India’s proposed data protection law has been a long time in the making. In 2018, a committee of experts constituted by the Indian government issued a first draft of a proposed law on data protection. In late 2019, a revised version of the draft, titled the Personal Data Protection Bill, 2019 (the “PDPB”), was introduced in the Indian Parliament. The PDPB was dogged by controversies, especially on exemptions that were afforded to government agencies, the treatment of anonymised data, data localisation requirements, and regulated cross-border transfers. For a deeper examination of the proposed law, the draft was referred to a Joint Parliamentary Committee comprising members of both Houses of the Parliament (“Committee”).
On December 16, 2021, the Committee finally presented the “Report of the Joint Committee on the Personal Data Protection Bill, 2019” (referred to as the “Report”) to the Parliament. The Report substantially consists of the Committee’s overarching recommendations on the PDPB and a revised draft of the PDPB. Now referred to as the Data Protection Bill, 2021 (hereafter, the “Bill”), the updated draft law contains the spirit of its predecessor – that is, it seeks to protect the digital privacy of citizens and create a relationship of trust between individuals and entities processing their data – but also goes several steps further.
Part 1 of this series looks closely at the “Applicability and Extraterritoriality” aspects of the PDPB Bill.
- Material Applicability: The Bill has a wider scope than the PDPB: it applies to the processing of personal data, sensitive personal data, and non-personal data (which includes personal data that has been anonymised). The change in the title of the proposed law to the “Data Protection Bill, 2021” underscores the Committee’s resistance to distinguishing between personal data and other types of data and information and implementing separate legal frameworks for different types of data.
- Definitions: “Personal data” is defined as data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute, or other feature of the identity of such person. The Bill defines “non-personal data” to mean any data other than personal data. Significantly, several provisions of the Bill apply to non-personal data, and the scope of the Authority’s powers now extends to the regulation of the processing of non-personal data. The Bill also regulates the processing of “sensitive personal data”, a subset of personal data that includes, among other categories, financial data, health data, sexual orientation, and biometric data. The government may, in consultation with the Authority, expand this list. Separately, the Bill imposes certain restrictions on the processing of “critical personal data”. At this stage, the contours of the scope of critical personal data remain unclear. The government has the right to create and modify this category of data.
- Territorial Applicability: The Bill applies to:
(a) the processing of personal data within India, where such data has been collected, stored, disclosed, shared, or otherwise processed within India;
(b) the processing of personal data by any person under Indian law; and
(c) the processing of personal data by data fiduciaries or data processors not present within India if the processing is in connection with any:
(i) business carried out in India, or any systematic activity of offering goods or services to data principals within India; or
(ii) activity that involves the profiling of data principals in India.
Key Divergence from the PDPB
The draft law will now extend to the processing of “non-personal” data: a wide category that includes all data that is not personal data. This approach echoes recent policy initiatives to regulate non-personal data.
EXEMPTIONS TO APPLICABILITY
- Government Agencies:
The Bill permits the government to exempt any government agency from the applicability of its provisions (a) in the interest of the sovereignty or integrity of India, security of the state, friendly relations with foreign states, or public order, or (b) for preventing any incitement to the commission of any cognisable offence relating to the sovereignty or integrity of India, security of the state, friendly relations with foreign states, or public order. The exercise of this right must be in accordance with just, fair, reasonable, and proportionate procedures and will be subject to safeguards and oversight mechanisms prescribed by the government.
- Contravention of Law, Legal and Judicial Proceedings, Personal or Domestic Use, and Journalistic Purposes:
Certain provisions of the Bill will not apply to processing of personal data if the processing is:
(a) in the interests of prevention, detection, investigation, and prosecution of any offence or any contravention of any law;
(b) necessary for enforcing any legal rights or related claims, seeking relief, defending charges, opposing claims, or obtaining advice from legal counsel in impending legal proceedings;
(c) by any court or tribunal for the exercise of judicial functions;
(d) by a natural person for personal or domestic purposes, except where the processing involves disclosure to the public, or is undertaken in connection with any professional or commercial activity; or
(e) necessary for or relevant to a journalistic purpose, and such processing is compliant with rules and regulations issued under the Bill and any code of ethics issued by the Press Council of India or any statutory media regulatory organisation.
- Processing Data of Data Principals Outside India:
The Bill allows the Indian government to exempt the processing of personal data of data principals outside India by data processors (or a class of data processors) incorporated in India who process such data pursuant to a contract with a person outside India.
- Research, Archival, or Statistical Purposes:
The Authority has the right to conditionally exempt processing of personal data under classes of research, archiving, or statistical purposes from the provisions of the Bill.
- Non-Automated Processing by Small Entities:
Non-automated processing by small entities (i.e., entities that fall within a particular category classified by the Authority) is granted limited exemptions from certain provisions of the Bill.
- Data Fiduciaries and Start-Ups Included in Regulatory Sandbox:
The Authority may create a regulatory sandbox to encourage innovation in AI, machine learning, or other emerging technology in the public interest. Certain provisions of the Bill will not apply to organisations that are a part of the sandbox.
Key Divergence from the PDPB
The government’s right to exempt government agencies from the provisions of the Bill has not been without controversy. Recognising a need for the constitutionally guaranteed fundamental right of privacy to be upheld, the Committee has introduced language that requires any exercise of this right to be in accordance with just, fair, reasonable, and proportionate procedures.