Update

The Data Protection Bill, 2021

24 Dec 2021

On 16 December 2021, the Joint Parliamentary Committee published its report along with the finalised Data Protection Bill, 2021. When passed into law, this has the potential to change the way in which data is used by businesses.

India does not presently have an omnibus data protection legislation. Given the rising importance of technology-based businesses, the Parliament had undertaken an exercise to formulate India’s data protection regime. On 11 December 2019, the Ministry of Electronics and Information Technology (MeitY) introduced the draft Personal Data Protection Bill, 2019 (PDP Bill) before the Parliament, which was referred to a Joint Parliamentary Committee (JPC) for further consideration. After carrying out a series of consultations with stakeholders, on 16 December 2021, the JPC published its report along with the finalised Data Protection Bill 2021 (DP Bill).

This update provides a brief overview of the key provisions of the DP Bill relating to the rights of data principals, obligations of data fiduciaries, grounds for which personal data can be processed, data breach reporting requirements, classification of significant data fiduciaries, and an enhanced penalty regime.

Applicability

The DP Bill applies to the processing of personal data that has been collected, disclosed, shared or otherwise processed in India, or to the processing of personal data by the State or State bodies, Indian corporate entities and Indian citizens. Personal data is defined as data about or relating to a natural person who is directly or indirectly identifiable, having regard to a feature of identity or a combination of such features (whether virtual or physical) and also includes inferences drawn from such data for the purpose of profiling.

A separate class of data – sensitive personal data – is also recognised in the DP Bill and is subject to enhanced thresholds. Sensitive personal data is personal data that reveals, is related to, or constitutes financial data, health data, official identifiers, sex life and sexual orientation, biometric data, genetic data, transgender status, intersex status, and caste or tribe, religious, political belief or affiliation, and any other category as may be notified. The term ‘financial data’ is defined narrowly in the DP Bill. Section 3(21) defines financial data as any number or other personal data that is used to identify (i) an account opened by a data fiduciary, or (ii) a card or payment instrument issued by a financial institution. It also includes personal data regarding the relationship between a financial institution and a data principal, including financial status and credit status. Other types of data like account statements, data relating to other financial products and investment information are not included within the definition of financial data.

The DP Bill also applies to the processing of any personal data by entities located outside India if the personal data is processed with respect to any business or activity that involves offering goods or services to individuals located in India or the profiling of data principals within India. However, any such activity must specifically target Indian citizens and the provision of goods or services must not be incidental. Additionally, the DP Bill gives powers to the Central Government to exempt from the application of the Bill, the processing of personal data of data principals not within the territory of India, pursuant to a contract entered with any person/company incorporated outside India, by any data processor incorporated under Indian law.

In a departure from previous drafts of this law, non-personal data has also been included within the scope of the DP Bill. Non-personal data has been defined to include all data other than personal data. This will potentially include anonymised data (personal data which has undergone anonymisation). Anonymisation is defined as an irreversible process of transforming or converting personal data to a form in which the data principal cannot be identified as per the standards of irreversibility laid down by the Data Protection Authority (DPA). Accordingly, until the DPA specifies the technical threshold for anonymisation, it will not be possible to categorically stipulate what constitutes anonymised data. Unlike in relation to personal data, the DP Bill does not clarify whether there are any territorial limits to the applicability of its provisions in respect of non-personal data. However, the provisions of the current draft regulate such data only to the extent of data breaches, and the Central Government’s ability to issue directions to data fiduciaries and processors to provide such data for targeted delivery of services or evidence-based policy formulation.

Key Obligations of Data Fiduciaries

The DP Bill creates a concept of a data fiduciary – similar to the GDPR notion of a data controller. The entity that determines the purpose or means of processing the personal data of the data principal is referred to as the ‘data fiduciary’. Data fiduciaries can include the State, corporate entities and individuals. On the other hand, the natural person whose personal data is collected is referred to as the ‘data principal’. The DP Bill conceptualises the processing of data broadly to include most operations that are carried out on data, including storage, adaptation, retrieval, dissemination, and erasure or destruction.

Similar to other privacy legislations, the DP Bill imposes several obligations on data fiduciaries with respect to the collection and processing of personal data as follows:

  • Notice

    The data fiduciary is obliged to provide notice to the data principal at the time of collection of personal data of the data principal, even if such personal data is not being collected from the data principal directly. This notice must contain the following:

    • The various purposes for which personal data is to be processed
    • The nature and categories of personal data being collected
    • The identity and contact details of the data fiduciary (including its data trust score, if applicable) and Data Protection Officer (DPO)
    • The rights of the data principal
    • Information pertaining to sharing, cross-border transfer and retention of personal data
    • The procedure for grievance redressal
    • Any other information as specified by the regulations.

    Such a notice must be clear, concise, easily comprehensible and in multiple languages to the extent necessary and practicable.

    Data fiduciaries will not be required to provide notice in specific instances where the provision of notice substantially prejudices the purpose of processing of personal data, such as processing personal data for performance of certain functions of the State, for compliance with any order of a court, or to respond to medical emergencies, disaster relief, or public order situations.
