Decoding the Salient Features of India’s Digital Personal Data Protection Bill, 2022

The latest draft of India’s data protection law – the Digital Personal Data Protection Bill, 2022 (DPDP Bill, 2022) was released on November 18^th. It is the fourth iteration of the bill in an ongoing effort to develop a “comprehensive” legal framework that is aligned with contemporary privacy laws, emerging data protection standards and constantly evolving nuances of the digital ecosystem. Since its first release in 2018, the draft, has undergone extensive changes and revisions, to make it adequate, comprehensive and future proof particularly in the context of the right to informational privacy being upheld as a ‘fundamental right’ by the Supreme Court in 2017. The current draft retains some of the clauses from previous versions but makes a significant departure on many counts. This blog looks at the core principles and the salient features of the latest draft.

The DPDP Bill, 2022 is formulated keeping in mind the seven core principles namely lawful, fair and transparent processing; purpose limitation; data minimization; accuracy of personal data; storage limitation; integrity and confidentiality; and accountability. The reworked version incorporates hefty penalties for non-compliance, relaxes rules on cross-border data flows and recognizes the right to post-mortem privacy, among others. The key highlights of the legislation are presented below.

• Covers only digital personal data: The DPDB Bill, 2022 will cover only digital personal data i.e., data collected online, or if collected offline, is digitized later. Thus, manual data processing such as structured filing systems are outside the purview of this bill. It is unclear if DPDB will apply to mechanical and semi-automated data processing. In effect, by being completely inapplicable to data processed manually, this provides for a relatively lower degree of protection compared to the earlier drafts which only excluded data processed manually specifically by “small entities” and not in general.
  
  
• Applies to three levels of stakeholders: DPDB Bill, 2022 covers three key stakeholders in the data processing cycle: (i) data fiduciary (akin to controller) – any person who alone or with others determines the purpose and means of processing, (ii) data processor – any person who processes personal data on behalf of data fiduciary, and (iii) data principal (akin to data subject) – individual to whom the personal data relates, and in context of children (e., 18 years or below), will include their parents and legal guardian.
  
  
• No special provision for sensitive data: The DPDP Bill, 2022 does away with the special categories of sensitive personal data or critical data and consequently, there are no specific requirements that would apply to the processing of sensitive data sets like health, financial, biometrics, genetic data etc. This personal data is traditionally afforded a higher degree of protection in terms of requiring explicit consent before processing and mandatory data protection impact assessments. By doing away with this distinction, the DPDP Bill, 2022 does away with these additional protections.
  
  
• Introduces the concept of Deemed Consent: Consent is and, in line with previous iterations, continues to remain – the primary ground for processing personal data. However, the DPDP Bill, 2022 now includes the concept of “deemed consent”, a broad concept that includes other grounds – considered as reasonable grounds for processing personal data. Effectively, a user is deemed to have given consent for the processing of their personal data if such data has been shared voluntarily, or if the processing is necessary for compliance with any law or for ensuring public safety and public interest, to name a few.
  
  
• Eases cross-border data flows: Previous versions of the bill came under intense scrutiny from various industries for proposing data localization, using India’s “digital sovereignty” as a primary reason for this approach. However, the current bill does away with the localization requirement and eases cross-border data flows. The DPDP Bill, 2022 aims to strike a balance between these concerns by allowing for cross border data flow to “countries and territories” notified by the Central government. This indicates that the central government will have a free hand to determine jurisdictions and come up with conditions for data transfers.
  
  
• Includes the right to post-mortem privacy: An important addition to the right of data principals is that it recognises the right to post-mortem privacy. The right to post-mortem privacy would allow the data principal to nominate another individual to exercise his/her rights in case of death or incapacity. On the other hand, the DPDP Bill does away with the data principal’s right to portability and the right to be forgotten. This implies that data principals will no longer be empowered to choose between different digital/social media platforms, or to direct a data fiduciary to restrict the continuing disclosure of their personal data.
  
  
• Imposes duties on data principals: Apart from the rights of data principals including but not limited to the right to information, grievance redressal and the right to nominate, this version of the Bill also imposes duties that data principals must adhere to. If they are non-compliant, it could lead to penalties upto ₹10,000. Some of these duties include being in compliance with the “provision of all applicable laws” when exercising rights, not registering “false or frivolous” complaints with the data fiduciary and/or not suppressing material information.
  
  
• Requires setting up of an independent board: The DPDP Bill, 2022 provides for the establishment of an independent Board, namely, the Data Protection Board of India (DPBI), to function as an adjudicating body to enforce the provisions of the Bill and to impose penalty in cases of non-compliance. In comparison to the regulatory framework conceptualized under the previous iterations of the draft law, where the proposed regulator, the Data Protection Authority (DPA), was enshrined with significant powers of regulation making, enforcement and adjudication, the current draft considerably reduces the scope of the proposed DPBI. Further, it gives the government wide-ranging powers in matters pertaining to the composition of the board, appointment of members, service terms etc.

To conclude, the bill in its current version is an attempt by the Government to formulate a simplified, yet a comprehensible law on data protection as opposed to the earlier Personal Data Protection Bill (2019) which was criticised by businesses and start-ups for being compliance-intensive. While the current draft appears to have weighed in on the concerns around localisation, a consent-heavy architecture, and enhanced compliance obligations among others, certain provisions such as those offering exemptions to the state’s processing of personal data coupled with lack of clarity in operational details and lower safeguards for data principals are among the key concerns flagged by experts. The government believes that in its current form, the proposed law leaves sufficient window for adaptation as the digital ecosystems evolve, but the true efficacy and impact of DPDB Bill, 2022 will have to be time-tested.