Key takeaways:
- Bill removed “social media platforms” from its definition of significant data fiduciaries
- Many provisions from earlier drafts, such as Privacy by Design, have been removed from the new Bill.
The Government of India came out with the fourth version of the data protection Bill, now dubbing it the Digital Personal Data Protection Bill, 2022. In this version, the Bill removes “social media platforms” from the Significant Data Fiduciary category, mandates parental consent for the processing of children’s data and makes data fiduciaries responsible for data breaches.
The feedback on this draft Bill “in a chapter wise manner” can be sent by December 17, 2022 via the MyGov website shared by the government. The notice also specified that “no public disclosure of the submissions will be made.”
Definitions as per the new Bill
The new Bill uses the following terms:
Data Fiduciary: Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;
Data Principal: The individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child;
Definition of Significant Data Fiduciaries: The new Bill says that the Centre may notify any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary based on factors like:
“a. the volume and sensitivity of personal data processed;
b. risk of harm to the Data Principal;
c. potential impact on the sovereignty and integrity of India;
d. risk to electoral democracy;
e. security of the State;
f. public order; and
g. such other factors as it may consider necessary”
The new definitions have removed the inclusion of “social media platform.”
Obligations of Significant Data Fiduciaries
As per the new Bill, the Significant Data Fiduciaries will appoint a Data Protection Officer (DPO) who shall represent the Significant Data Fiduciary and be based in India.
Who is a DPO? The Data Protection Officer will be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary. “The Data Protection officer shall be the point of contact or the grievance redressal mechanism,” said the Bill.
Further, Significant Data Fiduciaries will appoint an Independent Data Auditor to evaluate the compliance of the Significant Data Fiduciary, work on Data Protection Impact Assessments and carry out periodic audits. Unlike previous Bills, there is no mention of “record keeping” obligations.
Previous provisions on transparency removed: The Bill does not talk at length about transparency. Further, it also does not mention Privacy By Design. Lalit Panda, Senior Resident Fellow at Vidhi Centre for Legal Policy, in a Twitter thread criticised the Bill for its lack of transparency requirements.
7) Data retention obligation made porous by reference to continued retention to "legal or business purposes". This is why purpose spec matters.
8) Notice provision is applicable only to consent!
9) No other transparency requirement like publishing privacy policy.
May update^^.
— Lalit Panda (@somesortofpanda), November 18, 2022
Classification of Data Fiduciaries and Significant Data Fiduciaries
What the 2018 Bill said: It identified certain data fiduciaries as significant data fiduciaries based on:
- Volume of personal data processed;
- Sensitivity of personal data processed;
- Turnover;
- Risks of harm arising from any processing;
- Use of new technologies for processing;
- Other factors relevant to causing potential harm to the data principal.
What the 2019 Bill said: Some social media intermediaries were classified as significant data fiduciaries, such as:
- Any social media intermediary with users above a threshold notified by the Centre in consultation with the DPA;
- Whose actions are likely to significantly impact electoral democracy, security of the State, public order, or the sovereignty and integrity of India.
What the 2021 Bill said: The Bill replaced the term “social media intermediary” with “social media platform”, deleting 2019’s provision on classifying some social media intermediaries as significant data fiduciaries. These platforms were added to the listed criteria for classifying significant data fiduciaries first laid out in 2018.
- JPC Rationale: “Most of the social media intermediaries are actually working as internet based intermediaries as well as platforms where people communicate through various socializing applications and websites.”
Obligations for Significant Data Fiduciaries
What the 2018 Bill said: All or any of the following obligations only apply to significant data fiduciaries—data protection impact assessments, record keeping, data audits, and appointing data protection officers. However, the DPA may notify these obligations for other fiduciaries if it believes that their processing carries risks of harm.
What the 2019 Bill said: No changes to this section.
What the 2021 Bill said: A new provision added that significant data fiduciaries will be regulated by regulations made by respective sectoral regulators.
- JPC Rationale: None provided.
Data Protection Officer
What the 2018 Bill said: Appointed by the data fiduciary, the Data Protection Officer will:
- Help the fiduciary fulfil its obligations under the Act and privacy by design measures;
- Advise on when data protection impact assessments should be carried out (and reviewed once completed).
- Monitor data processing activities to ensure they don’t violate the Act;
- Assist and cooperate with the DPA on compliance obligations;
- Act as a point of contact for the data principal to raise grievances with;
- Maintain records on the data fiduciary’s activities (specified below).
The data fiduciary may assign other functions to the Officer. Foreign data fiduciaries processing data must appoint Data Protection Officers based in India to comply with the Act.
What the 2019 Bill said: Data Protection Officers will be appointed by “significant data fiduciaries” not just data fiduciaries. The explicit language for foreign data fiduciaries was removed, and replaced by “the data protection officer appointed (..) shall be based in India and shall represent the data fiduciary”.
What the 2021 Bill said: It specified qualifications for Data Protection Officers: they should be “a senior level officer in the State or a key managerial personnel in relation to a company or such other employee of equivalent capacity in case of other entities”. Key managerial personnel means the Chief Executive Officer, managing director or the manager, company secretary, whole-time director, Chief Financial Officer, or other prescribed personnel.
- JPC Rationale: Previously unspecified.
Data Protection Impact Assessment
What the 2018 Bill said: Processing involving new technologies, large-scale profiling, the use of sensitive personal data (genetic or biometric data), or which carries the risk of significantly harming the data principals will not commence unless the data fiduciary has undertaken a data protection impact assessment.
The assessment should:
- Detail the proposed processing, its purpose and nature of data processed;
- Assess potential harm;
- Propose measures to manage, minimise, or mitigate risks of harm.
The Data Protection Officer will review the completed assessment and submit it to the DPA. If the DPA believes processing can cause harm, it may direct the data fiduciary to cease processing or subject it to certain specified conditions.
What the 2019 Bill said: The language shifted from processing undertaken by “data fiduciaries” to processing by “significant data fiduciaries”. The Data Protection Officer will submit the assessment to the DPA with his findings. The rest of the provision remained the same.
What the 2021 Bill said: Barring minor phrasing differences, the provision remained the same.
Record Keeping
What the 2018 Bill said: The data fiduciary should keep records on important operations in the data life-cycle (collection, transfers, and erasure), reviews of security safeguards, data protection impact assessments, and other DPA-specified aspects of processing. The section also applies to the State (as defined under Article 12 of the Constitution).
What the 2019 Bill said: The language shifted to record keeping by “significant data fiduciaries”. New provisions were added, namely:
- Social media intermediaries notified as significant data fiduciaries will enable users registering for or using their services in India to “voluntarily verify” their accounts.
- Users who voluntarily verify their accounts will be provided with a “demonstrable and visible” verification mark, visible to all users of the service.
What the 2021 Bill said: The term “social media intermediaries” was replaced by “social media platforms”.
Obligations for All Data Fiduciaries
Data Audits
What the 2018 Bill said: Data fiduciary compliance with the Act will be annually audited by an independent auditor, registered with the DPA.
The auditor will evaluate:
- Clarity and effectiveness of notices issued to the data principal;
- Effectiveness of privacy by design measures;
- Transparency measures;
- Security safeguards;
- Personal data breaches and responses by the data fiduciary;
- Other specified matters.
If the DPA believes the data fiduciary’s processing may cause harm to the data principal, it may order an audit and appoint an auditor for the purpose.
What the 2019 Bill said: A criterion was added to the data audits, “timely implementation (..) and effective adherence to obligations” of providing users verification services. The 2018 provision that the DPA will specify penalties for data auditor negligence was removed.
What the 2021 Bill said: A new provision stated that the DPA “shall encourage the practice of appropriate concurrent audits”.
- JPC Rationale: Previously unspecified.
Grievance Redressal
What the 2018 Bill said: All data fiduciaries were instructed to have “proper procedures and effective mechanisms” in place to efficiently and quickly address data principal grievances. These could be raised in case of violations of the Act, rules and regulations under it, which caused or were likely to cause harm to the data principal.
Grievances could be raised with the Data Protection Officer (in the case of a significant data fiduciary), or an officer designated for this purpose (in the case of other fiduciaries). The Bill stated that a grievance is to be resolved within 30 days of receipt.
Further, the data principal has the right to file a complaint with the DPA’s adjudication wing if the grievance is unresolved, or if the data principal is unsatisfied with the grievance resolution, or if the data fiduciary has rejected the raised grievance. Persons aggrieved with orders made by the adjudication wing’s officers may appeal to the Appellate Tribunal.
What the 2019 Bill said: Instead of the “adjudication wing” specifically, data principals were instructed to simply raise complaints with the DPA. The provision to file appeals against the adjudication wing’s decisions at the Appellate Tribunal was also removed.
What the 2021 Bill said: The revised Bill added the procedure to file a complaint with the Authority under newly-inserted clause 62, which confers the data principal’s right to file complaints with the DPA. “The Authority may forward the complaint (..) to the Adjudicating Officer for adjudging,” the clause adds.
- JPC Rationale: Clause 62 was inserted in the “Penalties and Compensation” chapter keeping in mind “the need to devise a single window system to deal with complaints, penalties and compensation”.
Data Privacy By Design
What the 2018 Bill said: Data fiduciaries should implement policies and measures ensuring that “managerial, organisational, business practices and technical systems” implement privacy by design.
What the 2019 Bill said: Data fiduciaries will prepare a privacy policy on these measures. The data fiduciary may submit the policy to the DPA, who will certify it if satisfied.
What the 2021 Bill said: The DPA will certify the privacy by design policy subject to provisions.
- JPC rationale: “Certification (..) should not be a tedious process and must not hamper the growth of Micro, Small and Medium Enterprises. [The amended clause] provide[s] for the Authority to make regulations to grant exceptions to data fiduciaries below a certain threshold.”
Transparency
What the 2018 Bill said: Data fiduciaries will take “reasonable steps” to enable transparency on personal data processing by publishing easily accessible information on:
- Personal data collected, how it’s collected, and purpose for processing;
- Data processed in exceptional situations (and when significant harm risks are created);
- Cross-border personal data transfers;
- Existence of a procedure to exercise data principal rights, and the right to file complaints before the DPA;
- Any data trust score assigned to them;
- Any other information specified by the Authority.
What the 2019 Bill said: The language shifted from “reasonable steps” to “necessary steps”—otherwise the provision was unchanged. New provisions on “consent managers” were inserted:
- Registered with the DPA, consent managers are defined as “a data fiduciary which enables a data principal to gain, withdraw, review and manage his consent through an accessible, transparent and interoperable platform”;
- The data principal may give or withdraw consent to the data fiduciary through a consent manager. Here, consent will be deemed to have been communicated directly by the data principal.
What the 2021 Bill said: A transparency provision on “fairness of algorithm or method used for processing of personal data” was introduced.
- JPC rationale: “To ensure the transparency of algorithms used by various entities for processing of personal data and to prevent its misuse.”
Processing of Personal Data By Entities Other Than Data Fiduciaries
What the 2018 Bill said: Such processing can take place provided that the fiduciary appoints a data processor on its behalf through a valid contract. Among other provisions, the data processor, and any employee of the data processor and fiduciary, will only process personal data according to the data fiduciary’s instructions, unless required to do otherwise by law.
What the 2019 Bill said: “Unless required to do so by law” was dropped from the processing condition mentioned above.
What the 2021 Bill said: Provision unchanged.
Penalties
What the 2018 Bill said: If a data fiduciary contravenes its obligation to take prompt action during a security breach, undertake a data protection impact assessment, conduct a data audit, appoint a data protection officer, or register with the DPA, it will be fined a penalty of up to five crore rupees, or two per cent of its total worldwide turnover for the preceding financial year, whichever is higher.
What the 2019 Bill said: Provision remained the same.
What the 2021 Bill said: While the obligations remained the same, the data fiduciary would be liable to such penalty as may be prescribed.
- JPC Rationale: Flexibility in the imposition of penalties is required given rapidly evolving technology.
Stakeholder concerns
- The age of consent needs to be reduced: During a MediaNama event in January, Ganesh recommended that it be left to the Data Protection Authority to arrive at an appropriate age of consent below 18 years after consulting relevant stakeholders.
- More grounds are needed for processing without consent: There should be more grounds for companies to process personal data without consent such as legitimate interests, Chaudhari suggested.
- Non-personal data should be dealt with separately at a later stage: Not all financial data should be classified as sensitive personal data. Data already regulated by sectoral regulators should not be covered by the Bill, Dellrud recommended during the MediaNama event.
Security Safeguards, Data Breaches, and other provisions
The “Transparency and Accountability” chapter also contains provisions on security safeguards and data breaches relevant to the role of a Data Protection Officer at a significant data fiduciary. MediaNama chronicles the evolution of these provisions over four drafts here.
Note: Edits were made to this story on 3:58 PM on November 19, 2022 based on editorial input. The link for feedback on the Bill has also been added.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
