In the current technology-driven era, data[1] is the oil that fuels innumerable activities of individuals and is the greatest weapon in the hands of any entity, individual or government body, especially the personal data[2] of an individual. The entire gamut of activities undertaken by an individual can be traced with a single click. As the significance and use of data have increased tremendously in the modern day, the pressing need for legislation to protect and safeguard such data and the privacy of the individual cannot be overstated.
The journey of drafting a legislative framework for the protection of personal data in India commenced in 2017, when the Srikrishna Committee was constituted with the dual object of reviewing the existing data protection norms in India and making appropriate recommendations for regulation. It has indeed been a long and arduous one, and the most recent development on this front is the tabling of the “Digital Personal Data Protection Bill, 2023” (“Bill”) in the Lok Sabha on 3rd August 2023.
Below summarised are the significant provisions of the newly drafted and presented Bill –
1. Applicability of the Bill
1.1. The Bill shall apply to the processing of digital personal data[3] within the territory of India where the personal data is collected (i) in digital form; or (ii) in non-digital form and digitised subsequently. The Bill also has extra-territorial jurisdiction and shall apply to the processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to the offering of goods or services to Data Principals[4] within the territory of India.
1.2. Notwithstanding anything contained herein, the Bill shall not apply to personal data processed by an individual for any personal or domestic purpose, or to personal data that is made or caused to be made publicly available by (i) the Data Principal to whom such personal data relates; or (ii) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available. In light of the same, any data uploaded by an individual on any social media platform shall not be protected under the provisions of the Bill.
2. Obligations of Data Fiduciary[5]
2.1. A Data Fiduciary may process personal data for a lawful purpose for which consent has been obtained.
2.2. Consent shall be deemed to have been obtained when accompanied or preceded by a notice informing the Data Principal of (i) the personal data being collected; (ii) the purpose of the processing; (iii) the manner in which the Data Principal may exercise her rights; and (iv) the manner in which a complaint may be made to the Board[6]. Where a Data Fiduciary received any such consent before the commencement of the Bill, it shall, as soon as reasonably practicable, give the Data Principal a notice informing her of the above. Provided, however, that the Data Fiduciary may continue to process the personal data unless the Data Principal withdraws her consent. Such notice may be presented in English or any other language specified in the 8th Schedule, as the Data Principal may choose, and shall include the details of a Data Protection Officer[7], or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercising her rights under the provisions of this Bill. The burden of proving that such a notice was given lies on the Data Fiduciary.
2.3. The consent obtained should be in a clear and plain language, free, specific, informed, unconditional and unambiguous with a clear affirmative action, and should signify an agreement to the processing of her personal data for the specified purpose and should be limited to such personal data as is necessary for such specified purpose.
2.4. Where a Data Fiduciary has obtained explicit consent for processing certain personal data that is not required for the specified purpose, processing shall, notwithstanding that express consent, still be limited to such personal data as is required for the specified purpose.
2.5. Any part of consent obtained which constitutes an infringement of the provisions of the Bill or the rules made thereunder or any applicable law shall be invalid to the extent of such infringement.
2.6. A Data Principal may withdraw consent for the processing of personal data at any time, and such withdrawal shall be possible with the same ease with which the consent was given. Further, if consent to process the personal data is withdrawn, the withdrawal shall not affect any activity undertaken before the consent was withdrawn; however, the Data Fiduciary may not provide any further services after the consent is withdrawn.
2.7. Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager[8] who shall be accountable to the Data Principal and shall act on her behalf. Such Consent Manager shall be registered with the Board and should fulfil the requisite technical, operational, financial and other conditions as may be prescribed.
2.8. A Data Fiduciary may process personal data of a Data Principal for any of the following uses, namely, (a) for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary; (b) for the State and any of its instrumentalities (i) to provide or issue such subsidy, benefit, service, certificate, licence or permit as may be prescribed; and (ii) for the performance of any function under applicable law or in the interest of the sovereignty and integrity of India or the security of the State; (c) for fulfilling any obligation under applicable law on any person to disclose any information to the State or any of its instrumentalities; (d) for compliance with any judgment, decree or order issued under applicable law, or any judgment or order relating to claims of a contractual or civil nature under applicable law outside India; (e) for responding to a medical emergency involving a threat to the life, or an immediate threat to the health, of the Data Principal or any other individual; (f) for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health; (g) for taking measures to ensure the safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order; and (h) for the purposes of employment, or those related to safeguarding the employer from loss or liability.
2.9. Data Fiduciary shall be responsible for the acts and omissions of the Data Processor[9].
2.10. In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal intimation of such breach.
2.11. Data Fiduciary shall, unless retention is necessary for compliance with any law, erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier.
2.12. A Data Fiduciary shall not undertake tracking or behavioral monitoring of children or targeted advertising directed at children.
2.13. Additionally, a Significant Data Fiduciary[10] shall (a) appoint a Data Protection Officer; (b) appoint an independent data auditor; and (c) undertake other measures, namely, (i) periodic Data Protection Impact Assessment, (ii) periodic audit; and (iii) such other measures, as may be prescribed.
3. Rights and Duties of Data Principal
3.1. Data Principal has the right to obtain from the Data Fiduciary, (a) a summary of personal data which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data; (b) the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and (c) any other information related to the personal data of such Data Principal and its processing. Provided however, the same shall not be applicable in the event of sharing of any personal data by the said Data Fiduciary with any other Data Fiduciary authorised by law to obtain such personal data, where such sharing is for the purpose of prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences.
3.2. Additionally, Data Principal shall have the right to correction, completion, updating and erasure of her personal data. A Data Fiduciary shall, upon receiving such a request (a) correct the inaccurate or misleading personal data; (b) complete the incomplete personal data; and (c) update the personal data.
3.3. Data Principal shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager. In the event the Data Principal is unsatisfied with the grievance redressal, she may approach the Board.
3.4. Data Principal shall have the right to nominate any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal.
3.5. Data Principal is required to perform the following duties, (a) comply with all applicable laws; (b) not to impersonate another person while providing her personal data; (c) not to suppress any material information while providing her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities; (d) not to register a false or frivolous grievance or complaint with a Data Fiduciary or the Board; and (e) to furnish only such information as is verifiably authentic, while exercising the right to correction or erasure.
4. Processing of Personal Data outside India
4.1. The Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified. Where any other legislation provides a higher degree of protection for, or restriction on, the transfer of personal data by a Data Fiduciary outside India, that legislation shall apply.
4.2. The provisions shall not apply where (a) the processing of personal data is necessary for enforcing any legal right or claim; (b) the processing of personal data is by any court or tribunal or any other body in India which is entrusted with the performance of any judicial or quasi-judicial or regulatory or supervisory function; (c) personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any applicable law; (d) personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India; (e) the processing is necessary for a scheme of compromise or arrangement or merger or amalgamation of two or more companies or a reconstruction by way of demerger or otherwise of a company, or transfer of undertaking of one or more company to another company, or involving division of one or more companies, approved by a court or tribunal or other authority competent to do so; and (f) the processing is for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution.
4.3. Provided however, the provisions shall not apply in respect of the processing of personal data (a) by such instrumentality of the State, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and (b) necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal.
4.4. The Central Government may, having regard to the volume and nature of personal data processed, notify certain Data Fiduciaries or class of Data Fiduciaries, including startups, as Data Fiduciaries to whom the provisions shall not apply.
4.5. The Central Government may, before expiry of 5 years from the date of commencement of this Bill, declare that any provision of this Bill shall not apply to such Data Fiduciary or classes of Data Fiduciaries for such period as may be specified in the notification.
5. Data Protection Board of India
A Data Protection Board of India shall be established by the Central Government, which shall inquire into any personal data breach brought to its attention and impose penalties accordingly.
6. Appeal and Alternate Dispute Resolution
6.1. Any person aggrieved by an order or direction made by the Board may prefer an appeal before the Appellate Tribunal within a period of 60 days from the date of receipt of the order or direction of the Board. The appeal is to be disposed of within 6 months.
6.2. If the Board is of the opinion that any complaint may be resolved by mediation, it may direct the parties concerned to attempt resolution of the dispute through such mediation by such mediator as the parties may mutually agree upon.
7. Penalties
The Bill proposes a maximum penalty of Rs 250 crore and a minimum of Rs 50 crore on entities violating the norms. The penalty for each contravention is stated below –

| No. | Contravention | Penalty |
|---|---|---|
| 1. | Breach in observing the obligation of a Data Fiduciary to take reasonable security safeguards to prevent a personal data breach. | May extend to INR 250 crores. |
| 2. | Breach in observing the obligation to give the Board or the affected Data Principal notice of a personal data breach. | May extend to INR 200 crores. |
| 3. | Breach in observance of additional obligations in relation to children. | May extend to INR 200 crores. |
| 4. | Breach in observance of additional obligations of a Significant Data Fiduciary. | May extend to INR 150 crores. |
| 5. | Breach in observance of the duties of a Data Principal. | May extend to INR 10,000/- |
| 6. | Breach of any term of a voluntary undertaking accepted by the Board. | Up to the extent of proceedings. |
| 7. | Breach of any other provision of this Act or the rules made thereunder. | May extend to INR 150 crores. |
Upon our review of the Bill, we observe that certain provisions, such as the appointment of a Data Protection Officer, the provisions relating to the processing of data of a child, and the right to correction, completion, updating and erasure of the personal data of a Data Principal, are a replication of the provisions contained in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
However, the concept of deemed consent, which was part of the Digital Personal Data Protection Bill, 2022, has been done away with.
Additionally, provisions such as the non-applicability of the Bill to personal data processed by an individual for any personal or domestic purpose or made publicly available by the Data Principal, the instances in which personal data may be processed outside India, and the levying of hefty sums as penalties for non-compliance with the Bill are peculiar to this Bill.
The Bill is a founding stone for data protection law in India and once implemented, we foresee that the same shall undergo certain changes in light of the practical difficulties that may arise. The Bill has been passed by the Lok Sabha on 7th August 2023 and shall now be tabled before the Rajya Sabha.
[1] Section 2(h) of the Bill defines “data” as a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.
[2] Section 2(t) of the Bill defines “personal data” as any data about an individual who is identifiable by or in relation to such data.
[3] Section 2(n) of the Bill defines “digital personal data” as personal data in digital form.
[4] Section 2(j) of the Bill defines “Data Principal” as an individual to whom the personal data relates and where such individual is (i) a child, includes the parents or lawful guardian of such a child; or (ii) a person with disability, includes her lawful guardian, acting on her behalf.
[5] Section 2(i) of the Bill defines “Data Fiduciary” as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
[6] Section 2(c) of the Bill defines “Board” as the Data Protection Board of India established by the Central Government under Section 18 of the Bill.
[7] Section 2(l) of the Bill defines “Data Protection Officer” as an individual appointed by the Significant Data Fiduciary under clause (a) of sub-section (2) of section 10.
[8] Section 2(g) of the Bill defines “Consent Manager” as a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.
[9] Section 2(k) of the Bill defines “Data Processor” as any person who processes personal data on behalf of a Data Fiduciary.
[10] Section 2(z) of the Bill defines “Significant Data Fiduciary” as any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under section 10.