Alerts & Updates 25th Nov 2022

Overview of the Digital Personal Data Protection (DPDP) Bill, 2022

Authors

Vinay Butani Partner | Mumbai
Sanjay Notani Partner | Mumbai
Naghm Ghei Principal Associate | Mumbai
Divyashree Suri Senior Associate | Delhi NCR

Latest Thought Leadership

Articles 14th Jun 2024

Digital Bouncers: Navigating the Digital Competition

Read More
Articles 14th Jun 2024

SEBI Imposes Financial Penalties on Market Infrastructure Institutions For Surveillance Failures

Read More
News & Media 13th Jun 2024

Compensation claims plunge as SEBI crackdown intensifies

Read More
News & Media 12th Jun 2024

50% assured pension for central govt staff under NPS: Proposal explained

Read More

The Ministry of Electronics and Information Technology (MeitY) on November 18, 2022, has released its much-awaited personal data protection bill, i.e., the Digital Personal Data Protection (DPDP) Bill, 2022 (DPDP Bill) for public comments until December 17, 2022.

The DPDP Bill, as compared to its predecessor versions is significantly a simpler version and once in force, aims to amend and omit some of the key provisions of the [Indian] Information Technology Act, 2000 (IT Act) and provisions of the Right to Information Act’ 2005.

Summarized below is our note addressing some of the key questions which the DPDP Bill addresses.

  • What is the legislative scope of the DPDP Bill?

    Applies: The DPDP Bill applies to personal data[1] that iscollected within India (i) through online mode; and (ii) offline mode but is then digitized; and collected outside India, if such processing is in connection with profiling of, or activity of offering goods or services to data principals [2] within India.

    Does not apply: The DPDP Bill, presently, does not seek to cover (i) non-personal data or anonymized data; (ii) offline personal data; (iii) nonautomated processing of personal data; (iv) personal data processed by an individual for any personal or domestic purpose; (v) and personal data about an individual that is contained in a record that has been in existence for at least 100 years.

    The DPDP Bill also clarifies that even if (pursuant to a contract) the processing of personal data is happening in India BUT (i) the data principal does not belong to the Indian territory, (b) the personal data does not belong to the Indian territory and (c) the transaction is taking place outside the Indian territory; the Bill shall not be applicable

  • Are data principals required to be provided with prior notice for collection of their personal data?

    Yes, the DPDP Bill states that, unless where obtaining consent is not practicable or inadvisable due to pressing concerns, data principals are required to be provided with an itemized notice/request in clear and plain language that describes the personal data that is sought to be collected along with the purpose of such collection.

    The request by the data fiduciaries [3], as per the DPDP Bill, is required to be either in English or any local Indian language specified under the Eighth Schedule to the Constitution of India (as understood by the data principal).

    In situations where obtaining such personal data is impracticable or inadvisable due to pressing concerns, the DPDP Bill has introduced the concept of ‘deemed consent’ wherein this concept may apply in situations such as (i) when a user shares their name and number when reserving a table; (ii) for the state to perform its function under any law; (iii) court orders; (iv) medical emergency; (v) epidemics; (vi) disasters; (vii) employment; (viii) public interest (and which includes for mergers, acquisitions, any other similar combinations) etc., and (ix) fair and reasonable cases.

  • Will the requirement to obtain consent from data principals be applicable retrospectively to cases where the personal data was already collected from data principals?

    Yes, the DPDP Bill states that the requirement to obtain consent in accordance with the DPDP Bill will be applicable retrospectively where, if data principals have provided their consent to collection of their personal data prior to commencement [of the DPDP Act], then all data fiduciaries would be required to furnish a notice to such data principals setting out the description of personal data [already] collected from them and the purpose for which such personal data was processed. However, it is pertinent to note that presently, the DPDP Bill does not prescribe a

    timeline within which the data fiduciary is required to comply with the said requirement but all it requires is that the same be obtained “as soon as reasonably practicable”.

  • What are the obligations of data fiduciary(ies)under the DPDP Bill?

    The DPDP Bill sets out a specific provision listing all obligations of data fiduciary and holds the data fiduciary ultimately responsible for processing personal data. The DPDP Bill further requires the data fiduciary(ies) to ensure that all reasonable safeguards are taken to prevent personal data breach, including for any processing undertaken on its behalf by data processors[4].

    The DPDP Bill also sets out the concept of a ‘significant data fiduciary(es)’ based on the significant volume and sensitivity of personal data that will be collected by such data fiduciary including risk of harm to data principals. The DPDP Bill requires that such significant data fiduciary is required to comply with additional obligations such as appointment of a data protection officer residing in India, appointment of an independent data auditor, undertake data protection impact assessments and ensure compliance with other measures as may be prescribed.

  • What are the obligations of data fiduciary(ies) when collecting personal data from children?

    The DPDP Bill states that in case personal data from individuals, who are less than 18 years of age, is proposed to be processed, then a prior verifiable parental consent (including consent of a guardian) shall be required to be obtained. The DPDP Bill also states that data fiduciaries are not permitted to undertake tracking and behavioral monitoring of children or sending targeted advertisements directed at children and any kind of processing that may cause significant ‘harm’ to children (as may be prescribed) is barred.

  • What are the obligations of data processors under the DPDP Bill?

    Whilst the responsibility always remains on the data fiduciary (vis-à-vis the data principal), the DPDP Bill provides that data processors have a duty to protect personal data in their possession or control by taking reasonable security safeguards to prevent breach of personal data.

  • Who has the authority to determine non-compliances and impose penalties under the legislation?

    The DPDP Bill proposes to establish a Data Protection Board of India (Board), which will be an independent body operating digitally (to the extent possible) and be responsible for determining non-compliances under the legislation and imposing penalties. The DPDP Bill gives powers to the Board to take actions (as prescribed under the DPDP Bill) either on suo moto basis or on receipt of complaint. The DPDP Bill clarifies that every order made by the Board will be enforceable akin to a decree made by the civil court and any appeal against an order of the Board would lie before the jurisdictional High Court.

  • Can personal data of data principal be transferred outside India?

    Yes, the DPDP Bill permits cross-border transfer of all personal data, however, to countries or territories which are only notified by the Central Government. The DPDP Bill stipulates that while notifying these territories, the Central Government may assess any factors that it may consider necessary.[5]

  • In which case, does the DPDP Bill set out any provision(s) regarding data localization?

    Presently, the DPDP Bill does not contain any provisions relating to data localization and is silent on whether the storage of data outside India would be permitted by law. Separately, the provisions on cross-border transfer contained in the DPDP Bill would also be subject to other laws governing data transfer in the country[6] and therefore, an assessment of relevant factors by the Central Government would precede such a notification.

  • How different is the DPDP Bill from its 2019 version in respect of the provisions relating to cross border data transfer?

    Tabulated below is the comparison between the DPDP Bill and the 2019 version of the data protection bill in relation to cross-border data transfer clauses:

    S. No. Particulars DPDP Bill (2022)[7] PDP Bill (2019)[8]
    1.  Nature of Personal Data allowed to be transferred across borders All personal data Sensitive personal data and Critical personal data[9]
    2.  Countries to which cross-border transfer of personal data is permitted Countries or jurisdictions notified by the central government Country or such entity or class of entity in a country or, an international organisation notified by the central government, after consultation with the Data Protection Authority
    3.  Factors to be considered while notifying eligible countries or entities Any factors that the central government may consider necessary On the basis of its finding that sensitive personal data shall be subject to an “adequate level of protection”, having regard to the applicable laws and international agreements.

    Given the substantial discretion the DPDP Bill has granted to the Central Government, India has large scope of negotiations on cross-border data transfers with its trading partners where it may negotiate ‘adequacy’ agreements with its trading partners as part of the free trade agreements and may also enter into digital economy agreements with different countries of strategic importance.

  • What are the penalties that are prescribed for non-compliance under the DPDP Bill?

    The penalties under the DPDP Bill range from up to INR 10,000 to up to INR 250 Crores for different offences. However, the DPDP Bill also sets out the factors that needs to be considered while determining the penalty.

  • Conclusion

    Unlike the 2018 version of the bill which had set out a definite implementation period, the DPDP Bill states that different dates may be appointed for different provisions and therefore some provisions may be implemented in a phased manner. At the outset, it is also important to note that whilst MeitY in its explanatory note[10] to the DPDP Bill claims to have incorporated the best practices adopted from various international personal data protection laws, the DPDP Bill, in relation to some of the significant obligation(s), continues to have clauses saying “as may be prescribed” or its equivalence.  Therefore, no doubt the DPDP Bill tones down some contentious clauses which caused industry pushback, particularly data mirroring and data localization requirements. One will have to, however, wait and watch MeitY’s responses and clarifications and clauses which the MeitY has yet to prescribe.

    We trust you will find this an interesting read. For any queries or comments on this update, please feel free to contact us at insights@elp-in.com or write to our authors:

    Sanjay Notani, Partner –SanjayNotani@elp-in.com ;
    Vinay Butani, Partner- VinayButani@elp-in.com ;
    Naghm Ghei, Principal Associate – NaghmGhei@elp-in.com;
    Divyashree Suri, Associate- DivyashreeSuri@elp-in.com

  • References

    [1] The DPDP Bill defines ‘personal data’ as any data about an individual who is identifiable by or in relation to such data
    [2] The DPDP Bill defines ‘data principals’ as the individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child
    [3] The DPDP Bill defines ‘data fiduciaries’ as entities determining the purpose and means of processing of personal data
    [4] The DPDP Bill defines ‘data processors’ as any person who processes personal data on behalf of a data fiduciary
    [5] Clause 17, Draft Digital Data Protection Bill, 2022
    [6] For example, the payments data localization requirement notified by RBI vide circular DPSS.CO.OD.No 2785/06.08.005/2017-18 dated April 06, 2018
    [7] Clause 17, Draft Digital Data Protection Bill, 2022
    [8] Clause 33 and 34,
    [9] Only to persons or entities engaged in health or emergency services, and such transfer is necessary for prompt action
    [10]https://www.meity.gov.in/writereaddata/files/Explanatory Note 2022.pdf

Disclaimer: The information contained in this document is intended for informational purposes only and does not constitute legal opinion or advice. This document is not intended to address the circumstances of any individual or corporate body. Readers should not act on the information provided herein without appropriate professional advice after a thorough examination of the facts and circumstances of a situation. There can be no assurance that the judicial/quasi-judicial authorities may not take a position contrary to the views mentioned herein