In November 2022, the government published a draft of its new data protection law, the Digital Personal Data Protection Bill, 2022 (DPDPB). The DPDPB’s predecessors were the subject of controversy, including concerns over localisation, government access to data, over-reliance on consent as a ground of processing and obligations and penalties that would impact a thriving startup culture.
In the DPDPB, the government attempts to tackle some of these issues, with varying degrees of success. The draft provides a framework, with various rights and powers delegated to the government. This may ruffle more feathers than it soothes, with excessive delegation a particular focus of controversy.
From an industry perspective, the DPDPB adopts a sector-agnostic, business-friendly approach. Compliance obligations are, compared to previous versions, relatively simple. The DPDPB applies only to the automated processing of digital personal data and personal data collected offline that is later digitised. While the law does not recognise sensitive personal data as a category, the government may classify businesses as significant data fiduciaries based on, among other factors, the volume and sensitivity of the data they process. Significant data fiduciaries are subject to additional compliance obligations, including ensuring that data protection officers are based in India.
Consent remains the main ground to allow the processing of personal data. However, the DPDPB provides other grounds to permit this. Notably, individuals are deemed to have consented if they voluntarily provide their personal data. The law permits the processing of personal data for employment-related purposes, for public interest purposes such as fraud detection, credit scoring, corporate restructuring transactions undertaken under law and network and information security. In a first, the government may prescribe additional grounds for processing based on the legitimate interests of data fiduciaries.
While publishing privacy policies is a requirement under existing laws, the DPDPB goes further. Notices, as well as requests for consent where businesses rely on consent as a ground for processing, must be made available in English and the 22 Indian languages. Notices must clearly specify each category of personal data to be processed, together with the reasons for processing. They must be made available to data principals whose personal data was collected prior to the commencement of the law. This inclusion will ensure data principals remain adequately informed of how their data is treated.
The government has softened its earlier stance on localisation. While personal data no longer has to be stored in India, they may only be transferred to jurisdictions that are deemed adequate by the government. The DPDPB does not provide any exceptions for other safeguards, such as contracts or approved intra-group data transfer schemes. The government has yet to clarify the criteria to determine adequacy. Adequacy will be at the forefront of issues that have to be resolved before the draft law is enacted.
The DPDPB does not prescribe security standards but requires businesses to implement reasonable security safeguards to prevent personal data breaches. Both data fiduciaries and data processors must report all personal data breaches, with no exceptions based on degrees of harm, to the Data Protection Board of India that will be established by the government, as well as to affected data subjects. The government will prescribe the means and other terms, including timelines, for reporting such incidents. Non-compliance is punishable with the highest penalties under the DPDPB of up to INR2.5 billion (USD30.7 million) for a failure to implement security safeguards and INR2 billion for a failure to report breaches. The DPDPB is silent on how these requirements will be married to existing breach notification obligations. Penalties under the DPDPB are among the highest in India, with fines of up to INR5 billion. While the draft does not impose criminal sanctions for non-compliance, the financial penalties will force businesses to update existing practices to ensure compliance.
The DPDPB has not been finalised. In a welcome move, the government encourages feedback before 17 December 2022. Questions and observations are welcome before further commentary.
Mathew Chacko is the managing partner, Aadya Misra is a senior associate and Shambhavi Mishra is an associate at Spice Route Legal. Ada Shaharbanu, an associate, also contributed to the article.