INTRODUCTION
On November 18, 2022, the Government of India released the long-awaited fourth draft of India’s proposed privacy law, now renamed as the Digital Personal Data Protection Bill (“Bill”). The Government has sought feedback on the draft Bill by December 17, 2022.
At first glance, the Bill is quite a surprise – it is a completely new draft and not a redraft of the previous versions of the Bill and is much shorter and simpler. It departs substantially from the GDPR model of privacy laws that is quite commonplace today.
APPLICABILITY
The law applies only to personal data that is collected online, or collected offline and subsequently digitized. The law will apply to processing of personal data outside India if such processing is in connection with any profiling of principals in India or the activity of offering goods or services within the territory of India. The law also exempts processing in India of the data of persons located outside India under a cross-border contractual arrangement - this essentially covers the offshore/outsourcing industry.
DEFINITIONS
The Bill uses similar nomenclature as the previous versions. A data subject is referred to as a data principal and a data controller is referred to as a data fiduciary. There is no concept or definition of sensitive personal data. The DPA is referred to as the Data Protection Board of India (“DPBI”).
GROUNDS FOR COLLECTION AND PROCESSING
Consent continues to be the main ground for processing of personal data. It must be “freely given”, “specific”, “informed” and an “unambiguous indication of consent” through a “clear affirmative action”. It seems clear that explicit consent would be required. Consent can also be withdrawn, the consequences of which would be borne by the data subject.
The draft Bill also includes obvious grounds for processing of personal data such as compliance with laws and court orders, actions dealing with epidemics or law & order situations.
The concept of legitimate interest appears to be captured in different ways. Several situations are mentioned whereby consent is deemed to have been given. These include processing of personal data “in public interest” including to prevent or detect fraud, for network and information security, credit scoring, processing of publicly available personal data and for recovery of debt. It seems unclear though whether private enterprises can use these grounds given that the processing needs to be “in public interest”. There is also the ground of “fair and reasonable purpose” but in this case, the government has to notify what is a fair and reasonable purpose. In this regard, the law prescribes that the government can consider legitimate interests of the data fiduciary.
One key ground is where processing of personal data is “necessary” and where personal data is provided voluntarily and “it is reasonably expected that the data subject would provide such personal data”. One would have to show that the processing is “necessary”, that the personal data was provided “voluntarily”, and that the data principal would reasonably be expected to provide such data. One wonders whether this provision could have been drafted better, assuming it is intended to be a legitimate-interest type of ground. It will likely become the most important provision of the new statute for businesses that do not wish to go down the consent route.