The Ministry of Electronics and Information Technology has published on its website the new personal data protection bill under the moniker “Digital Personal Data Protection Bill, 2022” (“DPDPB 2022”). The DPDPB 2022 is much simpler than the previous versions of the much-awaited data privacy statute and focuses on personal data only; provisions relating to non-personal data are missing. Here are some of the key features of the new bill, on which the public has been invited to comment by December 17, 2022.
1. Scope: The DPDPB 2022 shall apply not only within India, but also outside India, to the extent digital personal data is processed outside India, if such processing is in connection with any profiling of, or activity of offering goods or services to data principals within India. The DPDPB 2022 shall not apply to non-automated processing of personal data, offline personal data, personal data processed by an individual for any personal or domestic purpose or personal data about an individual that is contained in a record that has been in existence for at least 100 years.
2. Sensitive Personal Data: The term “sensitive personal data” is conspicuously absent in the DPDPB 2022. All personal data is afforded the same degree of protection.
3. Grounds for processing digital personal data: A person may process the personal data of a data principal only in accordance with the DPDPB 2022 and rules made thereunder and for a lawful purpose for which the data principal has given or is deemed to have given his/her consent in accordance with the provisions of the DPDPB 2022.
On or before requesting a data principal for his/her consent, a data fiduciary shall give to the data principal an itemised notice in clear and plain language containing a description of personal data sought to be collected by the data fiduciary and the purpose of processing of such personal data. If a data principal has given consent to the processing of his/her personal data before the DPDPB 2022 comes into effect, the data fiduciary must give to the data principal an itemised notice in clear and plain language containing a description of personal data of the data principal collected by the data fiduciary and the purpose for which such personal data has been processed, as soon as it is reasonably practicable.
Where consent given by the data principal is the basis of processing of personal data, the data principal shall have the right to withdraw his/her consent at any time. The consequences of such withdrawal shall be borne by such data principal. The data fiduciary must ensure that the ease of such withdrawal shall be comparable to the ease with which consent may be given.
4. Consent manager: A "consent manager" is a data fiduciary which enables a data principal to give, manage, review and withdraw his/her consent through an accessible, transparent and interoperable platform. The data principal may give, manage, review or withdraw his/her consent to the data fiduciary through a consent manager. The consent manager shall be an entity that is accountable to the data principal and acts on behalf of the data principal. Every consent manager shall be registered with the Data Protection Board (described below).
5. Deemed Consent: A data principal is deemed to have given his/her consent in a number of circumstances, some of which are:
The Central Government has reserved for itself the power to make rules to prescribe deemed consent for any fair and reasonable purpose after taking into consideration:
6. Obligations of the data fiduciary: Every data fiduciary is required to make reasonable efforts to ensure that personal data processed by or on behalf of the data fiduciary is accurate and complete, if the personal data is likely to be used by the data fiduciary to make a decision that affects the data principal to whom the personal data relates; or is likely to be disclosed by the data fiduciary to another data fiduciary.
Data fiduciaries are required to implement appropriate technical and organisational measures to ensure effective observance of the provisions of the DPDPB 2022. Every data fiduciary and data processor shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach. In the event of a personal data breach, the data fiduciary or data processor, as the case may be, shall notify the Data Protection Board (described below) and each affected data principal, in such form and manner as may be prescribed by the Central Government.
A data fiduciary must cease to retain personal data or remove the means by which the personal data can be associated with particular data principals, as soon as retention of such personal data is no longer necessary.
Every data fiduciary is required to put in place a procedure and effective grievance redressal mechanism to address the grievances of data principals.
7. Transfer of personal data: Transfer of personal data by a data fiduciary to any other data fiduciary requires the prior consent of the data principal. However, a data fiduciary may engage a data processor to process personal data on its behalf under a valid contract, without the consent of the relevant data principal.
8. Processing of children’s personal data: Before processing any personal data of a child, a data fiduciary shall obtain verifiable parental consent in such manner as may be prescribed. A data fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children. The Central Government has been given the power to make more detailed rules regarding the processing of children’s personal data, especially to ensure that data fiduciaries do not undertake such processing of personal data as is likely to cause harm to a child.
9. Significant data fiduciaries: The Central Government may notify any data fiduciary or class of data fiduciaries as “significant data fiduciary”, on the basis of an assessment of factors such as the volume and sensitivity of personal data processed, the risk of harm to the data principal, security of the State, public order etc.
Every significant data fiduciary is required to appoint a data protection officer who shall represent the significant data fiduciary under the provisions of the DPDPB 2022. The data protection officer has to be an individual based in India. Every significant data fiduciary should also appoint an independent data auditor who shall evaluate the compliance of the significant data fiduciary with the provisions of the DPDPB 2022.
Significant data fiduciaries are also required to carry out “data protection impact assessments” and periodic audits as per rules that the Central Government is expected to frame.
10. General Exemptions: Chapter 2 of the DPDPB 2022 (which imposes various obligations on data fiduciaries, including significant data fiduciaries) is inapplicable in a few situations, such as:
However, the obligation on the part of every data fiduciary and data processor to protect personal data by taking reasonable security safeguards to prevent personal data breach, shall not be suspended even in the situations mentioned above.
11. Central Government Exemption: The Central Government has been given the power to exempt from the application of the provisions of the DPDPB 2022 the processing of personal data by any instrumentality of the State in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States and maintenance of public order, or preventing incitement to any cognizable offence relating to any of these. Processing of personal data need not comply with the DPDPB 2022 if necessary for research, archiving or statistical purposes, provided the personal data is not used to take any decision specific to a data principal and such processing is carried on in accordance with standards specified by the Data Protection Board (described below).
The Central Government may, based on the volume and nature of personal data processed, exempt certain data fiduciaries from specific provisions of the DPDPB 2022, such as the obligation to give notice before requesting consent to collect personal data (section 6), the duty to ensure that personal data that is processed is accurate and complete (section 9(2)), the duty not to retain personal data once retention of such personal data is no longer necessary (section 9(6)), the duty to provide data principals information about their personal data held by the data fiduciary (section 12), the provisions relating to significant data fiduciaries, and the rules relating to the processing of children’s personal data.
12. Rights of data principals: Data principals have the right to obtain from the data fiduciary (i) confirmation whether the data fiduciary is processing or has processed personal data of the data principal, (ii) a summary of the personal data of the data principal being processed or that has been processed by the data fiduciary, and (iii) the identities of all the data fiduciaries with whom the personal data has been shared, along with the categories of personal data so shared. A data principal shall also have the right to correction and erasure of his/her personal data if it is inaccurate, misleading or incomplete.
13. Transfer of personal data outside India: DPDPB 2022 is silent on data localization, other than to provide that the Central Government may notify such countries or territories outside India to which a data fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified. Such notification shall be made after an assessment of such factors as the Central Government may consider necessary.
14. Data Protection Board of India: After the enactment of the DPDPB 2022, the Central Government shall, by notification, establish the Data Protection Board of India. The Data Protection Board shall determine non-compliance with provisions of DPDPB 2022 and impose penalties for violations of the DPDPB 2022. It can also issue directions to any person. In the event of a personal data breach, Data Protection Board may direct the data fiduciary to adopt any urgent measures to remedy such personal data breach or mitigate any harm caused to data principals.
An appeal against any order of the Data Protection Board shall lie to the relevant High Court. No civil court shall have the jurisdiction to entertain any suit or take any action in respect of any matter covered under the DPDPB 2022.
15. Financial Penalties: The Data Protection Board has the power to impose a financial penalty for any violation of the DPDPB 2022. Before imposing such a penalty, it has to give the alleged violator a chance to be heard. Schedule 1 of the DPDPB 2022 sets out the various penalties that may be imposed by the Data Protection Board. A failure by a data fiduciary or a data processor to take reasonable security safeguards to prevent personal data breach may be penalised by a fine of up to Rs. 250 crore. A failure to notify the Data Protection Board and affected data principals of a personal data breach may be penalised by a fine of up to Rs. 200 crore. Non-fulfilment of additional obligations in relation to children may also attract a fine of up to Rs. 200 crore. Non-fulfilment of obligations by significant data fiduciaries may attract a fine of up to Rs. 150 crore. A data principal who violates his/her duties under Section 16 of the DPDPB 2022 may be fined up to Rs. 10,000.
The DPDPB 2022 imposes a maximum limit of Rs. 500 crore for financial penalties, which appears surprising since the highest penalty provided for in Schedule 1 is Rs. 250 crore. However, this is explained by the fact that Section 27 of the DPDPB 2022 gives the Central Government the power to amend Schedule 1 to the DPDPB 2022, provided that the penalties specified at the time of its enactment cannot be increased to more than double of what is specified in Schedule 1 now.
16. Impact on other laws: Once the DPDPB 2022 comes into effect, Section 43A of the Information Technology Act, 2000 shall be omitted. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which were framed under Section 43A of the Information Technology Act, 2000, will consequently also cease to be effective. However, the Information Technology (The Indian Computer Emergency Response Team And Manner Of Performing Functions And Duties) Rules, 2013, will remain unaffected, so the incident reporting obligations to CERT-In under those rules continue alongside the breach notification obligation under the DPDPB 2022.
17. The RTI Act: The DPDPB 2022 amends Section 8(1)(j) Right to Information Act, 2005 ("the RTI Act") in order to exempt "any information which relates to personal information" from disclosure under the RTI Act, without any qualifiers or conditions.
Section 8(1)(j) of the RTI Act, as it exists now, does not permit disclosure of “information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information”. The DPDPB 2022 amends Section 8(1)(j) of the RTI Act by deleting the portion in quotes that follows “personal information”, thereby removing the public-interest override and barring any disclosure of personal information.
This update has been contributed by Vinod Joseph (Partner) and Vasavi Khatri (Associate).