Back To The Future: India's Proposed Digital Governance Framework - Data Protection - India (2023)

This is the third note of , a multipart series on data anddigital governance focused on personal and non-personal data,including with respect to their separate regulatory, legal, andcommercial implications. The previous note outlined the build-up toIndia's proposed digital governance architecture by analyzingpast trends, some of which have coalesced through specific interestconfigurations towards current developments. In this note, we willdiscuss possible trajectories for the future in respect of suchgovernance regime.

While the last note covered developments until 2020, we look atmore recent trends here, including those that may directlycontribute towards the formulation of India's new dataprotection and digital framework over the next few months.

BACKGROUND

In May last year, the Ministry of Electronics andInformation Technology ("MeitY") hadreleased a draft of the National Data Governance Framework Policy forpublic consultation ("NDGFP"). The NDGFPaims to ensure that non-personal and anonymized data from bothgovernment and private entities are accessible by research andinnovation ecosystems, including for the purpose of facilitatingacademic output and initiatives in research and development("R&D") by Indian start-ups.Further, the policy aims to provide an institutional framework ofrules relating to datasets and metadata, as well as standards,guidelines, and protocols related to the sharing of non-personaldata.

In addition, as part of the NDGFP, the government aims to buildthe India Datasets program ("IDP") -potentially comprising non-personal datasets housed withingovernment and private entities (including companies), based ondata collected from citizens and/or people living in India.Nevertheless, the NDGFP has clarified so far that obligations toshare such collected data will mandatorily apply only to governmentdepartments and bodies (while private entities may only beencouraged to share such data).

Earlier this year, while presenting the Union Budget for FY2023-24, Finance Minister Nirmala Sitharaman had indicated that the NDGFP might be finalizedsoon, thus enabling wide access to anonymized data. Significantly,the May 2022 draft of the NGDFP contained plans to monetize datasharing - which aspect, in turn, received public criticism. Forinstance, while the India Data Management Office("IDMO"), as proposed for establishmentunder the Digital India Corporation under MeitY, may be givenpowers to design and manage the IDP in terms of processing requestsfrom Indian researchers and start-ups for access to non-personaland/or anonymized datasets, Clause 6.18 of the NGDFP in its currentform allows the IDMO to charge user fees for its services.

PROPOSED DI ACT

Further to its goal of championing a 'Digital India Act'in lieu of the dated Information Technology Act, 2000 (the"IT Act"), MeitY made presentations before various stakeholders atBengaluru in March this year. While the associated timelines andconsultations (the "DIA Consultations")with respect to such exercise lacked consistency at first, pursuant to freshDIA Consultations in May 2023 across New Delhi and Mumbai, it nowappears that, pursuant to a few more rounds of engagement with select stakeholders, a draft bill for theproposed statute (the "Proposed DI Act")may be ready in a few months' time. According to media reports, the government may frame rulesfor sharing non-personal data under this law - such as in respectof data captured by invasive gadgets like spy camera glasses andwearable devices/technologies. Accordingly, dedicated provisions toregulate such devices/technologies may be introduced in theProposed DI Act, including those related to compliance with'Know-Your-Customer' (KYC) requirements as a pre-conditionto obtain approvals for sale. Meanwhile, although the revised version of a MeitY-constituted expertcommittee's first report on a national framework for datagovernance (such committee, the "DGCommittee," and such reports, the "FirstDGC Report" and the "Revised DGCReport," respectively) is yet to be acted upondespite being submitted almost three years ago, it is possible thatcertain of its key findings will be accounted for in the ProposedDI Act, especially with respect to the sharing of non-personaldata.

Absent specific information or formal clarifications issued byMeitY other than through sporadic media statements and the recentDIA Consultations between March and May 2023, certain overarching principles of the Proposed DI Actin its current conceptualization appear to include: (1) an openinternet, (2) online safety, (3) a revised intermediary framework,and (4) no/limited safe harbor.

Open internet

In terms of promoting an open internet, the Proposed DI Act mayfacilitate: (i) online diversity by improving choices andcompetition among consumers and digital actors, respectively; (ii)the ease of doing business along with corresponding compliances; aswell as (iii) fair access to digital markets for start-ups andsimilar entities. Accordingly, provisions in respect ofinteroperability (i.e., the property that allows forsharing and use of resources between different systems, components,and/or machines, including data exchanges), fair trade practices(including for dominant market players), and non-discriminatoryaccess, may be introduced with respect to digital services. In thisregard, it is possible that the proposed law may recognize the roleof 'digital gatekeepers', including in terms ofconsequences stemming from the actions of digital actors online -for instance, in respect of creating or limiting entry barriers,and establishing a level-playing field.

All of this appears to be consistent with the Revised DGCReport, where the DG Committee had identified the realization ofeconomic value from the use of non-personal data as a key priority.In other words, in terms of asserting India's data sovereignty,the Proposed DI Act may focus on generating economic benefits forcitizens and communities, including by unlocking the social,public, as well as the economic value of data. Thus, pursuant tothe DG Committee's recommendations, the Proposed DI Act mayensure that the benefits from processing non-personal data accruenot just to the organizations that collect such data, but also tothe country as a whole, as well as the community that produces thedata. Further, the DG Committee had stressed the importance ofcreating incentives for innovation, including in respect of newproducts, services, and start-ups. Nevertheless, addressing privacyconcerns, including from the re-identification of anonymizedpersonal data, as well as preventing collective harms arising fromthe processing of non-personal data, may remain key focusareas.

Online safety

The Proposed DI Act may introduce separate provisions forprotecting users against unsafe content, online harm, and variouscybercrimes - including by 'age gating' children fromaddictive technologies and from certain online/digital platforms -especially those which may seek to collect/process children'sdata.

In addition, moderating false information and/or curbing fakenews, including content published on social media platforms,messaging services, websites, and other forums, might be importantareas of focus. In this regard, the Proposed DI Act may introducecompliance requirements and/or specific measures, such as periodicrisk assessments, algorithmic transparency, and disclosures by dataintermediaries. Concomitantly, the penalty framework fornon-compliance, especially for cybercrimes and other offences, maybecome more stringent. A specialized adjudicatory mechanism foraddressing online offences may also be introduced.

Other risks

It remains to be seen whether a separate rights regime finds itsway into the Proposed DI Act (similar to Clauses 12-15 underChapter 3 of India's current draft of the Digital Personal Data Protection Bill, 2022("DPDP")), such as in respect of rightsrelated to processed and/or shared information; correction anderasure; grievance redressal; as well as rights of nominationand/or digital inheritance. However, additional digital user rightsrelated to secure electronic processing, as well as againstdiscrimination and automated decision-making, may be included inthe new law. Furthermore, certain rights that were part of previousiterations of DPDP but which have now been excluded - such as theright to be forgotten, may be subsumed within the Proposed DI Actin respect of non-personal data.

For instance, Clause 13(2)(d) of DPDP provides that a dataprincipal can request the concerned data fiduciary, such that thelatter will be obliged, to erase the personal data of the formerwhen the information is no longer needed for the sake of theoriginal processing - "unless retention is necessary for alegal purpose". However, this stipulation appears to situncomfortably with Clause 9(6)(b) of DPDP which allows datafiduciaries to hold on to personal data for 'business'purposes - in addition to legal ones - as long as the datafiduciary's assessment of such purpose remains backed byreasonable assumption. Thus, it is unclear whether a dataprincipal's request for erasure may be rejected if the datafiduciary needs (or wants) to preserve such personal data forexclusively business-related reasons, especially if and when thelatter removes the means through which the underlying personalinformation can be associated with specific individuals (see thelead-in to Clause 9(6) of DPDP) - say, through the use ofanonymization techniques. Accordingly, the current formulation inDPDP does not clarify how this conflict may be resolved, includingin respect of a potential disagreement between the data principaland the data fiduciary, respectively, about whether the collectedpersonal data is to be corrected or erased. In addition, Clause 13of DPDP does not impose an express obligation on data fiduciariesto pass on the corrections/erasures to third parties -i.e., those with whom such fiduciaries subsequently share,or have already shared, the underlying personal data.

Similarly, under Section 22 ('Correction of personaldata') of Singapore's Personal Data Protection Act2012 ("PDPAS"), an individual mayrequest an organization to correct an error or omission in herpersonal data which is in the possession, or under the control, ofthat organization. Unless the organization is satisfied onreasonable grounds that a correction should not be made,it is required to correct such data as soon as practicable.However, unlike Clause 13 of India's DPDP, pursuant to Section22(2)(b) of PDPAS, the requested organization is obliged to sendthe corrected personal data to every other organization which suchdata was disclosed to within a year prior to the date ofcorrection. Nevertheless, the latter obligation is subject to someimportant qualifications.

Further, similar to Clause 9(6) of DPDP, in Section 25('Retention of personal data') of PDPAS, anorganization must 'cease to retain' or alternatively,de-identify (anonymize), personal data as soon as it is reasonableto assume that: (a) the data is no longer serving its purpose ofcollection; and (b) its retention is 'no longer necessary forlegal or business purposes'. Here, the reference to'business purposes' may be interpreted as legitimatebusiness purposes only (i.e., encompassing justificationsbased on exceptions, notice, and consent). However, from a dataprincipal's perspective, it may be almost impossible to provethe expiry of all 'business purposes' with respect to anorganization. Further, it is unclear whether the onus to prove anoutstanding 'legitimate' purpose lies with the organizationitself. The advisory guidelines issued by the SingaporeanPersonal Data Protection Commission("SPDPC") in this regard do notexplicitly address the question of onus either. However,organizations are expected to document and/or demonstrate reasonsfor retention. According to the SPDPC, an organization will beconsidered to have ceased to retain personal data when it no longerhas the means to associate such data with particular individuals -i.e., when the personal data has been anonymized.

In this regard, in 2020, the DG Committee was of the opinionthat when the underlying data is without any personallyidentifiable information ("PII"), itshould be considered 'non-personal'. The DG Committee hadalso suggested that it was possible to formulate a generaldefinition of non-personal data according to the origins of suchinformation - such as in respect of anonymous data that wasinitially personal (i.e., prior to anonymization), but nowis not. Accordingly, data which is aggregated, and to which certaindata-transformation techniques have been applied - such thatindividual-specific events, markers, or other PII are no longeridentifiable - may be qualified as anonymous data.

However, based on the extent to which the DG Committee'srecommendations are included in the Proposed DI Act, personal datawhich is later anonymized may continue to be treated as thenon-personal data of a corresponding data principal. Accordingly, adata principal could act upon any subsequent harms arising fromre-identification (for instance, if an applied pseudonymizationtechnique is not adequately robust) or even in respect of a harmotherwise arising from such data processing.

Under the Personal Data Protection Bill, 2019("PDP 19") (a previous iteration ofDPDP, which was the draft law on personal data in India at the timeof the First and Revised DGC Reports), consent was obviouslynecessary - albeit for the collection and processing of personaldata alone. In this regard, since the conditions for valid consentunder Clause 11 of PDP 19 - involving the data principal's'specific' approval that was 'capable of beingwithdrawn' - did not apply to non-personal data, itcould not, therefore, be assumed that the consent providedfor the processing of personal data would apply automatically tonon-personal data as well, i.e., if and when such personaldata was later anonymized. Accordingly, the DG Committee hadrecommended that a data principal should be required to provide herconsent for anonymization too, as well as for the use of suchanonymized data, at the time of providing consent forcollection/use of her personal data in the first instance.Accordingly, appropriate standards of anonymization may be laterdefined to minimize and/or prevent risks of re-identification.

The DG Committee had further recommended that, at the time ofcollecting personal information, 'data collectors' (or datafiduciaries) should provide a notice with respect to - and offerthe data principal the choice to opt out of - data anonymization.Accordingly, details about anonymization ought to constitute aseparate disclosure requirement. Through such notice, dataprincipals may be informed that their personal data could beanonymized and/or used for other purposes, including in thefuture.

Moreover, the DG Committee had felt that it was important toextend the concept of 'sensitivity' to non-personal data,including when produced from anonymized personal data - especiallywhen it remained susceptible to re-identification. This was anacknowledgement of the fact that even when personal data getsconverted to a non-personal form, the possibility of harm to theoriginal data principal remains. After all, no anonymizationtechnique provides perfect irreversibility.

Further, the DG Committee had pointed out that the connectionbetween anonymized personal data and non-personal data,respectively, was well-captured within PDP 19 itself under Clause2(B) - which stated that the provisions of PDP 19 wouldnot apply to any personal data that had been anonymized.Anonymization, in turn, had been defined under PDP 19 as theirreversible process of transforming or converting personal data toa form in which a data principal could not be identified - andwhere such non-identifiable form met the standards ofirreversibility as specified by the relevant data protectionauthority. Accordingly, any personal data that had been subjectedto a de-identification process and, as a result, had beensuccessfully anonymized, would automatically become non-personaldata - thus falling beyond the purview of PDP 19. However, the DGCommittee did clarify that 'mixed' datasets - whichtypically contain both personal and non-personal data linked toeach other - would be governed by PDP 19 alone.

At present, this understanding ought to extend to DPDP too,since DPDP is India's current draft on personal data. Further,this understanding appears to be consistent with the EU'sGeneral Data Protection Regulation("GDPR") - since it has been establishedthat GDPR regulates mixed datasets when the non-personal componentsof such datasets are inextricably linked with personal datacomponents. Nevertheless, in light of the fact that DPDP isgenerally silent on both non-personal and anonymized data, aclarification in this regard may be issued later. However, giventhat the November 2022 draft of DPDP expressly clarifies that itdeals with (digital) personal data alone, such a clarification maynow be unnecessary, including in light of the Proposed DI Act.

Clarifications about overlap of regimes

The DG Committee had also recommended that PDP 19 should beamended to ensure that its provisions did not end up regulatingnon-personal data (along with personal data). For instance, whenthe committee made this recommendation, Clause 91(2) of PDP 19 hadsought to establish a framework within which even non-personal datacould be regulated (for instance, where the central government wasauthorized to direct a data processor to provide it with anonymizedpersonal data to enable better targeting of public service deliveryor for the formulation of evidence-based policies). Thus, in orderto ensure that the frameworks for personal and non-personal data,respectively, were kept separate and mutually exclusive - evenwhile operating simultaneously and harmoniously with each other -the DG Committee had suggested that such provisions should beremoved from PDP 19 altogether, and instead, the scope of suchremoved provisions ought to be included under a separate legalregime for non-personal data - and non-personal data alone.Accordingly, it would then be clear that PDP 19 did notapply to the processing of anonymized data under anycircumstances.

It is possible that the lack of reference to eitheranonymization or non-personal/anonymized data in DPDP is a resultof the DG Committee's recommendations in this regard.

Revised intermediary framework and new technologies

Certain media reports from earlier this monthsuggested that the Proposed DI Act may introduce a framework toregulate data storage, localization, social media platforms, andonline gaming. The new law may also introduce working guidelines toclassify various internet portals - such as e-commerce websites andartificial intelligence ("AI")-enabledplatforms - differently.

In that regard, the Proposed DI Act could become thecountry's default law for technology-related legislation in thefuture, including in respect of online/digital/social mediaplatforms, as well as devices and internet-based applications thatrely on new technologies such as the Internet-of-Things("IoT"), AI, machine learning("ML"), Web 3.0, wearable internet-baseddevices, autonomous systems, virtual reality("VR"), and distributed ledgertechnology/blockchain. Given the widespread use of such newtechnologies in critical fields such as healthcare, banking, andaviation - their development and deployment may be made subject torigorous requirements, including by regulating high-risk AI systemsthrough quality-testing frameworks, algorithmic accountability,threat and vulnerability assessments, as well as contentmoderation.

Further, according to reported accounts - breaking away from thecurrent catch-all method employed by the IT Act - the viability ofhaving separate categories under the Proposed DI Act for onlineintermediaries on the basis of their business and user-base haveformed a key element in discussion (e.g., bydistinguishing social media intermediaries from other onlineintermediaries, including in respect of different compliancerequirements based on varying standards of data processing). Suchintermediaries may be classified based on: (i) the nature andextent of their involvement in content transmission (includingtelecom and internet service providers), (ii) their type of work,(iii) their platform content (vis-à-visuser-generated content), as well as (iv) their role in peer-to-peerinformation sharing.

Accordingly, intermediaries under the Proposed DI Act mayinclude a wide variety of entities, including search engines andplatforms that are involved in advertisement technology (AdTech),e-commerce, social media, digital content, and online gaming.Obligations for online gaming intermediaries under the Proposed DIAct may be included in addition to the new legal regimefor operators of online games - as introduced through amendments made to the Information Technology(Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021via MeitY notification dated April 6, 2023 (the "2023Amendment Rules").

Further, certain intermediary obligations under the Proposed DIAct may be extended to entities that do not necessarily operate asintermediaries on the internet.

Data business

The DG Committee had also proposed the classification of a'data business' ("DB") for anyorganization (government or private) that collects, processes,stores, or otherwise manages personal and/or non-personal data.Further, a DB may be treated as a 'data custodian' (asdefined in the First DGC Report) or as a data processor. Accordingto the DG Committee, a data custodian ought to undertakeinformation management in the best interest of the data principal.Thus, a data custodian may be similar to a 'data fiduciary'(as defined in Clause 2(5) of DPDP), while being subject to thedirections and control of the data principal. Further, in respectof community data, data custodians may be required to exercise a'duty of care' with regard to the concerned aggregation,including in connection with handling the non-personal dataassociated with such community. Some such duties may include theadoption of anonymization standards, protocols, and safedata-sharing.

In addition, the DG Committee had envisaged 'datatrusts' as institutional structures comprising specific rulesand protocols for containing and sharing a given dataset.Accordingly, data trusts may contain data from multiple sourcesand/or data custodians, especially when such data is relevant to aparticular sector (and thereby necessary for providing digitalservices). Further, data custodians may voluntarily share the datacontained in such data trusts, including when either of private orpublic organizations share the data held by their respective selves- as envisaged under the present draft of the NDGFP. Since datatrusts may involve both mandatorily and voluntarily shared data,the government and/or data trustees may compulsorily require thesharing of important data for a particular sector with respect tospecific purposes - which task could be managed and provided bysuch data trusts.

However, a DB need not constitute an independent industry orsector. Thus, in the future, existing businesses across diversesectors may get categorized as DBs - if, and as long as, theycollect data. For example, companies operating in sectors such asbanking, finance, telecommunications, internet-enabled services,transportation, consumer goods, and travel, as well asuniversities, private research laboratories, non-governmentalorganizations, etc., may be classified as DBs, based on prescribedthresholds with respect to the amount of data collected orprocessed.

Further, a DB that collects data above a certain threshold maybe required to register in India. Threshold parameters such as inrespect of gross revenue, number of consumers/households/deviceshandled, percentage of revenue from consumer information, etc., maybe considered relevant for the purpose of ascertaining registrationrequirements. In addition, applicable thresholds within thepersonal data framework for 'Significant Data Fiduciaries'("SDFs") might be harmonized withsimilar thresholds for non-personal data. Under DPDP, pursuant toClause 11, the central government may notify any one or class ofdata fiduciaries as an SDF on the basis of specified factors.Further to such classification, additional obligations may beimposed on notified SDFs. The factors which may be considered tomake an SDF assessment will include the volume and sensitivity ofpersonal data processed, the risk of harm to the data principal,and national/public interest, as well as any other factor that maybe deemed necessary by the government for this purpose.

Furthermore, the idea of separately classifying a DB goes beyondconsiderations of non-personal data alone, since organizations maycollect and process both personal and non-personal data, andultimately utilize such data for various commercial purposes -including to provide services and other economic reasons.Accordingly, a DB may be required to share metadata along with theunderlying information pursuant to appropriate regulations framedin the future.

No/Limited safe harbor

The Proposed DI Act may modify the safe harbor principle, as contained under Section 79(1) of the IT Act,with respect to intermediaries. Broadly, protection from liabilityfor different kinds of intermediaries/platforms against contentshared by their users may be contingent under the new law upon theformer's compliance with prescribed obligations in respect ofhosting third-party information.

In this connection, the IT Act had been previously amended bythe Information Technology (Amendment) Act, 2008("the 2008 Amendment"), pursuant towhich Section 79 was introduced under a substituted Chapter XII('Intermediaries not to be liable in certaincases'). This provision sought to exempt intermediariesfrom liability for such third-party information that was onlyhosted or otherwise made available by them, albeit subject toimportant qualifications - as spelled out by the 2008 Amendmentunder subsections (2) and (3) of the revised Section 79.Thereafter, the Information Technology (Intermediaries Guidelines)Rules, 2011 (the "2011 Rules") wereframed to provide clear due diligence requirements forintermediaries (pursuant to Section 79(2)(c) of the amended ITAct). Further, the 2011 Rules prohibited content of a specificnature on the internet and required intermediaries such as websitehosts to block such prohibited content.

Subsequently, the Information Technology (Intermediary Guidelinesand Digital Media Ethics Code) Rules, 2021 (the"2021 Rules") were notified, replacingthe 2011 Rules. Key changes under the 2021 Rules includedadditional due diligence requirements for certain entities -including social media and significant social media intermediaries- as well as a framework for regulating the content of onlinepublishers with respect to news, current affairs, and curatedaudio-visual content. The 2021 Rules were further amended in 2022 to extend suchadditional due diligence obligations on online gamingintermediaries as well.

Finally, earlier this year, MeitY published draft amendments tothe 2021 Rules related to due diligence by an intermediary,inviting feedback from the public. Further to suchfeedback, a few months later, MeitY notified the 2023 AmendmentRules - which amended the 2021 Rules, especially in terms of (a)online gaming, (b) due diligence by online gaming intermediaries,as well as (c) grievance redressal in this regard.

Given that this is how things currently stand in respect ofIndia's proposed digital governance architecture, in the nextnote of , we will examine the specificconcerns related to children's data under this regime,including in light of DPDP and other data protection frameworks -such as those in the US and Europe - with respect to children'spersonal data.

This insight/article is intended only as a generaldiscussion of issues and is not intended for any solicitation ofwork. It should not be regarded as legal advice and no legal orbusiness decision should be based on its content.