On 18-11-2022, the Ministry of Electronics and Information Technology (MeitY) made the headlines by issuing the much-awaited draft data protection framework titled “Digital Personal Data Protection Bill, 2022” (2022 Bill). The 2022 Bill comes after a series of tumultuous turns in the legislative process starting from the first draft of the Personal Data Protection Bill, 2018 to the Personal Data Protection Bill, 2019 (2019 Bill), which underwent a comprehensive review by the Joint Parliamentary Committee (JPC).
The 2019 Bill was withdrawn in August 2022 and the Government announced that the industry should expect a comprehensive new draft soon. Many recommendations by the JPC, such as inclusion of non-personal data within the scope, have not been incorporated in the 2022 Bill. The Government has introduced many notable changes in the new 2022 Bill which could change the course of the privacy and data protection regime in India. In this article, we have examined the key changes introduced under the 2022 Bill vis-à-vis the erstwhile 2019 Bill.
1. Protecting digital personal data only, no sub-classification
In contrast to the 2019 Bill which applies to all forms of personal data (i.e. in offline and online mode), the 2022 Bill only applies to processing of “digital personal data”. While there is no express definition of “digital personal data”, the 2022 Bill sets out that it applies to personal data collected online and personal data collected offline which is digitised. Specifically, the 2022 Bill does not apply to offline personal data. Also, unlike the 2019 Bill, the 2022 Bill does not sub-classify personal data into sensitive personal data or critical personal data.
Additionally, in a departure from the PDPB, 2019, there is no reference to anonymised data. Anonymisation is a very important concept and helps many companies deal with personal data without getting impacted. It is unclear how anonymised data will be treated under the proposed framework.
2. Recognition of deemed consent
The 2022 Bill recognises the concept of “deemed consent” as a valid ground for processing personal data. For instance, an individual is deemed to have given consent when the individual provides her/his personal data voluntarily or for employment purposes or where it is required for the performance of any function under any law.
3. Cross border transfer of personal data
The Government has acknowledged that cross-border interactions are a defining characteristic of today’s interconnected world. While the 2019 Bill permitted transfer of “personal data”, it placed conditions on the transfer of “sensitive personal data”. The 2022 Bill envisages that the Central Government may (after assessment of relevant factors) notify the jurisdictions outside India where personal data may be transferred. It is possible that the Government may issue further terms and conditions for cross-border data transfers at the time of notifying such jurisdictions.
4. Omission of data localisation requirements
The earlier 2019 Bill envisaged that “critical personal data” (the scope of which was yet to be notified) shall only be processed in India. Notably, the 2022 Bill has done away with the sub-categorisation of critical personal data and has omitted the concerned data localisation requirements in this regard.
5. Duties of data principal
The 2022 Bill has also sought to affix certain duties on the data principal (akin to data subject) which include inter alia complying with applicable laws while exercising rights, furnishing only verifiably authentic information while exercising right to correction or erasure, refraining from registering false or frivolous grievances, etc. Importantly, a financial penalty is also envisaged for non-compliance with these duties. This will bring in an element of shared accountability and balancing individual rights with duties. This is a marked departure from the 2019 Bill.
6. Setting up of Data Protection Board of India (Board) instead of an authority
Instead of the Data Protection Authority of India (Authority) under the 2019 Bill, the 2022 Bill envisages setting up of the Board. There is a degree of similarity between the core function of the Board and the Authority, i.e. monitoring compliance with the provisions of the law and acting in case of derelictions. However, the 2019 Bill was relatively more prescriptive in terms of the constitution of the Authority, its powers and functions, etc. On the other hand, under the 2022 Bill, such aspects have been deferred to rules that may be prescribed.
7. Concept of voluntary undertaking
The 2022 Bill also introduces the concept of voluntary undertaking which may be submitted by a person to the Board in respect of any matter related to compliance with the provisions thereunder. The voluntary undertaking may include undertaking to take a specified action within a specified time, to refrain from taking any specified action and/or to publicise the voluntary undertaking. In case of any non-compliance with an accepted undertaking, the Board may also take potential action against such person in accordance with the 2022 Bill after such person is given a reasonable opportunity of being heard.
8. Revised scheme for financial penalties
The financial penalties set out under the 2022 Bill have undergone a substantial change with the maximum financial penalties up to INR 500 crores (approx. USD 60 million) for each instance. The 2022 Bill also clarifies the specific maximum financial penalties for certain types of contraventions (e.g. failure to take reasonable security safeguards to prevent personal data breach, non-fulfilment of additional obligations in relation to children, etc.).
The 2022 Bill beckons a new era in the data protection space in India. It seems that the Government has made a genuine attempt to simplify the legislation. A lucid, balanced and forward-looking law will certainly aid the industry in scaling greater heights. This can be a catalyst to the healthy growth of unicorns and start-ups in India, and they would not have to devote resources to heavy and onerous compliances. With a relatively streamlined process for cross-border transfer of data, the proposed law seeks to open gateways to increase foreign investments as well.
That said, there are certain conundrums and conflicts that will need to be ironed out, e.g. interplay of data breach related provisions with the recent directions issued by the Indian Computer Emergency Response Team (CERT-In), interplay of data localisation requirements with sectoral laws, missing definitions of terms like “digital” and “offline” to ascertain applicability, etc. Also, a road map for implementation would have brought more certainty for the industry to step up preparations.
Further, while the 2019 Bill delved into each aspect at a very granular level, the 2022 Bill has left most aspects for subordinate legislation (providing more powers to the Government to come up with rules and regulations later) in a bid to keep it simple. Therefore, as and when each rule or regulation is framed, its constitutionality will have to be tested.
The public consultation process will be instrumental in demystifying these concerns.
† Partner, Khaitan & Co.
†† Partner, Khaitan & Co.
††† Counsel, Khaitan & Co.