Personal Data Protection Bill

The Importance of Being ‘Significant’: Significant Data Fiduciaries Under India’s Proposed Data Protection Regime

Under Section 11 of India’s Digital Personal Data Protection Bill (“DPDP”), the central government (as opposed to a data protection authority) is authorized to notify ‘data fiduciaries’ (“DFs”) as ‘significant’ DFs (“SDFs”).
A DF can be any person who – either alone or in conjunction with others – determines the purpose and means of processing personal data. Individuals, companies, firms or any artificial juristic person may be considered a DF under DPDP. However, SDFs need to comply with additional obligations, over and above those prescribed for DFs in general. Such general obligations may include those listed under the IT Act and its rules.
Past iterations of DPDP had contained references to SDFs as well (although the General Data Protection Regulation (“GDPR”) does not have an exact equivalent). In addition, some such prior versions had classified other types of DFs, such as: (i) ‘guardian’ DFs (“GDFs”) (in respect of children’s data, similar to the U.S.’s COPPA); and (ii) social media intermediaries (“SMIs”).
However, DPDP obliterates such latter categories, to the extent that GDFs and SMIs may now be subsumed under SDFs. Moreover, erstwhile SMI-specific parameters have been added to those applicable for SDF assessments. Nevertheless, since DPDP contains only a sparse description of SDF obligations in its present avatar, added requirements may be specified later. Meanwhile, DFs may want to check how such obligations were detailed in the past. Accordingly, in this note, we discuss DPDP’s provisions on SDFs with reference to existing law and past legislative proposals.

Personal Data

Defining the Scope of ‘Personal Data’ in Digital India

Last week, India’s Union Cabinet approved a revised version (the “2023 Draft”) of the Digital Personal Data Protection Bill (“DPDP”), which proposes to replace the country’s existing data protection framework.
Pursuant to extensive feedback received on a November 2022 draft (the “2022 Draft”), it now appears that the 2023 Draft of DPDP is ready for parliamentary deliberation during the monsoon session, scheduled between July 20 and August 11.
While several bills in this regard were drafted in the past, and various attempts have been made over the last decade to address privacy and data protection in India, the present instance may prove different on account of DPDP’s rudimentary form relative to previous iterations.
In this note, we unpack and discuss the statutory definition of personal data under the 2022 Draft. Our analysis is in light of GDPR provisions. Importantly, Section 4 of DPDP limits the latter’s operation to the processing of digital personal data. This is the first time that an Indian legislative proposal has expressly clarified such limitation.

Listing Obligations and Disclosure Requirements

SEBI Tightens Governance Norms for Listed Entities

On June 14, 2023, the SEBI tightened governance requirements for listed entities by amending the Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015. One of the key changes brought about by the SEBI is to the disclosure regime under Regulation 30 of the LODR Regulations, which will become effective on July 14, 2023. This note discusses these changes and their implications.

Regulating Artificial Intelligence in India

Regulating Artificial Intelligence in India: Challenges and Considerations

Artificial Intelligence (“AI”), and generative AI applications in particular (e.g., ChatGPT), may revolutionize vast sections of the global economy. Significantly, this change could occur sooner than expected. On account of its ability to understand and process natural language, generative AI can perform a diverse set of tasks that consume a majority of human work time, thereby adding unprecedented value across sectors.
However, it is also important to account for adverse consequences. After all, AI can be deployed to infringe upon privacy, cause socio-political disruptions, generate biased outputs, and violate intellectual property rights (“IPRs”).
Nevertheless, India’s stance on regulating AI remains ambiguous. While the Ministry of Electronics and Information Technology was reluctant to introduce AI-specific laws at first, subsequent reports indicate that individuals may be ‘protected’ against harmful deployment. Accordingly, limits on AI use may be articulated under the proposed Digital India Act, including through the prism of user safety.
In this note, we analyze cross-jurisdictional developments for the purpose of exploring a viable regulatory template. While India’s approach should foster innovation and growth, it should not sacrifice individual and collective rights. At any rate, the risks associated with generative AI need to be recognized upfront, including for the purpose of designing India’s new digital regime.

SEBI Listing Regulations

Recent Amendments to the SEBI Listing Regulations: Additional Disclosure of Agreements and Special Rights to Shareholders

On June 14, 2023, the SEBI introduced certain amendments to the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015, including in relation to disclosure of agreements entered into by or in relation to listed companies and approval by shareholders for special rights granted to shareholders.
While the amendments aim to create a more robust compliance framework and increase transparency and accountability of listed entities, they are likely to lead to additional compliance burden for listed entities and reduce flexibility to shareholders to enter into inter-se arrangements.

Competition Approval in Insolvency Resolutions

Timing of Competition Approval in Insolvency Resolutions: A Need for Greater Clarity in the IBC

The Insolvency and Bankruptcy Code 2016 requires a successful resolution applicant to obtain regulatory approvals for the implementation of a resolution plan. The exact stage at which such regulatory approvals are required was not clear until a new Section 31(4) was introduced by the Insolvency and Bankruptcy Code (Second Amendment) Act, 2018, which required the necessary regulatory approvals to be obtained within a period of one year from the date of approval of the resolution plan by the National Company Law Tribunal (“Tribunal”) or within such period as provided for in the applicable law, whichever is later.
However, a proviso to Section 31(4) lays down that where the resolution plan contains a provision for combination under the Competition Act, 2002, the resolution applicant is required to obtain the approval of the CCI prior to the approval of such resolution plan by the CoC (“CCI Proviso”). While the requirement under the CCI Proviso is mandatory, certain judgements of the Tribunal/National Company Law Appellate Tribunal have diluted the mandatory effect of the CCI Proviso by treating the CCI Proviso as ‘directory’. This note explores the question as to whether the CCI Proviso serves any useful purpose and is needed at all.

‘Deemed’ Consents

Daring to Deem? ‘Deemed’ Consents Under India’s Proposed Data Protection Law

While the current draft of India’s Digital Personal Data Protection Bill, 2022 (“DPDP”) is partly similar to the EU’s General Data Protection Regulation (“GDPR”) with respect to ‘notice’ and ‘consent’ requirements, the former introduces certain unique elements – such as ‘deemed consents’ under Section 8, involving nine subsections.
While a consent under subsection (1) may be considered ‘deemed’ when a person voluntarily provides their data and it is reasonably expected that they would provide it in such a situation (similar to Section 15 of Singapore’s Personal Data Protection Act, 2012 (“PDPA”)), sub-sections (2) to (9) deal with circumstances where data may be non-consensually processed on account of a necessity or a prescribed purpose (similar to Article 6 of the EU’s GDPR). Although both such categories have been included under the same provision, they are inherently different.
While Singapore’s PDPA specifically imposes purpose limitations and requires reasonable necessity (e.g., contractual performance) with regard to deemed consents, DPDP’s Section 8(1) does not. It is also unclear if ‘notice’ requirements apply to deemed consents under the latter provision. Further, unlike the EU’s GDPR, subsections (2) to (9) of DPDP’s Section 8 do not permit non-consensual processing by non-state and/or private entities other than in a few limited circumstances.
At the same time, a wide variety of human activity could lead to deemed consents under Section 8(1). For instance, during interface with a new technology or platform, an individual may inadvertently (albeit ‘voluntarily’) make their personal data available without actually agreeing to its collection or use. In that regard, DPDP is ambiguous about the possibility of withdrawing a deemed consent – although it allows consent withdrawals in general. Since data processing is required to stop in such cases – unless non-consensual processing is authorized by law (or is otherwise necessary) – the final draft of DPDP could clarify this point.

Notice and Consent Requirements

Notice and Consent Requirements in India’s New Digital Data Regime

Given the imminence of India’s refurbished digital data framework, along with the diversely innovative ways in which personal data is collected and/or processed today on account of new technologies and platforms – ‘notice’ and ‘consent’ requirements have assumed additional importance.
In this note, we address some such aspects with reference to the current draft of India’s Digital Personal Data Protection Bill, 2022 (“DPDP”) and the EU’s General Data Protection Regulation (“GDPR”).
While DPDP mirrors certain provisions of GDPR with respect to notice and consent, there are significant departures from the EU template. In particular, while earlier iterations of DPDP had more faithfully reproduced GDPR-like disclosure requirements that were comprehensive, elaborate, and rights-laden, DPDP in its present form eschews several such principles. Moreover, DPDP introduces novelties such as ‘deemed consent’ – which we discuss in our next note.
Nevertheless, subject to potential changes in DPDP’s November 2022 draft further to stakeholder feedback, the revised DPDP bill (which is likely to be tabled before parliament during the monsoon session) may continue to retain references to bespoke regulation as may be subsequently prescribed – allowing for flexibility while technologies, priorities, and public policies evolve over time.

Personal Data

What We Talk About When We Talk About Personal Data

Developments in data science have revolutionized the means through which personal data is capable of being collected and/or processed. Control over mass markets can be instrumentalized through mobile and web-based terminals, each of which remains equipped with a variety of embedded technologies. As a result, vast numbers of users – who remain permanently online – come in contact with such technologies, including with respect to the ‘measurement’ of their individual characteristics.
Further, such bio-surveillance and/or data collection via internet-linked apps and devices is powered by increasingly sophisticated analytic tools provided by the digital infrastructures of online media platforms. Unsurprisingly, therefore, the world has witnessed a growing demand for the re-use of this valuable informational inventory.
Since the aggregation of such an inventory may involve both personal and non-personal data, the associated regulatory paradigm must consider the fundamental differences between the two. More importantly, India’s new digital data regime will likely remain alert about how personal information may be converted into its non-personal equivalent, as well as the ramifications of such conversion.

Digital India

Child’s Play in Digital India: Handling Teen Data with Kid Gloves?

With respect to the collection/processing of children’s personal information under Indian law, Clause 2(3) of the current draft of the country’s Digital Personal Data Protection Bill, 2022 (“DPDP”) defines a ‘child’ to mean “an individual who has not completed eighteen years of age.” Accordingly, a significant number of individuals may be covered under DPDP’s special requirements related to children’s data.
Meanwhile, the proposed Digital India Act (the “Proposed DI Act”) may also introduce special provisions with respect to children – including by ‘age gating’ them from: (i) addictive technologies, and (ii) online/digital platforms that collect/process their data. However, if the Proposed DI Act ends up defining a ‘child’ with a similarly high threshold, there may be implications for a multitude of online/digital/social media platforms, as well as for children and parents themselves, including in terms of access and compliance.
In this note, the fourth of S&R Data+, we discuss the implications of stipulating an upper age-limit of 18 while defining a child in connection with data protection, including through global comparisons.