policy monitor

India – Digital Personal Data Protection Bill

Modelled after the GDPR but diverging from it on a number of important points, the Indian Digital Personal Data Protection Bill (‘DPDP Bill’) reflects learnings from the operation of the GDPR in the EU, as well as the need to establish a data protection regime adapted to the Indian context.

What: legislation

Impact score: 1

For whom: legal professionals, data protection experts, businesses that offer goods and services to individuals in India

URL:

Key takeaways for Flanders

Flemish companies offering goods and/or services to individuals in India, and digitally processing personal data of individuals in India in connection with that, are subject to the requirements of the DPDP Bill. They should therefore start considering how to comply with the obligations set out in the Bill. Existing GDPR compliance practices may offer a start, though the requirements of the Indian law differ in some respects from the requirements of the GDPR. For a more in-depth analysis of the similarities and differences between the GDPR and the DPDP Bill, see: https://www.lexology.com/library/detail.aspx?g=2a5d16a8-fd72-40ac-9730-d6fc420a2a80.

It is also important to note that the Bill does not protect the personal data of people outside of India. In fact, the Bill even contains an explicit exemption for Indian entities who process personal data of individuals outside of India on behalf of an entity outside of India (the ‘outsourcing exception’). Since this makes an adequacy decision unlikely, it is paramount that if you share personal data of individuals in the EU with a recipient in India, you ensure that the recipient will sufficiently protect those data, through e.g. standard contractual clauses.

Summary

Objective and scope

The primary objective of the Bill is to establish a comprehensive framework in India for the protection and processing of personal data. In its own words, the Bill “provide[s] for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.”

“Data” should be understood in this context as any “representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation, or processing by human beings or by automated means.” Data become “personal data” when they pertain to an individual (“data principal”, i.e. the data subject in the GDPR) who is identifiable by or in relation to such data. Unlike the GDPR, the DPDP Bill does not contain a list of special categories of personal data which deserve enhanced protection.

“Processing” in regard to personal data has been defined as “a wholly or partly automated operation or set of operations performed on digital personal data” and – similar to the GDPR – includes virtually every action that can be taken vis-à-vis personal data. The person who determines the purpose and the means of the processing is called a “data fiduciary” (i.e. the data controller in the GDPR).

Key elements and basic principles

  • Scope of application

The Bill applies to the processing of personal data within India where such data is (i) in digital form, or (ii) in non-digital form and subsequently digitized. However, the Bill also applies outside of India to the processing of digital personal data if such processing happens in connection with “any activity related to offering goods or services to data principals within the territory of India.”

Exempt from the Bill are (i) the categories of data fiduciaries identified by the government (which will happen at a later date), (ii) the processing of personal data of individuals outside of India by any entity based in India, on the basis of a contractual agreement with an entity outside of India (the ‘outsourcing exception’), (iii) the processing of personal data by an individual for personal or domestic purposes, and (iv) the processing of personal data that is made or caused to be made publicly available by the data principal or by any other person who is under an obligation to make the personal data publicly available. If, for example, an individual makes his or her personal data publicly available on social media, the provisions of the Bill shall not apply (unlike the GDPR).

The Bill also includes broad exceptions for the government in general. For instance, the government may declare that processing activities in the interests of the state, as well as those which are required to preserve friendly relations with foreign states or to maintain public order, are not subject to the provisions of the Bill.

  • Grounds for processing

Personal data may only be processed for a lawful purpose (i) for which the data principal has given his/her consent, or (ii) for any of the legitimate uses mentioned in article 7, such as the processing of voluntarily provided personal data (i.e. provided without the data fiduciary seeking to obtain consent) or the processing for employment purposes. Note that “contractual necessity” and “legitimate interest” are not included in the list, making it substantially different from the one found in the GDPR.

For consent to be a valid ground for processing, it has to be free, specific, informed, unconditional and unambiguous, and given with a clear affirmative action. For individuals under the age of 18, consent shall be provided by their parent(s) or legal guardian.

  • Rights and duties of the data principal

An individual whose personal data are being processed has the right to (i) obtain information about the processing of his/her data, (ii) correction, completion, updating and erasure of his/her personal data in case the processing is based on consent, (iii) withdraw consent, (iv) nominate another individual to exercise his/her rights in the event of death or incapacity, and (v) have readily available means of grievance redressal (i.e. the data principal has to be able to turn to the data fiduciary with any complaints he/she may have regarding the processing activities). This “grievance redress” mechanism is important, as data principals can only address the Board with a complaint after they have first sought redress with the data fiduciary.

However, data principals are under the obligation not to (i) submit a false or frivolous grievance or complaint, (ii) suppress any material information while providing his/her personal data for any document issued by the state, (iii) furnish any inauthentic information while exercising the right to correction or erasure, and (iv) impersonate another individual while providing personal data. The infringement of these duties may be punished with a fine.

  • Obligations of the data fiduciary

The data fiduciary shall (i) only process personal data on the basis of consent or for any of the legitimate uses, (ii) implement appropriate technical and organizational measures to ensure effective compliance with the Bill, (iii) take reasonable security safeguards to prevent the breach of personal data, (iv) make reasonable efforts to ensure the accuracy and completeness of the data, (v) respond to any communication from the data principal seeking to exercise his/her rights, and (vi) inform the Data Protection Board and each affected individual in the event of a data breach.

In contrast to the GDPR, which only allows (with some derogations) data transfers to foreign countries on the basis of either an adequacy decision or appropriate safeguards, the DPDP Bill does not restrict the transfer of personal data outside of India. The Bill leaves it up to the government to blacklist certain countries or to enact other sorts of restrictions.

  • Data Protection Board of India

The Data Protection Board of India (‘Board’) is a new independent body, tasked with (i) directing any urgent remedial or mitigation measures in the event of a data breach, (ii) inquiring into such a breach, and (iii) imposing penalties. The Board operates as a civil court, and any other civil court will be barred from entertaining any suit for which the Board has jurisdiction under the Bill.

However, the Board does not have the power to clarify how the Bill should be implemented or interpreted. It is the government that has been given broad discretion to adopt legislation further specifying the provisions of the Bill, including e.g. the modalities and timelines for data fiduciaries to respond to data principal requests, or the requirements for a valid notice for obtaining a data principal’s consent. Therefore, despite its name, the Board is more similar to a data protection authority under the GDPR than to the European Data Protection Board.

  • Penalties

Unlike under the GDPR, fines for data breaches and violations of the Bill are fixed amounts and are not calculated as a percentage of annual global turnover. The maximum amount depends on the offence committed, but ranges from INR 50 crores to 250 crores (ca. EUR 5-25 million). When determining the amount, the Board will consider factors such as (i) the nature, gravity and duration of the breach, (ii) the type and nature of the affected personal data, (iii) the gain or loss realized, and (iv) the actions taken to mitigate the situation.