The Digital Personal Data Protection Bill, 2022: Key Features and Impact on Businesses

On 18th November 2022, the Ministry of Electronics and Information Technology (“MeitY”) released the Digital Personal Data Protection Bill 2022 (“Draft DPDP Bill 2022”) for stakeholder consultations. The purpose of the Draft DPDP Bill 2022, as per its preamble, is to provide a framework for the processing of “digital personal data” in a way that recognizes the right to protect and the necessity to process the digital personal data of individuals for lawful purposes, “and for matters connected therewith or incidental thereto” that have been identified in the Draft DPDP Bill 2022.

By way of brief background, India’s deliberation on privacy and data protection started way back in 2011 when the Planning Commission directed the constitution of a Group of Experts, under the Chairmanship of Justice A.P. Shah, to identify issues and prepare a report to facilitate authoring of a Privacy Bill for the country. The A.P. Shah Committee submitted its report in 2012; however, no steps were taken on this report. Thereafter, in 2017, the MeitY constituted a Committee of Experts, headed by Justice B.N. Srikrishna (Retd.) (“Srikrishna Committee”), to identify key data protection issues and provide a legislative framework for data protection. Notably, a month after the constitution of this committee, the Supreme Court of India, in the case of K.S. Puttaswamy and Anr. v. Union of India and Ors. (AIR 2017 SC 4161), recognised the right to privacy as a fundamental right. The Srikrishna Committee released its report in the year 2018 along with the Personal Data Protection Bill, 2018. In 2019, the MeitY introduced the Personal Data Protection Bill, 2019 (“2019 PDP Bill”) and tabled it before the Lok Sabha, later referring it to the Joint Parliamentary Committee (“JPC”). On 16th December 2021, the JPC published its report, along with the third iteration of a data protection legislation, namely the Data Protection Bill, 2021. However, on 3rd August 2022, the Government of India withdrew the 2019 PDP Bill from the Parliament to address the concerns around some of its provisions and provide a ‘comprehensive legal framework’ on data protection.

The Draft DPDP Bill 2022, when implemented, will be the main personal data protection and privacy related regulation in India and will accordingly replace Section 43A of the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”) which are notified thereunder.

As per the Explanatory Note released along with the Draft DPDP Bill 2022, the provisions of the Draft DPDP Bill follow seven broad principles, namely lawfulness, fairness, transparency, purpose limitation, storage limitation, accuracy, accountability, integrity and confidentiality, which in effect are the principles also followed by the EU’s General Data Protection Regulation.

The Explanatory Note also states that the Draft DPDP Bill 2022 not only seeks to provide a comprehensive yet concise framework for protection of personal data, but it also seeks to balance individual rights, public interest and ease of doing business. Having said this, the Draft DPDP Bill 2022 comes with its own set of challenges. This article provides a brief overview of the key features of the Draft DPDP Bill 2022 and sheds light on the potential implications of the provisions of the Draft DPDP Bill 2022, if implemented in its present form, on businesses and business activities.

Brief Overview of the Draft DPDP Bill 2022
  • Applicability – The Draft DPDP Bill 2022 applies to personal data which has either been collected online or has been digitised within India. It also has extra-territorial application to the processing of digital personal data outside the Indian jurisdiction if such processing pertains to any profiling of, or activity of offering goods or services to, Data Principals within the territory of India. The Draft DPDP Bill 2022 will not apply to non-automated processing of personal data, offline personal data, personal data processed for any personal/domestic purpose, and personal data contained in a record that has been in existence for at least 100 years.
  • Relevant Actors/Entities – The following entities are covered within the ambit of the Draft DPDP Bill 2022 and will get involved in the processing of digital personal data:
    • Data Principals (individuals to whom the personal data relates, including parent and lawful guardian of a child),
    • Data Fiduciaries (person who determines the means and purpose of processing data),
    • Significant Data Fiduciaries (entities notified by the Central Government based on assessment of certain factors),
    • Data Processors (person processing data on behalf of Data Fiduciary),
    • Consent Managers (Data Fiduciary which enables a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform),
    • Authorised Representative of a Data Fiduciary,
    • Data Protection Officer (appointed by Significant Data Fiduciary to act as point of contact for grievance redressal mechanism),
    • Independent Auditors (to be also appointed by Significant Data Fiduciary).
  • Personal Data and other definitions – Personal data has been defined to mean “any data about an individual who is identifiable by or in relation to such data”. Since the definition covers “any data” about an individual, the Draft DPDP Bill 2022 seeks to do away with the sub-categorization of personal data into sensitive personal data and critical personal data and brings every type of personal data under one umbrella term. Additionally, the term “processing” has been broadly defined “and may include” operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction or erasure or destruction of digital personal data. This definition, when read with other provisions under the Draft DPDP Bill 2022, has wider ramifications since the requirements (such as notice, consent, etc.) apply to “processing” of digital personal data broadly and do not specify the type of processing (collection, transfer, etc.) to which such requirements would apply. Other than this, definitions for terms such as gain, loss, and public interest have also been introduced.
  • Profiling – The Draft DPDP Bill 2022 includes within its scope processing of personal data outside the territory of India for the purposes of profiling, if such profiling is in connection with Data Principals within the territory of India. As far as digital personal data within India is concerned, the Draft DPDP Bill does not have any specific provision pertaining to profiling. Profiling is defined as any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes, or interests of the Data Principals.
  • Notice – Data Fiduciaries are required to provide an itemised notice in clear and plain language, providing the description of the personal data collected and the purpose of processing of such data, prior to or at the time of obtaining consent from Data Principals. Since the itemised Notice mandates providing the ‘purpose of processing’ along with the description of the personal data, any type of processing of such digital personal data (as included within the definition of processing) will be covered under the itemised Notice requirement. In cases where the consent had been obtained prior to the commencement of the Draft DPDP Bill 2022, a fresh itemised notice will have to be given to the Data Principal as soon as it is reasonably practicable. Data Fiduciaries are also required to provide the notice in English or in any of the 22 languages specified in the Eighth Schedule of the Constitution of India, at the option of the Data Principal.
  • Consent – Under the Draft DPDP Bill 2022, consent must be freely given, specific, informed and should be an unambiguous indication of the Data Principal’s wishes, through a clear affirmative action signifying agreement to the processing of her personal data for the specified purposes. The consent requirement, too, applies broadly to processing of personal data, and therefore any specific processing activity of the Data Fiduciary will have to meet the consent requirements. As is the case with the notice requirement, every request for obtaining consent must be in clear and plain language, and the Data Principal should be given the option to access such request in English or in any of the 22 languages specified in the Eighth Schedule of the Constitution of India. While consent may be withdrawn at any point, the consequences of such consent withdrawal will have to be borne by the Data Principal.
  • Deemed Consent – The Data Principal will be deemed to have given consent to the processing of their personal data (and accordingly the itemised Notice and consent requirements will not apply) if the processing is necessary, inter alia, for the following purposes:
    • in a situation where the Data Principal voluntarily gives their consent and it is reasonably expected that they would provide such personal data;
    • the performance of any function under any law, provision of any service, benefit, license, permit for any action or activity of the Data Principal by the State or any instrumentality of the State;
    • for compliance with any judgment or order;
    • for purposes related to employment including prevention of corporate espionage, maintenance of trade secrets and intellectual property, etc.;
    • public interest which includes credit scoring, recovery of debts, merger and acquisition, etc.;
    • for any fair and reasonable purpose as may be prescribed by the Central Government.
  • Obligation to ensure accuracy of digital personal data – Data Fiduciaries are required to make “reasonable efforts” to ensure that the digital personal data of the Data Principals is accurate and complete if such personal data is likely to be used to make a decision that affects the Data Principal, or is likely to be disclosed to another Data Fiduciary.
  • Retention of digital personal data – Data Fiduciaries must cease to retain digital personal data, or remove the means by which such personal data can be used to identify the Data Principals, if the purpose for which the personal data was collected is no longer served and retention is no longer necessary for business or legal purposes.
  • Data Breach Reporting – Data Fiduciaries and Data Processors have to protect personal data in their possession/control by taking “reasonable security safeguards” to prevent personal data breach. Either a Data Fiduciary or a Data Processor, as the case may be, shall report a personal data breach to the Data Protection Board and the affected Data Principal. The manner of reporting such breach will be prescribed later through Rules.
  • Additional obligations of Significant Data Fiduciaries – Any Data Fiduciary or a class of Data Fiduciaries can be notified by the Central Government as a Significant Data Fiduciary (“SDF”). This notification will be based on the assessment of factors including, inter alia, the volume and sensitivity of personal data processed, risk of harm to Data Principals, risk to electoral democracy, public order, and such other factors as may be considered necessary. Further, an SDF is required to appoint a Data Protection Officer (“DPO”), who will act as the point of contact for the grievance redressal mechanism and will be responsible to the Board of Directors (or a similar body), and to appoint an independent auditor. An SDF is also required to undertake a Data Protection Impact Assessment (“DPIA”) and periodic audits. DPIA is defined as a process comprising description, purpose, assessment of harm, measures for managing risk of harm and such other matters with respect to digital personal data as may be prescribed.
  • Appointment of DPOs/Authorised Representative – As stated above, while SDFs are mandated to appoint a DPO, all Data Fiduciaries that are not SDFs are required to appoint an authorised representative. The SDF or the Data Fiduciary (as the case may be) is required to publish, and provide to the Data Principal at the time of seeking consent, the business contact information of the DPO (in case of SDFs) or of the authorised representative, i.e. the person who is able to answer, on behalf of the Data Fiduciary, the Data Principal’s questions about the processing of her personal data or respond to any communication from the Data Principal for the purpose of exercise of their rights.
  • Personal Data of Children – Data Fiduciaries will have to obtain “verifiable parental consent” before processing any personal data of a child. Parental consent includes the consent of a lawful guardian, where applicable. The Data Fiduciary can neither process any personal data that is likely to cause harm to a child nor undertake tracking or behavioural monitoring of children or targeted advertisement directed at children. The specifics of these obligations, including form, manner, etc., will be prescribed later by the Central Government.
  • Rights of Data Principals – The Draft DPDP Bill 2022 confers the following rights on Data Principals:
    • Right to information about personal data (pertaining to confirmation regarding processing of data, summary of personal data processed, processing activities, Data Fiduciaries with whom such personal data is being shared, etc.),
    • Right to correction and erasure of personal data (the Data Fiduciary shall be required to correct, complete, update and/or erase the Data Principal’s personal data upon receiving a request),
    • Right of grievance redressal (through readily available means of registering a grievance with the Data Fiduciary), and
    • Right to nominate (an individual to exercise the rights of the Data Principal in the event of death or incapacity of the Data Principal).
  • Exemptions – Under the Draft DPDP Bill 2022, the requirements of providing notice and obtaining consent need not be met where:
    • the processing of personal data is necessary for enforcing any legal right or claim;
    • processing of personal data by any court/tribunal/any other body is necessary for performing any judicial/quasi-judicial function;
    • personal data is processed for prevention, detection, investigation or prosecution of any offence/contravention of any law;
    • personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India.
    • Additionally, personal data to be processed by the State/any instrumentality of the State has been exempted from the purpose limitation and storage limitation requirements specified under the Draft DPDP Bill 2022.
  • Cross-border transfer of personal data – The Central Government has the power to notify certain countries/territories, based on the assessment of certain factors, for transfer of personal data. The terms and conditions of the transfer will be prescribed later by the Central Government through Rules.
  • Data Protection Board (“Board”) – A Board is sought to be constituted to, inter alia, determine non-compliance, impose penalties, conduct inquiry in respect of a complaint, and perform any other function as may be assigned by the Central Government. The jurisdiction of civil courts has specifically been excluded for entertaining a suit or for granting an injunction on a matter under the Draft DPDP Bill 2022.
  • Voluntary Undertaking – In a matter relating to compliance, during any stage of proceeding before the Board, a Data Fiduciary may present a voluntary undertaking to the Board. The voluntary undertaking may state the specific action that the Data Fiduciary seeks to take within a specified time or an action they shall refrain from pursuing. The Draft DPDP Bill 2022 also mandates publicising such undertakings. After accepting the voluntary undertaking, the Board may, with the agreement of the Data Fiduciary, vary the terms included in such undertaking. The acceptance of the undertaking shall lead to a bar on the proceedings before the Board.
  • Penalties – Financial penalties have been introduced for non-compliance with the provisions of the Draft DPDP Bill 2022 which may extend up to Rs. 500 crores in each instance. The Draft DPDP Bill 2022 also imposes a penalty on a Data Principal for non-compliance with its duties such as furnishing of accurate information, non-registration of false complaints, etc.
  • Overriding effect – While the provisions of the Draft DPDP Bill are in addition to the provisions of any existing law, in the event of a conflict, the Draft DPDP Bill 2022 will prevail.
Potential Impact on Businesses

The Draft DPDP Bill 2022, if implemented in its present form, will require Data Fiduciaries to comply with following obligations:

  • Extended Responsibility of Data Fiduciaries – Data Fiduciaries will be responsible for complying with the provisions of the Draft DPDP Bill 2022 with respect to any processing undertaken by Data Processors or another Data Fiduciary on its behalf. Accordingly, the Data Fiduciary that collects the digital personal data in the first instance will be responsible for the processing done on its behalf by another entity (Data Processor/another Data Fiduciary) that it engages to process the collected digital personal data.
  • Notice – An itemised notice in clear and plain language, containing the description of digital personal data to be collected and the purpose of processing such personal data, will have to be provided on or before obtaining consent. The notice will also have to be issued for each type/purpose of processing of the digital personal data.
  • Consent – The following will have to be considered while obtaining consent from Data Principals:
    • As the consent of Data Principals for processing digital personal data will have to be obtained by a clear affirmative action, pre-ticked checkboxes cannot be used to obtain the same. Instead, mechanisms to obtain consent such as click wrap agreements or actively ticking on check boxes may be permissible as it will likely constitute clear affirmative action.
    • Since the consent requirement pertains to ‘processing’ of personal data, consent will have to be sought for each type/purpose of processing carried out.
    • The contact details of the DPO/ authorised representative of the Data Fiduciary will have to be provided at the time of obtaining consent.
    • Further, the ease of withdrawal of consent by the Data Principal should be comparable to the ease with which such consent was given in the first place.
    • Data Fiduciaries will have to maintain a record of all notices given to Data Principals and the consequent consents obtained from them, since the same will have to be shown before the Board in case any proceedings are instituted regarding obtaining consent from such Data Principals.
  • Language of Request for Consent and Notice – Businesses will be required to make provision for providing the itemised notice and consent requests to Data Principals in a total of 23 languages, including English. Operationally, this significantly increases compliances and costs for Data Fiduciaries. Additionally, requiring Data Fiduciaries to provide translations in 23 languages for Data Principals leaves room for issues with authenticity, increasing confusion and misunderstandings, potential litigation, etc., if such translations are not accurate.
  • Deemed consent – The grounds for processing personal data under the “deemed consent” clause, including voluntarily providing data where it is reasonably expected, medical treatment and health services vis-à-vis when there is a threat to public health, safety purposes, employment purposes, prevention of corporate espionage, prevention of fraud, credit scoring, public interest, fair and reasonable purposes (as may be prescribed), etc., are expansive and widely worded, and absolve Data Fiduciaries from providing Notice and requesting consent from Data Principals. This provision broadly seeks to ease the compliance obligations of Data Fiduciaries. Accordingly, Data Fiduciaries will be required to assess which aspects of information qualify for deemed consent and for which providing Notice will not be necessary.
  • Processing Personal Data of Children – The following will have to be done for processing digital personal data of children:
    • ‘Verifiable parental consent’ before processing any personal data of children will have to be obtained. However, the manner of obtaining such ‘verifiable consent’ may be prescribed by the Central Government.
    • Data Fiduciaries are prohibited from undertaking any behavioural monitoring, tracking or direct advertisement activities with respect to the personal data of children.
    • The Central Government can exempt Data Fiduciaries from obtaining verifiable parental consent and allow tracking, behavioural monitoring activities, or targeted advertising directed at children in accordance with the purposes prescribed by the Central Government
  • Profiling and Tracking – While the Draft DPDP Bill 2022 applies to digital personal data processed outside the territory of India if such processing pertains to profiling of Data Principals within India, there is no specific provision pertaining to profiling in the Draft DPDP Bill 2022. As regards tracking, the Draft DPDP Bill 2022 explicitly prohibits behavioural monitoring as well as tracking of children only. However, in the absence of a specific prohibition, tracking technologies such as cookies seem to be permitted under the Draft DPDP Bill 2022.
  • Direct Advertisement – Data Fiduciaries may engage in direct advertisement activities as long as they comply with the provisions of the Draft DPDP Bill 2022. However, there is an explicit bar on directing advertisements at children but the same may be allowed for “certain purposes” as later prescribed by the Central Government.
  • Obligation to ensure accuracy of personal data – While Data Fiduciaries are required to make reasonable efforts to ensure that the personal data of Data Principals is accurate and complete if it is likely to be used for specific purposes, there is no explanation of the term “reasonable efforts”. There is a possibility that the Board may issue directions requiring Data Fiduciaries to demonstrate that they made the required efforts to ensure the accuracy and completeness of personal data.
  • Reasonable Security Safeguards – The Draft DPDP Bill obliges Data Fiduciaries to protect personal data in their possession by taking reasonable security safeguards. However, no regulatory guidance has been provided as to what would constitute such reasonable security safeguards. Additionally, the Draft DPDP Bill 2022 does not indicate that further Rules may be prescribed in this regard. The SPDI Rules have mandated adoption of either the international Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” or the codes of best practices for data protection as approved and notified by the Central Government. Such specific prescription of security standards, as is the case under the current law, is not provided under the Draft DPDP Bill 2022.
  • Retention period – Data Fiduciaries are obliged to cease to retain or anonymize/remove means of associating such personal data to the Data Principal if the purpose for which it was collected has been fulfilled and there are no legal or business purposes that such data serves. No specific guidance has been provided on what would constitute such legal/business purposes. Therefore, the Data Fiduciary may continue to retain the data as long as it is anonymized.
  • Right to Nominate – The Data Fiduciaries will have to introduce a mechanism which shall allow Data Principals to nominate any individual to exercise their rights in the event of the death or incapacity of the Data Principal. Further, the Draft DPDP Bill 2022 does not confer on the Data Principals the right to be forgotten and the right to data portability.
  • Appointment of DPOs/Authorised Representative – There is no mandate for Data Fiduciaries to appoint a resident of India as their authorised representative under the Draft DPDP Bill 2022. However, SDFs are required to appoint a resident of India as their DPO.
  • Independent Data Audits – If a business entity is classified as a SDF, then they shall have to appoint an Independent Data Auditor who will be responsible for evaluating the compliance of the SDF with the provisions of the Draft DPDP Bill 2022.
  • DPIA – SDFs will also be required to undertake periodic DPIAs and audits. The Central Government shall notify rules in relation to the same.
  • Data Breach Reporting – Compliance costs are likely to increase as the Indian Computer Emergency Response Team (“CERT-In”) Directions already mandate reporting of “data breach” and “data leak” to CERT-In. If the Draft DPDP Bill 2022 is implemented in its current form, then there will be an additional mandate of reporting data breaches not just to the Board but also to the “affected” Data Principals. Further, the contract between the Data Fiduciary and Data Processor should clearly indicate the Data Processor’s obligation to report data breaches at its end to the Board and the affected Data Principals, as per the Rules prescribed by the Central Government.
  • Obligation of Data Fiduciary towards Data Principals – As Data Principals can request access to the identities of all Data Fiduciaries with whom their personal data has been shared along with the categories of personal data from the Data Fiduciary, a mechanism to enable the same will have to be established. There is also a possibility of the Central Government notifying additional sets of information that a Data Principal can seek from the Data Fiduciary.
  • Cross-border transfer of data & Data Localization – The Data Fiduciaries shall transfer personal data only to the countries that are notified by the Central Government. Such whitelisting of countries is a restrictive provision which will adversely impact business operations of large business entities that store/transfer data in multiple jurisdictions. Therefore, if a country where the Data Fiduciary intends to transfer the data is not notified, the business entity may have to store the data within the territory of India or a Central Government notified country. Additionally, this clause conflicts with the cross-border data transfer allowance under the existing regime for the storage of payment system data that does not limit the transfer of data to specifically notified countries.
  • Voluntary Undertaking – If the Data Fiduciary does not comply with any terms of the voluntary undertaking, after an opportunity of being heard, the Board may proceed to impose a financial penalty on them.
  • Power to prescribe rules & regulations – Since the Central Government has broad powers to prescribe rules and regulations in various areas such as notice format, data breach reporting, children’s digital personal data, etc., there is a likelihood of onerous compliance obligations being imposed on Data Fiduciaries/Data Processors through delegated legislation. While ideally any rule/regulation made by the Central Government or the Board ought to be subjected to a regulatory impact assessment before it is notified, in order to prevent an excessive regulatory burden, the extent of the delegated legislation, as well as the consultation process to be undertaken by the Central Government, is unclear at this time.
  • Overriding Effect – The Draft DPDP Bill 2022, when enacted, shall repeal Section 43A and the SPDI Rules, which are the prevailing data protection regulations in India. Additionally, the Draft DPDP Bill 2022 proposes an amendment to the Right to Information Act, 2005 (“RTI Act”) which in effect will prevent citizens from obtaining personal information about public servants on the grounds of public interest. Section 81 of the IT Act has an overriding effect, but the proviso to the same allows individuals to exercise their rights under the Copyright Act, 1957 and the Patents Act, 1970. Similarly, the Draft DPDP Bill 2022 seeks to amend Section 81 of the IT Act to the extent that no person is restricted from exercising their rights under the Draft DPDP Bill 2022.

About Author

Ameet Datta

Ameet Datta is a Partner at Saikrishna & Associates. He is an IP litigator and TMT lawyer with over 22 years of experience and wide-ranging expertise across IP law, technology law, privacy and data protection law, white collar crime cases around data breaches, and media & entertainment law, specifically in relation to licensing, content aggregation & acquisition, film & music production, distribution/licensing, format rights, defamation and right of publicity. Ameet has extensive experience with the creative sector in terms of multiple litigations, including licensing disputes before the Courts & the Copyright Board. Ameet is closely involved with Copyright laws, Technology regulations and policy matters. In 2010, Ameet appeared as an expert witness before the Indian Parliamentary Standing Committee overseeing amendments to the Copyright Act, 1957. Ameet has been highly ranked as a recommended lawyer for IP Litigation, and telecoms, media & entertainment by Chambers & Partners (Asia Pacific) and WTR1000; as a recommended lawyer for IP litigation by Legal 500; and recommended as an IP Star by MIP.

Suvarna Mandal

Suvarna Mandal is a Partner at Saikrishna & Associates. She has nearly a decade of experience in providing trade & regulatory compliance advice to domestic and international clients for understanding and complying with a wide range of national, state as well as sector-specific legislations and regulations in the spheres of telecommunications, technology law, consumer law, environmental law, product compliance and safety regulations (including packaging standards, labels and safety standards), data protection and privacy, media law, advertising regulations, etc. She provides end-to-end compliance counselling to clients across various industries and sectors such as software services, consumer electronics, technology, telecom, media, intermediaries, e-commerce, online value-added services sectors, consumer goods and medical devices. Suvarna also works closely with clients’ Government Affairs team to prepare strategic policy documents, representations and formal communications towards policy development and policy reform efforts with the Government.