Tag: Regulatory

Under Section 11 of India’s Digital Personal Data Protection Bill (“DPDP”), the central government (as opposed to a data protection authority) is authorized to notify ‘data fiduciaries’ (“DFs”) as ‘significant’ DFs (“SDFs”).
A DF can be any person who – either alone or in conjunction with others – determines the purpose and means of processing personal data. Individuals, companies, firms or any artificial juristic person may be considered a DF under DPDP. However, SDFs need to comply with additional obligations, over and above those prescribed for DFs in general. Such general obligations may include those listed under the IT Act and its rules.
Past iterations of DPDP had contained references to SDFs as well (although General Data Protection Regulation (“GDPR does not have an exact equivalent). In addition, some such prior versions had classified other types of DFs, such as: (i) ‘guardian’ DFs (“GDFs”) (in respect of children’s data, similar to the U.S.’s COPPA); and (ii) social media intermediaries (“SMIs”).
However, DPDP obliterates such latter categories, to the extent that GDFs and SMIs may now be subsumed under SDFs. Moreover, erstwhile SMI-specific parameters have been added to those applicable for SDF assessments. Nevertheless, since DPDP contains only a sparse description of SDF obligations in its present avatar, added requirements may be specified later. Meanwhile, DFs may want to check how such obligations were detailed in the past. Accordingly, in this note, we discuss DPDP’s provisions on SDFs with reference to existing law and past legislative proposals.

Last week, India’s Union Cabinet approved a revised version (the “2023 Draft”) of the Digital Personal Data Protection Bill (“DPDP”), which proposes to replace the country’s existing data protection framework.
Pursuant to extensive feedback received on a November 2022 draft (the “2022 Draft”), it now appears that the 2023 Draft of DPDP is ready for parliamentary deliberation during the monsoon session, scheduled between July 20 and August 11.
While several bills in this regard were drafted in the past, and various attempts have been made over the last decade to address privacy and data protection in India, the present instance may prove different on account of DPDP’s rudimentary form relative to previous iterations.
In this note, we unpack and discuss the statutory definition of personal data under the 2022 Draft. Our analysis is in light of GDPR provisions. Importantly, Section 4 of DPDP limits the latter’s operation to the processing of digital personal data. This is the first time that an Indian legislative proposal has expressly clarified such limitation.

Artificial Intelligence (“AI”), and generative AI applications in particular (e.g., ChatGPT), may revolutionize vast sections of the global economy. Significantly, this change could occur sooner than expected. On account of its ability to understand and process natural language, generative AI can perform a diverse set of tasks that consume a majority of human work time, thereby adding unprecedented value across sectors.
However, it is also important to account for adverse consequences. After all, AI can be deployed to infringe upon privacy, cause socio-political disruptions, generate biased outputs, and violate intellectual property rights (“IPRs”).
Nevertheless, India’s stance on regulating AI remains ambiguous. While the Ministry of Electronics and Information Technology was reluctant to introduce AI-specific laws at first, subsequent reports indicate that individuals may be ‘protected’ against harmful deployment. Accordingly, limits on AI use may be articulated under the proposed Digital India Act, including through the prism of user safety.
In this note, we analyze cross-jurisdictional developments for the purpose of exploring a viable regulatory template. While India’s approach should foster innovation and growth, it should not sacrifice individual and collective rights. At any rate, the risks associated with generative AI need to be recognized upfront, including for the purpose of designing India’s new digital regime.

While the current draft of India’s Digital Personal Data Protection Bill, 2022 (“DPDP”) is partly similar to the EU’s General Data Protection Regulation (“GDPR”) with respect to ‘notice’ and ‘consent’ requirements, the former introduces certain unique elements – such as ‘deemed consents’ under Section 8, involving nine subsections.
While a consent under subsection (1) may be considered ‘deemed’ when a person voluntarily provides their data and it is reasonably expected that they would provide it in such a situation (similar to Section 15 of Singapore’s Personal Data Protection Act, 2012 (“PDPA”)), sub-sections (2) to (9) deal with circumstances where data may be non-consensually processed on account of a necessity or a prescribed purpose (similar to Article 6 of the EU’s GDPR). Although both such categories have been included under the same provision, they are inherently different.
While Singapore’s PDPA specifically imposes purpose limitations and requires reasonable necessity (e.g., contractual performance) with regard to deemed consents, DPDP’s Section 8(1) does not. It is also unclear if ‘notice’ requirements apply to deemed consents under the latter provision. Further, unlike the EU’s GDPR, subsections (2) to (9) of DPDP’s Section 8 do not permit non-consensual processing by non-state and/or private entities other than in a few limited circumstances.
At the same time, a wide variety of human activity could lead to deemed consents under Section 8(1). For instance, during interface with a new technology or platform, an individual may inadvertently (albeit ‘voluntarily’) make their personal data available without actually agreeing to its collection or use. In that regard, DPDP is ambiguous about the possibility of withdrawing a deemed consent –although it allows consent withdrawals in general. Since data processing is required to stop in such cases – unless non-consensual processing is authorized by law (or is otherwise necessary), the final draft of DPDP could clarify this point.

Given the imminence of India’s refurbished digital data framework, along with the diversely innovative ways in which personal data is collected and/or processed today on account of new technologies and platforms – ‘notice’ and ‘consent’ requirements have assumed additional importance.
In this note, we address some such aspects with reference to the current draft of India’s Digital Personal Data Protection Bill, 2022 (“DPDP”) and the EU’s General Data Protection Regulation (“GDPR”).
While DPDP mirrors certain provisions of GDPR with respect to notice and consent, there are significant departures from the EU template. In particular, while earlier iterations of DPDP had more faithfully reproduced GDPR-like disclosure requirements that were comprehensive, elaborate, and rights-laden, DPDP in its present form eschews several such principles. Moreover, DPDP introduces novelties such as ‘deemed consent’ – which we discuss in our next note.
Nevertheless, subject to potential changes in DPDP’s November 2022 draft further to stakeholder feedback, the revised DPDP bill (which is likely to be tabled before parliament during the monsoon session) may continue to retain references to bespoke regulation as may be subsequently prescribed – allowing for flexibility while technologies, priorities, and public policies evolve over time.

Developments in data science have revolutionized the means through which personal data is capable of being collected and/or processed. Control over mass markets can be instrumentalized through mobile and web-based terminals, each of which remains equipped with a variety of embedded technologies. As a result, vast numbers of users – who remain permanently online – come in contact with such technologies, including with respect to the ‘measurement’ of their individual characteristics.
Further, such bio-surveillance and/or data collection via internet-linked apps and devices is powered by increasingly sophisticated analytic tools provided by the digital infrastructures of online media platforms. Unsurprisingly, therefore, the world has witnessed a growing demand for the re-use of this valuable informational inventory.
Since the aggregation of such an inventory may involve both personal and non-personal data, the associated regulatory paradigm must consider the fundamental differences between the two. More importantly, India’s new digital data regime will likely remain alert about how personal information may be converted into its non-personal equivalent, as well as the ramifications of such conversion.

With respect to the collection/processing of children’s personal information under Indian law, Clause 2(3) of the current draft of the country’s Digital Personal Data Protection Bill, 2022 (“DPDP”) defines a ‘child’ to mean “an individual who has not completed eighteen years of age.” Accordingly, a significant number of individuals may be covered under DPDP’s special requirements related to children’s data.
Meanwhile, the proposed Digital India Act (the “Proposed DI Act”) may also introduce special provisions with respect to children – including by ‘age gating’ them from: (i) addictive technologies, and (ii) online/digital platforms that collect/process their data. However, if the Proposed DI Act ends up defining a ‘child’ with a similarly high threshold, there may be implications for a multitude of online/digital/social media platforms, as well as for children and parents themselves, including in terms of access and compliance.
In this note, the fourth of S&R Data+, we discuss the implications of stipulating an upper age-limit of 18 while defining a child in connection with data protection, including through global comparisons.