On August 7, 2023, the Lok Sabha passed the new Digital Personal Data Protection Bill, 2023 (“Data Protection Bill”) to provide for the processing of digital personal data. Currently, India does not have a standalone law on data protection. Use of personal data is currently regulated under the Information Technology (IT) Act, 2000. India has, since the introduction of the first Draft Personal Data Protection Bill, 2018, been in the process of formulating a comprehensive data privacy law to regulate the collection, processing, and storage of personal data. The Data Protection Bill, which was reintroduced in the lower house last week (nearly a year after the abrupt withdrawal of a previous proposal), was greenlit amid continuous sloganeering from the Opposition benches. In this article, we outline some of the key highlights of the Data Protection Bill.
Applicability: The Data Protection Bill applies to the processing of digital personal data within India where such data is: (i) collected online, or (ii) collected offline and digitised. Both non-personal data and data in non-digital formats are excluded from its ambit. The Data Protection Bill also applies to the processing of personal data outside India if it is for offering goods or services in India. Personal data is defined as any data about an individual who is identifiable by or in relation to such data. Processing is defined as a wholly or partially automated operation or set of operations performed on digital personal data. It includes collection, storage, use, and sharing. The Data Protection Bill provides for certain exemptions for Government and law enforcement agencies.
Consent: The Data Protection Bill, like its predecessors (the Draft Personal Data Protection Bill, 2018 and the Personal Data Protection Bill, 2019), explicitly provides that data may be processed only for a lawful purpose after obtaining the consent of the individual. Consent also needs to be free, specific, informed, and unambiguous. A notice containing details about the personal data to be collected and the purpose of processing must be given before seeking consent. Consent may be withdrawn at any point in time and is also not required for ‘legitimate uses’, including: (i) a specified purpose for which data has been provided by an individual voluntarily, (ii) provision of a benefit or service by the government, (iii) a medical emergency, and (iv) employment. For individuals below 18 years of age, consent is to be taken/provided by the parent or the legal guardian.
Rights and Duties of Data Principal: An individual whose data is being processed (“Data Principal”) will have the right to: (i) obtain information about processing, (ii) seek correction and erasure of personal data, (iii) nominate another person to exercise rights in the event of death or incapacity, and (iv) grievance redressal. The Data Protection Bill deviates from the previous bills and the GDPR and fails to provide Data Principals with a “Right to be Forgotten” and “Right to Data Portability”.
Obligations of Data Fiduciaries: The entity determining the purpose and means of processing (“Data Fiduciary”) is obligated to: (i) make reasonable efforts to ensure the accuracy and completeness of data, (ii) build reasonable security safeguards to prevent a data breach, (iii) inform the Data Protection Board of India and affected persons in the event of a breach, and (iv) erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes (storage limitation).
Transfer of Personal Data Outside India: The Data Protection Bill allows transfer of personal data outside India, except to countries restricted by the central government through notification.
Protection of Children’s Data: The Data Protection Bill includes a mechanism to process data of children (defined as individuals below the age of 18 years). In the case of children, entities are required to take the consent of a guardian.
Exemptions: Rights of the Data Principal and obligations of Data Fiduciaries (except data security) will not apply in specified cases. These include: (i) prevention and investigation of offences, and (ii) enforcement of legal rights or claims. The Data Protection Bill empowers the central government to exempt processing by government agencies from any or all provisions, in the interest of aims such as the security of the state and maintenance of public order. The Data Protection Bill does not require government agencies to delete personal data after the purpose for processing has been met. The Data Protection Bill faced intense backlash for the exemptions that have been made available to the government.
Data Protection Board of India: The Data Protection Bill introduces the concept of the Data Protection Board of India (“Board”), to be established by the central government. Key functions of the Board include: (i) monitoring compliance and imposing penalties, (ii) directing data fiduciaries to take necessary measures in the event of a data breach, and (iii) hearing grievances made by affected persons. Appeals against the decisions of the Board will lie with the Telecom Disputes Settlement and Appellate Tribunal.
Penalties: The Data Protection Bill contains severe financial penalties for those that do not comply with it. Transgressions could potentially cost businesses dearly, and the Board is empowered to come down heavily on errant businesses, especially repeat offenders. It specifies penalties for various offences, such as up to: (i) Rs. 200 crore for non-fulfilment of obligations for children, (ii) Rs. 250 crore for failure to take security measures to prevent data breaches, and (iii) Rs. 500 crore on persons and companies that fail to prevent data breaches, including accidental disclosure, sharing, altering, or destruction of personal data.
The Data Protection Bill, a seemingly forward-looking piece of legislation in terms of substance, has taken into account critical stakeholder comments and seeks to strike a unique balance between the fundamental right to privacy guaranteed to Indian citizens, the reasonable restrictions associated with that right, and the global requirements for being considered an adequate jurisdiction for data processing and protection. Much, however, remains to be done in detailing the provisions of the new law, including in terms of rule making, formulation of policies, and the creation of a guidance code that both the government and the private sector can rely on for proper compliance. Nonetheless, this is a welcome step, and one 5 years in the making.
The Data Protection Bill has subsequently been passed by the Rajya Sabha on August 9, 2023.