Understanding India’s Digital Personal Data Protection Bill 2022

Over the last decade the internet has grown from a means of connecting computers into a platform that puts an unquantifiable amount of raw data and information at our fingertips. The fact that such enormous amounts and varying types of data are uploaded to cloud services that could easily be hacked raises serious concerns about digital data protection, especially since users appear to have little control over the information they share. In an effort to improve data protection, governments across the world have been enacting data protection legislation, such as the GDPR in the European Union. In India, the government came out with the Digital Data Protection Bill in 2018. Later, in November 2022, MeitY published a revamped version of the proposed Data Protection Bill, titled the Digital Personal Data Protection Bill 2022. The purpose of this draft Bill is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected with or incidental to it.

Important definitions in the Digital Personal Data Protection Bill 2022

The 2022 Bill defines personal data as “any data about an individual who is identifiable by or in relation to such data”[1]. The definition as it currently stands appears to bring all kinds of Personal Data or information within the ambit of data protection, irrespective of whether such data is by itself able to identify a person. Even information derived from Personal Data (which leads to profiling) will now qualify as Personal Data. Although the definition of personal data is worded in language similar to the GDPR, the current definition of “Personal Information” under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”)[2] is more in line with the cohesive definition of personal data under the GDPR. The GDPR defines personal data as “any information relating to an identified or identifiable natural person”. It further clarifies that “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. It is still unclear whether a later version of the 2022 Bill will include a qualifying definition like that in the GDPR to give more clarity on what constitutes personal data.

Additionally, in line with its earlier iterations, the Bill introduces the concepts of a “Data Fiduciary” and a “Data Principal”, casting an added duty of care on organisations that deal with and are entrusted with Personal Data. A third term, Data Processor, is used to place further emphasis on the processing of data and/or the means of processing it. Although these are novel concepts, it is pertinent to note that the burden of responsibility does not shift dramatically compared with the SPDI Rules, which place it on a body corporate[3] regardless of whether the body corporate processes the data itself or merely has the means to do so.

Critical concepts under the Digital Personal Data Protection Bill 2022

Notice and Consent

The Bill prescribes that a Data Fiduciary seeking to collect data from a Data Principal must first provide the Data Principal with an itemised notice, along with the purpose for which the data is being collected. The intended meaning of the term ‘itemised notice’ is ambiguous: it is unclear whether it refers to a notice for every data item or to a comprehensive notice similar to the one mandated by the GDPR. The GDPR, like the Bill, mandates disclosure of the purpose of data collection and the contact information of a Data Protection Officer. However, it goes beyond the Bill’s requirements by also requiring disclosure of a legal basis for processing, over and above the purpose of the data collection, along with the legitimate interests pursued by the controller or a third party; the recipients of the data, if any; references to safeguards taken where data is anticipated to be transferred across countries; a definite period or criterion to determine how long the data will be stored; and more. In comparison, the GDPR imposes a more comprehensive set of obligations on corporations than the Bill currently requires. However, it is possible that these details may be added later, since the Bill allows such details to be provided through Rules.

Additionally, the Data Fiduciary must obtain free, specific and unambiguous consent before collecting data from the Data Principal. Here, it is pertinent to note that consent which is inconsistent with the provisions of the 2022 Bill will be deemed invalid. Further, the Data Fiduciary has to ensure that, besides mentioning the details of the Data Protection Officer, the request for consent is in English or any language specified in the Eighth Schedule to the Constitution of India. This contrasts with the SPDI Rules, where the only requirement for processing Sensitive Personal Data was written consent. In this context it is interesting to note that the 2021 Data Protection Bill required consent to be clear, specific, withdrawable and, most importantly, freely given as per the definition under the Indian Contract Act, which may be a high threshold to cross. Although the requirements for proper consent have been reduced in comparison with the earlier iteration, it is clear that the fiduciary obligations of any organisation dealing with personal data will increase significantly under the proposed law. This is especially true for organisations collecting terabytes of data in digital form on a daily basis. It will be crucial to recalibrate internal data processing mechanisms to match what may be required once the Bill becomes law.

Deemed Consent

The 2022 Bill proposes a concept of deemed consent, similar to the GDPR, under which a Data Fiduciary is allowed to process personal data without seeking consent from the Data Principal if such processing is necessary and one or more of the following conditions stipulated under the Bill are met[4]:

  • the Data Principal voluntarily provides her personal data to the Data Fiduciary and it is reasonably expected that she would provide such personal data

  • for compliance with any judgment or order issued under any law

  • for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual

  • for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health

  • for taking measures to ensure safety of, or provide assistance or services to any individual during any disaster, or any breakdown of public order

  • for the purposes related to employment.

There is room for further clarity regarding the extent to which Data Fiduciaries may use data for which deemed consent applies, since the details mentioned in earlier iterations such as the 2021 Data Protection Bill have been removed.

Obligations related to Children’s data

While the SPDI Rules are silent on the processing of Personal Data of children, the 2022 Data Protection Bill places a few restrictions and checks on Data Fiduciaries. To start with, the proposed law categorises everyone below the age of 18 as a child, which in itself is a higher threshold than in most other countries. There is also a requirement to obtain verifiable parental consent, in such manner as may be prescribed, before processing the data of children, keeping in mind that such processing of Personal Data must not cause any harm to the child. Further, a Data Fiduciary is required to ensure that it does not use such data to engage in tracking or behavioural monitoring of children, or for targeted advertising directed at children. However, there is scope for clarity on how frequently such consent may need to be renewed. Curiously, unlike in the 2021 version, Data Fiduciaries offering child protection and counselling services will no longer be granted data protection relaxations under the 2022 Bill; it will be interesting to see whether the final legislation includes them or not.

Transfer of Personal Data

A key source of concern for businesses will arise with regard to data localisation. As under the GDPR, there is at present no restriction on transferring sensitive personal data to any other body corporate in any other country that ensures the same level of data protection. In contrast, the 2021 Data Protection Bill laid down separate restrictions for separate categories of data: Data Fiduciaries had to take explicit consent of the Data Principal to transfer sensitive personal data, while there was a complete prohibition on transferring critical personal data. The 2022 Bill takes a middle path by permitting cross-border transfers of data to “certain notified countries and territories” only. These countries and territories are proposed to be notified by the Central Government after an assessment of factors which have not been detailed in the current version of the Bill.

Retention of personal data

A Data Fiduciary must cease to retain personal data, or remove the means by which the personal data can be associated with particular Data Principals, as soon as it is reasonable to assume that the purpose for which such personal data was collected is no longer being served by its retention and/or retention is no longer necessary for legal or business purposes. This may require organisations to revisit their data retention policies and implement the changes needed to organise periodic review of user data, so as to align with the law once the 2022 Bill is notified. The GDPR mandates that personal data must be stored only for a limited period of time, or that there be clear criteria to determine when to stop storing it. Once the purpose for which the data was collected has been fulfilled, it should no longer be retained, which is a much higher threshold than the requirement under the Bill. It remains to be seen whether future versions of the Bill will raise the standard to align with the GDPR, or whether the current requirements will remain unchanged to provide some flexibility for corporations.

Data Breach

The 2022 Bill requires organisations to adopt reasonable safeguards to prevent personal data breaches. In case of such a breach, Data Fiduciaries are required to report it to the Data Protection Board of India and to all affected Data Principals. Failure to notify the Authority and the Data Principals in the event of a data breach may attract a penalty of up to Rs. 200 crore. This compliance obligation can prove cumbersome for organisations processing data of millions of Data Principals daily. At present, body corporates are required only to report data breaches under the CERT-In directions, within 6 hours of becoming aware of the incident. If the present version of the 2022 Bill comes into effect, all body corporates that are Data Fiduciaries will have the additional obligation to notify the Data Protection Board and each affected Data Principal of such a breach. This is critical for all Data Fiduciaries, as the penalty would increase from a mere Rs. 25,000 to Rs. 200 crore. Given that the GDPR also mandates notifying data subjects, organisations can proactively prepare for potential compliance challenges by observing how organisations under the GDPR are currently addressing this requirement.

Some other key concepts

There are many other key concepts that the Digital Data Protection Bill 2022 discusses, such as the Significant Data Fiduciary (“SDF”), for whom additional obligations have been identified. In addition, the 2022 Bill introduces new concepts such as Duties of Data Principals and additional rights such as the ‘right to nominate’. It is also pertinent to mention that certain key concepts such as data anonymisation and the right to be forgotten, found in the GDPR as well as in earlier iterations of the Bill, have been removed in the 2022 draft of the Data Protection Bill. Since the details of many of the key concepts have been reserved for rules and/or regulations that may be notified later, it is still unclear whether the concepts excluded for the time being will be incorporated at a subsequent stage.

Parting thoughts

The current Indian cyber regime has been failing to tackle the complexities of the huge influx of data generated by data principals in this day and age, so much so that the whole regulatory framework needed a change in approach. If this Bill comes into effect, organisations will have to go through significant shifts in the way they handle personal data in order to be compliant, especially since the Bill does away with the SPDI Rules by omitting Section 43A of the Information Technology Act, 2000, thereby removing the provision under which meeting certain standards acted as a safe harbour for organisations. Being held non-compliant under the Bill will prove costly for organisations, since the Bill proposes high penalties for each contravention. This is particularly noteworthy as the Bill lacks any specific guidance on what qualifies as compliance, in contrast to the GDPR’s detailed guidelines[5]. With cybercrime rates rising all over the world, and especially in India, the need to evaluate and put in place a firm structure for data protection is greater than ever.

Written by: Vidya Mukherjee

Co-Authored by: Kanishka Bose


Disclaimer

All material included in this blog is for informational purposes only and does not purport to be or constitute legal or other advice. This blog should not be used as a substitute for specific legal advice. Professional legal advice should be obtained before taking or refraining from an action as a result of the contents of this blog. We exclude any liability (including without limitation that for negligence or for any damages of any kind) for the content of this blog. The views and opinions expressed in this blog are those of the author/(s) alone and do not necessarily reflect the official position of Lexplosion Solutions. We make no representations, warranties or undertakings about any of the information, content or materials provided in this blog (including, without limitation, any as to quality, accuracy, completeness or reliability). All the contents of this blog, including the design, text, graphics, their selection and arrangement are the intellectual property of Lexplosion Solutions Private Limited and/or its licensors.

ALL RIGHTS RESERVED, and all moral rights are asserted and reserved.

[1] Digital Personal Data Protection Bill 2022.

[2] “Personal information” means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

[3] “Body Corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.

[4] Digital Personal Data Protection Bill 2022.

[5] For example, Article 32 specifies that taking measures such as pseudonymisation of data, maintaining confidentiality, ensuring timely restoration of access and availability, and other similar steps would be considered as meeting the requirement to have appropriate technical and organisational measures to ensure a certain level of security.
