
Digital Personal Data Protection Bill 2023 | A Step Towards a Comprehensive Data Protection Regime in India

04-Aug-2023

Introduction

India’s 6-year-long journey in the realm of data protection and privacy has finally culminated in the latest Digital Personal Data Protection Bill 2023 (2023 Bill). The 2023 Bill was tabled before the lower house of the Parliament (i.e. Lok Sabha) on 3 August 2023, and is now slated to be debated.

As a quick recap, the Personal Data Protection Bill 2019 was withdrawn by the Ministry of Electronics and Information Technology (MeitY) in August 2022, and in November 2022, MeitY released a much leaner draft Digital Personal Data Protection Bill 2022 (2022 Bill) for public consultation. While largely similar to its predecessor in many respects, the 2023 Bill addresses a few key industry concerns that were raised during the public consultations. We briefly discuss certain significant changes and key highlights below.

Key Highlights of the 2023 Bill

1. Legislative scope: The 2023 Bill will apply to personal data collected from data principals (i.e., individuals to whom the personal data relates) within India if collected: (i) in digital form; and (ii) in non-digital form and digitized subsequently. It continues to have extraterritorial applicability, which will extend to processing of digital personal data outside India if such processing is in connection with an activity related to offering goods or services to data principals within India. A prominent deviation, however, is that the 2023 Bill excludes ‘profiling’ of data principals within India from its extra-territorial scope.

2. Grounds for processing of personal data: According to the 2023 Bill, personal data can only be processed on the basis of consent of the data principal or for certain legitimate uses (e.g., where personal data is provided voluntarily, for provision or issuance of subsidies, benefits, etc. by the State, fulfilling legal obligations, compliance with judgment/decree, responding to medical emergency, certain employment purposes and so on). Where the basis is consent, such consent will have to be procured in the prescribed manner. Additionally, there are conditions for processing data for legitimate uses.

3. Obligations of data fiduciaries: In contrast to the 2022 Bill, the 2023 Bill primarily requires the data fiduciary to be responsible for compliance and prescribes corresponding penalties. Data processors’ obligations which were outlined in the 2022 Bill (e.g., implementation of technical measures) have been dropped. Notably, data fiduciaries can engage data processors only under a valid contract. Data fiduciaries are also required to implement appropriate technical and organisational measures, ensure an effective mechanism for grievance redressal, report personal data breaches to the Data Protection Board of India and the impacted individuals, etc.

4. Additional obligations for significant data fiduciaries: Similar to the preceding versions of the proposed data protection law, the 2023 Bill provides for classification of data fiduciaries as ‘Significant Data Fiduciaries’ by the Central Government based on identified factors. Such Significant Data Fiduciaries are required to comply with additional obligations such as appointment of a data protection officer residing in India, appointment of an independent data auditor, undertaking of data protection impact assessments and such other measures as may be prescribed.

5. Additional obligations in relation to processing of data of children or persons with disability: The 2023 Bill mandates data fiduciaries to obtain ‘verifiable consent’ from parents before processing personal data of children (i.e., any individual below 18 years of age) or of a person with disability who has a legal guardian. Further, the 2023 Bill casts a duty on the data fiduciary to not undertake behavioral tracking/targeted advertising which is ‘likely to cause any detrimental effect on the well-being of a child’. Additionally, the age of children may be lowered for only those processing activities of a data fiduciary which are deemed verifiably safe by the Central Government.

6. Oversight and enforcement: The Central Government will establish a Data Protection Board of India (Board), which will be responsible for determining non-compliances under the legislation and for imposing penalties. The Board will be an independent body operating digitally. Every order made by the Board will be enforceable akin to a decree made by the civil court. Any person aggrieved by any order or direction of the Board may prefer an appeal before the Telecom Disputes Settlement and Appellate Tribunal within a period of 60 days from the receipt of such order/direction.

7. Cross-border transfer of personal data: In a significant departure from the 2022 Bill, the 2023 Bill provides that the Central Government may restrict the transfer of personal data by a data fiduciary for processing to such country or territory outside India as may be notified. However, it has been clarified that such power will not override any law that provides for a higher degree of protection for or restriction on transfer of personal data by an entity.

8. Exemptions: Certain additional exemptions have been provided under the 2023 Bill such as implementation of scheme of compromise or arrangement or merger or amalgamation and for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment of a loan. In addition, the Central Government (by notification within 5 years) may exempt certain categories of data fiduciaries such as startups from certain obligations.

9. Enhanced financial penalties: Similar to the 2022 Bill, a penalty of up to INR 250 crores (approximately, USD 30 million) has been prescribed for failure to take reasonable security safeguards to prevent personal data breach. However, the 2023 Bill removes the upper limit of INR 500 crores (approximately, USD 60 million) which could have been imposed in each instance of a significant non-compliance, as was mentioned in the 2022 Bill.

10. Miscellaneous powers of the Central Government: A completely new provision in the 2023 Bill provides that upon a reference by the Board in writing and in the interest of general public, the Central Government can block a data fiduciary’s platform. Further, the Central Government may require the Board and any data fiduciary or intermediary to furnish such information as it may call for.

Comment

The overall look and feel of the 2022 Bill has been retained. Like its predecessor, the 2023 Bill remains a principle-based legislation. The status quo continues on key aspects such as the absence of any categorization of personal data into sensitive personal data and critical personal data. Additionally, most of the high financial penalties have been retained in the 2023 Bill as an effective deterrent against non-compliance. The 2023 Bill still does not prescribe any definite preparation time.

For the business fraternity, provisions for cross-border transfer of data with introduction of a negative list, exemption for certain categories of data fiduciaries including start-ups from compliances, etc., are significant to note. With the 2023 Bill reaching the floor of the Lok Sabha, one more step has been taken towards India finally implementing its much-awaited data protection law.

- Data Privacy Group

For any queries please contact: editors@khaitanco.com

Supratim Chakraborty (partners)
