Co-authored by Manav Raheja (Senior Partner), Kanisha Vora (Partner), Avadhoot Potnis (Associate)
The Ministry of Electronics and Information Technology released the much-awaited draft Digital Personal Data Protection Bill, 2022 (“Draft Bill”) on 18 November 2022, which is a more concise draft legislation than its previous versions. Following are the key takeaways from the Draft Bill:
The Draft Bill applies to the ‘automated processing of digital Personal Data’, and in addition to the processing of digital Personal Data in India, it also applies to the processing of such data outside India in connection with any profiling of or activity of offering goods/services to Data Principals (any natural person to whom the personal data pertains) within India.
The Draft Bill specifically excludes, inter-alia, non-automated processing of Personal Data, and offline Personal Data. It remains to be seen if separate legislations will be introduced to cover these exclusions.
Further, ‘Personal Data’ has been defined to mean any data about an individual who is identifiable by or in relation to such data. Unlike previous iterations of the bill, Personal Data is not categorized into ‘sensitive’ and ‘critical’ Personal Data.
While consent continues to be the basis for collecting and processing Personal Data, the Draft Bill introduces the concept of deemed consent in certain instances, such as in public interest, in furtherance of applicable laws, for employment purposes, etc.
3. Cross Border Data Transfer
Cross-border transfers of Personal Data can only be undertaken to specific countries which are to be designated by the Central Government, based on the factors which are still to be prescribed.
4. Central Government to make Rules
Rules on various aspects are to be made by the Central Government, such as the fair and reasonable purposes for which Personal Data can be processed without consent, the manner in which data breaches are to be notified by Data Fiduciaries and Data Processors, etc.
There has been a significant change from turnover-based penalties under previous iterations of the Draft Bill to the right of the Data Protection Board to impose penalties from INR 50 crore to INR 500 crore, depending on the nature of the non-compliance. Further, there is no provision for any statutory compensation for any aggrieved Data Principal, as was provided under section 43A of the Information Technology Act, 2000.
Penalties are also now contemplated for breach by Data Principles of their duties (including not furnishing false particulars when applying for any document or service, complying with all applicable laws while exercising rights under the Draft Bill, etc) which can extend up to INR 10,000.
The Central Government may exempt government agencies from the scope of the Draft Bill. The inclusion of Joint Parliamentary Committee’s recommendation that exemptions provided need to be subject to just, fair, reasonable, and proportionate procedures has not been included. Further, wide-ranging exemptions from certain provisions of the Draft Bill have been provided for, inter-alia, prevention of offenses, prevention of dissemination of false statements, and Data Fiduciaries which may be notified.
In addition, it may be noted that a specific exemption has been provided for processing the Personal Data of foreign data principals under a cross-border contract.
The Draft Bill is open for public comments till December 17, 2022. While the Draft Bill appears to be an attempt to provide a simple data privacy regime for India, it would need to be considered along with the prescribed rules, as well as any further iterations pursuant to comments from stakeholders.