Introduction

India recently released a new draft Digital Personal Data Protection Bill 2022 (2022 Bill). The 2022 Bill follows a previous draft bill that was first released in 2018, revised in 2019 and finally withdrawn in 2022, owing primarily to strong criticism from a parliamentary review committee. The last bill was heavily inspired by the EU General Data Protection Regulation (GDPR), which is the global gold standard in data protection regulation; however, its complexity might have been a factor in its demise. The 2022 Bill seems to have learnt from the fate of its predecessor regulations and will likely forge its own path in furthering data regulation in India.

The 2022 Bill comes with explanatory notes, which make for useful reading, particularly with regard to laying down a set of seven principles that have guided the formulation of this new bill.

The 2022 Bill is open for public comment until 17 December 2022.

Key aspects

Length
The 2022 Bill is much shorter than its 2019 counterpart – it has 30 sections as opposed to the earlier version, which contained 98 sections. As noted, the 2019 bill was heavily inspired by the EU GDPR and sought to import a number of GDPR concepts, including:

  • detailed grounds for processing data;
  • privacy-by-design requirements; and
  • identical data subject rights.

The 2022 Bill is much more focused on the rights and obligations of data principals and data fiduciaries, while leaving some aspects to be worked out in subordinate legislation (for example, how to collect children's data).

As a whole, the 2022 Bill seems to have borrowed provisions from Singapore's Personal Data Protection Act 2012. The concepts of deemed consent and voluntary undertakings (for non-compliance), as well as factors for determining the financial penalties, bear a striking resemblance to the wordings in Singapore data law. Perhaps most importantly, the 2022 Bill swerves the pitfall of trying to regulate non-personal data within the same law. This was a recommendation in the old 2019 bill pursuant to the review by the parliamentary expert committee, though it is difficult to see how this would have been implemented.

Language and illustrations
A (perhaps surprising) feature of the 2022 Bill is that it explains certain concepts and provisions by way of factual illustrations. While not unknown, this is certainly not common in Indian law-making. But the 11 illustrations in the 2022 Bill do help clarify the scope of certain sections, and they are quite an elegant way of clearly communicating the legislative intent. In addition, these illustrations provide courts and regulators with a clear idea of what the regulatory intent behind a particular provision is, and they promote predictable outcomes. Fortunately, some of the more onerous compliance requirements, such as data audits, are only required of "significant" data fiduciaries.

In fact, a through-line in the 2022 Bill is to keep matters clear – the draft itself uses the term "plain language" thrice in its wordings, and the aim to use "plain and simple language to facilitate ease of understanding" is also found in the public notice releasing the draft. This will come as a welcome development to businesses, who would appreciate the maximum level of clarity possible when dealing with a law that can lead to heavy penalties of up to 3,872 Indian rupees.

Concepts and data
Despite looking substantially different from the 2019 version, the 2022 Bill keeps the broad framework suggested in the previous version. There are still data fiduciaries who must ensure compliance with law while processing the data of data principals – and the Data Protection Board of India will be created to enforce the law.

The draft law applies to any processing of data outside India if done in connection with profiling Indians or offering goods or services within India. All processing must be for a lawful purpose, and with prior consent obtained through a notice.

At the same time, the 2022 Bill forgoes a few concepts, likely in order to simplify compliance. There is no separate category for sensitive data; only children's data is treated differently than other data (which makes sense, since the line between personal data and sensitive data is difficult to demarcate). In line with the Singapore data law, the draft 2022 Bill accords limited rights to data principals. Perhaps more interestingly, the new 2022 Bill also requires that data subjects fulfil certain duties and prescribes penalties if they do not. These duties include an obligation not to supply false information and a duty to only provide authentic information while exercising their rights.

Cross border flows and localisation
The draft 2019 data bill worried Indian start-ups and businesses in particular by prescribing data localisation for a number of data sets. In fact, under the 2019 draft, certain "critical data" could not be stored abroad at all and had to remain in India. Predictably, this worried digital majors and businesses who send data abroad as part of their operations. This requirement has been diluted in the new 2022 Bill, which makes a number of significant concessions on sending and storing data outside India.

The 2022 Bill contemplates the Indian government notifying countries or territories to whom a data fiduciary may transfer data. Presumably, this will be done by taking into account corresponding data security levels and may lead to bilateral data transfer arrangements with countries. If these can be realised, the prospect of free cross border data flows with trusted jurisdictions would appeal to businesses, as it would take away a lot of uncertainty around data transfers. The 2022 Bill also provides an exemption for processing personal data by the government for public interest and national security. Such provisions are, as always, concerning for businesses who need to predict the scope and frequency of access requests.

Comment

Arguably, being a more comprehensive draft, the 2019 data bill also made for a bigger target – it sought to import certain concepts into Indian law that had hitherto not been present, and it was not clear as to how these would be complied with (eg, in the case of privacy-by-design); and in some cases it promised rights and procedures that could not work under a single regulator who would be in charge of a much larger population than all European regulators combined (eg, in the 2019 draft, breach notifications to data principals were intended to be controlled by the data regulator).

Some matters will need to be clarified further. For instance, there appears to be an overlap between the 2022 Bill and the recently issued cybersecurity regulations in relation to reporting data breaches and cybersecurity threats. That said, by concentrating its focus on relatively straightforward, non-controversial aspects, and limiting itself to data that is in digital form, the 2022 Bill may make the job of lawmakers a little easier. After the debates around the earlier 2019 law, this new version may present a good middle ground solution towards data privacy regulations, which may mean that this 2022 Bill faces a much easier path through parliament, perhaps as soon as Spring 2023.

For further information on this topic please contact Vikram Jeet Singh at BTG Legal by telephone (+91 22 6177 2900) or email ([email protected]). The BTG Legal website can be accessed at www.btg-legal.com.