1. INTRODUCTION

Following the Union Cabinet's approval on July 5, 2023, the latest version of the 'Digital Personal Data Protection Bill, 2023' ("DPDPB") was formally placed before the Lok Sabha on Thursday, August 3, 2023. This version builds on its predecessor, released in November 2022 ("2022 Bill"), making some tactical modifications while retaining all core concepts. Alongside smaller changes throughout, the more significant ones concern the formation and constitution of the Data Protection Board ("Board") (which the 2022 Bill had left to be constituted 'as may be prescribed' by the Central Government), the power of the Central Government to make rules, and the circumstances in which entities can be exempted from the applicability of its provisions. This rendition also sets out robust notice and consent obligations, 'legitimate uses' for processing personal data without consent, the establishment of an 'Appellate Tribunal', and augmented obligations on data fiduciaries handling children's data, among others.

The DPDPB narrows its focus to the protection of 'digital' personal data. A key concern is the number of provisions that remain subject to determination by the Central Government through rules, raising apprehensions about the potential for unguided and arbitrary rule-making.

2. KEY TAKEAWAYS

2.1. Key definitions.

2.1.1. Data principal: The DPDPB has expanded the scope of 'data principal', which not only includes the individual to whom the personal data relates, as well as the parent or lawful guardian of a child, but now also includes the lawful guardian of a 'person with disability'. It does not, however, define who a 'person with disability' is. In India, the Rights of Persons with Disabilities Act, 2016, is the primary legislation that recognizes the rights of persons with disabilities. It defines a 'person with disability' as a 'person with long term physical, mental, intellectual or sensory impairment which, in interaction with barriers, hinders his full and effective participation in society equally with others'.[1] If an inference were to be drawn from this definition, it would appear that certain classes of 'persons with disabilities' (for instance, people with physical disabilities) may not always require the assistance of their lawful guardian in matters involving their personal data. However, it remains to be seen how the Central Government construes the term 'persons with disabilities' under the rules adopted under the DPDPB.

2.1.2. Processing of personal data: The DPDPB defines 'processing' to mean a 'wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction'. This definition is largely in line with the definition of 'processing' under the European Union's General Data Protection Regulation ("GDPR"). However, while the GDPR covers both automated operations and certain non-automated operations (manual processing of personal data that forms, or is intended to form, part of a filing system), the DPDPB limits the scope of processing to 'automated' operations only.

2.1.3. Digital personal data: The definition of 'digital personal data'[2] has been introduced, to mean 'personal data' in a 'digital form'.

2.2. Applicability. The DPDPB applies to the processing of digital personal data within India when the data is collected from data principals (i) in digital form; or (ii) in non-digital form and subsequently digitized. It also extends to the processing of digital personal data outside India if such processing relates to the offering of goods or services to data principals located in India. However, the DPDPB remains silent on whether its provisions apply to the processing of personal data of data principals situated outside India. Unlike the GDPR, whose extra-territorial reach is tied to data subjects who are in the European Union ("EU") (irrespective of their citizenship), the DPDPB does not limit the definition of 'data principal' (captured above) to persons situated in India, or to Indian citizens, alone. This may create a lacuna in understanding the full extent of the DPDPB. It remains to be seen how the Central Government will resolve this ambiguity in the DPDPB's extra-territorial application.

The 2022 Bill had introduced certain types of personal data processing that would be exempt from its provisions. The DPDPB does away with those exemptions, except the exemption for personal data processed by an individual for any personal or domestic purpose. In addition, it now also exempts from its ambit personal data made publicly available by the data principal, or by any other person who is under an obligation under any Indian law to make such personal data publicly available.

2.3. Personal data. The DPDPB covers the processing of 'personal data' only, i.e., 'any data about an individual who is identifiable by or in relation to such data'. The erstwhile classification of personal data into 'sensitive personal data' and 'critical personal data' (which appeared in every iteration up to the 2022 Bill) has been done away with in the DPDPB.

2.4. Notice requirement. A data fiduciary is required to give an itemized notice to the data principal, either at the time of making a request for consent or before it, (i) describing the personal data sought to be collected and the purpose of its processing; (ii) setting out the manner in which the data principal may exercise his/her/their rights (including the right to correction, withdrawal of consent, etc.); and (iii) setting out the manner in which the data principal may make a complaint to the Board. If a data principal has already provided his/her/their consent for the processing of personal data prior to the commencement of the DPDPB, the data fiduciary must provide him/her/them with such notice 'as soon as it is reasonably practicable'. The notice must be presented in clear and plain language, by way of a separate document or in an electronic form, or in a form 'as may be prescribed'. Further, the data fiduciary must give the data principal the option to access the contents of the notice in English or any of the 22 (twenty-two) languages specified in the Eighth Schedule to the Constitution of India.[3]

2.5. Consent.

2.5.1. Concept of consent: Data fiduciaries will be required to process personal data only for lawful purposes for which the data principal has given consent. Consent entails any 'free, specific, informed, unconditional and unambiguous indication of the data principal's wishes by which she, by way of a clear affirmative action, signifies agreement to the processing of her personal data for the specified purpose as is necessary'.[4] Therefore, a data fiduciary can only process such personal data of a data principal as is required for the specific purpose for which consent has been sought, and nothing further.

2.5.2. Request for consent: Every request for consent should be provided to the data principal in the following manner:

(i) It must be presented in clear and plain language, with an option to access the request in English or any of the 22 (twenty-two) languages specified in the Eighth Schedule to the Constitution of India;[5] and

(ii) It must contain the contact details of the data protection officer (for a significant data fiduciary), or a person authorised by the data fiduciary to respond to any communication from the data principal.

2.5.3. Consent manager: The data principal can give, manage, review or withdraw the consent given to a data fiduciary through a 'consent manager',[6] i.e., a person registered with the Board who enables a data principal to give, manage, review and withdraw his/her/their consent through an accessible, transparent and interoperable platform.[7] However, there is a lack of clarity on the role such consent managers will play. Currently, it is not clear whether all data fiduciaries are expected to connect with consent managers to seek the consent of data principals. Additionally, clarity is required on the manner or system that needs to be put in place to enable consent managers to perform their functions.

2.5.4. Consent of parents: The term 'consent of the parent' has also been introduced. It includes the consent of a lawful guardian, wherever applicable.

2.5.5. Legitimate use: The DPDPB provides for certain 'legitimate uses' for which a data fiduciary may process the personal data of data principals without obtaining their specific consent. One such legitimate use arises where the data principal has voluntarily provided his/her/their personal data to the data fiduciary for a specified purpose (for instance, while availing or seeking out a specific service), and has not indicated that he/she/they does not consent to the use of that personal data. Legitimate use also extends to the processing of personal data to comply with any judgment, decree or order issued under any Indian law, as well as any judgment, decree or order relating to claims of a contractual or civil nature under any law in force outside India.

2.5.6. Withdrawal of consent: The data principal has the right to withdraw consent at any time. The consequences of such withdrawal are to be borne by the data principal, and the withdrawal does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal. In the event a data principal withdraws his/her/their consent to the processing of personal data, the data fiduciary must erase[8] and cease processing, and cause its data processors to erase and cease processing, the personal data of such data principal, unless retention is required under any applicable law.

Footnotes

1. Section 2(s) of the Rights of Persons with Disabilities Act, 2016.

2. Section 2(n) of the DPDPB.

3. The Eighth Schedule to the Constitution of India consists of the following 22 (twenty-two) languages: (1) Assamese, (2) Bengali, (3) Gujarati, (4) Hindi, (5) Kannada, (6) Kashmiri, (7) Konkani, (8) Malayalam, (9) Manipuri, (10) Marathi, (11) Nepali, (12) Oriya, (13) Punjabi, (14) Sanskrit, (15) Sindhi, (16) Tamil, (17) Telugu, (18) Urdu, (19) Bodo, (20) Santhali, (21) Maithili and (22) Dogri.

4. Section 6(1) of the DPDPB.

5. Section 6(3) of the DPDPB.

6. Section 6(7) of the DPDPB.

7. A 'consent manager' means a "data fiduciary which enables a data principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform".

8. Section 8(7) of the DPDPB.