India’s proposed data protection law has been a long time in the making. In 2018, a committee of experts constituted by the Indian government issued a first draft of a proposed law on data protection. In late 2019, a revised version of the draft, titled the Personal Data Protection Bill, 2019 (the “PDPB”), was introduced in the Indian Parliament. The PDPB was dogged by controversies, especially on exemptions that were afforded to government agencies, the treatment of anonymised data, data localisation requirements, and regulated cross-border transfers. For a deeper examination of the proposed law, the draft was referred to a Joint Parliamentary Committee that comprised of members of both Houses of the Parliament (“Committee”).
On December 16, 2021, the Committee finally presented the “Report of the Joint Committee on the Personal Data Protection Bill, 2019” (referred to as the “Report”) to the Parliament. The Report substantially consists of the Committee’s overarching recommendations on the PDPB and a revised draft of the PDPB. Now referred to as the Data Protection Bill, 2021 (hereafter, the “Bill”), the updated draft law contains the spirit of its predecessor – that is, it seeks to protect the digital privacy of citizens and create a relationship of trust between individuals and entities processing their data – but also goes several steps further.
Part 2 of this series looks closely at the stakeholders recognised by the PDPB Bill.
The Bill regulates “data fiduciaries” and “data processors”. A “data fiduciary”, much like a data controller under the GDPR, is any person who, either alone or with others, determines the purpose and means of processing personal data. A “data processor” is any person who processes personal data on behalf of a data fiduciary. A “data principal” is the natural person to whom personal data relates.
The Bill establishes the Data Protection Authority of India (“Authority”) to oversee and regulate processing of data. The government has the power to appoint members of the Authority. Members of the selection committee include the Attorney General of India, the Secretary to the Government of India in the Ministry or Department dealing with the Legal Affairs, an independent expert nominated by the government, and Directors of the Indian Institutes of Technology and Indian Institutes of Management. The Authority has wide powers under the Bill, and will, over time, issue regulations to address various operational aspects of the law. The Committee has recommended that the Authority be constituted within three months of the enactment of the law and commence activities within six months.
The Authority has the power to create sub-categories of data fiduciaries called “significant data fiduciaries”, depending on the volume of personal data processed, sensitivity of such data, risk of harm posed by the processing, and the turnover of the data fiduciary. Significant data fiduciaries are subject to enhanced obligations under the Bill and are required to register themselves with the Authority.
Certain types of “social media platforms” (i.e., platforms that primarily enable online interactions between users and allow them to create, disseminate, and modify data and information) may also be categorised as significant data fiduciaries.