This fourth iteration of India’s draft data protection law is a significantly shortened and revised version, which does away with or dilutes many of the earlier provisions. While companies are likely to welcome this simpler version, privacy advocates are expected to push back. MeitY has invited feedback from the public on the Bill by December 17, 2022. The feedback may be submitted on the MyGov website.
Note that many provisions in the Bill, and consequently in this summary, carry the clause “as may be prescribed” or its equivalent. The Bill essentially relies on, and gives the power to, the central government to issue Rules later that clarify these provisions.
For a section-by-section summary of the Bill as well as comparisons to previous iterations of the Bill, check out our Guide To India’s Digital Personal Data Protection Bill, 2022.
Key definitions in the Bill
- Personal data: “Any data about an individual who is identifiable by or in relation to such data.”
- Data Fiduciary: “Any person who alone or in conjunction with other persons determines the purpose and means of the processing of personal data.”
- Processing: “An automated operation or set of operations performed on digital personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.”
- Data Principal: “The individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child.”
- Data Processor: “Any person who processes personal data on behalf of a Data Fiduciary.”
- Person: The term includes
  - an individual
  - a Hindu Undivided Family
  - a company
  - a firm
  - an association of persons or a body of individuals, whether incorporated or not
  - the State
  - every artificial juristic person, not falling within any of the preceding sub-clauses
Applicability of the Bill
- Processing of personal data collected within the territory of India when the data is collected online or is collected offline and digitised.
- Processing of personal data outside of India, if the processing is in connection with profiling people in India or offering goods and services to people in India. Profiling here means “any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a Data Principal.”
- Does not apply to:
  - non-automated processing of personal data
  - offline personal data
  - personal data processed by an individual for any personal or domestic purpose
  - personal data about an individual that is contained in a record that has been in existence for at least 100 years.
What are the obligations of Data Fiduciaries?
1. Personal data can only be processed with consent or deemed consent: Fiduciaries can only process personal data for lawful purposes for which the Data Principal has given or is deemed to have given consent. The processing must be in accordance with this Act.
2. Notice must be issued when seeking consent: When seeking consent, or as soon as it is reasonably practicable, Fiduciaries must give the users a notice that describes what personal data will be collected and for what purpose. The notice must be presented in a form “as may be prescribed.”
3. Measures to adhere to while obtaining consent:
   - Free, specific, informed, affirmative: The consent given by users must be freely given, specific, informed, and must be a clear affirmative action agreeing to the processing of their personal data for the purpose specified in the notice.
   - Cannot seek consent for infringing this Act: Fiduciaries cannot seek consent for anything that would infringe the provisions of this Act. For example, Fiduciaries cannot ask users to consent to waiving their right to file a complaint with the Data Protection Board.
   - Contact details of Data Protection Officer or other officer: When seeking consent, the contact details of a Data Protection Officer (for Significant Data Fiduciaries) or any other contact person (for other fiduciaries) must be mentioned.
   - Withdrawal of consent: Users have the right to withdraw consent at any time, with the same ease with which they gave it. The Fiduciary may stop providing services that can only be provided on the basis of the personal data processing the user had consented to. Furthermore, Data Fiduciaries must ensure that their Data Processors stop processing the personal data of the concerned user.
   - Consent Manager: The Data Principal can “give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager,” which is defined as a Data Fiduciary that maintains an accessible, transparent and interoperable platform for this purpose. Consent Managers are accountable to the users and must be registered with the Data Protection Board of India. The rules for Consent Managers will be prescribed. Nothing in the Bill mandates fiduciaries to work with Consent Managers.
   - Cannot make services conditional on consent when not required: If a Data Fiduciary has a contract with a user to deliver a service or good, the same cannot be made conditional on consent to the processing of any personal data not necessary for performing that contract.
   - Burden of proof lies with the Data Fiduciary: If challenged in court, Data Fiduciaries will have to prove that a notice was given and consent was obtained before processing personal data.
4. When consent is deemed to have been given: A Data Principal is deemed to have given consent to the processing of her personal data if such processing is necessary for the following purposes:
   - Voluntary provision of data: When the user voluntarily provides their personal data to the Data Fiduciary and it is reasonably expected that they would provide such personal data. For example, when a user shares their name and number when reserving a table. In this case, the user “shall be deemed to have given her consent to the collection of her name and mobile number by the Data Fiduciary for the purpose of confirming the reservation,” the Bill illustrates.
   - For the State to perform its functions under any law: When the State or its agencies need to perform any function under any law, provide any service or benefit to the Data Principal, or issue any certificate, licence or permit for any action or activity of the Data Principal. For example, “‘A’ shares her name, mobile number and bank account number with a government department for direct credit of agricultural income support. ‘A’ shall be deemed to have given her consent to the processing of her name, mobile number and bank account number for the purpose of credit of fertilizer subsidy amount to her bank account,” the Bill illustrates.
   - Court orders: “For compliance with any judgment or order issued under any law.”
   - Medical emergency: “For responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual.”
   - Epidemics: “For taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health.”
   - Disasters: “For taking measures to ensure the safety of, or provide assistance or services to any individual during any disaster, or any breakdown of public order.”
   - Employment: “For the purposes related to employment, including prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, recruitment, termination of employment, provision of any service or benefit sought by a Data Principal who is an employee, verification of attendance and assessment of performance.”
   - Public interest: For the sake of public interest as defined in the Bill, including for:
     - prevention and detection of fraud
     - mergers, acquisitions, any other similar combinations or corporate restructuring transactions in accordance with the provisions of applicable laws
     - network and information security
     - credit scoring
     - operation of search engines for processing of publicly available personal data
     - processing of publicly available personal data
     - recovery of debt
   - Fair and reasonable cases: For any fair and reasonable purpose “as may be prescribed” after taking into consideration:
     - “whether the legitimate interests of the Data Fiduciary in processing for that purpose outweigh any adverse effect on the rights of the Data Principal
     - any public interest in processing for that purpose; and
     - the reasonable expectations of the Data Principal having regard to the context of the processing.”
5. Maintaining the accuracy of data: Data Fiduciaries must make reasonable efforts to ensure that personal data processed by or on behalf of the Data Fiduciary is accurate and complete, especially if the personal data is to be used to make a decision that affects the Principal or if it is to be disclosed to another Data Fiduciary.
6. Preventing and notifying data breaches: Data Fiduciaries and Data Processors must “protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach.” In case of a data breach, the Data Protection Board and the concerned Data Principals must be notified in such a manner “as may be prescribed.”
7. Retention of personal data: Data Fiduciaries must stop retaining personal data, or remove the means by which the personal data can be associated with particular Data Principals, as soon as it is reasonable to assume that:
- the purpose for which such personal data was collected is no longer being served by its retention; and
- retention is no longer necessary for legal or business purposes.
For example, if a user deletes a social media account, the personal data shared with the platform must be removed. However, this does not apply if required for legal purposes. For example, if a person opens a bank account and closes it within 6 months, the bank can store the KYC data for longer because they are required to do so under other laws.
8. Appointing a Data Protection Officer or contact person: Data Fiduciaries must publish the “business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the Data Principal’s questions about the processing of her personal data” in a format “as may be prescribed.” For Significant Data Fiduciaries this must be a Data Protection Officer; for other fiduciaries it can be any other officer.
9. Grievance redressal mechanism: Data Fiduciaries must have in place “a procedure and effective mechanism to redress the grievances of Data Principals.”
10. Measures to ensure adherence to the Act: Data Fiduciaries must implement “appropriate technical and organizational measures to ensure effective adherence with the provisions of this Act.”
What are the obligations of Significant Data Fiduciaries?
The government will notify the criteria for Significant Data Fiduciaries based on the following factors:
- the volume and sensitivity of personal data processed
- risk of harm to the Data Principal
- potential impact on the sovereignty and integrity of India
- risk to electoral democracy
- security of the State
- public order
- such other factors as the government may consider necessary
In addition to complying with obligations applicable to all Data Fiduciaries, a significant Data Fiduciary is required to:
- Appoint a Data Protection Officer who will represent the Data Fiduciary under the provisions of this Act and be based in India. “The Data Protection Officer shall be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary. The Data Protection officer shall be the point of contact for the grievance redressal mechanism under the provisions of this Act.”
- Appoint an Independent Data Auditor “who shall evaluate the compliance of the Significant Data Fiduciary with provisions of this Act.”
- Undertake Data Protection Impact Assessment and periodic audit in relation to the objectives of this Act, and other measures “as may be prescribed.” Data Protection Impact Assessment is defined as “a process comprising description, purpose, assessment of harm, measures for managing risk of harm and such other matters with respect to processing of personal data.”
What are the obligations of Data Fiduciaries processing children’s data?
In addition to complying with obligations applicable to all Data Fiduciaries and Significant Data Fiduciaries, if applicable, a Data Fiduciary processing data of anyone under the age of 18 is required to:
- Parental consent: Obtain verifiable parental consent before processing any personal data of a child, in such manner “as may be prescribed.”
- No harm to the child: Not undertake any processing of personal data that is likely to cause harm to a child, “as may be prescribed.” Harm, as defined in the Bill, includes:
  - any bodily harm
  - distortion or theft of identity
  - prevention of lawful gain or causation of significant loss
- No targeted advertising or behavioural monitoring: Not undertake “tracking or behavioural monitoring of children or targeted advertising directed at children.”
- Exemptions: The parental consent obligation and the tracking/targeted advertising obligation above (the first and third items) will not apply when a child’s personal data is processed for such purposes “as may be prescribed” later.
What are the rights and duties of Data Principals?
1. Right to information about personal data: The user has the right to know:
   - if a Data Fiduciary is processing or has processed their personal data
   - if yes, a summary of the personal data being processed and the processing activities undertaken by the Data Fiduciary
   - the identities of all those with whom personal data has been shared and what categories of personal data
   - any other information “as may be prescribed”
2. Right to correction and erasure of personal data: The Data Principal has the right to request for correction and erasure of her personal data “in accordance with the applicable laws and in such manner as may be prescribed.” Erasure requests can be denied if data must be retained for legal purposes.
3. Right of grievance redressal: Users have the right to register a grievance with a Data Fiduciary. If the Fiduciary’s response is not satisfactory, or no response is received within seven days or such period “as may be prescribed”, the user may register a complaint with the Data Protection Board in a manner “as may be prescribed.”
4. Right to nominate: A Data Principal has the right to nominate any other individual to exercise their rights in the event of the Principal’s death or if the Principal is incapacitated, in such manner “as may be prescribed.”
5. Duties of Data Principals:
- Users must comply with all applicable laws while exercising rights under the provisions of this Act.
- Users should not register a false or frivolous grievance or complaint with a Data Fiduciary or the Board.
- Users should not furnish any false particulars or suppress any material information or impersonate another person.
- Users should only provide information that is verifiably authentic while exercising their right to correction or erasure.
Transfer of personal data outside India
Data Fiduciaries can transfer personal data outside of India to countries or territories that have been approved by the central government “in accordance with such terms and conditions as may be specified.”
Government access to data
The central government can issue a notification to exempt any “instrumentality of the state” from the provisions of the Bill in the interests of the:
- sovereignty and integrity of India
- security of the State
- friendly relations with foreign States
- maintenance of public order; or
- preventing incitement to any cognizable offence relating to any of the above
Additionally, the government and its agencies can retain personal data for an unlimited period of time regardless of whether the purpose for which data was collected has been served.
Other exemptions from the Act
1. Exemptions for a class of data fiduciaries: The central government has the power to exempt certain Data Fiduciaries or a class of Data Fiduciaries, based on the volume and nature of personal data they process, from certain provisions of the Bill. Specifically, these Fiduciaries will be exempt from:
   - Section 6 (issuing notice before consent)
   - Sub-sections 2 (ensuring accuracy of personal data) and 6 (deleting personal data after the purpose is served) of section 9
   - Section 10 (obligations when processing personal data of children)
   - Section 11 (obligations of Significant Data Fiduciaries)
   - Section 12 (Data Principal’s right to information about personal data)
While this could be used to exempt smaller data fiduciaries from some onerous obligations, there is no limitation on who can be exempt.
2. Exemptions for certain use cases: The Bill exempts entities from the provisions of Chapter 2 (obligations of Data Fiduciaries) except sub-section 4 (provision related to securing data) of section 9, Chapter 3 (rights and duties of Data Principals), and Section 17 (transfer of personal data outside India) of this Act when:
   - Law enforcement purposes: “Personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law.”
   - Legal right or claim: “The processing of personal data is necessary for enforcing any legal right or claim.”
   - Judicial purposes: “The processing of personal data by any court or tribunal or any other body in India is necessary for the performance of any judicial or quasi-judicial function.”
   - Personal data of those outside India: “Personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India.”
3. Exemption for research and statistical purposes: The central government can exempt entities when the processing of personal data is “necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with standards specified by the [Data Protection] Board.”
Data Protection Board of India
Establishment of the Data Protection Board of India (DPBI): The central government will establish the DPBI by issuing a notification.
- Members of the board: The number of people on the Board and the process for selecting its members including its Chairperson as well as the terms and conditions of appointment and service will be prescribed.
- Chief executive: The management of the affairs of the Board will be entrusted to a chief executive whose appointment and terms of service will be determined by the central government.
- Officers and employees: The Board will consist of officers and employees whose terms and conditions of appointment and service will be prescribed.
- Public servants: The Chairperson, Members, officers and employees of the Board will be deemed as public servants.
- Lawsuits against the Board: “No suit, prosecution or other legal proceedings shall lie against the Board or its Chairperson, Member, employee or officer for anything which is done or intended to be done in good faith under the provisions of this Act.”
Functions of the Board:
- Determining non-compliance: To determine non-compliance with the provisions of this Act and impose appropriate penalties.
- Issuing directions: To discharge its functions under the Act, the Board may issue directions from time to time after giving the concerned persons a reasonable opportunity of being heard and after recording its reasons in writing. The Board can also modify, suspend, withdraw or cancel any direction it has issued.
- Data breach mitigation: In the event of a personal data breach, the Board can direct the Data Fiduciary to adopt any urgent measures to remedy such personal data breach or mitigate any harm caused to Data Principals.
- Following other government orders: To perform such functions as the Central Government may assign under the provisions of this Act or under any other law, by an order published in the Official Gazette.
Investigations by the Data Protection Board of India
Process for the Board to follow while conducting inquiries:
- The Board should function as an independent body and “employ such techno-legal measures as may be prescribed.”
- The Board can take action based on a complaint received from an affected user or on a reference by the government or in compliance with court directions or if a user did not fulfil their duties as laid out in the Act.
- If there are sufficient grounds for inquiry, the Board must record the reasons in writing, and launch an inquiry into the affairs of the concerned person to ascertain whether they are complying with the Act or not. If there are no sufficient grounds for inquiry, the Board must record the reasons in writing and close the proceeding.
- Proceedings related to complaints can be conducted by individual Members or a group of Members.
- The inquiry must be conducted following the principles of natural justice including giving reasonable opportunity of being heard and the Board should record reasons for its actions during the course of any inquiry.
- To conduct an inquiry, the Board shall have powers to summon and enforce the attendance of persons, examine them on oath and inspect any data, book, document, register, books of account or any other document.
- The inquiry must be completed at the earliest, and the Board cannot prevent access to or confiscate anything that may adversely affect the day-to-day functioning of an entity.
- The Board can seek the services of any police officer or any officers of the Government to assist it and it is the duty of every such officer to comply with such requests.
- The Board can issue interim orders if it considers it necessary for preventing non-compliance with the provisions of this Act, but the reasons for the same must be recorded in writing and the concerned persons must have been given a reasonable opportunity of being heard.
- If the Board concludes that non-compliance by a person is not significant, it may, for reasons recorded in writing, close such inquiry. If the Board determines that the non-compliance by the person is significant, it shall issue financial penalties as allowed under this Act.
- At any stage after receipt of a complaint, if the Board determines that the complaint is devoid of merit, it may issue a warning or impose costs on the complainant.
- Every person is bound by the orders of the Board. “Every order made by the Board shall be enforced by it as if it were a decree made by a Civil Court. For the purpose of this subsection, the Board shall have all the powers of a Civil Court as provided in the Code of Civil Procedure, 1908.”
Review and appeal of Board orders:
- Reviewing orders: The Board can review any order it has issued, on a representation made to it or on its own motion, and, for reasons to be recorded in writing, modify, suspend, withdraw or cancel the order. The review must be done by a group of Members larger than the group that issued the order.
- Appeals in High Court: Any appeal against an order issued by the Board will be heard by the High Court, and the appeal must be preferred (filed) within sixty days from the date of the order.
- Jurisdiction of civil courts and other authorities: No civil court will have the jurisdiction to entertain any suit or take any action in respect of any matter under the provisions of this Act and no injunction shall be granted by any court or other authority in respect of any action taken under the provisions of this Act.
Alternate Dispute Resolution: If the Board is of the opinion that any complaint can be more appropriately resolved by mediation or other processes of dispute resolution, the Board may direct the concerned parties to the alternative dispute resolution option.
Voluntary undertaking: The Board can accept voluntary undertakings from entities in respect of any matter related to compliance with the provisions of this Act. The undertaking must include specific actions and timelines, and must be publicised. The Board can request that the terms of the undertaking be modified. If accepted, any ongoing relevant proceedings against the concerned entity are barred unless the terms of the undertaking are not complied with.
Penalties for offences
Applicable penalties according to Schedule 1 of the Bill:
- Failure to take reasonable security safeguards to prevent personal data breach: Up to ₹250 crores
- Failure to notify the Board and affected Data Principals of a personal data breach: Up to ₹200 crores
- Non-fulfilment of additional obligations in relation to processing data of children: Up to ₹200 crores
- Non-fulfilment of additional obligations of Significant Data Fiduciary: Up to ₹150 crores
- Violation of user duties: Up to ₹10,000
- For all other non-compliances under this Act: Up to ₹50 crores
Board gets to determine the quantum of penalty: If the non-compliance by a person is deemed significant by the Board, the Board can determine the quantum of financial penalty to issue as long as it adheres to Schedule 1 published by the government. To determine the amount, the Board should consider the following factors:
- the nature, gravity and duration of the non-compliance
- the type and nature of the personal data affected by the non-compliance
- repetitive nature of the non-compliance
- whether the person, as a result of the non-compliance, has realized a gain or avoided any loss
- whether the person took any action to mitigate the effects and consequences of the non-compliance and the timeliness and effectiveness of that action
- whether the financial penalty to be imposed is proportionate and effective, having regard to achieving compliance and deterring non-compliance with the provisions of this Act; and
- the likely impact of the imposition of the financial penalty on the person.
Penalties cannot be greater than ₹500 crores: The central government has the power to amend Schedule 1 by issuing a notification. But the Schedule cannot be modified by the government to exceed ₹500 crores in any instance of non-compliance and the amendment must be presented to the parliament for debate after it’s notified.
Government’s power to remove any hindrances to the Act
If any difficulty arises in giving effect to the provisions of this Act, the Bill allows the government to, within 5 years of the Act going into effect, issue an order to add provisions to the Act to remove the difficulties as long as the new provisions are not inconsistent with the existing provisions of the Act.
Note (21 November, 10:50 am): Earlier we stated that a notification to update the schedule of penalties must be presented to the parliament “before” it’s issued. It is, in fact, only required to be presented for debate “after.” The error is regretted.
Note (24 November, 10:00 am): Changed the header and content for exemption no. 1 under “Other exemptions from the Act” to clarify that it can be any class of data fiduciaries and that smaller data fiduciaries are just an example.
Note (1 December, 9:00 am): Clarified the provisions around appointment of DPO or other officers by fiduciaries and provision around Consent Managers.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
- A Complete Guide to The Digital Personal Data Protection Bill, 2022
- A Complete Guide To The Data Protection Bill, 2021
- A Complete Guide To The Personal Data Protection Bill, 2019