Month: July 2023

It appears that India’s Digital Personal Data Protection Bill (“DPDP”) is poised for consideration during the Lok Sabha’s ongoing monsoon session. Present reports about such proceedings suggest that despite strong dissent from the minority, a standing committee managed to adopt a draft report on DPDP just yesterday through a majority vote. Other pressing matters notwithstanding, since the monsoon session is scheduled to last until August 11, the government may get the draft law passed, after all.
Pursuant to Section 11 of DPDP, the central government (“CG”) can classify any company or other entity as a ‘significant data fiduciary’ (“SDF”) based on its own assessment of certain listed factors, which include the volume and sensitivity of personal data processed, as well as the risk of harm to individuals related to such data (“Factors”).
Importantly, special obligations apply to SDFs, in addition to the ones which all data fiduciaries must abide by. Thus, understanding the implications of each prescribed Factor becomes important. However, DPDP itself does not provide much clarity. With regard to ‘sensitivity’, for example, neither does DPDP define the term nor separately explain ‘sensitive personal data/information’ (“SPDI”).
Nevertheless, concerned entities could interpret the term in light of provisions related to SPDI under other laws and proposals – including the SPDI rules and DPDP’s past avatars. Further, given that GDPR had heavily influenced such prior drafts, the EU’s provisions may provide additional interpretive guidance.

Under Section 11 of India’s Digital Personal Data Protection Bill (“DPDP”), the central government (as opposed to a data protection authority) is authorized to notify ‘data fiduciaries’ (“DFs”) as ‘significant’ DFs (“SDFs”).
A DF can be any person who – either alone or in conjunction with others – determines the purpose and means of processing personal data. Individuals, companies, firms or any artificial juristic person may be considered a DF under DPDP. However, SDFs need to comply with additional obligations, over and above those prescribed for DFs in general. Such general obligations may include those listed under the IT Act and its rules.
Past iterations of DPDP had contained references to SDFs as well (although General Data Protection Regulation (“GDPR does not have an exact equivalent). In addition, some such prior versions had classified other types of DFs, such as: (i) ‘guardian’ DFs (“GDFs”) (in respect of children’s data, similar to the U.S.’s COPPA); and (ii) social media intermediaries (“SMIs”).
However, DPDP obliterates such latter categories, to the extent that GDFs and SMIs may now be subsumed under SDFs. Moreover, erstwhile SMI-specific parameters have been added to those applicable for SDF assessments. Nevertheless, since DPDP contains only a sparse description of SDF obligations in its present avatar, added requirements may be specified later. Meanwhile, DFs may want to check how such obligations were detailed in the past. Accordingly, in this note, we discuss DPDP’s provisions on SDFs with reference to existing law and past legislative proposals.

Last week, India’s Union Cabinet approved a revised version (the “2023 Draft”) of the Digital Personal Data Protection Bill (“DPDP”), which proposes to replace the country’s existing data protection framework.
Pursuant to extensive feedback received on a November 2022 draft (the “2022 Draft”), it now appears that the 2023 Draft of DPDP is ready for parliamentary deliberation during the monsoon session, scheduled between July 20 and August 11.
While several bills in this regard were drafted in the past, and various attempts have been made over the last decade to address privacy and data protection in India, the present instance may prove different on account of DPDP’s rudimentary form relative to previous iterations.
In this note, we unpack and discuss the statutory definition of personal data under the 2022 Draft. Our analysis is in light of GDPR provisions. Importantly, Section 4 of DPDP limits the latter’s operation to the processing of digital personal data. This is the first time that an Indian legislative proposal has expressly clarified such limitation.

Artificial Intelligence (“AI”), and generative AI applications in particular (e.g., ChatGPT), may revolutionize vast sections of the global economy. Significantly, this change could occur sooner than expected. On account of its ability to understand and process natural language, generative AI can perform a diverse set of tasks that consume a majority of human work time, thereby adding unprecedented value across sectors.
However, it is also important to account for adverse consequences. After all, AI can be deployed to infringe upon privacy, cause socio-political disruptions, generate biased outputs, and violate intellectual property rights (“IPRs”).
Nevertheless, India’s stance on regulating AI remains ambiguous. While the Ministry of Electronics and Information Technology was reluctant to introduce AI-specific laws at first, subsequent reports indicate that individuals may be ‘protected’ against harmful deployment. Accordingly, limits on AI use may be articulated under the proposed Digital India Act, including through the prism of user safety.
In this note, we analyze cross-jurisdictional developments for the purpose of exploring a viable regulatory template. While India’s approach should foster innovation and growth, it should not sacrifice individual and collective rights. At any rate, the risks associated with generative AI need to be recognized upfront, including for the purpose of designing India’s new digital regime.