‘Lessons Learned’ in Data Regulation: A first look at India’s new Data Privacy Bill

Vikram Jeet Singh

Last week India released a new draft Digital Personal Data Protection Bill, 2022 (“2022 Bill”). The 2022 Bill follows a previous draft bill that was first released in 2018, revised in 2019 and finally withdrawn in 2022, primarily owing to strong criticism from a Parliamentary review committee. The last bill was heavily inspired by the EU GDPR, the global ‘gold standard’; but may be its very complexity was a factor in its demise. The 2022 Bill seems to have learnt from the fate of its predecessor, and will likely forge its own path in furthering data regulation for the Indian context.

The 2022 Bill can be viewed here, and certain explanatory notes are available here. The notes, in particular, make for useful reading, in particular laying down a set of ‘seven principals’ that have guided the formulation of this new bill.

The 2022 Bill is up for public comments until December 17, 2022.

A shorter, more focused draft

The 2022 Bill is much shorter than its 2019 counterpart – coming in at 30 Sections over the earlier version’s 98 Sections. As noted, the 2019 bill was heavily inspired by the EU GDPR and sought to import a number of GDPR concepts wholesale, including detailed grounds for processing data, ‘privacy by design’ requirements, and identical data subject rights. The 2022 Bill is much more focused on data principals’ and data fiduciaries’ rights and obligations, while leaving some aspects to be worked out in subordinate legislation (for example, how to collect children’s data).

As a whole, the 2022 Bill seems to have borrowed provisions from Singapore’s Personal Data Protection Act, 2012. Concepts for deemed consent, voluntary undertakings (for non-compliance), and factors for determining the financial penalties, bear a striking resemblance to the wordings in the Singapore data law. Perhaps most importantly, the 2022 Bill swerves the pitfall of trying to regulate non-personal data within the same law! This was a recommendation in the old 2019 bill pursuant to the review by the Parliamentary expert committee, though it is difficult to see how this would have been implemented.

In plain language (With added Illustrations!)

A (perhaps surprising) feature of the 2022 Bill is that it explains certain concepts and provisions by way of factual illustrations. While not unknown, this is definitely not common in Indian law-making. But the 11 illustrations in the 2022 Bill do help in clarifying the scope of certain Sections, and are quite an elegant way of clearly communicating the legislative intent. In addition, these illustrations provide courts and regulators with a clear idea of what the regulatory intent behind a particular provision is, and promotes predictable outcomes. It helps that some of the more onerous compliances, like data audits, are only required of ‘significant’ data fiduciaries.

In fact, a through-line in the 2022 Bill is to keep matters clear – the draft itself uses the term ‘plain language’ thrice in its wordings, and the aim to use “plain and simple language to facilitate ease of understanding” is also found in the public notice releasing the draft. This will come as a welcome development to businesses, who would appreciate the maximum level of clarity possible when dealing with a law that can lead to heavy penalties (up to INR 500 crores!)

Familiar Concepts, but no more ‘Sensitive’ Data

Despite looking very different from the 2019 version, the 2022 Bill keeps the broad framework suggested in the previous version. There are still ‘data fiduciaries’ who have to ensure compliance with law while ‘processing’ data of ‘data principals’, while the Data Protection Board of India will be created to enforce the law. The draft law applies to any processing of data outside India if done in connection with profiling Indians or offering goods or services within India. All processing has to be for a ‘lawful purpose’, and with prior consent obtained through a notice.

But at the same time, the 2022 Bill does away with a few concepts, likely in order to simplify compliance. There is no separate category of sensitive data; only children’s’ data is treated differently than other data (which makes sense, since the line between personal data and sensitive data is difficult to demarcate). In line with the Singapore data law, the draft 2022 Bill accords limited rights to data principals. Perhaps more interestingly, the new 2022 Bill also requires that data subjects fulfil certain ‘duties’, and prescribes penalties if they do not. These duties include an obligation not to supply false information, and a duty to only furnish authentic information while exercising their rights.

Easier cross border flows, limited localisation

The draft 2019 data bill worried Indian start-ups and businesses in particular, by prescribing data localisation for a number of data sets. In fact, under the 2019 draft certain ‘critical data’ could not be stored abroad at all, and had to remain in India. Predictably, this worried digital majors and businesses who send data abroad as part of their operations. This requirement has been diluted in the new 2022 Bill, which makes a number of significant concessions on sending and storing data outside India.

The 2022 Bill contemplates the Indian government notifying countries or territories to whom a data fiduciary may transfer data. Presumably, this will be done taking into account corresponding data security levels, etc., and may lead to bilateral data transfer arrangements with countries. If these can be realized, the prospect of free cross border data flows with ‘trusted’ jurisdictions would appeal to businesses, as it would take away a lot of uncertainty around data transfers. The 2022 Bill also provides an exemption for processing personal data by the Government for public interest and national security. Such provisions are, as always, concerning for businesses who need to predict the scope and frequency of access requests.

Simple Enough to Pass

Arguably, being a more comprehensive draft, the 2019 data bill also made for a bigger target – it sought to import certain concepts into Indian law that had hitherto not been present, and it was not clear as to how these would be complied with (‘Privacy by Design’, for example); and in some cases it promised rights and procedures that could not work under a single regulator who would be in charge of a much larger population than all European regulators combined (for example, breach notifications to data principals were intended to be controlled by the data regulator, in the 2019 draft).

Of course, some matters would need to be clarified further. For instance, there appears to be overlap between the 2022 Bill and the recently issued cybersecurity regulations in relation to reporting data breaches/ cybersecurity threats. That said, by concentrating focus on relatively straightforward, non-controversial aspects, and limiting itself to data that is in digital form, the 2022 Bill may make the job of lawmakers a little easier. After the discourse around the earlier 2019 law, this new version may present a good ‘middle’ ground solution towards data privacy regulations. And this may mean that this 2022 Bill faces a much easier path to passage through Parliament, perhaps as soon as Spring 2023.