In the culmination of a decade long process,[1] the Digital Personal Data Protection Bill, 2023(“Bill”) [2] was introduced in Parliament on August 3, 2023.
While the important subject matter of the Bill, its long legislative history, and the widely publicised dissents in the Parliamentary Standing Committee[3] portend that it may not pass unchanged, its enactment seems likely within the next few weeks or months.
Further, given its relatively concise nature and the limited rulemaking and regulatory framework that is needed to enable it, it seems likely that while the Bill will be brought into force in a phased manner,[4] operative portions of it may come into effect relatively quickly.
While the current form of the Bill is by no means certain to be final, and both exemptions from,[5] and rules around,[6] several key provisions will be notified post the enactment of the Bill, it is clear at this time that upon coming into effect, the Bill will require businesses to rethink how they evaluate, collect, protect, and value data which can either identify or relates to an individual (hereinafter, “Data”).
In this, our second article on the Bill, we examine what some key questions that businesses who process personal data (“Data Fiduciaries”) can ask themselves.
What (What Personal Data Do You Hold)?
India’s current general data protection regime, under the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) is antiquated, poorly enforced, and followed more in breach than in observance by the majority of businesses. As a result, general perception is that data is an asset, and more of it is better.
Even read widely, current law only offers substantial protection for sensitive personal data,[7] a distinction which is no longer relevant under the Bill, which regulates all personal data uniformly.[8] This combined with any real market practice on data retention (except where mandated under law), businesses in India tend to have large volumes of heterogenous, unstructured, and inconsistently stored data of varying vintage.
Therefore, the first step for many of them to begin complying with a modern data protection regime, will be to understand what data they hold.
Data Mapping
Simply put, this will involve understanding:
(a) the extent and nature of Data held, the nature of consent that was taken at the time of its collection, and whether such consent can be retrieved and proved in an auditable manner;
(b) whether the data principal to whom this data relates is contactable for the purposes of updating consent of giving them mandatory re-notice under the Bill, and to enable them to exercise their data subject rights;
(c) how and in what form data is held and secured, and whether the manner in which it is secured can be considered reasonable;
(d) whether the personal data continues to be relevant and necessary for the purpose of its collection or any other legally mandated purpose; and
(e) whether the nature and purposes for the processing of this data are still relevant and covered by the original consent.
This may prove crucial given the prevailing market practice of obtaining vague, broad, browse wrap consents for sensitive data. Many of these “consents” will not meet the standard of the Bill, and the continued processing of much of this data will require fresh consent, especially since the onus on proving clear consent lies on the Data Fiduciary.9
Even where there is valid consent, fresh itemized notice will have to be provided in manner that will be prescribed10 to individuals whose personal data continues to be stored, or otherwise processed (“Data Principals”).
As a practical measure, Data Fiduciaries may also consider creating segregated data repositories for all personal data that is validly consented, and other data to ensure that appropriate action may be taken based on the guidance that will be provided under the rules, upon the Bill coming into effect.
To the extent that key business processes are dependent on unconsented data, Data Fiduciaries may have to think about re-architecting them, or consider technological measures to enable continued use of data. This is an exercise in judgement, requiring finding a balance between legal principles surrounding the use of data, and business needs.
Action
Companies should immediately commence a comprehensive data mapping exercise of their legacy Data, correlate this Data with consent and contact details of Data Principals and start preparing an itemized consent framework based on processing practices.
Companies should also start looking at processing activities with respect to personal data where user’s have been inactive for a defined period and start the process of formulating a data retention policy.
How you collect Data (and Process it)?
The Bill (unlike the Draft) clearly codifies two key principles of data protection, i.e.:
(a) Consent and Data Autonomy: Data of persons can only be processed based on their freely given, specific, informed and unambiguous, express consent, and such processing can only be done for the specific itemised purposes to which they have consented;
(b) Purpose Limitation and Data Minimization: Data Fiduciaries can only collect or otherwise process, and indeed, receive consent for processing11 only such Data as is necessary for the purpose for which consent has been taken, or a reasonably related purpose;
(c) Data Minimization: Data Fiduciaries must erase (and cause their processors to erase) Data when the purpose for which it was collected, is no longer served by its retention[12].
Today, companies, other than where specifically regulated in spaces such as digital lending, collect more data than they need, and do so using broadly worded consents.
Consent notices and obtaining Consents
Going forward, for consents to be valid, privacy notices will need to clear and precise, while being descriptive enough to describe the nature of processing activities proposed to be carried out, as well as third parties who may have access to the personal data. Data Principals will also be more aware of their rights and have the ability to find out exactly what Data businesses hold, and how they use it.
Entities which hold or otherwise process large volumes of data, do so in unusual ways, or otherwise have significance or impact may find themselves classified as significant data fiduciaries and made subject to a much more onerous and granular regulatory regime.[14]
How (do you keep Data safe)?
Like the SPDI Rules, the Bill requires Data Fiduciaries to implement “reasonable security standards” (which a double quote after standards) and like the GDPR, to adopt “technical and organizational measures” to safeguard Data. Unlike the SPDI Rules[15] or the GDPR[16] though, the Bill does not prescribe a bright line standard for such reasonable security standards or technical and organization measures.
While SPDI Rules recognized ISO 27001 as an appropriate reasonable standard, and specific sectoral standards such as PCI-DSS,[17] SOC2 and the EHR[18] standards are common, and arguably, reasonable (at least as on date), Data Fiduciaries will still need to demonstrate this before the Data Protection Board, and potentially, in the context of a data breach, facing down a Rs. 250 crores fine.[19]
Data Fiduciaries will now need to ensure they have certain standards and compliances in place, and also obtain certification from a third-party independent auditor (preferably CERT-In empanelled) to demonstrate compliance along with appropriate policies like those dealing with breach notification, and retention. This will also include a system of periodic audits, and potentially, vulnerability and penetration testing.
The other limb of the requirement is technical and organizational measures, while these may be new for domestic companies, entities that have previously interfaced with GDPR compliance may be familiar with the construct. These measures include affirmative and clearly auditable steps on role-based access, limiting visibility of personal data to a wider audience, encryption in transit and rest, policies on data protection, along with periodic training, sensitization and review of the processes.
Action
Given that most of these actions will require substantial deployment of management time and require changes to existing IT infrastructure and processes, Data Fiduciaries may be well advised to onboard advisors and experts to initiate the process of navigating the requirement.
Where (do you send Data)?
While the Bill prescribes a blacklist rather than a whitelist, companies will be well advised to understand the various jurisdictions where the personal data collected by them resides, either on their own servers or infrastructure of their third-party service provider.
While this regime is generally permissive, a general focus on data, and its safety will mean enterprises must be mindful of how they make data available to third parties, whether they are processors or controllers both within and outside India.
Action
Accordingly, companies may start looking at their contracts with third party service providers to ensure appropriate data security measures and practices are put in place along with the requirement to certify compliance or provide warranties on adequacy of legal practices and obligations.
Further, companies with business contracts with countries sharing land border with India,[20] may also need to think about actions to move personal data out of such jurisdictions if they are blocked going forward.
Whom (are you answerable to)?
Till date, entities which collect, store and process Data in India have focussed on regulatory action, courts, their own boards, shareholder action, and even market perception. However, given the very poor enforcement mechanism (and low fines) under the SPDI Rules, entities have spen, have spent very little time thinking about the persons to whom this Data belongs. Indeed, some have tritely sought to classify themselves as “owners” of data they collect, with the freedom to do what they want with it.
Data Principals: what rights do they have?
The Bill creates substantial, enforceable rights, in favour of Data Principals. These include, seeking information on what data is held, the manner in it is processed,[21] grant or withdraw specific consent,[22] require correction or erasure of data,[23] and have grievances resolved within a period which will be prescribed.[24]
Data Principals, an aware, vocal, empowered group who may have little or no commercial alignment with the Company, can, where unhappy with the remedies they get, approach the Data Protection Board.
Notifying personal data breach
Under the Bill, Data Fiduciaries are also required to notify personal data breaches to both the Data Protection Board and the affected Data Principal.[25] This is a significant and material deviation from the current environment under the SPDI rules, where reporting is confidential and only made to CERT-In or the sector regulator and is poorly enforced. The Data Protection Board may now, in addition to handing down significant fines, also write to the Government and require the blocking of applications and services or repeat offenders[26].
Action
In order to avoid conflict with these newly empowered and important stakeholders, companies will need to create data protection teams and advisors, have appropriate processes and measures to deal with Data Principal requests. This will also translate into requirements for processes in relation to internal and external reporting and cybersecurity incident management and response, especially since non-compliance may also trigger sectoral regulators imposing additional fines and penalties.
Given the consequence for non-compliance may be both significant monetary fines and business disruption, companies will need to perhaps prioritize data compliance significantly in the coming days.
Conclusion
While enforcement is practically non-existent today, the significant penalties for non compliance[27] and the threat of business interruption and an app ban, will mean that storing and protecting Data will become more expensive, and that acquirers will be more sensitive about “toxic” data assets which may result in fines on the acquirer, as has been the case internationally.[28] Taken together, the above factors will force Data Fiduciaries to hard look at why they collect, store, share other otherwise process Data.
[1] The first comprehensive data protection legislation was the proposedPersonal Data Protection Bill, 2013, available here
[2] The Digital Data Protection Bill, 2023 (“Bill”) available here.
[3] MediaNama, Parliamentary Committee Reportedly Approves India’s Proposed Data Protection Bill, but Congress MP Disputes Claim, April 3, 2023, available here; The Print, Oppn MPs walk out of IT panel meet over bid to push data protection bill before it reaches Parliament, July 26, 2023, available here.
[4] Section 1(2), Bill.
[5] Section 17, Bill.
[6] Section 40, Bill.
[7] Rule 5, The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), available here.
[8] Section 2(n), Bill
[9] Section 6(10), Bill.
[10] Illustration to Section 5(2), Bill.
[11] Section 6(1), Bill.
[12] Section 8(7), Bill
[13] Reserve Bank of India, Guidelines on Digital Lending, RBI/2022- 23/111, available here.
[14] Section 10, Bill.
[15] Rule 8(2), SPDI Rules.
[16] GDPR, Encryption, available here.
[17] Reserve Bank of India, Security and Risk Mitigation Measures for Electronic Payment Transactions, RBI/2012-13/424, available here.
[18] Electronic Health Record (EHR) Standards For India 2016, Standards Set Recommendations v2.0, Ministry of Health and Family Welfare, December 30, 2016, available here.
[19] Schedule, Bill
[20] See Department for Promotion of Industry and Internal Trade,
Press Note No. 3 (2020 Series), available here.
[21] Section 11, Bill.
[22] Section 6(10), Bill.
[23] Section 13, Bill.
[24] Section 13(2), Bill.
[25] Section 8(6), Bill.
[26] Clause 37(1), Bill
[27] Schedule, Bill.
[28] TechCrunch, France fines Clearview AI maximum possible for
GDPR breaches, October 20, 2022, available here.
