May 2023, Publication

India Chapter of the Global Privacy Law Review


1.1 Draft Digital Personal Data Protection Bill, 2022

India does not have a single dedicated law on the protection of personal data, and a large part of the current regulatory framework relating to protection of personal data is derived from the Information Technology Act, 2000 (IT Act) and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules).

On 18 November 2022, however, the Indian government released a draft of the Digital Personal Data Protection Bill, 2022 (Bill), with the aim of passing a comprehensive data protection law in India. The Bill governs data fiduciaries (i.e., data controllers), data processors and data principals (i.e., data subjects) and is set to regulate the processing of individual personal data which is either collected online or is digitised after it is collected offline. Such processing should be for a lawful purpose. Unlike the SPDI Rules, the Bill has done away with the categorisation of personal data into sensitive personal data or information (such as passwords, biometric and financial information, medical records and history, etc.), and with the hierarchisation of data fiduciaries’ obligations based on the type of personal data processed.

Some key concepts introduced under the Bill include:

  • The concept of ‘deemed’ consent: Consent of data principals remains a key ground for processing personal data, but the Bill’s conception of consent is very different from that under the SPDI Rules or the EU General Data Protection Regulation (GDPR). In addition to affirmative consent (which should be free, specific, informed and unambiguous, and can be withdrawn), the Bill recognises deemed consent, which will be an exception to affirmative consent. Deemed consent for processing of personal data can be relied on in the following situations: (i) when data is voluntarily given with the reasonable expectation that the data must be provided for the said purpose, (ii) in relation to legal or judicial purposes, medical emergencies and health services, or breakdown of public order, (iii) in relation to employment, and (iv) in the public interest (which includes data processed in relation to M&A and corporate restructuring transactions, credit scoring, fraud prevention, etc., or for any fair and reasonable purpose as may be prescribed);
  • Obligation to provide notice: Disclosure obligations continue to apply to data fiduciaries, who are now required to provide a clear and itemised notice (with a description of the personal data sought and the purpose of collecting such data) to concerned data principals to seek their consent. It is not, however, clear how the notice obligation will apply in cases where deemed consent is being relied on;
  • Notification of companies as ‘significant data fiduciaries’: The obligations of data fiduciaries remain largely similar to those under the SPDI Rules. They are mandated to employ technical and organisational measures to comply with the obligations under the Bill, maintain accuracy and completeness of personal data, maintain data security by taking reasonable security safeguards, provide notice to data principals to seek consent, follow the principle of storage limitation, and employ a grievance redressal mechanism. The Bill, however, introduces a separate category of ‘significant’ data fiduciaries, designated as such based on factors like the volume and sensitivity of data processed, the risk of harm to data principals and the potential impact on India’s security and public order. Significant data fiduciaries have to comply with additional obligations like conducting data protection impact assessments and appointing an independent data auditor and a data protection officer;
  • Additional obligations in relation to protection of children’s personal data: The processing of data belonging to children below the age of 18 years requires verifiable parental consent and such processing cannot be used to track or monitor children, direct targeted advertising at them or cause them harm;
  • Data principals’ rights: These include: (i) the right to information, such as the status of processing, a summary of the data processed, and the names of companies the data has been shared with, (ii) the right to nominate any other individual, (iii) the right to correction and erasure of data, and (iv) the right to grievance redressal;
  • Data principals’ duties: The Bill has included certain duties to be complied with by data principals and the financial penalty for failing to comply with the same. Failure to furnish true and verifiable information and filing frivolous complaints attracts penalties up to INR 10,000 (approximately Euro 112);
  • Reduced thresholds for cross-border data transfers: Under the SPDI Rules, transfers of sensitive personal data to a third party (within or outside India) are permitted based on factors such as the necessity of the transfer for performance of a lawful contract or information provider’s consent. Additionally, cross-border transfers require such third party to provide the same level of data protection mandated pursuant to the SPDI Rules. The Bill removes reference to such qualitative thresholds and states that data transfers will be permitted to jurisdictions that the Indian government ‘may prescribe’. It appears that data transfers will only be permitted to countries that fall within a government whitelist;
  • Establishment of the Data Protection Board of India (Board) to ensure compliance and penalise non-compliance: The Board has the power to conduct inquiries suo motu, on complaints from affected individuals or on references from the government, and to issue orders. Such orders can be further reviewed by the Board or be appealed before the relevant High Courts;
  • Introduction of government exemptions: State entities can be exempted from the provisions of the Bill by the Indian government in the interests of the State’s security, sovereignty and integrity, or to maintain public order. Certain companies can also be exempted from certain specified obligations, and many obligations of data fiduciaries do not apply when processing is necessary for judicial, quasi-judicial or legal purposes; and
  • Penalties for non-compliance: Individual penalties for specific breaches of and non-compliance with the Bill have been provided, subject to a maximum of INR 500 crores (approximately Euro 60m). Unlike GDPR, penalties are not linked to the entity’s worldwide turnover. There are no provisions for criminal sanctions or compensation under the Bill.

The Bill is proposed to be tabled before the Indian Parliament in 2023 and will have to be passed by both houses of Parliament and notified in the official gazette before it becomes law. Even after enactment, the Bill is likely to be implemented in a phased manner over a certain period of time. The Indian government will also subsequently make rules to carry out the provisions of the Bill.

1.2 India establishes a new, more onerous cyber security framework

The Indian Computer Emergency Response Team (CERT-In), appointed under Section 70B of the IT Act read with the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (CERT-In Rules), is the nodal agency for addressing various matters relating to cyber security incidents in India.

CERT-In is responsible for collecting, analysing and disseminating information on cyber security incidents and employing emergency measures to handle such incidents. In order to enable timely action, the CERT-In Rules require service providers, intermediaries, data centres and body corporates (Regulated Entities) to report cyber security incidents to CERT-In within a reasonable time of the occurrence of the incident or of their noticing it.

On 28 April 2022, CERT-In released ‘Directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet’ (Directions). This was followed by a 28-page set of FAQs, issued on 18 May 2022 (FAQs), to explain the nuances of the Directions.

The Directions mark a major shift from the current, more relaxed reporting obligations under the CERT-In Rules and impose mandatory obligations on Regulated Entities to report cyber security incidents within a six-hour timeframe.

Cyber incidents listed in Annexure I of the Directions (which contains 20 such incidents, as compared to the 11 incidents listed in the CERT-In Rules) have to be reported to CERT-In. These include, inter alia, incidents of a severe nature on any part of the public information infrastructure, data breaches or data leaks, large-scale or frequent incidents such as intrusion into computer resources, websites, etc., and cyber incidents impacting the safety of human beings.

The FAQs have clarified that Regulated Entities can (i) provide the information then available in relation to a cyber security incident within the six-hour timeframe and any additional information subsequently within a reasonable time; and (ii) report incidents that have gone unreported for a long time within six hours of their noticing the incident or of the incident being brought to their notice.

Some other obligations of Regulated Entities include:

  • taking action or providing information or assisting CERT-In in relation to cyber security mitigation actions and enhanced cyber security awareness, pursuant to CERT-In’s orders or directions;
  • enabling logging of their ICT systems and maintaining the logs securely in India for a rolling period of 180 days. These logs have to be made available to CERT-In when required; and
  • designating a point of contact to interface with CERT-In.

Failure to furnish information to CERT-In, or failure to comply with the Directions, is punishable with up to one year in prison and/or a fine of up to INR 1,00,000 (approximately Euro 1120), as per Section 70B(7) of the IT Act.

Author: Deepa Christopher (Partner) has contributed the India Chapter to APAC Privacy News 2023, published by Global Privacy Law Review with Wolters Kluwer.

Disclaimer: This publication highlights only key issues and is not intended to be comprehensive. The contents of this publication do not constitute any opinion or determination on, or certification in respect of, the application of Indian law by Talwar Thakore & Associates (“TT&A”). No part of this publication should be considered an advertisement or solicitation of TT&A’s professional services.

Deepa Christopher

Partner, Bengaluru
