed consent, compliance requirements for significant data fiduciaries, the criteria for notifying adequate territories for cross-border transfers, and the terms and conditions for cross-border transfers.
Way forward for the Data Bill
The Digital Personal Data Protection Bill is a step in the right direction in providing much-needed simplicity to the proposed data protection framework in India. However, certain aspects of the Bill may have to be revisited and reimagined in the context of the evolving digital paradigm. As transactions and data flow faster than ever before, the Bill may have to accommodate faster international data flows by enabling contractual and intra-group tools for such transfers.