Four years ago India received the landmark Puttaswamy judgment, which enshrined the right to privacy for the world's largest democracy. Since then, through various iterations, the government of India has attempted to devise an act that can adequately ensure the privacy of its more than 760 million active internet users. Versions of the Personal Data Protection Bill were proposed in 2018 and 2019, each receiving extensive scrutiny from experts across the country and alarming tech giants with requirements such as data localization. After receiving 81 amendments from the Joint Parliamentary Committee, the bill was withdrawn in August 2022, amid promises of a new bill that fits into India's comprehensive legal framework.
The new bill, proposed by the Ministry of Electronics and Information Technology, frames both the rights and duties of the "Digital Nagrik" (digital citizen) and the obligation to use collected data lawfully. Drawing upon best practices from places like Singapore, Australia, and the European Union, the bill is based on the following principles:
- Lawfulness, fairness, and transparency.
- Purpose limitation.
- Data minimization.
- Accuracy.
- Storage limitation.
- Accountability.
As the name suggests, the scope of the Digital Personal Data Protection Bill is restricted to processing digital personal data within the territory of India. As such, all offline personal data and anything not digitized will be exempt from the purview of this legislation. Such a scope carves out a large number of processing operations still relying on paper forms as the default mechanism of data collection. Additionally, the bill remains silent on the governance of digitized paper records.
Keeping in line with the global trend, the bill has extraterritorial applicability. It will apply to all organizations processing digital personal data outside the territory of India, if such processing involves profiling or offering goods and services to data principals within the territory of India. Since the bill does not specify what constitutes an offering of goods and services, the Data Protection Board of India (DPB), established in the proposed bill, will need to provide additional guidance.
The DPB will be the first regulatory body in India responsible for protecting the privacy of Indians. While it will determine noncompliance and impose penalties, the power to make rules regarding the bill's provisions remains with the central government. When it comes to outlining the structure and composition of the DPB, the current version of the bill is less prescriptive than its predecessors. Additionally, the codes of practice and appellate tribunal specified in the 2019 version of the bill have been dropped.
The new bill adopts a unique approach to the relationship between data principals and data fiduciaries (organizations determining the means and purpose of collection), outlining both the obligations of the data fiduciaries and the duties of data principals. Such duties require that the data principal not:
- Register a false or frivolous grievance or complaint with a data fiduciary or the DPB.
- Furnish any false particulars or suppress any material information or impersonate another person.
- Furnish any information that is not authentic while exercising the right to correction or erasure.
Noncompliance with the above duties can result in the data principal receiving a penalty of up to 10,000 rupees (approximately $120).
The term sensitive personal data has not been defined as part of the bill, and, as such, no additional obligations have been outlined for safeguarding data attributes that could pose a greater risk to the individual if compromised. The current bill retains the concept of significant data fiduciaries proposed as part of earlier versions. Organizations would be classified as significant data fiduciaries upon notice by the central government. Such organizations would be required to ensure the following:
- Appoint a data protection officer.
- Appoint an independent data auditor who shall conduct a periodic audit for compliance with the bill.
- Perform data protection impact assessments.
Since the power to classify an organization, or a class of organizations, as a significant data fiduciary lies with the central government instead of the DPB, it remains to be seen whether such an approach will create a bottleneck in effectively safeguarding the privacy of individuals.
A key highlight of the proposed approach is cross-border data transfers. Previous versions of the bill came under intense scrutiny from various industries for proposing data localization, using India's "digital sovereignty" as reasoning for this approach. However, the current bill does away with the localization requirement and adopts a vague approach, stating the central government will notify countries outside India to which a data fiduciary may transfer personal data. The terms and conditions governing such transfers will be specified with such notifications.
Another departure from the previous versions of the bill lies in the rights afforded to data principals. Data principals have been shortchanged, as the right to portability and the right to be forgotten have been dropped. Thus, data principals will no longer be empowered to choose between different platforms or to direct a data fiduciary to restrict the continuing disclosure of their personal data. Instead, the bill provides data principals with the right to grievance redressal and the right to nominate. The right to nominate enables data principals to nominate another individual to exercise the rights of the data principal in the event of the principal's death or incapacity.
Penalties for noncompliance, the driving force for ensuring compliance with the bill, have also undergone a change. The previous versions of the bill took inspiration for imposing fines from the EU General Data Protection Regulation, capping fines at 4% of the total worldwide turnover of the data fiduciary to ensure they were commensurate with the size of the organization. However, the current bill limits the fines that can be imposed on the data fiduciary to 5 billion rupees (approximately $61 million). While the bill does not outline the compliance requirements that should be enforced on data processors, it mentions that failure to safeguard the security of personal data can result in a penalty of 2.5 billion rupees (approximately $30 million) for both the data processor and the data controller.
The proposed bill remains open to public consultation until Dec. 17. As India continues its digital transformation and achieves greater internet penetration, the approaches to data privacy regulation will greatly shape the relationship between its 1.3 billion citizens and the organizations attracted by the value of such data. The creation of a strong and empowered DPB with sufficient regulatory tools is imperative to ensure the safety of India's "Digital Nagriks."