‘The Digital Personal Data Protection Act, 2023’ (“DPDP Act”) was passed by the Indian Parliament and notified in the official Gazette on 11 August 2023. Its stated purpose is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto.
The Act establishes a comprehensive legal framework governing digital personal data protection in India. It provides for the processing of digital personal data in a manner that recognizes the right of individuals to protect their personal data, societal rights and the need to process personal data for lawful purposes.

Background

In India, for almost ten years now, there have been multiple endeavours to put in place a comprehensive data privacy legislation, the latest being on November 18, 2022, when the Ministry of Electronics and Information Technology (“MeitY”) released a draft Bill, titled ‘The Digital Personal Data Protection Bill, 2022’ (“DPDP Bill”), for public consultation. Earlier, in 2012, a Group of Experts headed by Justice A P Shah had submitted a Report on privacy legislation, which proposed a conceptual framework for a privacy statute and how Indian privacy law should take shape.

Following the Supreme Court’s observations in 2017, two draft versions of the proposed law (2018 and 2019) were released for public consultation, in an effort to give effect to the “fundamental right to privacy” recognized by the Supreme Court of India in the Justice K.S. Puttaswamy judgment of August 2017, wherein the Court observed: “The Parliament needs to examine and put into place a robust regime for data protection in India.”

The report of the Joint Parliamentary Committee (“JPC”) on ‘The Personal Data Protection Bill, 2019’ was the culmination of a five-year exercise. In 2017, the Ministry of Electronics and Information Technology, vide its Notification No. 3(6)/2017-CLES (“Notification”), had first constituted a “Committee of Experts” under the Chairmanship of former Supreme Court Justice Shri B N Srikrishna to examine issues relating to data protection in India and to draft a bill on data protection. The JPC, after two years of deliberations and five extensions, finally adopted its report on the 2019 Bill by majority on 22 November 2021. However, after the JPC had submitted its report for the consideration of Parliament, the Government abruptly withdrew the legislation in August 2022, before it could be taken up by Parliament.
MeitY, after deliberating on various aspects of digital personal data and its protection, then formulated the draft DPDP Bill in 2022.
The draft was made available to the public for feedback and engagement, showcasing the government’s commitment to transparency and inclusivity in the legislative process. The latest version of the Bill has been formulated largely on the lines of its predecessors, after multiple consultation processes, considerable deliberation on various aspects of digital personal data and its protection, and the controversies and apprehensions surrounding the past three versions.

Highlights of the Bill

The DPDP Bill applies to all digital processing of personal data and narrows the scope of the data protection regime to ‘personal data’ protection. It is a much more ‘simplified’ and ‘stripped down’ version, with 43 provisions. The Bill holds significant importance and aims to achieve two primary objectives: firstly, to define the rights and responsibilities of citizens in an increasingly digital environment, and secondly, to impose lawful obligations on data fiduciaries regarding the proper usage of collected data.
It succinctly enunciates the core privacy principles, individuals’ rights and organizational obligations, and sticks to the key aspects of personal data protection. As opposed to previous versions, the Bill allows companies to send user data to servers in countries that have not been ‘blacklisted’ by the government, but prohibits them from retaining user data unless it serves the purpose for which it was collected, and provides exemptions from certain requirements for small entities.
The Bill proposes to set up a “Data Protection Board” to handle user complaints and verify compliance. Another major change is the obligation on data fiduciaries to provide data principals with notices about processing activities in English or in any language specified in the Eighth Schedule to the Constitution.

Scope and Applicability of the Bill

The DPDP Bill applies to the processing of personal data collected within India’s territory, whether gathered online or gathered offline and then digitised. It covers only ‘digital data’ and excludes ‘non-personal data’ from the applicability of the law, but because it includes ‘digitised’ data, scanned paper forms containing personal data now come under the purview of the law.
The DPDP Bill has extra-territorial applicability: it applies to the processing of personal data outside India if the processing is in connection with any profiling of, or activity of offering goods or services to, data principals in India. It also applies where personal data collected from data principals is subsequently digitised and processed within India. However, certain exemptions do apply.

Cross-border data transfers

The DPDP Bill, while doing away with local storage or localization obligations, proposes new requirements for cross-border data transfers: it allows the transfer of personal data outside India except to countries restricted by the government through notification. This is a significant change from the previous version of the Bill, which outlined a “white list” approach under which only specific countries or territories were permitted for data transfer. The revised Bill instead adopts a “black list” approach, allowing the government, through notification, to restrict data transfers to specific countries.

Consent

According to the provisions of the Bill, personal data may be processed only for a ‘lawful purpose’ after obtaining the consent of the individual. A notice must be given before seeking consent, and such a notice should contain details about the personal data to be collected and the purpose of processing. For minors, that is, individuals below 18 years of age, consent is to be provided by the parent or legal guardian. Consent may be withdrawn at any point in time. However, consent will not be required for ‘legitimate uses’, including: (i) the specified purpose for which data has been provided by an individual voluntarily, (ii) provision of a benefit or service by the government, (iii) a medical emergency, and (iv) employment.

Processing of Personal Data

As per the provisions of the DPDP Bill, the consent of the data principal is the primary ground for processing personal data. Further, additional grounds for processing can be prescribed by the government after considering whether the legitimate interests of businesses outweigh any adverse impact on data principals, the public interest in the processing activity, and the reasonable expectations of data principals in the context of the processing activity.

Rights and duties of data principal

An individual, whose data is being processed (data principal), will have the right to:
(i) obtain information about processing,
(ii) seek correction and erasure of personal data,
(iii) nominate another person to exercise rights in the event of death or incapacity, and
(iv) grievance redressal.
Data principals will have certain duties. They must not:
(i) register a false or frivolous complaint, and
(ii) furnish any false particulars or impersonate another person in specified cases.

Obligations of data fiduciaries

The entity determining the purpose and means of processing (the data fiduciary) must:
(i) make reasonable efforts to ensure the accuracy and completeness of data,
(ii) implement reasonable security safeguards to prevent a data breach,
(iii) inform the Data Protection Board of India and affected persons in the event of a breach, and
(iv) erase personal data as soon as the purpose has been met and retention is no longer necessary for legal purposes (storage limitation).
In the case of government entities, storage limitation and the data principal’s right to erasure will not apply.

Data Protection Board of India

The Data Protection Board of India (“DPB”) is a new authority that will be responsible for enforcing the provisions of the DPDP Bill. The composition of the Board will be specified at a later stage. It will operate as an independent body and function in a manner that is “digital by design”. The Board is tasked with enforcement: it will act upon complaints made by affected individuals, references made by the Central or any State Government, directions issued by courts, or a failure by a data principal to comply with their duties under the law. Appeals against decisions of the Board will lie with the High Courts. The Board also has the power to refer complaints to mediation or other dispute resolution mechanisms.

Penalties

The DPDP Bill prescribes that the DPB has the power to impose financial penalties of up to INR 500 crores in each instance. Since the Bill only prescribes upper limits, it also allows the government to amend the penalties. Notably, both data processors and data fiduciaries that fail to put in place reasonable security safeguards to prevent personal data breaches can be subject to a penalty of up to INR 250 crores. Failure to notify the Board and affected data principals of a personal data breach can lead to a penalty of up to INR 200 crores. Non-fulfilment of the obligations of a Significant Data Fiduciary can lead to a penalty of up to INR 150 crores. Non-fulfilment of obligations in relation to the processing of children’s data can lead to a penalty of up to INR 200 crores, while violation of a data principal’s duties can lead to a penalty of up to INR 10,000.
Breach of any term of a voluntary undertaking accepted by the Board can lead to a penalty up to the extent applicable for the breach in respect of which the proceedings against the entity were instituted, and any other breach of the law can attract a penalty of up to INR 50 crores.

Should you need any clarification or would like to discuss any query related to the said development or generally any aspect related to the Law, please feel free to contact:

Salman Waris,
Partner,
TechLegis Advocates & Solicitors
Email: salman.waris@techlegis.com
Ph: +91-9891427685