A new version (the “23 Draft”) of India’s long-awaited digital personal data protection law (“DPDP”) is being moved for consideration and passing in the Lok Sabha today, i.e., August 7, 2023. Meanwhile, the 23 draft is currently available on the Lok Sabha’s website in ‘Bill’ form.
Part I: DPDP – Legislative Status and Possibilities
The Lok Sabha is the ‘lower house’ of India’s bicameral legislature. If and when the 23 Draft is passed there (with or without changes), DPDP will be sent to the Rajya Sabha – the ‘upper house’ of parliament – where it will be laid ‘on the table’ in the same form as passed in the lower house.
While a ‘Bill’ remains a draft statute, it is capable of becoming law pursuant to approval from both houses, followed by presidential assent. Subsequently, the new DPDP Bill may come into force (as an ‘Act of Parliament’) on a date appointed by the central government via notification in India’s official gazette. The Ministry of Electronics and Information Technology (“MeitY”), being the nodal ministry in this regard, will represent the central government for the purpose of DPDP and data protection in general.
Late last week, during the parliament’s ongoing monsoon session, the 23 Draft was introduced by the Union Minister of MeitY in the Lok Sabha for the first time – although other attempts at formulating a dedicated data protection law (in draft form) have been tabled in (and retracted from) parliament in the past.
For instance, a previous legislative proposal in this regard – called the Personal Data Protection Bill (“PDP 19”) – had been introduced before the Lok Sabha back in December 2019. Along with its parliamentary introduction, PDP 19 had also been referred to a joint committee, which managed to submit its report only two years later (in December 2021), after 78 sittings conducted through the pandemic. Mainly on account of the large number of changes recommended by such joint committee, PDP 19 had to be ultimately withdrawn – exactly one year before the 23 Draft was introduced in the Lok Sabha, on August 3.
Accordingly, while the 23 Draft has indeed been tabled in Bill form, and although it is currently being moved in the Lok Sabha, it is nevertheless possible that – like with PDP 19 in the past – the new version will also be referred to a parliamentary committee for further consideration. However, there is also a strong possibility that this may not happen now, including on account of the rudimentary form that DPDP bears compared to its prior iterations – such as PDP 19.
The first reading
The first reading refers to a motion for leave in terms of introducing a Bill before a particular house. Once this has been adopted, such Bill is introduced in that house. Thus, the first reading with respect to the 23 Draft has already been completed – last Thursday, in the Lok Sabha.
The second reading
The second reading of DPDP, as scheduled for today, will comprise two stages: the first stage will involve a discussion on the principles and provisions of the 23 Draft on the basis of a motion that the corresponding Bill ought to be taken into consideration. Next, the second stage will involve a clause-by-clause review of the 23 Draft, as introduced in the Lok Sabha on August 3, 2023.
The third reading
Lastly, the third reading will involve the discussion on the motion that the Bill be passed in the lower house (with or without amendments) before being forwarded to the upper house in its final form for the latter’s consideration.
On the other hand, although unlikely, in the first stage itself, the 23 Draft may be referred to either a select committee of the Lok Sabha or a joint committee of both houses of parliament (with the concurrence of the Rajya Sabha). Alternatively, the draft may also be circulated for the purpose of obtaining additional opinions on it.
However, each of such scenarios as described above appears unlikely right now – given that DPDP is a culmination of several rounds of recommendation from both select and joint parliamentary committees in the recent past – whether with respect to PDP 19 or its earlier versions – such as the Personal Data Protection Bill of 2018 (“PDP 18”), a draft of which had been presented by an expert committee to MeitY in July that year.
Further, according to the list of business circulated by the Lok Sabha’s secretariat for today, the 23 Draft appears to have already been earmarked for consideration and passing under Rule 377 (‘Raising a matter which is not a point of order’) – which, in turn, relates to one of several procedures in connection with how the Lok Sabha conducts its business.
In addition, in the event that the Bill does get referred to a standing committee, the latter is likely to approve and/or return it without delay – given that media reports claimed that a panel on communications and information technology appeared to have been familiar with an advanced copy of a revised version of the law since March this year, pursuant to which the parliamentary committee managed to adopt and table a favorable report on a draft that had been previously approved by India’s Union Cabinet. In fact, the standing committee adopted its report only a few days ago during the current monsoon session – despite strong internal opposition and dissent – eventually recommending the Bill’s expeditious passing into law.
Furthermore, the 23 Draft is already a revised version of a previous DPDP draft (the “22 Draft”), the latter of which has not only remained in the public domain for comments since its release on MeitY’s website last November, but has also received extensive feedback pursuant to stakeholder consultations.
In light of the above, while the 23 Draft contains several incremental changes relative to the 22 Draft, some of these differences may prove more significant than others in the long run.
A detailed analysis of the 23 Draft, along with an in-depth comparison relative to its predecessor, will be released soon. Meanwhile, a few key takeaways from the current version, including in respect of major changes incorporated to the 22 Draft, are highlighted below.
Part II: Key Changes in the 23 Draft Relative to the 22 Draft
Data ‘processing’ has been re-defined
The revised definition may now expressly cover processing activities which involve some amount of human intervention and/or prompts.
Accordingly, most modern business operations involving personal data in digital form (even if collected manually and then digitized later) may now be subsumed under the 23 Draft.
A separate definition for ‘specified purpose’ has been inserted
A renewed emphasis on a ‘specified purpose’ suggests that notices need to be drafted carefully, keeping in mind all future processing activities and requirements.
Relatedly, prospective data processing tasks need to be adequately planned for, and specified well in advance (i.e., prior to giving notice and seeking consent).
Added emphasis on the role of ‘consent manager’
Obligations parallel to those of ‘data fiduciaries’ have been imposed upon consent managers in terms of grievance redressal.
Special requirement for consents from persons with disability
Where persons with disability are involved, the applicable ‘data principal’ will include a lawful guardian acting on their behalf.
‘Digital office’ has been defined
While the 23 Act now clarifies that the Data Protection Board of India (“DPBI”) will deal with the receipt of complaints and remain responsible for the allocation, hearing and pronouncement of decisions, a newly added definition of a ‘digital office’ may provide greater clarity about the DPBI’s role.
A similar role has also been envisaged for appeals.
However, given that the DPBI’s functions appear to be limited to the determination of non-compliance and imposition of penalties, purely digital modes of dispute resolution might become complicated in the future.
Further, the 23 Draft clarifies that the DPBI will be a body corporate.
An appellate tribunal has been provided for
The Telecom Disputes Settlement and Appellate Tribunal (“TDSAT”) (as established under the Telecom Regulatory Authority of India Act, 1997) will serve as the appellate tribunal under DPDP.
Earlier, under the 22 Draft, appeals against DPBI orders lay before a High Court.
Now, such appeals are required to be made before TDSAT.
Clarification on necessary qualifications, term of office, disqualification, resignation, etc. of DPBI members
Previously, the 22 Draft did not specify these parameters and left it to the central government to formulate rules on.
However, the 23 Draft repairs this vacuum, including by requiring the DPBI’s chairperson and members to possess special knowledge/practical experience in data governance, consumer protection, dispute resolution, ICT, digital economy, law, techno-regulation, etc.
Such subject-matter expertise may improve the quality of the board’s functioning.
Grievance redressal/dispute resolution may suffer additional delays
Under the 22 Draft, an individual who was not satisfied with the data fiduciary’s response to a stated grievance, or who did not receive a response within seven days, could register a complaint with the DPBI.
However, the 23 Draft has clarified that an individual can only approach the DPBI after exhausting the grievance redressal mechanism available with the data fiduciary or consent manager.
Principles of ‘purpose limitation’ and ‘necessity’ have been introduced
These are likely intended to act as additional safeguards for the purpose of restricting disproportionate data processing.
Accordingly, data processing can only be done for the purpose specified in the notice and must be limited to only such data as is necessary for that purpose alone.
The definition of ‘harm’ has been removed
While the 23 Draft does not define ‘harm’, its provision on children’s data is similar to the one in the 22 Draft.
The 22 Draft had prohibited the processing of personal data that was likely to cause ‘harm’ to a child.
The equivalent provision in the 23 Draft prohibits data processing when it is likely to cause a ‘detrimental effect on the well-being of a child’.
However, it is not clear what such effects may be, and no separate guidance on ‘detriment’ has been provided.
The definition of ‘public interest’ has been removed
However, ‘public interest’ as a ground for ‘deemed consents’ has been removed too.
Subsequent rules framed under DPDP may include references to ‘public interest’ without any indicative guidance about what the term includes (or excludes).
Accordingly, grounds listed under the erstwhile definition of ‘public interest’ (as contained in the 22 Draft) may need to be kept in mind to prevent situations of penalty through subsequent regulation.
Such grounds may be especially relevant for social, online and news media platforms; technology companies; microblogging sites; as well as significant data fiduciaries and social media intermediaries.
Publicly available information has been expressly excluded from the ambit of data protection
Accordingly, such information is likely to be used by businesses, AI platforms, ML technologies, online intermediaries, social media platforms, website aggregators, etc.
Public data may be used for the purpose of training, analytics, evaluation, targeted advertising, profiling, and other forms of commercial exploitation.
Individual ‘profiling’ has been excluded from the scope of extraterritorial application
Thus, ‘Big Data’ analytics for evaluative and targeting purposes can continue as before.
Further, the use of third-party cookies – including those used by data brokers, analytics firms and ‘ad-tech’ platforms may also be permitted, especially if the processing is done extraterritorially.
This may be particularly relevant for technology companies, including social media platforms and website aggregators, which have ‘persistent identifiers’ to track consumer behavior.
Certain erstwhile grounds for non-applicability of DPDP have been removed
Such erstwhile grounds related to ‘non-automated’ processing, ‘offline’ personal information and individual-specific data contained in old records (over 100 years old).
Notice and consent requirements have been made more stringent
‘Consent’ under DPDP 23 has to be unconditional.
A ‘notice’ must now include additional information on:
- how an individual may exercise their right to withdraw consent;
- the right of grievance redressal; and
- how to file a complaint with the DPBI.
What happens when an individual’s consent has been obtained before DPDP takes effect?
In this context, the 23 Draft clarifies that a data fiduciary may continue to process personal data until and unless the corresponding individual withdraws their consent.
In the same situation, the 22 Draft had previously required a data fiduciary to give the corresponding data principal an itemized notice in plain language with a description of the data collected, as well as the purpose for which such data had been processed, as soon as it was reasonably practicable to do so.
An erstwhile provision on ‘deemed consent’ has been replaced with one on ‘legitimate use’
In both versions of DPDP, this clause deals with situations where consent does not form the legal basis for processing personal data.
While an individual’s voluntary action with respect to providing their personal data still allows for processing to proceed on that basis, the same individual will now have the right to specify the particular purpose for which their data is being provided.
Moreover, if that individual indicates that they do not give consent for the use of their data for certain other purposes, data processing will not be permitted for such other purposes.
Despite the illustration provided in the 23 Draft, it is not very clear how individuals in diverse situations may indicate the absence of consent for such ‘other purposes’ in all instances, especially when the data is voluntarily provided to an entity that offers multiple services and/or operates in several contexts.
Other changes under ‘deemed consent’/‘legitimate use’
Erstwhile subclauses with respect to (i) ‘public interest’ and (ii) ‘fair and reasonable purpose’ under the provision on deemed consent/legitimate use have been removed.
While the former had made the provision susceptible to expansive interpretation, the latter’s removal may now limit the provision’s scope and/or compromise the understanding of ‘legitimate use’.
Contractual appointments of data processors are required in limited situations only
Now, appointments with respect to data processing on behalf of a data fiduciary is required to be made under a valid contract only when such processing is done in connection with activities that are related to the offering of goods or services to individuals.
An added obligation to ensure data ‘consistency’ has been imposed upon data fiduciaries
Where the personal data processed by one is likely to be disclosed to another data fiduciary, the former will be required to ensure the ‘consistency’ of such data – along with its completeness and accuracy, as required earlier.
Data Fiduciaries may be responsible for data processors too
Previously, the 22 Draft appeared to suggest that each data fiduciary and each data processor, respectively, would be severally/individually responsible to protect personal data to prevent breaches.
However, the 23 Draft seems to indicate that the data fiduciary alone will be responsible in all such situations, including those of breach.
Anonymization alone may not be enough for data fiduciaries to comply with the principle of purpose limitation and/or data minimization
Earlier, under the 22 Draft, a data fiduciary could remove the means through which personal data could be associated with specific individuals (or, alternatively, could altogether cease retention) in order to remain in compliance with the law.
Now, the 23 Draft has removed the first option.
Accordingly, a data fiduciary must not only itself erase the data in prescribed conditions, but must also cause its data processor to erase the data which it made available to the latter for processing purposes.
Data non-retention requirements have been expanded upon
Under the 22 Draft, either of two options between: (1) non-retention and (2) anonymization, respectively, with regard to collected data was permissible if: (i) the purpose of data collection was no longer being served by retaining such data; and (ii) retention was no longer necessary for prescribed purposes.
However, barring one expressly exempted situation (discussed below), a data fiduciary may now be obliged to erase such data at the earlier of two possible events: (i) when an individual withdraws their consent; or (ii) as soon as it is reasonable to assume that the specified purpose is no longer being served.
The ‘necessity’ requirement with respect to retaining personal data has now been limited to reasons of legal compliance only
Earlier, the 22 Draft allowed data fiduciaries to retain personal information if it was necessary to do so for business reasons (other than legal ones).
However, the 23 Draft now omits the ‘business purpose’ exemption and instead allows data fiduciaries to retain personal information only in order to remain in compliance with the law.
The precise understanding about when a ‘specified purpose’ for data processing is ‘no longer being served’ has been clarified
The 23 Draft clarifies that such ‘specified purpose’ will be deemed to no longer being served in a given set of circumstances.
Thus, the principle of ‘purpose limitation’ in terms of erasing personal data will now get triggered when the individual concerned either does not: (i) approach the data fiduciary for performance of the specified purpose; or (ii) exercise their rights with respect to such processing for a prescribed time-period.
Further, an individual will be considered as not having approached a data fiduciary for the performance of the specified purpose if the former does not initiate contact with the latter for such performance – whether in person or via electronic/physical communications.
Greater flexibility in terms of processing children’s data
A new clause has been added in the 23 Draft which suggests that, if satisfied that a particular data fiduciary processes children’s personal data safely, the central government may notify a separate age (presumably below 18 years) in terms of the future processing obligations for that data fiduciary.
Accordingly, with respect to individuals above such notified age (e.g., 16), such data fiduciary will be exempt from the additional obligations related to processing children’s data.
Importantly, such exemption may extend to tracking, behavioral monitoring and targeted advertising.
Earlier, the 22 Draft did state in its clause on exemptions that the central government may, via notification, exempt certain data fiduciaries from certain DPDP provisions – including those on additional obligations related to children’s data and SDFs.
The evaluative parameters for making Significant Data Fiduciary (“SDF”) classifications have been further broadened
Earlier, among other listed factors, the government could conduct an assessment about SDF notifications based on the risk of harm to an individual.
Under the 23 Draft, the same factor has been widened to include risks to all individual rights.
Thus, the higher standard of risk that ‘harm’ earlier implied need not apply any more.
As long as data processing activities are perceived as risky by the government with respect to an individual right (but not necessarily considered ‘harmful’), it may classify the concerned entity as an SDF.
Data provided voluntarily but non-consensually will also provide rights
A new subclause in the 23 Draft explicitly clarifies that such instances will also be eligible for an individual to exercise the right to obtain information about the processing of their personal data.
More party autonomy in alternative dispute resolution (“ADR”)
The 22 Draft had suggested mediation by a body of persons designated by the DPBI itself.
However, the 23 Draft expressly envisages that such ADR process may be conducted by mediators chosen by the disputing parties themselves via mutual agreement.
Cross-border data transfers
The 23 Draft marks a shift from the erstwhile ‘whitelisting’ approach to allow cross-border data flows to any country/territory unless the latter has been expressly blacklisted.
However, if any other Indian law provides a higher threshold for protection, or restricts such cross-border data transfers in general, that other law will prevail.
Certain additional exemptions have been provided in the 23 Draft
Even in the absence of prior government notification, certain additional instances of exemption have been provided under the 23 Draft compared to the 22 Draft, such as:
- When processing is necessary for:
- a scheme of compromise or arrangement, or
- merger/amalgamation of two or more companies, or
- a reconstruction by way of demerger or otherwise, or
- transfer of undertaking of one or more companies to another, or
- involving a division of one or more companies
(as approved by a court or tribunal or other competent authority)
Earlier, the 22 Draft had addressed such similar situations under ‘public interest’ grounds within the ambit of ‘deemed consents’.
- When processing is done for the purpose of ascertaining the financial information and/or assets and liabilities of a person who has defaulted in payments which are due on account of a loan or advance taken from a financial institution – as long as, however, such processing is done in accordance with the provisions regarding disclosure of information under any other law.
Earlier, the 22 Draft addressed data processing related to debt recovery under ‘public interest’ grounds within the ambit of ‘deemed consents’.
The 22 Draft had already authorized the central government, pursuant to the latter’s assessment of the volume and nature of personal data processed, to exempt via notification certain data fiduciaries (or a class of data fiduciaries) with respect to various requirements under DPDP, such as those related to: giving notice prior to data processing; certain general obligations of data fiduciaries; additional obligations related to SDFs and processing children’s data, respectively; along with an individual’s right to information.
The 23 Draft has now added start-ups incorporated in India to this category of (potentially) exempted beneficiaries via governmental notification.
In this regard, the 23 Draft defines a ‘start-up’ as an eligible and recognized private limited company, partnership firm or limited liability partnership (incorporated in India in all cases), as notified by the appropriate governmental department pursuant to prescribed criteria and processes.
Additional exemptions for the government
The central government has now been exempted from liability for acts done in good faith.
The central government has wide powers to call for information
Pursuant to a newly added clause in the 23 Draft, the central government may require the DPBI and any data fiduciary or intermediary to furnish such information as it may call for.
The maximum financial penalty has been reduced from INR 5 billion to INR 2.5 billion.
This insight has been authored by Deborshi Barat (Counsel); he can be reached at email@example.com for any questions. This insight is intended only as a general discussion of issues and is not intended for any solicitation of work. It should not be regarded as legal advice and no legal or business decision should be based on its content.