India's Revisit to its Privacy Law Draft
Introduction
Nearly four months after the withdrawal of the Personal Data Protection Bill, 2019 (the "2019 Bill"), the Minister of Electronics and Information Technology, India, has come up with yet another draft of the much-awaited privacy law in India. The bill is called the Digital Personal Data Protection Act, 2022 (the "Draft Bill") and was released on November 18, 2022. The Draft Bill deviates from the 2019 Bill, which had received significant backlash from privacy experts. However, it has again opened a debate in the privacy landscape of India.
Scope of the law
The Draft Bill limits the territorial scope of the Act to the processing of digital personal data within India, where such personal data is in digitized form, i.e., either collected online, or collected offline but subsequently digitized. The Act also contemplates extra-territorial application where processing takes place outside India but is in connection with any profiling of, or any activity of offering goods or services to, Data Principals within India.
The material scope of the Act is proposed to exclude non-automated processing, offline personal data, processing for personal or household purposes, and personal data about an individual that is contained in a record which has existed for 100 or more years.
Data Fiduciary, Data Principal and Data Protection Board of India
The terms Data Fiduciary and Data Principal have been borrowed from the 2019 Bill itself and are similar to the concepts of data controller and data subject, respectively, under the GDPR. The Data Fiduciary is the key decision maker, who determines the means and purpose of the processing of personal data. The Data Fiduciary may engage Data Processors, who shall process personal data on behalf of the Data Fiduciary.
The central government has been entrusted to identify and notify Significant Data Fiduciaries ("SDFs") on the basis of certain factors, including the volume and sensitivity of personal data processed, the risks involved to the Data Principal, and the potential impact on the sovereignty and integrity of India, democracy, security or public order of the State.
Roles and responsibilities of the Data Fiduciary:
The following roles and responsibilities have been assigned to the data fiduciaries:
(i) Maintain accuracy and completeness of the personal data (accuracy principle);
(ii) Implement appropriate technical and organizational measures (security of processing);
(iii) Ensure the protection of personal data by appropriate safeguards (integrity and confidentiality);
(iv) Notify the Data Protection Board of India (“DPBI”) in the event of a personal data breach (notification);
(v) Cease to retain data once the purpose is served or once the retention is no longer necessary (purpose limitation and storage limitation);
(vi) Publish contact information of a point of contact for queries from Data Principals.
In addition to the above, the SDFs shall have the following responsibilities:
(i) Appoint a Data Protection Officer ("DPO") based in India, who will report to the Board of Directors or similar governing body of the SDF and shall be the point of contact for grievance redressal;
(ii) Publish contact information of the DPO;
(iii) Appoint an independent Data Auditor;
(iv) Perform Data Protection Impact Assessments and periodic audits.
Data Principal has been defined as the individual to whom the personal data relates, including the parents or lawful guardian where the data relates to a child. Similar to some international practices, data subject rights have also been proposed, which include:
(i) Right to information about the personal data being processed, the processing activities, the recipients, and the categories of personal data shared;
(ii) Right to correction and erasure of the personal data;
(iii) Right to grievance redressal within seven days, which can be escalated to the DPBI after seven days or upon dissatisfaction from the data fiduciary;
(iv) Right to nominate an individual to exercise the rights in place of the Data Principal if the Data Principal dies or becomes unable to exercise the rights;
(v) Right to withdraw consent.
Interestingly, in addition to empowering data subjects with these rights, the Draft Bill also imposes certain obligations on them under Article 16 and contemplates a penalty of up to 10,000 in case of non-compliance. These include the duty to comply with the law, to avoid frivolous complaints and the furnishing of false information, and to furnish verifiably authentic information while exercising the right to correction or erasure.
The Draft Bill has also proposed the constitution of a Data Protection Board of India (DPBI), an independent body established by the central government, which will function as a digital office. The DPBI will be responsible for determining non-compliance and imposing penalties of up to ₹500 crores, directing a Data Fiduciary to remediate personal data breaches, and issuing binding directions pursuant to hearings.
More clarity is yet to follow with respect to the DPBI, as the Draft Bill leaves most of its powers and functions to be determined by the executive, such as the techno-legal measures, the strength and composition of the DPBI, and the selection, appointment and removal of the chairperson and members.
Processing based on consent
Processing of personal data, as proposed under the Draft Bill, shall be only for a lawful purpose and on the basis of express or deemed consent. The request for consent should be in clear and plain language, along with the contact details of the DPO or any other authorized person for the purpose of exercising Data Principal rights.
The Draft Bill introduces a novel concept of Consent Manager which may act on behalf of the Data Principal for giving, managing, reviewing or withdrawing consent. It will be mandatory for the Consent Manager to register with the Board. Further technical, operational, financial and other conditions are to follow with the executive rules.
Deemed consent
Apart from express consent, the Draft Bill contemplates certain situations where the Data Principal will be deemed to have given consent to the processing. These circumstances include:
a) The Data Principal provides personal data to the Data Fiduciary voluntarily;
b) Personal data is necessary for the performance of any legal function, or for the benefit of the Data Principal in the provision of government services;
c) Personal data is necessary for compliance with any judicial order;
d) There exists a medical emergency, epidemic, outbreak of disease, threat to public health, any disaster, or any breakdown of public order;
e) Processing is a part of employment;
f) Public interest.
The scope of public interest
The Draft Bill broadens the scope of public interest and also leaves certain grey areas in it, placing wide powers in the hands of the executive. Section 2(18) of the Bill defines public interest as follows:
"'public interest' means in the interest of any of the following:
(a) sovereignty and integrity of India;
(b) security of the State;
(c) friendly relations with foreign States;
(d) maintenance of public order;
(e) preventing incitement to the commission of any cognizable offence relating to the preceding sub-clauses; and
(f) preventing dissemination of false statements of fact."
Similarly, Section 8 includes "for any fair and reasonable purpose as may be prescribed" as a ground for processing based on deemed consent. Evidently, the Draft Bill has expanded the definition of public interest as compared to any of the previous legislative or judicial interpretations. Sovereignty, security, public order, etc. are also loosely defined concepts which are bound to increase uncertainty in the future.
Cross-border transfers
The proposed law does not envisage data localization, allowing data to be transferred and processed outside the territory of India. However, the countries to which this data can be transferred will be determined by an adequacy decision from the central government. Such decisions will be based on the assessment of certain factors that the central government may determine once the law is enacted.
Proposed amendments to the IT Act and the RTI Act
The Draft Bill proposes to amend the Information Technology Act, 2000 (IT Act) and the Right to Information Act, 2005 (RTI Act). Once the law is enacted, Section 43A of the IT Act will be removed, as it also provides for compensation for failure to protect personal data, which has been separately addressed under the present Draft Bill.
The proposed amendment to Section 8 of the RTI Act will entirely remove personal information from the scope of the RTI Act; earlier, such information could be disclosed where a larger public interest justified it.
Comments & Conclusion
The new Draft Bill exhibits improvements over the 2019 Bill and, in a major move, leaves non-personal data out of the scope of the law, which was one of the most prominent suggestions from privacy experts earlier. In a welcome move, the Bill moves away from data localization and proposes to allow cross-border transfers to jurisdictions covered by adequacy decisions from the central government, the basis of which is yet to unfold.
The Draft Bill also fails to incorporate some international approaches such as the right to data portability, which enables Data Principals to have their data transferred from one organization to another in a machine-readable form. Similarly, it does not distinguish sensitive personal data from personal data, except for children's data, nor does it apply to offline data.
Another major concern that the Draft Bill has attracted is the excessive delegation of legislation to the executive. The central government has been vested with a lot of powers in terms of notifying rules, including the functions of the DPBI and the appointment of its members and chairperson. However, in the broader context, it appears to follow international practices such as those of the EU or the US. The exemption of personal data from the purview of the RTI Act may also attract backlash from activists, as it may be misused by people of influence such as politicians.
However, there are some welcome moves from the drafters that must be appreciated. The Digital Personal Data Protection Act aims to embrace linguistic diversity by requiring organizations to make basic information available to individuals in the Eighth Schedule languages, so that individuals are in a position to take well-informed decisions. The Bill is also proposed to be the first legislation in the country that uses female pronouns instead of male ones. A novel concept of Consent Manager has also been introduced, which will not only provide convenience to individuals but also create avenues of opportunity for businesses. As an upgrade from the 2019 Bill, the penalty has been increased exponentially to ₹500 crores, which will act as a serious deterrent for organizations.
The Draft Bill is largely in line with international practices and bridges the earlier gaps that the 2019 Bill had. The window to submit public comments closed on December 17th, 2022. The Bill may see further changes if those comments are taken into account, and we may see a refined version.
The author is an Associate Consultant with the Data Privacy team of Paramount, a CIPP/E certified privacy professional and ISO 27701 certified Lead Auditor.