The Draft Digital Personal Data Protection Bill, 2022 (India)

NO&T Asia Legal Review

Author: Shejal Verma
Publisher: Nagashima Ohno & Tsunematsu
Journal / Book: NO&T Asia Legal Review No.55 (January, 2023)
*Please note that this newsletter is for informational purposes only and does not constitute legal advice. In addition, it is based on information as of its date of publication and does not reflect information after such date. In particular, please also note that preliminary reports in this newsletter may differ from current interpretations and practice depending on the nature of the report.

Background

On 18 November 2022, the Ministry of Electronics and Information Technology released the draft Digital Personal Data Protection Bill (“Bill”)※1. This is the fourth iteration of India's proposed privacy law since 2018, with the goal of establishing a comprehensive data protection regime in the country. The purpose of the draft Bill is, inter alia, to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes.

Currently, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, made by the Central Government in exercise of its powers under the Information Technology Act 2000, outline the security practices and procedures to be followed by a body corporate or any person collecting, receiving, possessing, storing, dealing or handling information of users on behalf of the body corporate.

Key Provisions of the Draft Bill

The key provisions of the draft Bill in its present form are as follows:

Applicability of the Draft Bill: The draft Bill only applies to personal data※2 collected online or offline that has been digitized. The draft Bill also applies to processing of digital personal data outside India, if such processing is done in connection with any profiling of, or activity of offering goods or services to data principals※3 within India.

Notice, Consent, and Deemed Consent: The draft Bill provides that consent for processing personal data must be a freely given, specific, informed and unambiguous indication of the data principal's wishes by which the data principal, by a clear affirmative action, signifies agreement to the processing of personal data for the specified purpose. Thus, the draft Bill emphasizes obtaining the express consent of data principals by presenting a request in plain and clear language. Prior to or at the time of requesting consent from a data principal, a data fiduciary※4 is required to give the data principal an itemized notice in clear and plain language containing a description of the personal data sought to be collected by the data fiduciary and the purpose of processing such personal data. A data principal has the option to access such a request for consent in English or any language specified in the Eighth Schedule to the Constitution of India.

The draft Bill also provides for the concept of “deemed consent” in certain specific situations, including where the data principal voluntarily provides their personal data to the data fiduciary and it is reasonably expected that they would provide such personal data (for instance, making a reservation at a hotel), or for the performance of any function under any law, or the provision of any service or benefit to, or the issuance of any certificate, license, or permit for any action or activity of, the data principal, or for compliance with any judgment or order issued under any law, in public interest, including for prevention of fraud, credit scoring, as well as for other ‘fair and reasonable’ purposes.

Duties of data fiduciary: The draft Bill prescribes certain duties of a data fiduciary. A data fiduciary is responsible for complying with the provisions of the law in respect of any processing undertaken by it or on its behalf by a data processor※5 or another data fiduciary. It must also make reasonable efforts to ensure that personal data processed by or on behalf of the data fiduciary is accurate and complete, implement appropriate technical and organizational measures to ensure effective adherence with the provisions of the law, protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach, and cease to retain personal data as soon as it is reasonable to assume that retention is no longer necessary for legal or business purposes.

Significant Data Fiduciary: The draft Bill has retained the concept of “Significant Data Fiduciary” as in the previous iteration of the data protection bills. The Central Government has the power to notify any data fiduciary or class of data fiduciaries as “Significant Data Fiduciaries” considering relevant factors, including the volume and sensitivity of personal data processed, risk of harm to the data principal, potential impact on the sovereignty and integrity of India, and public order. A significant data fiduciary is subject to additional obligations. Among other things, a significant data fiduciary is required to appoint a “Data Protection Officer” who shall be based in India and represent the significant data fiduciary※6, appoint an “Independent Data Auditor” who shall evaluate the compliance of the significant data fiduciary, and undertake other measures as may be prescribed.

Rights and Duties of Data Principals: Data principals have several rights under the draft Bill, including the right to know whether their personal data has been processed and the right to correct and erase personal data that is no longer necessary for the purpose for which it was processed. Interestingly, the draft Bill also sets forth certain duties for data principals, such as complying with all applicable laws while exercising their rights and not providing false particulars or registering a false or frivolous grievance or complaint.

No Requirement for Data Localization/Cross-Border Transfer: The draft Bill, unlike the previous iteration of the data protection bills, does not make it obligatory for data fiduciaries to store critical personal data in India. Instead, the draft Bill specifies that the Central Government after an assessment of necessary factors (which have not been specified in the draft Bill) will notify countries or territories outside India to which a data fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.

Penalties: The draft Bill proposes to establish a “Data Protection Board of India” (“Board”), the primary function of which is to determine non-compliance and impose penalties. The Board would be empowered to impose penalties of up to INR 500 crore (approximately USD 62 million) in each instance. The draft Bill also prescribes monetary penalties for certain violations, which do not exceed INR 250 crore (approximately USD 31 million).

Personal Data Breach: The draft Bill prescribes that in the event there is unauthorized processing of personal data or accidental disclosure, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data, the data fiduciary or data processor must notify the Board. The Board may, in such event, direct the data fiduciary to adopt any urgent measures to remedy such personal data breach or mitigate any harm caused to data principals.

Conclusion

The draft Bill departs substantially from its previous iterations, which were influenced by the GDPR model of privacy legislation. The draft Bill is concise and more reader-friendly. Several provisions of the draft Bill also contain illustrations that provide a better understanding of the provisions. The specifics of the proposed legislation will be outlined in the rules that will be issued in the future. The draft Bill is in a preliminary stage and the Central Government invited comments from various stakeholders on the draft Bill by December 17, 2022; therefore, it remains to be seen how the final legislation will look. In its current form, the draft Bill appears to be friendly to commercial interests. Once implemented, companies (both domestic and foreign) to which the law will apply would need to take appropriate measures to comply with their obligations under the enacted law, including giving notice, seeking consent from data principals, appointment of authorized individuals to communicate with data principals, and data breach response.

Endnotes

※2 Under the draft Bill, “Personal Data” means any data about an individual who is identifiable by or in relation to such data. There is no concept or definition of sensitive personal data under the draft Bill unlike its previous iterations.

※3 Under the draft Bill, “Data Principal” means the individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child.

※4 Under the draft Bill, “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

※5 Under the draft Bill, “Data Processor” means any person who processes personal data on behalf of a data fiduciary.

※6 While significant data fiduciaries are required to appoint a data protection officer, every data fiduciary must appoint a person to act as the point of contact for anyone who wishes to file a grievance.

This newsletter is given as general information for reference purposes only and therefore does not constitute our firm’s legal advice. Any opinion stated in this newsletter is a personal view of the author(s) and not our firm’s official view. For any specific matter or legal issue, please do not rely on this newsletter but make sure to consult a legal adviser. We would be delighted to answer your questions, if any.
