After the Government of India withdrew the draft Data Protection Bill 2019 on 3 August 2022, the Indian Ministry of Electronics and Information Technology released a new and shorter draft, the Digital Personal Data Protection Bill 2022 (DPDP Bill, 2022), a few months later – on 18 November 2022. The DPDP, 2022 is intended to lay the foundation for comprehensive regulations on data protection in India.
What is the current data protection situation in India?
Privacy is a fundamental right and is protected by the Constitution of India. In August 2017, the right to privacy was recognised as a fundamental right by a judgment of the Supreme Court of India. This right, enshrined in the Constitution, casts a long shadow on Indian law, influencing policy and jurisprudence and acting as a check on legislative and executive action. The regulations governing the processing of personal data are currently mainly found in the Information Technology Act, 2000 and the Information Technology Rules, 2011. In addition, personal data is protected by indirect safeguards developed by the courts through various judgments over the years. India does not have a national supervisory authority for the protection of personal data. The Ministry of Electronics and IT is responsible for administering the above laws and issuing new regulations. With the planned DPDP Act, 2022 (see this PDF), the principles of data protection, such as transparency, purpose limitation, data minimisation or storage limitation, are to be observed in particular.
The Digital Personal Data Protection Act, 2022
In the 2019 version, the transfer, processing and storage of data abroad was to be severely restricted. This bill was criticised by various organisations, most notably the Asia Internet Coalition, a trade organisation that includes companies such as Google, Facebook and Amazon. The justification for the criticism was that decisions on cross-border transfers should be free from political interference. As a result, the DPDP Bill, 2022 is less restrictive with regard to cross-border data traffic. These are the most important regulations:
Applicability of the DPDP Act
The DPDP Act, 2022, as drafted, is applicable to entities that process digital personal data within India. The term "digital" covers personal data that is collected online as well as data that is collected offline and subsequently digitised. This means that data that is collected offline and also stored offline is excluded.
However, the provisions of the DPDP Act, 2022 are also intended to apply to the processing of digital personal data outside India's territory where the processing is carried out in connection with the profiling or offering of goods or services to data subjects in India's territory.
Obligations of the data processor
Section 5 of the Bill provides that the data processor shall process personal data only in accordance with the provisions of the DPDP Act, 2022 and the regulations made thereunder for a lawful purpose for which the data subject has consented or consent may be assumed in accordance with the provisions of the Act. The Bill does not specify the circumstances in which consent may be assumed.
Similar to the provisions of the General Data Protection Regulation (GDPR), the draft Indian law also provides for an information obligation on the part of the data processor. According to this, the data processor must inform the consenting person about the collected data and the purpose of the processing. However, the wording of the draft only speaks of data subjects who have actively consented, and not of those for whom consent is assumed. The latter are nonetheless likely to be covered, either in the context of compliance with the principle of transparency or by being included in the final law.
Special data processors
A data processor may also be classified as a special data processor by the government under Section 11 of the draft, based on an assessment of relevant factors (e.g. state security, scope of data processing, risk of injury to data subjects). In particular, this includes – comparable to Art. 9 GDPR – processors of special categories of personal data or data on a large scale.
Appointment of a data protection officer
If a data processor is classified as a special data processor, it must appoint a data protection officer based in India. In addition to appointing a data protection officer, an independent auditor must also be appointed to verify compliance with the DPDP Act, 2022. Further measures, such as conducting data protection impact assessments and periodic audits, must also be undertaken.
Rights and obligations of data subjects
Since the GDPR came into force, the influence of European data protection law has been seen globally, especially with regard to the rights of data subjects. The draft Indian law also contains rights similar to Art. 15 et seq. GDPR, including:
- Right of access (Section 12 DPDP Act, 2022)
- Right to correction and deletion (Section 13 DPDP Act, 2022)
- Right to complain (Section 13 DPDP Act, 2022)
A further right is the right of nomination (Section 15 DPDP Act, 2022), under which a data subject may nominate another person to exercise the data subject's rights under this Act in the event of the data subject's death or incapacity.
Finally, Chapter 3 of the draft regulates various obligations on the part of the data subjects.
Cross-border data transfer
Cross-border data transfers are a highly relevant issue, and the DPDP Act, 2022 contains provisions to regulate them. Section 17 of the DPDP Act, 2022 provides that the government may, after making an assessment based on factors it considers necessary, specify countries or territories outside India to which personal data may be transferred in accordance with the specified provisions.
In addition, the following section sets out some exceptions. With regard to cross-border data transfer, section 17 does not apply:
- if the processing of personal data is necessary for the assertion of a legal claim,
- where the processing of personal data by a court or other body in India is necessary for the performance of a judicial or quasi-judicial function,
- where personal data is processed in the interest of the prevention, investigation, detection or prosecution of a criminal offence or the prosecution of any offence against a law,
- where personal data of principals not located in the territory of India is processed by a person resident in India pursuant to a contract entered into with a person outside the territory of India.
Cross-border data transfers are now subject to a central government assessment of the legal situation of the recipient country. The intention to regulate cross-border transfers on the basis of an adequacy assessment seems progressive, but the draft does not specify on what basis such an assessment should be carried out.
However, in the context of adequacy mechanisms and alternatives thereto, it is reasonable to assume that the government will assess the precedents and actions of the Court of Justice of the European Union in its various rulings, in particular the decisions in Schrems I and Schrems II. While specifying objective factors or specific conditions is a constructive approach from a data protection perspective, such factors may not be generally applicable in all recipient countries. Accordingly, mechanisms such as the EU’s Standard Contractual Clauses (SCCs), certifications, etc., must be considered as required under the rules.
Indian Data Protection Authority
Section 19 of the Bill seeks to provide for the establishment of an Indian Data Protection Authority, which does not yet exist in India. The distribution of work within the authority, the receipt of complaints, the formation of groups for hearings, the pronouncement of decisions and other functions of the authority are to be digitalised as far as possible.
If the Indian data protection authority comes to the conclusion that a breach has occurred, it can impose fines, whereby the amount is to be assessed according to various criteria. These include, for example, the type, severity and duration of the breach, the type of personal data affected by the breach or the existence of a risk of recurrence. Among other things, violations of the Data Protection Act may result in fines of up to the equivalent of approximately 30 million euros (₹ 2.5 billion).
Considering that the Act under Section 29 DPDP Act, 2022 takes precedence in case of competing provisions of other laws, it remains to be seen how India will adapt existing regulations to create harmonisation in the Indian regulatory landscape between the Act and already existing laws. In particular, it remains questionable how cross-border data transfers will be further specifically regulated and what basis will be used to determine the adequacy of countries.
The member states of the European Union are likely to be designated as adequate countries by the Indian government under the DPDP Act, 2022 without much doubt. Whether the EU will also publish an adequacy decision under Article 45 GDPR for India is, however, questionable. This is likely to depend above all on how the planned Indian data protection law is implemented in the regulatory landscape and what changes are made before the DPDP, 2022 comes into force.
It is currently unclear when the DPDP Act, 2022 will come into force, as the bill does not specify an implementation period, but only states that the provisions will come into force on the date set by the government. According to recent reports, the draft could be presented to parliament during the budget session in early 2023. It is now necessary to wait for reactions to the draft, which was open for public consultation until 2 January 2023.