On November 18, 2022, the Ministry of Electronics and Information Technology (“MeitY”) released a new version of India’s data protection bill. Titled the Digital Personal Data Protection Bill, 2022 (“DPDPB”), the document is the fourth iteration in a long series of draft laws. After considerable debate and apprehension over the last few versions, the DPDPB adopts a simpler and more business-friendly approach, while largely upholding the spirit of its predecessors. We provide a short summary of some of the standout provisions of the draft law.
Consent is – and, in line with previous iterations, continues to remain – the primary ground for processing personal data. However, the DPDPB now includes the concept of “deemed consent”, a broad concept that includes other grounds for processing personal data. Effectively, a data principal is deemed to have given consent for the processing of their personal data if (a) such data has been shared voluntarily, (b) the processing activity is necessary for the provision of any service or benefit by the State, (c) the processing is necessary for compliance with any law or judgment, (d) the processing is necessary for responding to a medical emergency or for providing medical treatment, (e) the processing is in connection with employment purposes, or (f) the processing is necessary for ensuring public safety and public interest. In our view, “other grounds of processing personal data” may be a more appropriate term than “deemed consent”. In addition, the government has the right to prescribe additional grounds for processing, after considering whether the legitimate interests of businesses outweigh an adverse impact to data principals, public interest in the processing activity, and reasonable expectations of data principals in the context of the processing activity.
Data fiduciaries – that is, persons who alone or in conjunction with others determine the purposes and means of processing personal data – are obliged to provide data principals with information notices about processing activities. Significantly, such notices must be made available in English as well as the 22 Indian languages listed in the Eighth Schedule of the Indian Constitution. While a welcome move in respect of India’s diverse internet user base, this will have an impact on the way businesses operate, increase operational costs for translations, and raise interesting questions on addressing conflicts that may arise between different versions of notices.
Controversially, previous iterations of the law required varying degrees of localisation. Mildly reassuring for businesses in India, the DPDPB does not contain a localisation requirement. However, with a few exceptions for public interest, enforcement actions, and law and order, cross-border transfers may now only occur on the basis of adequacy decisions issued by the Indian government, with no concepts of contractual measures or other safeguards. There are presently no indications on the jurisdictions that may fall within the scope of adequacy.
The Data Protection Board of India (“Board”) is a new authority that will be responsible for enforcing the provisions of the DPDPB. The composition of the Board will be specified at a later stage. It will operate as an independent body and function in a manner that is “digital by design”. The Board is tasked with enforcement: it will act upon complaints made by affected individuals, references made by the Central or any State Government, directions issued by courts, or a failure by a data principal to comply with their obligations under the law. Appeals against the decision of the Board will lie with High Courts. The Board also has the power to refer complaints to mediation or other dispute resolution mechanisms.
The Board has the power to impose financial penalties of up to INR 500 crores in each instance if it determines that non-compliance by an individual or entity is significant in nature. Notably, penalties may also be imposed on data principals for a breach of their obligations under the DPDPB.
The language of and the obligations imposed by the DPDPB are simpler than those of its predecessors. MeitY has, no doubt, carefully considered the concerns surrounding the enactment of this long-awaited law, including those on localisation, a consent-heavy architecture, and enhanced compliance obligations that could potentially raise barriers to entry for smaller and mid-size businesses. This is a welcome move for businesses, but raises questions on safeguards available to data principals, especially in the context of non-digital data and the risk of being subject to penalties. Feedback on the draft law may be submitted to MeitY by December 17, 2022.
Please reach out to Mathew Chacko and Aadya Misra for queries.