Skip to main content

Legal Capsule: Lex Counsel

By


A Dive Into The Digital Personal Data Protection Bill, 2022


Introduction

After the withdrawal of the earlier Personal Data Protection Bill, 2019 (“PDP Bill”), the Ministry of Electronics and Information Technology has released a new Digital Personal Data Protection Bill, 2022 (“DPDP Bill”), which adopts a more simplified approach to handling ‘personal data’ in comparison to its predecessor. The DPDP Bill covers several key principles pertaining to lawful usage of personal data, limitation on collection of personal data, data minimisation, data storage and accountability of the person processing personal data.

Key Provisions of the DPDP Bill and our Analysis

The focus of this article is to discuss and analyse some of the key aspects of the DPDP Bill and critically analyse any areas of concern:

  • Scope and Application: The DPDP Bill applies to ‘personal data’ (i.e., any data about an individual who is identifiable by or in relation to such data) which is processed digitally, including the personal data collected online as well as such personal data collected offline which is digitised for processing. However, it does not cover personal data processed manually unlike the earlier PDP Bill that had brought manual processing of data by small entities within its purview. The DPDP Bill extends its scope to processing of digital personal data outside the territory of India if such processing is in connection with any profiling of, or activity of offering goods or services to individuals within the territory of India. While the PDP Bill had categorised personal data into sensitive and critical personal data, the DPDP Bill does not have any such classification and this may oversimplify the criticality of protection of sensitive personal data.

  • Obligations of Data Fiduciary: Data fiduciary under the DPDP Bill is a person who alone or together with other persons determines the purpose and means of processing personal data and has been subjected to several obligations including the following:

    • Every data fiduciary is required to process personal data for lawful purposes only and with the consent of the data principal i.e., the individual whose personal data is processed. The data fiduciary is required to issue a notice to the data principal regarding the description of each type of personal data sought to be collected and the purposes of processing of such personal data. The notice to be issued to users should be in easy and plain language.

    • When processing personal data of children i.e., users under the age of 18, data fiduciaries are required to obtain verifiable consent from the parents. The DPDP Bill has prescribed a penalty of up to ₹200,00,00,000/- (Rupees Two Hundred Crore) in case of non-fulfilment of additional obligations imposed on the data fiduciary with respect to the processing of personal data of children. 

    • In case of withdrawal of consent by data principal to the processing of personal data, the data fiduciary is obliged to cease and cause its data processors to cease processing of the personal data of such data principal within a reasonable time period, unless such processing without the data principal’s consent is authorised under the DPDP Bill or any other law.

    • In the event of a personal data breach, both the data fiduciary and the data processor i.e., any person who processes personal data on behalf of a data fiduciary, are required to notify the Data Protection Board (“Board”) proposed under the DPDP Bill, and each affected data principal. However, no time frame has been prescribed within which such notification has to be made. Notably, the Joint Parliamentary Committee report on the PDP Bill (“JPC Report”), had suggested that companies should report data breaches within a period of 72 (seventy-two) hours.

    • Further, any data fiduciary or data processor that fails to ensure reasonable security safeguards to prevent personal data breach will be fined as high as ₹250,00,00,000/- (Indian Rupees Two Hundred and Fifty Crore) whereas the earlier PDP Bill had proposed a penalty of ₹15,00,00,000 (Rupees Fifteen Crores) or 4% (four percent) of the company’s total worldwide annual turnover, whichever is higher. It is apparent that severe penalties are being imposed to ensure strict compliance.

  • Rights of Data Principal: The data principal, i.e., the individual to whom the personal data relates, has certain rights under the DPDP Bill including the:

    • right to obtain confirmation from the data fiduciary on whether the personal data of the data principal is being processed, summary of the personal data of the data principal being processed by the data fiduciary and the processing activities undertaken by the data fiduciary, and the identities of all the data fiduciaries with whom the personal data has been shared along with the categories of personal data so shared;

    • right to make a request with data fiduciary for correction, completion, updating and erasure of personal data that is no longer necessary for the purpose for which it was processed;

    • right to nominate an individual who will exercise these rights in the event of death or incapacity of the data principal; and 

    • right of grievance redressal by registering grievance with the data fiduciary or to register a complaint with the Board in case of dissatisfaction with the response of data fiduciary or in case no response is received from the data fiduciary.

      Surprisingly, the ‘right of portability’ of the data principal which could have allowed users to port or systematically transfer personal data from one data fiduciary to another data fiduciary has been left out and this possibly interferes with the spirit of consumer welfare and competitiveness among data fiduciaries.

  • Duties of Data Principal: A data principal is under an obligation to not register a false or frivolous complaint with a data fiduciary or the Board, not to furnish any false particulars or suppress any material information or impersonate another person while applying for any document, service, unique identifier, proof of identity or proof of address and to provide information that is verifiably authentic while exercising their right to correction or erasure. DPDP Bill has introduced a penalty up to ₹10,000/- (Rupees Ten Thousand) on the data principal for failure to comply with its proposed obligations.

  • Data Protection Board: The DPDP Bill provides for the establishment of an independent Board, namely, the Data Protection Board, to function as an adjudicating body to enforce the provisions of the Bill and to impose penalty in cases of non-compliance. In the event of breach of personal data, the Board has been given the power to direct the data fiduciary to adopt any urgent measures to remedy such personal data breach or mitigate any harm caused to data principals. However, the independence of such an important functionary may come under scrutiny as matters concerning the strength and composition of the Board, the appointment and service conditions of the chief executive, chairperson and other members of the Board have been left to the discretion of the Government of India.

    Further, in case of an inquiry by the Board, the DPDP Bill does not specify any time limit for completion of the inquiry. The DPDP Bill has done away with the establishment of an Appellate Tribunal and laid down that an appeal against an order of the Board would lie to the High Court. In appropriate cases, the Board has been given the power to direct alternative dispute resolution to resolve disputes between concerned parties.

  • Financial Penalties: The amount of financial penalty would be determined by the Board based on factors which inter-alia include the gravity, nature and duration of non-compliance, type and nature of personal data affected by the non-compliance and the likely impact of the imposition of the financial penalty on the concerned person. If the non-compliance by a person is found to be significant, then the Board has the power to impose a penalty of up to ₹500,00,00,000/- (Rupees Five Hundred Crore) provided that such person has been given a reasonable opportunity of being heard.

  • Cross-border transfer of personal data: The DPDP Bill has eased the requirement of localising data which was proposed under the JPC Report and permitted the unrestricted transfer of personal data by a data fiduciary to those countries or territories outside India which would be notified by the Central Government. While this resonates with the ease of doing business, there is no clarity regarding the factors on which the Government would notify such trusted countries or territories, who could be granted access to all kinds of personal data of Indian residents.

  • Exemptions from Applicability: The DPDP Bill gives the power to the Government to exempt any instrumentality of the state in the interests of sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order etc., without any explanation. The exemptions under the DPDP Bill gives wide discretionary powers to the Government and does not take into consideration the JPC Report’s recommendation to have a ‘just, fair, reasonable and proportionate’ procedure in place before allowing any such exemption.

Conclusion

The DPDP Bill is an attempt by the Government to formulate a simply worded and comprehensible law on data protection in the country as opposed to the earlier PDP Bill which was criticised by businesses and start-ups for being compliance intensive. However, in an endeavour to narrow down the earlier draft, the DPDP Bill has missed out in clarifying several provisions. For instance, the DPDP Bill has introduced the concept of ‘deemed consent’ in broad and vague terms, by allowing the processing of personal data without the individual’s consent based on several wide factors which inter alia include the maintenance of public order, purposes related to employment and in public interest including credit scoring, recovery of debt, for any fair and reasonable purposes including the reasonable expectations of the data principal. As the balance between the individual’s right to privacy and the right of the data principal to assume ‘deemed consent’ is missing, this aspect of law could be a contentious issue.

Despite the recommendation under the JPC Report, the DPDP Bill has kept the ‘non-personal data’ of the individuals such as information collected by the Government, NGOs and other private sector entities, outside its ambit.

The usage of phrases ‘as it may consider necessary’ and ‘as may be prescribed’ can lead to administrative ambiguities. The autonomy of the Board which is entrusted with overseeing the protection of individual’s personal data and ensuring compliance with the provisions of the law is not reassuring.

Further, the Government and its instrumentalities can retain personal data for an indefinite period irrespective of whether the purpose for which data was processed has been fulfilled.

There is no mechanism to ensure accountability of those Government agencies or data fiduciaries who are exempted from the purview of the Act, particularly in view of the concerns around digital surveillance by Government functionaries. Undeniably, the Government needs to bring a codified data protection regime at the earliest, however, the DPDP Bill in its current form requires careful recalibration to bridge some of the above discussed gaps.

If you have questions or would like additional information on the material covered herein, please contact:

Seema Jhingan, Partner
sjhingan@lexcounsel.in

Jyoti Vats Mishra, Senior Associate
jvmishra@lexcounsel.in

Disclaimer: LexCounsel provides this e-update on a complimentary basis solely for informational purposes. It is not intended to constitute, and should not be taken as, legal advice, or a communication intended to solicit or establish any attorney-client relationship between LexCounsel and the reader(s). LexCounsel shall not have any obligations or liabilities towards any acts or omission of any reader(s) consequent to any information contained in this e-newsletter. The readers are advised to consult competent professionals in their own judgment before acting on the basis of any information provided hereby.

Popular posts from this blog

PE-VC investments decline 8% to $6.2 B in Q1'24

By
Press Release: Private Equity - Venture Capital (PE-VC) firms invested over $6.2 Billion (across 205 deals) in Indian companies during the first three months of 2024, shows data from  Venture Intelligence , a research service focused on private company financials, transactions, and their valuations. (Note: These figures include Venture Capital type investments, but exclude PE investments in Real Estate). The investment amount represents a 8% fall over the $6.7 Billion (across 242 deals) invested in the same period during 2023 and also down by 6% when compared to the immediate previous quarter (which witnessed $6.6 Billion being invested across 200 deals). Deal volumes in Q1'24 also declined 15% compared to Q1'23 and were up by 3% compared to the immediate previous quarter.  Q1’24 witnessed 8 mega deals ($100 M+ rounds) worth $3.5 Billion, compared to 17 such investments (worth $3.6 Billion) in Q1’23 and 15 such deals (worth $4.1 Billion) in the immediate previous quarter.  Th
Read more

PE-VC investments in Q2'23 decline 33% to $9.9 Billion

By
Private Equity-Venture Capital (PE-VC) investments in India during the quarter ended June 2023 (Q2'23), at $9.85 Billion across 182 deals, registered a 33% decrease compared to the same period in 2022 (which saw $14.6 Billion being invested across 371 deals). The investment amount however rose 74% compared to the immediate previous quarter (which saw $5.7 Billion being invested across 181 deals), shows data from  Venture Intelligence , a research service focused on private company financials, transactions, and their valuations. The PE-VC investment figures for the first 6 months of 2023 - at $15.5 Billion (across 363 deals) - was 50% lower compared to the same period in 2022 (which saw $31 Billion being invested across 800 deals). Q2’23 witnessed 19 mega deals ($100 M+
Read more

Chiratae, Speciale and Stride Ventures win APEX'24 Venture Capital Awards

By
Chiratae Ventures, Speciale Invest and Stride Ventures were awarded as among the leading Venture Capital investors in India for 2023 as part of Venture Intelligence APEX‘24 Private Equity & Venture Capital awards event in Mumbai.  The Venture Intelligence “Awards for Private Equity Excellence” (APEX) is dedicated to celebrating the best that the Indian Private Equity & Venture Capital industry has to offer. The APEX Awardees are selected based on both Self Nomination by the participating PE-VC firms and "crowd sourced" voting from the Limited Partner, PE-VC and advisory communities. (The main criteria are Return Track Record, New Fund Raises & Follow-on Funding Rounds for Portfolio Companies) VC Investor of the Year Chiratae Ventures received the Venture Capital Investor of the Year 2023 Award on the back of 10 part exits totaling $178 million via Secondary Sales during the year. Its exits included those from retail unicorn Lenskart, SaaS Startup Pixis and baby pr
Read more

Blackstone, MO Alts and InvAscent win APEX'24 Private Equity Awards

By
Press Release Blackstone, MO Alternates (formerly Motilal Oswal PE) and InvAscent were awarded as among the leading Private Equity and Growth Capital investors in India for 2023 as part of Venture Intelligence APEX‘24 Private Equity & Venture Capital awards event in Mumbai.  The Venture Intelligence “Awards for Private Equity Excellence” (APEX) is dedicated to celebrating the best that the Indian Private Equity & Venture Capital industry has to offer. The APEX Awardees are selected based on both Self Nomination by the participating PE-VC firms and "crowd sourced" voting from the Limited Partner, PE-VC and advisory communities. (The main criteria are Return Track Record, New Fund Raises & Follow-on Funding Rounds for Portfolio Companies) PE Investor of the Year Blackstone received the Private Equity Investor of the Year 2023 Award on the back of strong complete exits during the year: from Sona Comstar and IBS Software. Ganesh Mani and Amit Dalmia, Senior Managing D
Read more

Avendus tops League Table for Transaction Advisors to PE deals in Q1'23

By
Aeka Advisors and Ambit claim the No.2 & 3 slot Avendus topped the Venture Intelligence League Table for Transaction Advisor to Private Equity Transactions for Q1 2023 advising 5 deals worth $808 million. Aeka Advisors stood second having advised 3 deals worth $228 million. Ambit followed with 4 deals worth $160 million. Ernst & Young ($114 million across 4 deals) and o3 Capital ($80 million across 2 deals) completed the top five for Q1 2023. Avendus acted as advisor to ADIA’s $500 million investment in omnichannel eyewear retailer Lenskart . Aeka Advisors acted as advisor to Kreditbee’s $160 million fundraise from Advent International, Mitsubishi UFJ Financial Group (MUFG) and existing investors. Ambit advised the $104 million fundraise of Freshtohome from Mount Judi Ventures, Iron Pillar, Amazon and others. The  Venture Intelligence League Tables , the first such initiative exclusively tracking transactions involving India-based companies, are based on the value of PE
Read more