23 November 2022
The Digital Personal Data Protection Bill, 2022 (the “Bill”) was proposed by the Ministry of Electronics and Information Technology on November 18, 2022 for public consultation. This was released pursuant to the Joint Parliamentary Committee’s Data Protection Bill, 2021 (“2021 Draft”) and a series of drafts following the judgment of the Supreme Court in Justice K.S. Puttaswamy (Retd) v. Union of India.
The Bill is applicable to all Data Fiduciaries and Processors who process digital personal data within India, where such personal data is collected from Data Principals online or is collected offline and then digitized. It also applies to processing of personal data outside India in connection with offering of goods or services to Data Principals in India or profiling of Data Principals in India. As the Bill is set to take center stage in public consultations amid reports of it being introduced in the upcoming budget session of the Parliament, our key takeaways from the Bill (both positive and negative) are presented below:
The Bill proposes a simplified framework that reduces the compliance burden on Data Fiduciaries and Processors operating in the technology and digital space in India. Many obligations, such as extensive consent requirements (and their management), accountability measures, notice requirements, a privacy by design policy and maintenance of records, have been dropped or reduced under the Bill, thereby reducing compliance requirements to the extent required to safeguard user rights.
Unlike its 2021 counterpart, the Bill does not subcategorize personal data and does not mandatorily require Data Fiduciaries to store any data within India, even when such data is transferred outside India on legally valid grounds. This relaxation may be particularly helpful for entities operating outside India, who may otherwise be required to operate servers in India to host or mirror data.
The Bill enables wider grounds for processing personal data by introducing the concept of deemed consent and makes processing of personal data more accessible, especially for certain sectors, such as customer-facing service providers.
The Bill is not applicable to non-personal data or data which does not identify an individual and is only applicable to digital personal data. This keeps training datasets used for artificial intelligence, machine learning and other innovative technologies, where they do not contain personal data, outside the purview of the Bill.
The Bill enables the determination by the Data Protection Board of complaints that may better be resolved by mediation or other processes of alternative dispute resolution and proposes a process for reference of such complaints to mediation or such methods. This is a positive step in promoting alternative dispute settlement methods in disputes in data protection.
The Bill provides a different definitional ambit of personal data as data about an individual who is identifiable in relation to such data. Earlier drafts also included inferences drawn from data for the purpose of profiling as also being personal data.
The Bill provides for an additional set of obligations governing significant data fiduciaries. These include:
The Bill is ambiguous with respect to international data transfers through arrangements involving intra-group schemes, standard contracts or the like. Instead, transfers of personal data outside India are only based on adequacy of certain territories as notified by the Central Government, with very limited exceptions. Such an approach may not be consistently reliable.
The Bill proposes substantial penalties for non-compliance, while taking a step forward in eliminating offences linked to imprisonment. While the maximum penalty under the 2021 Draft was capped at Rs. 15 crores (~USD 1.8 million), the limits under the Bill were increased to Rs. 500 crores (~USD 61 million).
The Bill retains ambiguity around various provisions which have been left to be prescribed by regulations or rules, such as notice requirements, fair and reasonable purposes for deemed consent, compliance requirements associated with significant data fiduciaries, criteria for notification of adequate territories for cross-border transfers, and terms and conditions for cross-border transfer.
The Digital Personal Data Protection Bill is a step in the right direction in providing much-needed simplicity to the proposed data protection law framework in India. However, certain aspects of the Bill may have to be relooked and reimagined in the context of the evolving digital paradigm. As transactions and data flow faster than ever before, the Bill may have to reimagine faster international data flows by enabling contractual and intra-group tools for such transfers.