The Ministry of Electronics and Information Technology (“MEITY”) has released a draft of the Digital Personal Data Protection Bill, 2022 (“The Bill”) for public consultation, along with an explanatory note on each provision and the underlying principles that guided the drafting[1]. The public consultation is open till December 17, 2022[2]. This is Part II of our analysis of the Bill.
Data Principal Rights
Retention
The Bill requires Data Fiduciaries to cease retaining personal data, or to de-identify it, as soon as it is reasonably clear that the purpose for which it was collected is no longer served by retention, and retention is not required for any legal or business purpose.[3]
Interestingly, the Bill departs from the Previous Drafts[4] on two counts: (i) it permits retention of personal data after the purpose of collection has been served not only where a legal obligation requires it, but also for business purposes; and (ii) it leaves the term ‘business purposes’ broad and undefined, and provides no standard for ‘de-identification’.
Correction
The Bill dilutes the obligation on Data Fiduciaries to ensure the accuracy of personal data: accuracy need only be ensured on a reasonable-efforts basis, and only where the data is likely to be used to make a decision affecting the concerned individual, or is likely to be disclosed to another Data Fiduciary.[5]
Portability and Erasure
While Data Principals have a right to obtain broad heads of information, such as confirmation of processing, a summary of the data being processed, and the identities of other Data Fiduciaries with whom the data is shared,[6] the right to obtain copies of personal data in a portable form, which could potentially allow them to switch platforms, has been diluted[7]. Additional heads of information may be prescribed in the rules under the Bill.
Further, the right to be forgotten (“RTBF”) under the Previous Drafts[8] has now been subsumed within a right to erasure,[9] a restriction on processing upon withdrawal of consent,[10] and a restriction on retention of data.[11] The separate adjudicatory mechanism for RTBF disputes has also been done away with; disputes under these provisions will now be decided by the Board if resolution by the data protection officer or any other authorised officer fails.
Nominees
The Bill has expanded the right to nominate a representative to instances of incapacity in addition to the event of death.[12]
Grievance Redressal
The Bill gives Data Principals an enhanced right to file a complaint with the Board where they do not receive a satisfactory response from the Data Fiduciary[13] within seven days.[14]
Further, unlike the Previous Drafts,[15] the Bill does not allow a Data Fiduciary to refuse a Data Principal’s request on the ground that complying with it may harm the rights of another Data Principal.
Security Standards
Though the Bill requires implementation of reasonable security safeguards[16] and appropriate technical and organisational measures,[17] these requirements are not as extensive as those provided in the Previous Drafts with respect to security safeguards,[18] privacy by design,[19] and transparency requirements.[20]
Significant Data Fiduciary
The Bill retains the concept of Significant Data Fiduciaries (“SDFs”), to be determined on the basis of specified criteria. While removing certain potentially objective criteria (volume and turnover), the Bill has introduced more subjective factors such as ‘risk to electoral democracy’, ‘security of State’ and ‘public order’[21], and has moved the power to notify SDFs to the Central Government[22].
As before, SDFs are subject to additional obligations, such as appointing a data protection officer, conducting audits and, potentially, carrying out data protection impact assessments.
Given these material consequences, it will be important to demonstrate rational and coherent criteria for the designation of SDFs.
Cross Border Data Transfers
Finding a balance between the imperatives of data sovereignty on the one hand, and enabling free flow of data on the other, has proved difficult and was hotly debated following the Previous Drafts.
The Previous Drafts proposed a local storage obligation for sensitive personal data and a “hard” localisation obligation for an undefined category of critical personal data[23]. The Bill instead permits transfers of personal data outside India only to jurisdictions notified by the Government, subject to conditions that are yet to be prescribed[24].
While reciprocal data sharing, and data equivalence are certainly not new concepts, the extremely broad extent of data covered, and the lack of clarity on the manner and extent of sharing permitted, can create much uncertainty in the days leading up to the enactment of the Bill.
Children and their Data
Under the Bill, everyone below the age of 18 years is treated as a child[25], and Data Fiduciaries must obtain verifiable consent from the parent or lawful guardian before processing any personal data pertaining to a child[26]. More problematically, the Bill bars entities from tracking or behaviourally monitoring children, and from directing targeted advertising at them.
Practically, much of the internet is aimed at teens, and several products and services are marketed and sold to people below the age of eighteen. A more nuanced approach may stand a better chance here than a blanket ban. The Bill already creates a restriction on processing that can ‘harm’[27] a child. Limiting restrictions to this and providing for a reasonable standard for age gating/verification may prove to be a more practical approach.
Another significant change is that parents and guardians are defined as the ‘Data Principals’ in place of their children[28]. While it is common for parental consent to be required for contracts involving minors, treating the parent as standing in the child’s shoes for the purposes of data protection legislation is less common.
Exemptions
The Bill provides for certain general exemptions, similar to the Previous Drafts[29]. Additionally, the Government has been given broad powers to notify certain Data Fiduciaries (based on the volume and nature of personal data they process) to whom the provisions on notice[30], accuracy of personal data[31] and data retention[32] will not apply. Further, the State and its instrumentalities enjoy relaxations in relation to data minimisation and data retention; that is, the State is permitted to retain personal data even after the purpose for which it was collected has been served.[33]
While the powers of the Central Government include creating exemptions for processing of personal data necessary for research, archiving or statistical purposes as were provided in the Previous Drafts,[34] the Bill does not include exemptions in relation to journalistic purposes as was provided in the Earlier Bill.[35]
Enforcement and Regulation
The Previous Drafts contemplated an extensive data protection authority with wide-ranging functions, from prescribing standards, making recommendations to the Government and approving policies and formats, to adjudication[36]. It was to be a multi-layered structure with dedicated adjudicating officers and an appellate body.
The Bill proposes a much simpler Data Protection Board (“Board”), with primarily adjudicatory functions[37]. Much about this body, including its composition and the qualifications of members who will need to discharge functions of a quasi-judicial nature, is unclear. Particularly unclear is how the Board will operate alongside the existing judicial system. While appeals against the Board’s orders are to lie to “the High Court:” (sic)[38], this provision will need to be clarified to determine whether the Board will have branches in each state (with its orders appealable to the respective High Courts), or whether appeals will lie to a different court. Additionally, the Board has the power to direct alternative dispute resolution[39] and to accept voluntary undertakings in relation to compliance.[40]
While these types of provisions have also been proposed in relation to the Indian Telecommunications Bill, 2022[41], they may be less well suited for legislation which is to govern a far more diverse set of users and service providers. In any event, it will be important to ensure that the mechanism of undertakings is transparent, to prevent any discrimination between similarly situated parties.
Penalties and Reporting
The Bill prescribes financial penalties ranging from INR 10,000 to INR 250,00,00,000 (INR 250 crore), subject to an upper limit of INR 500,00,00,000 (INR 500 crore) for each instance.[42] This is in contrast to the more nuanced fine, based on a percentage of relevant worldwide turnover, that was proposed earlier[43]. While the Bill provides criteria for evaluating penalties, one risk that remains is that the Board may feel constrained to align with the stipulated numerical thresholds rather than treating them as true caps.
Reporting obligations under the Bill are more onerous than those under the Previous Drafts. While there has always been a requirement to report breaches to the regulator[44], the Bill now proposes a mandatory obligation to report all breaches to the affected Data Principals, as opposed to the earlier requirement to report only those breaches likely to cause them harm.[45]
Other Laws
Unlike the Previous Drafts, the Bill is to have overriding effect in case of conflict with any other law.[46] The Bill also omits the concept of MOUs, which were to be used to enable regulatory co-ordination. This makes it imperative that standards under the Bill be aligned with sector regulation, to avoid overriding it.
In addition to changes to the Information Technology Act 2000, the Bill also proposes amendments to the Right to Information Act, 2005 to delete certain exceptions.[47]
Timeline
The Bill allows for implementation in phases[48]; however, it does not provide a clear timeline, as some of the Previous Drafts did. While this may be less problematic given the less detailed compliance requirements, a clear implementation timeline would enable companies to prepare.
Regulatory Sandbox and Small Entities
While the Bill does not provide for an express regulatory sandbox or small entity exception[49], it does include a provision that authorizes the Central Government to exempt applicability of certain sections.[50]
[2] Notice issued by MEITY, available here
[4] Clause 3(16) and Clause 9, Earlier Bill
[7] Clause 19, Earlier Bill
[9] Clause 13(2)(d), Bill
[10] Clause 7(5), Bill
[11] Clause 9(6), Bill
[12] Clause 17(4), Earlier Bill (amendment recommended by Joint Parliamentary Committee)
[13] Clause 32(3), Earlier Bill
[14] Clause 14(2), Bill
[15] Clause 22(5), Earlier Bill
[16] Clause 9(4), Bill
[17] Clause 9(3), Bill
[18] Clause 24, Earlier Bill
[19] Clause 22, Earlier Bill
[20] Clause 23, Earlier Bill
[21] Clause 11(1), Bill
[22] Clause 11(1), Bill
[23] Clause 33 and 34, Earlier Bill
[24] Clause 17, Bill
[25] Clause 2(3), Bill
[26] Clause 10, Bill
[27] Clause 10(2), Bill
[28] Clause 2(6), Bill
[29] Clause 18, Bill
[30] Clause 6, Bill
[31] Clause 9(2), Bill
[32] Clause 9(6), Bill
[33] Clause 18(4), Bill
[34] Clause 38, Earlier Bill
[35] Clause 36(e), Earlier Bill
[36] Clause 41, Earlier Bill
[37] Clause 19, Bill
[38] Clause 22, Bill
[39] Clause 23, Bill
[40] Clause 24, Bill
[42] Clause 25, Bill
[43] Clause 57, Earlier Bill
[44] Clause 25, Earlier Bill
[45] Clause 9(5), Bill
[46] Clause 29, Bill
[47] Clause 30, Bill
[48] Clause 1(2), Bill
[49] Clause 40, Earlier Bill
[50] Clause 18(3), Bill