India Enacted the Digital Personal Data Protection Bill in 2023: What is the Sentiment Around it? – Part 1

Lately, India has been rearranging the personal data protection compliance framework and the normative structure of how the personal data is treated in this regard and making a enacting a new digital personal data protection bill.

As of 2023, the estimations suggest that India has a population base of approximately 1,43 billion people. This shows that the market in India has a lot of businesses that operate within it, both internal ones, and international one, in many sectors.

Having in mind the above-mentioned, as followed upon the efforts of India to create a modern data protection system in the digital age, the Digital Personal Data Protection Bill has been enacted in 2023. In addition, let’s see what the normative structure of this legislation is consisted upon.

The Normative Structure of the Digital Personal Data Protection Bill

The Bill has used different terminologies from the GDPR for the same functions. For example:

Interestingly is that this Bill is scoping and providing the definition of what constitutes as a person. As the Bill suggests, a ‘person’ in context of personal data can be:

– an individual;

– a Hindu Undivided Family;

– a company;

– a firm;

– an association of persons or a body of individuals, whether incorporated or not;

– the State; and

– every artificial juristic person, not falling within any of the preceding sub-clauses;

The Bill is also laying out the applicability of the normative structure of the provisions. When it comes to the applicability question, the Bill suggests that the applicability of the normative structure of the provisions relates to the territory of India where:

– such personal data is collected from Data Principals online; and

– such personal data collected offline, is digitized.

From the opposite perspective, the Bill is not applicable in instances that relate to:

– non-automated processing of personal data

– offline personal data

– personal data processed by an individual for any personal or domestic purpose; and

– personal data about an individual that is contained in a record that has been in existence for at least 100 years.

Scope of the Bill

The Bill only applies to digital personal data, such as to:

– the processing of digital personal data within the territory of India, where the personal data is collected either in digital form or in non-digital form and subsequently digitized; and

– the processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to the offering of goods or services to data principals within the territory of India.

Lawful Basis for Processing Personal Data and Consent Management

Under the obligations of the Data Fiduciary (the Data Controller essentially), a person (meaning either an individual, a Hindu Undivided Family, a company, a firm, an association of persons or a body of individuals, the State, or every artificial juristic person) data can be processed if the person has given consent.

In addition to the abovementioned, the “lawful purpose” for processing personal data is defined as any purpose that is not expressly forbidden by law. The following suggests that the notion of lawful purpose of processing data is very extensive in particular regards.

The Bill also incorporates a mechanism to withdraw consent, while also stipulating obligations for the Data Fiduciary to develop a Consent Manager to help handle giving, managing, reviewing and withdrawing consent through an accessible, transparent and interoperable platform. The accountability for the Consent Manager is set to the Data Principal, and the Consent Manager should be registered with the Data Protection Authority of India (named: Data Protection Board).

The obtainment of consent is divided into two areas: “standard” consent and deemed consent.

Standard consent:

– Data Principal means any freely given, specific, informed and unambiguous indication of the Data Principal’s wishes signifies agreement to the processing of her personal data for the specified purpose

– Presented in a clear and plain language

Deemed consent:

– in a situation where the Data Principal voluntarily provides her personal data to the Data Fiduciary and it is reasonably expected that she would provide such personal data:

– performance of any function under any law, or the provision of any service or benefit to the Data Principal, or the issuance of any certificate, license, or permit for any action or activity of the Data Principal, by the State or any instrumentality of the State;

-compliance with any judgment or order issued under any law;

– responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual;

– taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health;

– taking measures to ensure safety of, or provide assistance or services to any individual during any disaster, or any breakdown of public order;

– for the purposes related to employment, including prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, recruitment, termination of employment, provision of any service or benefit sought by a Data Principal who is an employee, verification of attendance and assessment of performance;

– in public interest, including for: prevention and detection of fraud, mergers, acquisitions, any other similar combinations or corporate restructuring transactions in accordance with the provisions of applicable laws, network and information security, credit scoring, operation of search engines for processing of publicly available personal data, processing of publicly available personal data, recovery of debt;

– for any fair and reasonable purpose as may be prescribed after taking into consideration: whether the legitimate interests of the Data Fiduciary in processing for that purpose outweigh any adverse effect on the rights of the Data Principal, any public interest in processing for that purpose, the reasonable expectations of the Data Principal having regard to the context of the processing.

The Bill requires data fiduciaries to inform data principals about:

– The data being collected and the purpose of its collection;

– The way a data principal can exercise its rights on providing or withdrawing consent, or seek recourse to grievance redressal mechanisms

– The way the data principal may make a complaint to the Data Protection Board

Rights and Duties of the Data Principal

Rights

Duties

– Comply with the provisions of all applicable laws while exercising rights under the provisions of this Act.

– Not registering a false or frivolous grievance or complaint with a Data Fiduciary or the Board.

– Not furnishing any false particulars or suppress any material information or impersonate another person.

Administrative Fines

When it comes to financial fines, the Bill suggests that the Data Protection Board is responsible for issuing fines. The upper bracket of the maximum amount of the fine has been set on 500 crore rupees (around 55,576,600.00 Euros currently). The Bill a bit varies from the GDPR when in comes to mind the administrative fines section, since the GDPR is providing two scenarios, the first one to issue a fine of up to 20M euros, or the second to issue a fine of up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater. While the India Digital Personal Data Protection Bill favours the numerical fines approach rather than the percentage-based one.

The imposition of the financial penalty by the Data Protection Board is being determined while considering the following:

– the nature, gravity and duration of the non-compliance;

– the type and nature of the personal data affected by the non-compliance;

– repetitive nature of the non-compliance;

– whether the person, as a result of the non-compliance, has realized a gain or avoided any loss;

– whether the person took any action to mitigate the effects and consequences of the non-compliance, and the timeliness and effectiveness of that action;

– when the financial penalty to be imposed is proportionate and effective, having regard to achieving compliance and deterring non-compliance with the provisions of this Act; and

– the likely impact of the imposition of the financial penalty on the person.