Everything you need to know about: The Digital Personal Data Protection Bill 2022 

Introduction 

On November 18, 2022, the Indian government released a revised draft version of India’s data protection law, i.e., The Digital Personal Data Protection Bill, 2022, for public feedback (2022 Bill). The deadline for public comments is up till December 17, 2022. This draft Bill is India’s fourth iteration on its data protection law. The 2022 Bill differs from previous versions, such as the Personal Data Protection Bill, 2018 (2018 Bill), the Personal Data Protection Bill, 2019 (2019 Bill), and the Joint Parliamentary Committee’s Data Protection Bill, 2021. (JPC Bill). The 2022 Bill only applies to ‘digitized’ personal data and says nothing about non-personal data. It does away with the difference between sensitive and critical personal data, as well as non-personal data provisions, algorithmic accountability, data portability, and a governance structure for hardware/software certification.  

The references to data localization have been eliminated, and the central government has been given the right to approve cross-border data transfers to whitelisted countries. The 2022 Bill adds a list of instances where consent may be ‘deemed’ and does not need to be explicit in order to provide flexibility in the data processing. It does, however, obligate the government to notify the residuary processing ground of justified causes as referred in Section 8 of the Bill. With only 30 sections compared to 99 in the JPC Bill, the 2022 Bill is significantly shorter than its predecessors. This looks to be in line with the government’s goal of developing a fundamental, all-encompassing data protection framework for India. As a result, the central government has been given significant discretion and decision-making power as a result of its rule-making task.  

Key Highlights  

 

1. 1.  Legislative Scope: The Bill will apply to personal data gathered from data principals (individuals to whom the personal data relates) in India if collected in one of two ways: (1) online; or (2) offline but later digitized. The Bill also has extraterritorial applicability, which means it will apply to the processing of digital personal data outside of India if it is in connection with profiling data principals in India or offering products or services to data principals in India. While non-personal data is explicitly excluded from Bill’s scope, no mention is made of whether anonymized data is included or not.  

 

2. 2. Prior notice and retrospective application: Data principals must be provided with an itemized notice (i.e., presented as individual items) in clear and straightforward language that describes the personal data intended to be collected from them and the purpose of such collection. This provision will also apply retroactively, requiring all data fiduciaries (i.e., entities determining the purpose and means of processing personal data) to provide data principals with a notice outlining the description of personal data collected from them as well as the purpose for which such personal data was collected.  

 

3. 3. Consent mode: The Bill specifies consent as one of the legal bases for obtaining personal data. Data principals’ consent must be conveyed in the form of explicit affirmative action, demonstrating their agreement to the use of their personal data for a specified purpose. Data fiduciaries must provide data principals with the option of accessing the aforementioned consent request in English or any local Indian language specified in the Indian Constitution’s Eighth Schedule.  

 

4. 4. Deemed consent: The concept of ‘deemed consent’ has been devised to meet the requirement of providing a legal basis for processing personal data where obtaining consent is impracticable or inadvisable due to pressing factors. Deemed consent may apply in some instances, such as when the data principal is expected to willingly submit personal data (for example, when using services), for employment purposes, and for fair and reasonable grounds after taking certain required aspects into account. Contextually, the additional grounds provided by deemed consent for the processing of personal data would prevent excessive data collection requests and could serve as an effective treatment for consent fatigue.  

 

5. 5. Data fiduciary requirements: The Bill specifies specific compliances and obligations for data fiduciaries. Importantly, the Bill states that a data fiduciary will continue to be held accountable for any processing undertaken by it or on its behalf by a data processor (i.e., an entity that processes personal data on behalf of data fiduciaries). Data fiduciaries will be needed to ensure compliance in this environment by adopting proper security measures and grievance mechanisms.  

 

6. 6. Additional obligations for significant data fiduciaries: Data fiduciaries who are classified as “significant data fiduciaries” (based on factors such as the volume and sensitivity of personal data collected, risk of harm to data principals, and so on) are required to comply with additional obligations such as appointing an independent data auditor, conducting data protection impact assessments, and so on.  

 

7. 7. Additional duties in connection with the processing of data pertaining to children: Verifiable parental approval (including guardian consent) must be obtained before processing children’s personal data. Data fiduciaries are not permitted to follow and monitor children’s behaviour or to market to children. Any processing that has the potential to cause significant ‘harm’ to children (as defined) is banned. Furthermore, for the purposes of the Bill’s rights and obligations, parents or legal guardians will be deemed data principals in the case of children.  

 

8. 8. Data processor obligations: The Bill requires data processors to secure personal data in their possession or control by establishing suitable security procedures to prevent personal data breaches.  

 

9. 9. Data Protection Board of India: The Central Government will establish a Data Protection Board of India (Board), which will be in charge of detecting violations of the law and enforcing sanctions. This Board will be a self-contained entity that operates digitally (to the extent possible). The Board may take the actions specified in the Bill on its own initiative or in response to a complaint. Every Board order is enforceable in the same way that a civil court judgement is.  

 

10. 10. Personal data breach: A personal data breach is defined as any unlawful processing of personal data or any inadvertent disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that jeopardizes personal data confidentiality, integrity, or availability. In the event of a personal data breach, the fiduciaries/data processors (as applicable) are required to notify the Board and each affected data principal in the form and manner specified.  

 

11. 11. Cross-border transmission of personal data: Following a thorough investigation, the Central Government may notify specific jurisdictions outside India to whom personal data may be communicated subject to the terms and limits specified.  

 

12. 12. Increased financial penalties: The Bill imposes severe financial penalties for noncompliance as described under Schedule I . Penalties of up to INR 250 crores (about USD 30 million) may be imposed for infractions such as failing to implement proper security safeguards to avoid personal data leaks. However, the sentence cannot exceed INR 500 crores in a single case (approx. USD 60 million).. 
         
        The following is the list of the subject matter of the noncompliance along with the penalties as described under Schedule 1 of the Bill: 
        A. Failure of a Data Processor or Data Fiduciary to implement appropriate security precautions to prevent a breach of personal data under subsection (4) of Section 9 of this Act. Such noncompliance will be liable to a penalty up to INR 250 crore  
        B. Failure to notify the Board and impacted Data Principals of a personal data breach, as required by section 9(5) of this Act. Such noncompliance will be liable to a penalty of up to INR 200 crore.  
        C. Noncompliance with extra requirements relating to children; as defined in Section 10 of this Act. Such an act will be liable to a penalty of up to INR 200 crore.  
        D. Noncompliance with additional requirements of a Significant Data Fiduciary; as defined in Section 11 of this Act. Such an act will be liable to a penalty of up to INR 150 crore.  
        E. Failure to comply with Section 16 of this Act will attract a penalty of up to INR 10 thousand.  
        F. Noncompliance with any provisions of this Act other than those stated in subsections (1) through (5) and any Rule imposed thereunder, will result in a penalty extending up to INR 50 crore.  
         
        The Board has the authority to determine the quantum of punishment: If a person’s noncompliance is deemed serious by the Board, the Board has the authority to determine the quantum of financial penalty to impose, as long as it corresponds to Schedule 1 published by the Government. 
         

 

13. 13. Amendments proposed in the Bill:  
        A. The Information Technology Act of 2000 (“IT Act”) will be changed as follows:(a) Section 43A of the IT Act is repealed.  
        Section 43A predominantly deals with the fact that if a body corporate is negligent in implementing and maintaining reasonable security practises and procedures in a computer resource that it owns, controls, or operates and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages as compensation to the person so affected.  
         
        (b) In section 81 of the IT Act, after the words and figures “the Patents Act, 1970,” the words “or the Digital Personal Data Protection Act, 2022” are inserted; and (c) Clause (ob) of sub-section (2) of Section 87 of the IT Act is repealed. 
         
        B. Clause (j) of sub-section (1) of Section 8 of the Right to Information Act, 2005 shall be amended as follows:  
        (a) The words “the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the individual’s privacy unless the Central Public Information Officer, State Public Information Officer, or appellate authority, as the case may be, is satisfied that the larger public interest is served” shall be deleted. 
        (b) The proviso which states that no one shall be refused information that cannot be withheld from Parliament or a State Legislature has been omitted. 

Conclusion   

In comparison to its predecessors, the Bill is unquestionably simpler and more reader-friendly. The 2022 Bill looks to be a slimmed-down version of its predecessors at first appearance. While prior versions of the Data Protection Bill were more thorough, this Bill largely outlines broad governing principles and leaves certain granular and procedural issues to be addressed through subsequent rules.  

In a notable departure from the 2019 Bill, the Bill does not divide personal data into sensitive and important categories. Furthermore, one of the most commendable aspects of the Bill is that it relaxes data localization restrictions, which would surely benefit India’s booming start-up sector and firms.  

Notably, while the Bill provides for astonishingly enormous financial penalties of INR 250 crores (about USD 30 million), these are the maximum amounts that can be ordered. Furthermore, in determining the quantum of penalty to be imposed, the Board will consider mitigating factors such as the gravity of the contravention, duration, and repetition of the contravention, and efforts made by the entities to limit the damage caused by the contravention, among others, when adjudicating any non-compliance.  

Given the legislative journey thus far, the proposal of this Bill is undoubtedly a progressive step for a country with a young set of data protection laws. Although the Bill in its current form lacks depth and some gold standard elements, public debate and consultation processes may result in a more complete data protection system that meets worldwide standards. 

The Bill ushers in a new age of data protection in India. The government appears to have worked hard to simplify the legislation. A clear, balanced, and forward-thinking regulation will definitely help the sector reach new heights and cement India’s position as an economic giant. 

We at Tsaaro are aware of the necessity of working with compliance for a company to function effectively as well as the inescapable risk of exploitation and misuse of operational, confidential data that goes along with such involvement.

 

With our dedication to cybersecurity and the help of seasoned professionals, we’ll help you identify, analyse, and assess threats so you can determine whether the risk assessment threshold is effective in determining the calibre and dependability of your data. To control your privacy compliance and issues ready before the act becomes effective you may have, get in touch with us.