Draft Data Protection Bill: 12 Things You Need To Know
The Digital Personal Data Protection Bill, 2022, was made public by the government on Nov. 18.
Here's a quick snapshot of significant aspects of the bill:
The Digital Personal Data Protection Bill 2022 will apply to personal data collected from data principals (i.e., the individuals to whom the personal data relates) within India if it is collected (i) online, or (ii) offline and subsequently digitised.
The Bill also has an extraterritorial applicability which will extend to processing of digital personal data outside India, if such processing is in connection with profiling of, or activity of offering goods or services to data principals within India.
Profiling has been defined to mean any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of data principals. The Bill makes no express reference to whether anonymised personal data is included in or excluded from its ambit. This is a departure from the 2019 Bill.
Prior Notice Requirement And Retrospective Application
Data principals are required to be provided an itemized notice (i.e., presented as individual items) in clear and plain language that describes the personal data sought to be collected from them and the purpose of such collection.
This provision also applies retrospectively: where data principals provided consent to the collection of their personal data before the commencement of the Bill, all data fiduciaries (i.e., entities that, alone or in conjunction with other entities, determine the purpose and means of processing of personal data) would be required to furnish a notice (in the manner described above) to those data principals, setting out a description of the personal data collected from them and the purpose for which it has been processed, as soon as reasonably practicable.
Manner Of Consent
Consent has been prescribed as one of the legal bases for collection of personal data under the Bill. Consent from data principals is required to be taken by way of a clear affirmative action, signifying agreement to processing of their personal data for a specified purpose (as mentioned under the notice furnished to the data principal before collection of personal data). Such consent is required to be freely given, specific for a given purpose, informed and unambiguous.
Data fiduciaries are required to provide data principals the option to access the above-mentioned request for consent in English or any local Indian language specified under the Eighth Schedule to the Indian Constitution.
While this measure is indeed in the interests of data principals, it could be a challenge for several businesses that may not have the resources to comply with such an obligation.
To address the requirement of providing a legal basis for processing personal data where obtaining consent is not appropriate or is impractical, the concept of ‘deemed consent’ has been introduced.
Deemed consent may apply in certain situations, such as where the data principal is expected to voluntarily provide personal data (for instance, to receive a service), for purposes related to employment, and for such fair and reasonable purposes as may be prescribed after considering whether the legitimate interests of the data fiduciary in processing the personal data outweigh any adverse effect on the rights of the data principal.
Data Protection Board Of India
The central government will establish a Data Protection Board of India, which will be responsible for determining non-compliance under the legislation and imposing penalties.
This board will be an independent body operating digitally (to the extent possible). The board may take actions as prescribed under the Bill suo motu, on receipt of a complaint made by an affected person, on a reference made to it by the central government or a state government, or in compliance with the directions of any court. Every order made by the board will be enforceable akin to a decree of a civil court.
Obligations Of Data Fiduciaries
The Bill has provided for certain specific compliances and obligations that will apply to data fiduciaries, in respect of collection of personal data of data principals.
Importantly, the Bill has clarified that a data fiduciary will continue to remain responsible for complying with the provisions of the Bill for any processing undertaken by it or on its behalf by a data processor (i.e., entity that processes personal data on behalf of data fiduciaries).
In this context, data fiduciaries will have to ensure compliance with requirements such as implementing appropriate security measures and grievance redressal mechanisms.
Obligations Of Data Processors
The Bill provides that data processors have a duty to protect personal data in their possession or control by taking reasonable security safeguards to prevent breach of personal data.
Personal Data Breach
Personal data breach has been defined to mean any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
In the event of a personal data breach, data fiduciaries / data processors (as the case may be) would be required to notify the board and each affected data principal, in such form and manner as may be prescribed.
Additional Obligations In Relation To Processing Children’s Data
Verifiable parental consent (including consent of a guardian) is required to be obtained prior to processing personal data of children.
Data fiduciaries are not permitted to undertake tracking or behavioural monitoring of children or to send targeted advertisements directed at them. Any kind of processing that may cause significant ‘harm’ to children (as may be prescribed) is barred.
Further, in case of children, parents or lawful guardians will be deemed to be data principals for the purposes of rights and obligations set out under the Bill.
Additional Obligations For Significant Data Fiduciaries
Data fiduciaries that will be classified as ‘significant data fiduciaries’ (on the basis of factors such as volume and sensitivity of personal data collected, risk of harm to data principals, etc.) are required to comply with additional obligations such as appointment of a data protection officer residing in India, appointment of an independent data auditor and undertaking data protection impact assessments or complying with other measures as may be prescribed.
Cross-Border Transfer Of Personal Data
The central government may, after a comprehensive assessment of such factors as it considers necessary, notify specific countries or territories outside India to which personal data (including sensitive personal data) may be transferred, in accordance with such terms and conditions as may be specified.
Enhanced Financial Penalties
Significant financial penalties for non-compliance have been provided under the Bill. Such financial penalties will be determined by the board after considering factors such as the gravity, duration and repetitiveness of the non-compliance.
Penalties of up to Rs 250 crore (and up to Rs 500 crore, if an offence has been found to be significant) may be imposed for offences such as failure of a data fiduciary/data processor to take reasonable security safeguards to prevent personal data breach.
Supratim Chakraborty is a Partner at Khaitan & Co. and Sumantra Bose is a Principal Associate at Khaitan & Co.
The views expressed here are those of the author, and do not necessarily represent the views of BQ Prime or its editorial team.