The More Things Change … Unpacking the draft Digital Personal Data Protection Bill, 2022
Vikram Jeet Singh and Prashant Daga
[This article is the second article in a two-part series on the subject. You may read the first article, Third Time's the Charm? Unpacking the draft Digital Personal Data Protection Bill, 2022, by clicking here. In the first part, we examined the draft law's applicability, definitions, entities subject to this law, and obligations of Data Fiduciaries.]
In this article, we examine the thorny issue of cross-border data transfers, exemptions available to Data Fiduciaries, the rights and obligations of Data Principals, and consequences of non-compliance. The drafters of the 2022 Bill have listened to feedback on a number of issues, but on certain other matters their formulations will worry businesses.
CROSS-BORDER ‘CARTE BLANCHE’?
Taking note of the significant pushback from industry stakeholders on the onerous conditions for cross-border data transfers and data localization, the 2022 Bill contains no hard localization requirement. The localization/mirroring-by-default requirement of older drafts has been done away with (but note that any localization requirements contained in other sectoral laws or regulations, such as those applicable to payment data, are not affected). Instead, the Central Government may notify countries or territories to which personal data may be transferred.
There are two ways of reading this provision. The first is that the Government merely has the option of making such a determination; if it does not, transfers to all countries remain permitted. A second (and likely more realistic) reading is that the provision is modelled on the "adequacy decision" mechanism under the GDPR, where the European Commission assesses third countries and formally recognises those offering adequate protection. On this reading, the Central Government would assess jurisdictions on relevant factors and notify those to which data may be transferred, and absent such a notification no transfers are allowed.
The ambiguity of the cross-border provision also does not eliminate the specter of data localization completely. On the second reading, personal data would have to remain stored in India until a transfer to the destination country is permitted by notification. There is therefore still no clarity on what the Central Government will prescribe for data transfers as on the day the 2022 Bill becomes law. Alternative transfer mechanisms, such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules, are not mentioned at all; it may be that transfers under their auspices will be provided for in subordinate legislation.
NEW BOARD, AND SOME EXEMPTIONS
Data Protection Board's Powers and Duties: Like the earlier drafts, the 2022 Bill provides for setting up a Data Protection Board ("Board"), which will be tasked with (inter alia) determining non-compliances, conducting inquiries into complaints of Data Principals, imposing penalties, and issuing directions for compliance with the law (including mitigation measures to be adopted in the event of a data breach). The Board has been conferred the status of a civil court and accorded the powers of one.
Exemptions: The 2022 Bill identifies both entities and instances to which its provisions do not apply. The following circumstances are exempt, for instance: a) processing of personal data for enforcing a legal right or claim; b) processing of personal data for court proceedings, by law enforcement agencies, etc.; and c) processing, by Data Processors in India, of the personal data of persons outside India under a contract with an overseas entity.
Apart from the above, the Central Government reserves the right to exempt processing of personal data by state bodies from the 2022 Bill in the interests of sovereignty, security of the state, external affairs, public order, law enforcement, etc., and processing required for research, statistics, etc. In addition, the restriction on data storage does not apply to instrumentalities of the state. These are wide-ranging exemptions, continuing the trend of firewalling Government data access and surveillance activities from regulation.
WHAT ARE THE RIGHTS AND DUTIES OF A DATA PRINCIPAL?
Right to information: Data Principals have the right to obtain details of the personal data about them that a Data Fiduciary processes, the nature of the processing activities carried out, and the entities with which the data has been shared.
Right to correction and erasure: In line with existing rights, Data Principals may seek correction and erasure of their personal data from a Data Fiduciary. In response to such a request, the Data Fiduciary must update the personal data as requested, and erase personal data that is no longer required unless it must be retained for a legal purpose.
Right to grievance redressal: As under the current Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Data Principals can register grievances with Data Fiduciaries and are entitled to a response within 7 days. Appeals against a Data Fiduciary's response (or failure to respond) can be filed with the Board.
Right to nominate: In a first, the 2022 Bill allows Data Principals to nominate an individual who shall have the authority to exercise their rights on their behalf in the event of their death or incapacity. As per the explanatory note accompanying the Bill, this right is modelled on similar rights accorded to individuals in other sectors (such as financial services, insurance, etc.).
Right to withdraw consent: Data Principals can withdraw their consent to the processing of their personal data. Withdrawal does not affect the legality of processing already carried out. The ease of withdrawing consent should be comparable to the ease of granting it: for instance, if consent is obtained via a "click-through" mechanism, the mode of withdrawing it should be similar.
Duties: The 2022 Bill imposes certain duties on Data Principals to prevent misuse of these rights. These include (inter alia) the duty not to submit false particulars, suppress material information or impersonate another person while providing information to a Data Fiduciary; to furnish verifiably authentic information when exercising the right to correction or erasure; and not to file frivolous or false grievances with the Board.
WHAT PENALTIES APPLY?
High Financial Penalties: Non-compliances that are 'significant' may attract penalties ranging from INR 50 Crores to INR 250 Crores, for example for failure to take reasonable security safeguards to prevent a personal data breach or failure to notify a breach. In aggregate, the penalty levied on a single entity for multiple non-compliances is capped at INR 500 Crores. Notably, even Data Principals may be subject to penalties of up to INR 10,000 for not abiding by their duties.
Factors for determining penalty: If an entity is found to be non-compliant, the Board is to arrive at the appropriate penalty taking into consideration: a) the nature, gravity and duration of the non-compliance; b) the type and nature of the personal data affected; c) the frequency of non-compliances; d) whether the non-compliant entity benefited from the non-compliance (i.e., realised a gain or avoided a loss); e) the countermeasures taken to address the non-compliance, the time taken to react, and the effectiveness of those measures; f) whether the penalty is proportionate and effective in securing compliance and as a deterrent; and g) the likely impact of the financial penalty on the non-compliant entity.
Voluntary Undertakings and ADR: The facility to give a voluntary undertaking in respect of a non-compliance is new in this draft. In the event of a non-compliance, an entity may submit a 'voluntary undertaking' to the Board to take, or refrain from taking, a specified action. The Board may also allow the Data Fiduciary to resolve the dispute through mediation by a body designated by the Board.