Data Protection in India is set to undergo a transformative change as the Parliament’s Monsoon Session commenced on 20-7-2023. The Digital Personal Data Protection Bill, 2022[1] (2022 Bill), which had been released for public comments on 18-11-2022, is reported to undergo certain modifications (2023 Draft) prior to being introduced. While the 2023 Draft has not yet been released, it has been listed in the expected Government Business[2] and is expected to be tabled in the Parliament.
Revisiting the 2022 Bill
The 2022 Bill is proposed to apply to the processing of digital personal data of individuals to whom such data relates (data principals) within India collected online and offline (if digitised) and extends to processing outside India in connection with profiling of or offering of goods or services to data principals in India[3]. Therefore, entities outside India which offer goods or services to data principals (targeting) or profile individuals in India are likely to be subject to the Bill’s provisions.
The 2022 Bill permitted processing of personal data based on consent[4] or deemed consent[5] for a lawful purpose only, in accordance with its provisions. Entities which determined purpose and means of processing (i.e., “data fiduciaries”) would be primarily responsible for data processing[6], while limited obligations would apply to entities which process on behalf of such data fiduciaries (data processors). Some of these key obligations include:
(a) providing appropriate notice[7] to data principals containing purpose and categories of personal data prior to collection of personal data;
(b) obtaining freely given, specific and informed consent[8] for specified purposes;
(c) ensuring accuracy and completeness of personal data, especially if decisions may be made based on the same or if such data is proposed to be shared with third-parties;
(d) implementing technical and organisational measures[9] and protecting personal data from breach by taking reasonable security safeguards[10];
(e) ceasing to retain information after purpose of collection is fulfilled unless required to be retained for legal or business purposes;
(f) publishing details of the grievance officer and implementing a grievance redressal mechanism for addressing concerns and grievances of data principals;
(g) engaging data processors or disclosing personal data to third parties only under a valid contract with the data fiduciary;
(h) complying with additional obligations applicable to processing of children’s personal data[11] and obligations applicable to significant data fiduciaries[12]; and
(i) complying with restrictions applicable to cross-border transfer of personal data[13].
Changes proposed to the 2022 Bill
Pursuant to public consultation, certain changes have been proposed to the 2022 Draft. While the 2023 Draft itself has not been made publicly available, some of the key changes which have been reported include:
(a) Cross-border transfer of personal data.— Under the 2022 Bill, data fiduciaries were restricted from transferring personal data of data principals, except to such territories or countries as have been notified by the Central Government[14]. In stark contrast, the 2023 Draft is reported[15] to have permitted cross-border transfer of personal data by data fiduciaries to all countries or territories, except those which have been notified by the Central Government.
This change is significant as it facilitates the free flow of personal data across borders, further supporting digital trade in goods and services by adopting a “restricted” list, instead of a permitted one. While the countries to which transfers are restricted are yet to be seen, it may be anticipated that this provision may enable the Government to recognise certain jurisdictions, for example where free-trade agreements which provide for free flow of data are concluded, such as the proposed UK-India agreement.
(b) Processing of children’s personal data.— The 2022 Bill contemplates additional restrictions or obligations for processing of personal data of children [i.e., individuals below 18 (eighteen) years of age] such as obtaining verifiable parental consent, restriction on undertaking processing likely to cause harm, restriction on undertaking tracking, behavioural monitoring or targeted advertising. On the other hand, the 2023 Draft reportedly[16] proposes that children [i.e., individuals below 18 (eighteen) years or a lower age which may be prescribed] may provide personal data, and that certain platforms which have been determined “verifiably safe” may be exempt from the requirement to obtain parental consent.
While it is reported that such “verifiably safe” platforms may be notified by the Ministry of Electronics and Information Technology or the Ministry of Women and Child Development, the criteria for evaluation and notification of such platforms would need further clarity. This may bring comfort to entities in healthcare, edtech and other sectors which are more likely to process children’s data.
(c) Notice and grounds for processing.— While the 2022 Bill imposed certain notice requirements[17], i.e., to provide a description of personal data and purposes for processing, the 2023 Draft reportedly[18] requires disclosure of processing operations, storage locations and possible implications or harm to data principals. Further, it is also speculated that legitimate business interests may be considered as a ground for processing.
While the inclusion of legitimate business interests as a ground for processing is a welcome step, it must be supplemented with appropriate notices to data principals of such collection and processing. Separately, it may have to be assessed on a case-by-case basis if disclosure of extensive information about processing operations, storage locations and other information may lead to consent fatigue.
(d) Exemptions to startups.— While the 2022 Bill enables the Government to exempt[19] certain data fiduciaries from certain obligations relating to notice, accuracy and completeness of personal data, storage limitation, additional obligations of processing children’s personal data and additional obligations of data fiduciaries, it is reported[20] that the 2023 Draft specifically includes reference to “startups” which may be exempted from these requirements. This is a welcome move to promote startups, especially those in IT and disruptive technologies sectors, where extensive processing of personal data may be undertaken.
(e) Appeal mechanism.— The 2022 Bill provides that appeals against orders of the Data Protection Board (Board) may be made to High Courts[21]. It is reported[22] that this may be modified to enable an appeal being preferred to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) or to an appellate body that may be constituted for this purpose. The creation of a new body or referring of appeals to TDSAT may be a positive development owing to a specialised tribunal for resolution along with speedier redressals.
(f) Penalties.— While the 2022 Bill proposed that determination of non-compliance may invite penalties which may be imposed by the Board, the maximum penalty had been capped[23] at Rs 500 crores in each instance. It is reported[24] that this cap has been removed under the 2023 Draft. It is unclear whether this may lead to an implied cap of Rs 250 crores (in view of the penalties specified[25]) or if it may lead to penalties more than the same, should multiple offences be constituted in a single instance.
Composition and functioning of the Data Protection Board
It has also been reported[26] that certain changes may be proposed to further elaborate the composition and functioning of the Board and the Government on rulemaking, adjudication of disputes and other provisions. Further, the “digital by design” nature of the Board may have been dropped. While better delineation of powers of the Board vis-à-vis the Government, especially regarding rulemaking or code of conduct, is a positive step in furthering regulatory clarity, the digital nature of the Board may be relevant and the intent behind the reported deletion may have to be examined further.
Transitory provisions
It is also reported[27] that where consent has been provided prior to the commencement of the Bill, data fiduciaries must provide information to data principals on the purpose of collection and processing activity undertaken in accordance with the provisions of the Bill. While the finer aspects would be clarified upon examination of the clause, on a primary review, it may be practically difficult for entities to comply with the provisions, especially where processing activity is no longer continuing or where personal data is no longer in the possession of the data fiduciary, such as in case of historical data sets. Further, there is an absence of reportage on adequate transitory periods being provided for implementation of specific provisions.
While many of the proposed changes are aimed at facilitating easier processing of personal data, certain aspects such as penal consequences, transitory provisions and exemptions for processing children’s data may need to be analysed further to assess the impact of these changes across different sectors.
In view of its wide-ranging impact, it may be desirable for entities across all sectors to assess their data flows and processes, review notices, consent, policies, and related documentation, reimagine data collection, handling and processing practices and implement appropriate technical and organisational measures in compliance with the proposed law. As the 2023 Draft has been listed in the Government Business expected to be taken up in the ongoing Monsoon Session[28], it is widely anticipated that, in the light of consultations, public debate and discourse, the Draft introduced and presented before the Parliament is likely to see the light of day.
† Executive Partner, Lakshmikumaran & Sridharan Attorneys
†† Senior Associate, Lakshmikumaran & Sridharan Attorneys
1. Digital Personal Data Protection Bill, 2022, available at <https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Potection%20Bill%2C%202022_0.pdf>.
2. Lok Sabha Bulletin — Part II (General Information Relating to Parliamentary and Other Matters) dated 13-7-2023 11-7-2023, available here
3. Digital Personal Data Protection Bill, 2022, Cl. 4.
4. Digital Personal Data Protection Bill, 2022, Cl. 7.
5. Digital Personal Data Protection Bill, 2022, Cl. 8.
6. Digital Personal Data Protection Bill, 2022, Cl. 9(1).
7. Digital Personal Data Protection Bill, 2022, Cl. 6.
8. Digital Personal Data Protection Bill, 2022, Cl. 7(1).
9. Digital Personal Data Protection Bill, 2022, Cl. 9(3).
10. Digital Personal Data Protection Bill, 2022, Cl. 9(4).
11. Digital Personal Data Protection Bill, 2022, Cl. 10.
12. Digital Personal Data Protection Bill, 2022, Cl. 11.
13. Digital Personal Data Protection Bill, 2022, Cl. 17.
14. Digital Personal Data Protection Bill, 2022, Cl. 11.
15. “Personal Data Protection Bill May Have Relaxed Cross-Border Data Transfer Rules”, The Hindu Business Line, available at <https://www.thehindubusinessline.com/info-tech/personal-data-protection-bill-may-have-relaxed-cross-border-data-transfer-rules/article67066688.ece>.
16. Soumyarendra Barik, “Data Protection Bill May Lower Age of Consent, Ease Related Norms”, The Indian Express, available at <https://indianexpress.com/article/business/economy/data-protection-bill-may-lower-age-of-consent-ease-related-norms-8822435/>.
17. Digital Personal Data Protection Bill, 2022, Cl. 6.
18. Suraksha P. and Aashish Aryan, “Data Bill May Give Govt. Power to Lower the Age of Consent”, The Economic Times, available at <https://economictimes.indiatimes.com/tech/technology/data-bill-may-give-govt-power-to-lower-the-age-of-consent/articleshow/101647708.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst>.
19. Digital Personal Data Protection Bill, 2022, Cl. 18(3).
20. “Personal Data Protection Bill May Allow Exemptions for Indian Start-Ups”, The Hindu Business Line, available at <https://www.thehindubusinessline.com/info-tech/personal-data-protection-bill-may-allow-exemptions-for-indian-start-ups/article67067055.ece>.
21. Digital Personal Data Protection Bill, 2022, Cl. 22(2).
22. Aihik Sur, “Data Protection Bill: Users May be Able to Appeal Decisions of Board with Another Body”, Moneycontrol, available at <https://www.moneycontrol.com/news/business/data-protection-bill-users-may-be-able-to-appeal-decisions-of-data-protection-board-with-another-body-10942341.html>.
23. Digital Personal Data Protection Bill, 2022, Cl. 25(1).
24. “Data Protection Bill May Cap the Maximum Penalty for Violations at Rs 250 Crore”, The Hindu Business Line, available at <https://www.thehindubusinessline.com/info-tech/data-protection-bill-may-cap-the-maximum-penalty-for-violations-at-rs-250-crore/article67067128.ece>.
25. Digital Personal Data Protection Bill, 2022, Sch. 1.
26. Suraksha P. and Aashish Aryan, “Data Bill May Give Govt. Power to Lower the Age of Consent”, The Economic Times, available at <https://economictimes.indiatimes.com/tech/technology/data-bill-may-give-govt-power-to-lower-the-age-of-consent/articleshow/101647708.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst>.
27. Suraksha P. and Aashish Aryan, “Data Bill May Give Govt. Power to Lower the Age of Consent”, The Economic Times, available at <https://economictimes.indiatimes.com/tech/technology/data-bill-may-give-govt-power-to-lower-the-age-of-consent/articleshow/101647708.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst>.
28. Lok Sabha Bulletin — Part II (General Information Relating to Parliamentary and Other Matters) dated July 13, 2023 11-7-2023, available here