The Lok Sabha[1] and Rajya Sabha[2] passed the Digital Personal Data Protection Bill, 2023 (the “Bill”), marking the dawn of data protection law in India; the Bill currently awaits Presidential assent. It seeks to replace the data protection architecture under the existing Information Technology Act, 2000 and the rules made thereunder, and gives effect to the right to privacy affirmed by the Supreme Court in Puttaswamy[3].
The Bill proposes a comprehensive framework for data protection in India, while recognizing the right to privacy of the individuals to whom personal data relates (referred to as “Data Principals”). Such personal data may be processed by entities which determine the means and purposes of processing (referred to as “Data Fiduciaries” or “Fiduciaries”) and by entities such as contractors and service providers that process personal data on behalf of such Data Fiduciaries (referred to as “Data Processors” or “Processors”).
The Bill also proposes the establishment of a regulator viz. the Data Protection Board (the “Board”), consisting of a chairperson and such other members as may be notified, who would be appointed by the Central Government, with at least one law expert. The Board is expected to play an adjudicatory role, as opposed to being a comprehensive sectoral regulator.
While a sizeable portion of the provisions, and clarity on the resulting obligations, remain on the wish list for the rules that are yet to follow, entities complying with existing law[4] may need to reimagine their data handling practices at every stage of the data life-cycle, up until deletion, as per the provisions of the Bill. Here we discuss some of the core requirements which are to be met by the newly recognized Data Fiduciaries in India.
(A) Assessing applicability of the Bill
At the outset, entities must assess the applicability of the Bill to processing activities undertaken by them. This may involve assessing ‘territorial’ applicability and examining exemptions on ‘subject-matter’.
Territorial Applicability: The Bill states that, while all processing undertaken within India will be subject to the Bill, processing outside India will also attract its application if the Fiduciary undertakes such processing in connection with an activity related to the offering of goods or services to Indian residents.[5] Therefore, entities engaged in offering goods or services to Indian residents would still have to comply with the Bill, regardless of whether they are established in India, have a corporate entity in India, or undertake processing within India.
Thus, while entities which undertake processing of personal data in India will regardless be subject to provisions of the Bill, those undertaking processing outside India may also be required to comply, if such processing is in connection with offering of goods or services to Data Principals resident in India.
Subject Matter Applicability: The Bill provides exceptions to applicability in specific situations such as when personal data is processed for personal or domestic purpose or in cases where such personal data is publicly available, on account of the Data Principal publishing it (herself) or any other entity publishing it pursuant to a legal obligation.
(B) Undertake mapping of data flows
Entities must undertake discovery and mapping of inward and outward data flows to comprehensively understand the personal data processed by them. This may be helpful in assessing applicability and the extent of compliance, such as in:
- examining documentation pertaining to the collection of personal data, including notices, consents, authorizations etc.;
- analyzing the purpose for which such data is collected and whether minimization obligations may apply to such information[6];
- identifying certain special categories of data (such as children’s personal data[7]) to which additional obligations may apply;
- assessing the storage and security measures applied to such data, from the perspective of implementing technical and organizational measures[8]; and
- assessing cross-border transfers of personal data and the permissibility thereof[9].
Data discovery and mapping is a critical step to be undertaken by organizations in order to have complete visibility over the personal data being processed. Maintaining accurate and updated inventories of data through periodic exercises may enable entities to avoid the consequences of later discovering data which had not been secured, as was seen in the case of Eatigo International[10] (Singapore).
(C) Managing consent obtained previously
Data Fiduciaries may, as soon as reasonably practicable, be required to take steps to provide a notice to existing Data Principals. Since the continued processing of personal data by Fiduciaries would be contingent on whether Data Principals withdraw their consent, Fiduciaries must implement mechanisms which permit Data Principals to withdraw consent, should they choose to do so.
The Bill provides for many other obligations which are likely to be crystallized once the rules are formally made available by the Central Government. This will further expand the breadth of the compliance obligations under the Bill.
[The authors are Executive Partner and Senior Associate in Data Protection and TMT practice of Lakshmikumaran & Sridharan Attorneys at New Delhi and Hyderabad, respectively]
[1] Bulletin-I dated August 7, 2023, Lok Sabha, available at https://sansad.in/getFile/bull1mk/17/XII/07082023.pdf?source=loksabhadocs
[2] Bulletin-I dated August 9, 2023, Lok Sabha, available at https://sansad.in/getFile/UploadedFiles/TableOffice/TableBulletin1/260/English_090823.pdf?source=rscms
[3] Justice K.S. Puttaswamy (Retd) v. Union of India, (2017) 10 SCC 1.
[4] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
[5] Clause 3(a), Digital Personal Data Protection Bill, 2023.
[6] Clause 6(1), Digital Personal Data Protection Bill, 2023.
[7] Clause 9, Digital Personal Data Protection Bill, 2023.
[8] Clause 8(4), Digital Personal Data Protection Bill, 2023.
[9] Clause 16, Digital Personal Data Protection Bill, 2023.
[10] Eatigo International, (2022) SGPDPC 9.