
An Overview of India’s Digital Personal Data Protection Bill 2022 (DPDP Bill)

By Privacy Research Team
Published on December 5, 2022

1. Introduction

A Brief Background of Privacy Laws in India

Before analyzing the obligations brought forward by the Digital Personal Data Protection Bill 2022, let's understand the history of India's data privacy law landscape.

1.1 Personal Data Protection Bill 2019

In December 2019, India introduced the Personal Data Protection Bill (“PDPB 2019”), following the example of many other significant data privacy laws being introduced worldwide. India was one of the first countries in the South Asian region to introduce such a bill, and it inspired other countries in the region to work towards developing privacy regimes of their own.

PDPB 2019 aimed to reform India's legal system and establish standards for cross-border transfers, the accountability of entities processing personal data, and remedies for unauthorized and harmful personal data processing.

PDPB 2019 faced significant criticism, especially regarding the regulation of social media platforms and its data localization requirements, which raised concerns about potential violations of the fundamental rights of Indian citizens and about making it harder for businesses and platforms to operate in India. Therefore, significant amendments were proposed in 2021 that aimed to clarify and rework the criticized provisions.

1.2 Data Protection Bill 2021

The Data Protection Bill 2021 (“DPB 2021”) made key revisions to the previous bill. These included extending its scope to cover non-personal data as well as personal data, and imposing strict guidelines for reporting data breaches. DPB 2021 was expected to be passed and become an official part of India's legislation as the Data Protection Act 2021.

However, the bill was withdrawn altogether in August 2022 by the Indian government - after three years of discussion and 90 sittings - because it failed to meet international standards and upcoming challenges. After the much-awaited DPB 2021 was withdrawn, all eyes have been on the Indian government and Parliament for an update on the new bill.

1.3 Digital Personal Data Protection Bill 2022

On 18th November 2022, the Indian Government released a draft of the Digital Personal Data Protection Bill 2022 (“DPDP Bill”), which is open for public comments and consultations until 02 January 2023. This Bill, once passed, will be called the Digital Personal Data Protection Act 2022.

The DPDP Bill's objective is to provide standards for handling digital personal data in a way that respects both individuals' right to the protection of their personal data and the need to process personal data for lawful purposes. It outlines the duties of data fiduciaries (data handlers/controllers), the rights of data principals (data subjects), and the consequences of non-compliance.

2. Who Needs to Comply with the Law

2.1 Material Scope

The DPDP Bill applies to the processing of digital personal data in India, whether the data is collected online, or collected offline and subsequently digitized. The DPDP Bill does not apply to non-automated processing of personal data, to offline personal data, or to processing for personal or domestic purposes. In addition, any personal data about an individual contained in a record that has existed for at least 100 years also falls outside the purview of the DPDP Bill.

2.2 Territorial Scope

As far as the territorial scope is concerned, DPDP Bill has extraterritorial application if the processing of digital personal data is in connection with any profiling of, or activity of offering goods or services to data principals within India.

2.3 Exemptions

The DPDP Bill does not apply to the following types of processing:

  • The processing of non-automated personal data;
  • The processing of offline personal data;
  • The processing of personal data by an individual for any personal or domestic purpose; and
  • The processing of personal data about an individual contained in a record that has existed for at least 100 years.

DPDP Bill prescribes that the Central Government of India may exempt certain data fiduciaries or classes of data fiduciaries based on the volume and nature of personal data they process from the applicability of certain provisions of the DPDP Bill. Section 18 of the DPDP Bill provides a list of specific exemptions.

3. Definitions of Key Terms

3.1 Person

According to DPDP Bill, person means any of the following entities:

  • an individual;
  • a Hindu undivided family;
  • a company;
  • a firm;
  • an association of persons or a body of individuals, whether incorporated or not;
  • the State; and
  • every artificial juristic person.

3.2 Data Fiduciary

DPDP Bill refers to data controllers as “Data Fiduciaries.” A data fiduciary is any person or group of persons who determine the purposes and means of processing the personal data of individuals.

3.3 Data Principal

“Data Principals” are essentially data subjects to whom the personal data relates or belongs. If a data principal is a child (an individual under the age of 18 years), then the parents or lawful guardian of such a child becomes the data principal.

3.4 Personal Data

Personal data means any information or data about an individual who is identifiable by virtue of that information.

3.5 Consent Manager

A consent manager is a data fiduciary that provides an open, transparent, and interoperable platform enabling the data principal to give, manage, review, and withdraw her consent. These data fiduciaries will be registered with the Data Protection Board of India and will be accountable to the data principals.

3.6 Significant Data Fiduciary

Any data fiduciary or class of data fiduciaries may be designated by the Central Government as a “Significant Data Fiduciary” after taking into account the volume and sensitivity of personal data processed, risk of harm to the data principal or electoral democracy, impact on national sovereignty and security, and public order.

3.7 Board

Board means the Data Protection Board of India established by the Central Government for the purposes of the DPDP Bill.

4. Obligations for Data Fiduciaries Under India’s DPDP Bill 2022

4.1 Grounds for Processing Requirements

Digital personal data may only be processed for a lawful purpose for which the data principal has given or is deemed to have given his/her consent. Lawful purpose means any purpose that is not specifically and explicitly prohibited by law.

The processing of digital personal data should be done in accordance with requirements laid under DPDP Bill and any other applicable Rules or Regulations that would be enacted under DPDP Bill.

4.2 Consent Requirements

The DPDP Bill requires consent to be freely given, specific, informed, and unambiguous, clearly indicating the data principal's agreement to the processing of her/his personal data for the specified purpose. Whenever a data fiduciary requests the data principal's consent, the request must be made in clear, plain language and include the contact information of a data protection officer or other designated person. That person will be responsible for responding to any queries and concerns of the data principal regarding the exercise of their rights under the DPDP Bill.

Moreover, the data fiduciary must provide the data principal with the option of viewing the consent request in either English or any of the other languages listed in the Eighth Schedule of the Indian Constitution.

The data principal can withdraw their consent at any time and will be responsible for bearing the costs associated with such withdrawal. The data principal can grant, manage, evaluate, or revoke her consent to the Data Fiduciary via a Consent Manager.

Consent managers will be interoperable platforms required to be registered with the Data Protection Board of India. The consent manager will be accountable to the data principal.

4.2.1 Deemed Consent

DPDP Bill provides for situations where the data principal is deemed to have given consent for the processing of his/her personal data if such processing is necessary. These include:

  • the data principal voluntarily provides his/her personal data, and it is reasonably expected for him/her to give such data;
  • for the execution of any legal duty, the rendering of any service or benefit to the data principal, or issuance of any certificate, license, or permit, etc.;
  • for compliance with any judgment or order issued under any law;
  • for responding to a medical emergency involving a threat to the life of the data principal or any other individual;
  • for facilitation of services during any public health emergency;
  • purposes related to employment, prevention of corporate espionage, maintenance of confidentiality (trade secrets, intellectual property, classified information, etc.), recruitment, termination of employment, and provision of any service or benefit sought by the data principal who is also an employee; and
  • public interest purposes, which include detection and prevention of fraud, mergers and acquisitions, information and network security, credit scoring, debt recovery, processing of publicly available information, and any other fair and reasonable purpose after considering the legitimate interests of the data principal and the data fiduciary.

4.3 Notice Requirements

A data fiduciary must provide a data principal with an itemized notice in clear and plain language on or before requesting the data principal's consent. The notice must describe the personal data the data fiduciary plans to collect as well as the purpose for which it will be processed. The data fiduciary must give the data principal an option to access this information.

4.4 Security & Data Breach Notification Requirements

A data fiduciary must put in place the necessary organizational and technical safeguards to ensure compliance with the DPDP Bill. Each data fiduciary and data processor is required to take reasonable security precautions to secure any personal data that is in their possession or under their control to prevent any breach of the personal data of the data principal. In case of a data breach, the data fiduciary or data processor must inform the Board and each affected data principal.

4.5 Data Protection Officer Requirement

Every data fiduciary is required to publish, in the way that may be prescribed under the DPDP Bill, the business contact information of a Data Protection Officer (DPO) or of a person who may respond to the data principal's inquiries about the processing of their personal data.

4.6 Data Processor Requirement

A data fiduciary may engage, appoint, use, or involve a data processor to process personal data on its behalf only for a purpose for which the data principal's consent has been obtained, and only under a valid contract between the data fiduciary and the data processor.

Such a data processor may only engage, employ, use, or involve another data processor in processing personal data under a legitimate contract if permitted under its agreement with the data fiduciary.

4.7 Children’s Data Processing Requirement

Before processing any personal data of a child, the data fiduciary must first obtain verifiable consent from the child's parent or lawful guardian. The data fiduciary must not process personal data in any way that could endanger children. Moreover, the data fiduciary is not allowed to track children, monitor their behavior, or target them with advertising.

4.8 Additional Obligations of Significant Data Fiduciary

Any data fiduciary or class of data fiduciaries may be designated by the Central Government of India as a ‘Significant Data Fiduciary’ based on an assessment of factors such as:

  1. the volume and sensitivity of personal data processed;
  2. risk of harm to the Data Principal;
  3. potential impact on the sovereignty and integrity of India;
  4. risk to electoral democracy;
  5. security of the State;
  6. public order; and
  7. such other factors as it may consider necessary.

A Significant Data Fiduciary is required to appoint a DPO who is based in India and represents the Significant Data Fiduciary. In addition, the Significant Data Fiduciary must designate an independent data auditor to assess whether it complies with the DPDP Bill's requirements, and must implement additional safeguards, such as conducting Data Protection Impact Assessments (DPIAs) and periodic audits.

4.9 Cross-Border Data Transfer Requirements

The DPDP Bill does not expressly prohibit cross-border data transfers or prescribe any specific compliance requirements (such as executing standard contractual clauses or conducting transfer impact assessments) for the transfer of personal data outside India.

However, the Central Government of India may specify the nations or territories outside of India to which a data fiduciary may transmit personal data under the terms and conditions it deems appropriate.

5. Data Subject Rights

The data subjects, or data principals, as they're referred to under India’s DPDP Bill 2022, have the following rights:

5.1 Right to Information

The data principal has the right to request information from the data fiduciary. This includes confirmation of whether the data fiduciary is processing or has processed the data principal's personal data, a summary of the personal data being or having been processed, the identities of all data fiduciaries with whom the personal data has been shared, and the categories of personal data shared.

5.2 Right to Correction & Erasure

A data principal shall have the right to correction and erasure of their personal data. Upon receiving a request for such correction of the personal data from a data principal, a data fiduciary is required to correct any inaccuracies, complete any incomplete information and update a data principal's personal data in the systems accordingly.

In addition, unless retention is mandated by law, the data fiduciary is expected to delete any personal information that is no longer needed for the original reason it was obtained and processed.

5.3 Right to Grievance Redressal

A data principal has the right to lodge a grievance with a data fiduciary. If the data fiduciary's response to the grievance is unsatisfactory, or if no response is received within seven days (or such shorter period as may be prescribed), the data principal may file a complaint with the Data Protection Board in the manner that may be prescribed.

5.4 Right to Nominate

In the event of the data principal's death or incapacity, the data principal shall have the right to choose another person in the manner that may be prescribed to act on the data principal's behalf in accordance with the provisions of this Act.

6. Obligations of Data Principal

A data principal is required to abide by all other laws whilst exercising any rights under the DPDP Bill. The DPDP Bill also prohibits data principals from registering any false or frivolous grievance or complaint with a data fiduciary or the Board or furnishing any false particulars or suppressing any material information, or impersonating another person.

It is the duty of the data principal to furnish verifiably authentic information whilst exercising the right to correction or erasure under the DPDP Bill.

7. Regulatory Authority

To implement the provisions of the DPDP Bill, the regulatory authority will be the Data Protection Board of India. The Board will be responsible for ensuring compliance and imposing penalties in case of any violation of the DPDP Bill. The Board may also direct data fiduciaries to adopt any urgent measures - in the event of a data breach - to remedy such personal data breach or mitigate any harm caused to data principals.

8. Penalties for Non-compliance

Under the DPDP Bill, if a data fiduciary or data processor fails to take reasonable security safeguards to prevent a personal data breach, it would be liable to a fine of up to 2,500,000,000 Indian Rupees. In addition, any failure to notify the Board and the data principal of a data breach, and any non-fulfillment of the obligations for processing children's data, would attract a fine of up to 2,00,00,00,000 Indian Rupees.

If a data principal fails to comply with his/her duties, he/she will be liable to a fine of up to 10,000 Indian Rupees. In any case, a financial penalty imposed would not exceed Rs. 500 crores per instance, and the person would be given a fair opportunity to respond before a penalty is imposed.

9. How Organizations Can Operationalize India’s DPDP Bill

A few steps that organizations can take to put the DPDP Bill into practice:

  • Conduct data mapping assessments, analyze data inventories, and categorize data storage that contains digital personal data about Indians;
  • Have a compliant consent mechanism in place to capture consent and deemed consent;
  • Maintain proper channels of communication, allowing the data subjects to exercise their rights;
  • Put in place the necessary organizational and technical safeguards;
  • Identify cross-border data transfer and fulfill data transfer requirements;
  • Properly educate the employees and the workforce on data processing methods;
  • Have an easy-to-read privacy policy that clearly communicates all the data subjects' rights without leaving any room for ambiguity;
  • Have a breach response plan in place; and
  • Conduct regular data protection impact assessments to analyze risks and vulnerabilities to processing activities and to ensure maximum efficiency in compliance efforts.

10. How Can Securiti Help

India's Digital Personal Data Protection Bill 2022 is a welcome endeavor in the legislative privacy landscape, especially in light of recent technological advancements and the need for a comprehensive data privacy framework in India.

In the modern digital economy, it is past time for businesses to acknowledge data privacy as a human right, not just a consumer right, and to make sure their data processing procedures comply with all applicable data privacy requirements.

To operationalize compliance and avoid falling behind in a constantly evolving technology and data privacy landscape, businesses must use robotic automation to expedite compliance. Securiti uses the PrivacyOps architecture to provide end-to-end business automation, combining reliability, intelligence, and simplicity.

Securiti can assist you in complying with India's Digital Personal Data Protection Bill 2022 and other privacy and security standards worldwide.
