By: Sharanya Ranga and Aishini Mandal
The much-awaited draft of The Personal Data Protection Bill, 2018 (Bill) was released by the Committee of Experts chaired by the retired Supreme Court Justice B. N. Srikrishna (Committee) on July 27, 2018.
The Committee was set up by the Ministry of Electronics and Information Technology, Government of India (MEITY) in July 2017 to prepare a data protection framework for India and issued a White Paper in November 2017 inviting stakeholder comments. After deliberating on the stakeholder responses received and further discussions, the Committee submitted the Bill to MEITY along with a report titled “A Free And Fair Digital Economy: Protecting Privacy, Empowering Indians” explaining the salient features of the Bill. Based on MEITY’s suggestions, the Bill (with or without revisions) will be introduced in Parliament and is expected to amend The Information Technology Act, 2000 and replace The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
The Bill comes at a time when India’s digital economy is growing by leaps and bounds and digitization and data analytics are percolating into most aspects of governance. Given the present archaic data protection regime in India, the Bill builds on the broad framework of the European Union’s General Data Protection Regulation (GDPR) and on the landmark judgement of the Supreme Court of India upholding the fundamental right to privacy[1], which necessitates the protection of personal data as an essential facet of informational privacy. It is expected to transform the data protection regulatory landscape in India, empowering users with rights to control their personal data (PD) and setting out various compliances and obligations for businesses processing PD.
The Bill:
recognises the role of the data principal (the natural person whose PD is being collected), the data fiduciary (the person determining the purpose and processing of PD), and the data processor (the person processing the PD on behalf of the data fiduciary);
provides different grounds for processing different categories of PD;
provides the data protection obligations and transparency and accountability measures to be adopted by data fiduciaries and data processors;
lists the rights of data principals;
moots the establishment of a data regulator, the Data Protection Authority of India (DPA); and
sets out penalties and grievance redressal mechanisms for breaches of PD.
We have summarized 10 significant aspects of the Bill below:
1. Personal Data and Sensitive Personal Data
The Bill refers to different categories of data such as PD, sensitive PD as well as critical PD and outlines specific obligations accordingly. PD refers to data about or relating to a natural person (data principal) who is directly or indirectly identifiable, having regard to any characteristic or feature or a combination thereof.
The term ‘Sensitive Personal Data’ has a wide import to include any PD revealing or related to passwords, financial data, health data, official identifier (such as Aadhaar), sex life, sexual orientation, biometric data, genetic data, transgender/intersex status, caste, tribe, religious/political belief or affiliation, or any other category of data that may be specified by the DPA.
While critical PD has not been defined under the Bill, the Central Government may notify certain categories of PD as critical PD that should be mandatorily processed only in India.
2. Extra-territorial Applicability
The Bill applies to the:
processing of all PD within India by both state and non-state actors (i.e., any Indian entity or Indian citizen) and foreign entities where such data has been collected, disclosed, shared or processed within India; and
foreign entities not situated in India but having an Indian business connection.
The extra-territorial applicability principle, on the lines of the GDPR, has been adopted for data processing by foreign entities not situated in India if there is an Indian business connection. So foreign entities undertaking data processing in connection with any business carried on in India, including any systematic activity of offering goods or services within India and profiling of individuals in India, will come under the ambit of the proposed law.
Processing of anonymised data (i.e., where the PD goes through an irreversible process of transformation or conversion to a form where the data principal cannot be identified) is exempted from the Bill.
3. Data Protection Obligations
The Bill aims to create a trust-based relationship between the data principal and the data fiduciary/data processor with the data fiduciary expected to process/use the PD of the data principal in a fair manner that respects the interests of the data principal. The data fiduciary/data processor has been mandated to comply with some of the following data protection obligations:
Fair, reasonable and lawful processing: Fair and reasonable processing of PD that respects the privacy of the data principal and is lawful.
Purpose, collection and storage limitation: Processing of PD is to be limited to only such purposes as have been specified in a clear, lawful and specific form at the time of collection. Collection of PD is to be limited to such data as is necessary for the purposes of processing. PD shall be retained only for such time as is necessary for the purpose for which it was processed, unless required for a longer period to comply with applicable laws. Periodic reviews are to be undertaken in this regard to determine data retention (or deletion).
Notice obligations: The notice and choice framework to secure an individual’s consent is the bulwark on which data processing practices in the digital economy are founded. Therefore, detailed notice requirements have to be provided by the data fiduciary in the following manner:
Notice has to be provided in a clear, concise and easily comprehensible manner and in multiple languages where necessary and practicable, either at the time of collection of PD, or as soon as reasonably practicable if PD is not directly collected from the data principal.
The notice has to provide information relating to the a) purpose of processing PD and categories of PD being collected, b) identity and contacts of the data fiduciary or data protection officer (as applicable), c) other entities with whom such PD may be shared, d) cross-border transfer of PD to be carried out by the data fiduciary, e) data retention period, f) data principal rights and grievance redressal procedure, and g) ratings/data trust score (as applicable).
Data quality and accountability: Reasonable steps have to be taken to ensure that PD that is being processed is complete, accurate, not misleading and updated. The data fiduciary has to comply with all its obligations under the Bill in respect of processing of PD as well as demonstrate such compliance.
4. Grounds for Processing of Personal Data and Sensitive Personal Data
‘Processing’ of PD has been defined broadly as performance of operations on PD including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment, indexation, dissemination, disclosure by transmission, restriction and destruction.
Consent to processing data forms the foundation of most data protection laws across the world and the Bill also adopts this approach. Thus, there are different standards of consent for different kinds of PD and PD has to be processed only for the specific purpose consented to by the data principal. Processing of all PD has to be based on the consent of the data principal where such consent has to be free, informed, specific, clear, and capable of being withdrawn. Explicit consent is required for processing of sensitive PD.
Exceptions to the consent principle for processing PD are provided if such processing is necessary for the following purposes:
i) Functions of the State (Parliament or any State Legislature).
ii) Compliance with any law or order of a court/tribunal.
iii) Prompt action such as response to any medical emergency, providing medical treatment during an epidemic, outbreak of disease or other threats to public health, undertaking safety measures during any disaster or breakdown of public order.
iv) Employment related purposes such as recruitment and termination, provision of any service/benefit to the employee (i.e., the data principal), verification of attendance, assessment of performance of the employee and related activities. This is subject to consent not being appropriate considering the employment relationship between the employer (i.e., data fiduciary) and the employee, or consent involving disproportionate effort on the part of the employer.
v) Other reasonable purposes which are in the public interest, inter alia, security of the State, prevention and detection of crime, investigation and prosecution of contraventions of law, legal proceedings, research, archiving or statistical purposes, personal or domestic purposes, journalistic purposes and manual processing by small entities.
Exceptions to the consent principle for processing sensitive PD are limited to the exceptions stated in i), ii) and iii) above.
5. Processing of Personal and Sensitive Personal Data of Children
Every data fiduciary has to process PD of children in a manner that protects and advances the rights and best interests of the child, i.e., a person below the age of 18 years (the age recognising competence to contract as per the [Indian] Contract Act, 1872).
Data fiduciaries must build in appropriate mechanisms for age verification and parental consent to process PD of children. The Bill introduces the concept of guardian data fiduciaries, being data fiduciaries operating commercial websites or online services targeted at children, or processing large volumes of children’s PD. Guardian data fiduciaries have been barred from profiling, tracking, monitoring behavior, conducting targeted advertising, or undertaking any processing which may cause significant harm to children. The only entities exempted are those that exclusively provide counseling or child protection services.
6. Rights of Data Principal
Modelled on the lines of the GDPR, the Bill aims to grant the following rights to the data principal relating to processing of their PD:
Right to confirmation and access: Right to obtain a confirmation from the data fiduciary as to whether it is processing their PD, as well as to obtain brief summaries of both the PD being processed and the processing activities.
Right to correction: Right to obtain the correction of inaccurate or misleading PD, completion of incomplete PD, and updation of outdated PD from the data fiduciary.
Right to data portability: Right to obtain/receive their PD from the data fiduciary in a structured, commonly used and machine-readable format where data has been processed through automated means. This covers data provided to the data fiduciary by the data principal or obtained by the data fiduciary, data which has been generated by the data fiduciary in the course of provision of services, and data which forms part of any profile on the data principal, or which the data fiduciary has otherwise obtained. This is not applicable if the processing is necessary for functions of the State or in compliance of law or would result in disclosing a trade secret of the data fiduciary or not be technically feasible.
Right to be forgotten: Right to restrict or prevent continuing disclosure of PD by a data fiduciary in limited circumstances where such disclosure – a) has served the purpose for which it was made or is no longer necessary; b) was made on the basis of consent which has since been withdrawn; or c) was made contrary to the provisions of the Bill or other laws. To ensure that the right to be forgotten does not override the right to freedom of speech and expression, this right may be exercised by filing an application to the adjudicating officer who will consider it based on certain parameters laid down in the Bill.
7. Transparency and Accountability Measures
Taking a cue from the data governance and accountability framework of the GDPR, the Bill introduces a host of transparency and accountability measures to be complied with by the data fiduciary (and the data processor). Some of the significant measures include:
Privacy by design: All business practices and technical systems have to be designed so as to anticipate, identify and avoid harm to the data principal and processes put in place to embed ‘privacy by design’ into projects. This is through adoption of certified standards or commercially accepted technology, achievement of legitimate interests of business without compromising privacy interests, protection of privacy throughout processing from the point of collection to deletion of PD, and accounting for the interest of the data principal at every stage of data processing.
Transparency and security safeguards: The data fiduciary has to adopt a transparent manner of processing of PD, maintain transparency regarding its general practices of processing PD, and provide such information in an easily accessible form. Appropriate security safeguards, such as de-identification and encryption, shall be implemented.
Data protection impact assessment: A data protection impact assessment has to be undertaken if the data fiduciary intends to undertake any new processing technologies or large scale profiling or use sensitive PD or other processing which carries a risk of significant harm to data principals.
Record keeping and data audits: Accurate and up-to-date records of important operations in the data life-cycle have to be maintained by the data fiduciary. The data fiduciary has to conduct an annual audit of its policies and processing of PD by an independent data auditor, who will evaluate the compliance of the data fiduciary with the various provisions of the Bill.
Relationship with data processor: The data fiduciary must engage the data processor only on the basis of a valid contract and further contracting with another data processor shall be as permitted under contract and authorized by the data fiduciary.
Personal data breach: PD breach refers to any unauthorized or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to PD that compromises the confidentiality, integrity or availability of PD to a data principal. A data fiduciary has to notify the DPA of a PD breach, where such breach is likely to cause harm to any data principal, as soon as possible and no later than the time stipulated by the DPA, after accounting for any time required to adopt urgent measures to remedy the breach or mitigate immediate harm. The data breach notification has to contain details such as the nature of PD that is the subject matter of the breach, the number of data principals affected by the breach, the possible consequences of the breach and the remedial measures adopted by the data fiduciary. On receiving the notification, the DPA shall determine if such breach has to be reported by the data fiduciary to the data principal whose personal data has been breached, considering the severity of harm that may be caused to the data principal. Additionally, the DPA shall post the details of such breach on its website and the website of the data fiduciary, besides directing the data fiduciary to take remedial steps. Data audits shall also be conducted wherein an external independent data auditor shall evaluate the compliance of the data fiduciary in relation to instances of personal data breach.
Significant data fiduciary: The DPA shall classify certain data fiduciaries as significant data fiduciaries based on the volume of PD processed, the sensitivity of PD processed, the degree of risk of significant harm as a consequence of data processing activities, and the use of new technologies for processing. Certain additional obligations have also been placed on such significant data fiduciaries, namely, mandatory registration with the DPA, conducting data protection impact assessments and data audits, record-keeping, and appointment of a data protection officer. Civil penalties may also be imposed on significant data fiduciaries for contravening the provisions of the Bill.
Grievance redressal: Every data fiduciary shall adopt proper procedures and effective mechanisms to address grievances of data principals efficiently and in a speedy manner. The data principal may raise a grievance to the data protection officer (in case of a significant data fiduciary) or the designated officer (in case of any other data fiduciary). The grievance must be resolved as soon as possible, within a period of 30 days from the date of its receipt. If the grievance is not resolved within the stipulated time period or if the data principal is not satisfied with the manner of grievance redressal or if the data fiduciary has rejected the grievance raised, the data principal has the right to file a complaint with the adjudication wing of the DPA. The data principal can appeal to the appellate tribunal against the order of the adjudication officer.
Data Protection Officer: The data fiduciary shall appoint a data protection officer to ensure compliance with the provisions of the Bill. Such an officer has to be mandatorily appointed in cases where a data fiduciary is not present in India but carries on processing of PD under the ambit of the Bill. The officer shall be based in India and represent the data fiduciary to comply with its various obligations under the Bill.
8. Cross Border Transfer of Data and Data Localization
The Bill proposes onerous restrictions on cross-border data transfers, i.e., transfer of PD outside India, and mandates data localization. Every data fiduciary shall store at least one serving copy of PD on a server or a data centre located in India. Further, the Central Government may exempt certain categories of PD from being stored in India on grounds of necessity or strategic interests of the State. This exemption will however not be permitted for sensitive PD. Some of the conditions for transferring PD outside the territory of India are as follows:
Transfer has to be made as per the standard contractual clauses or intra-group schemes that have been approved by DPA; or
Transfer to jurisdictions approved by Central Government and DPA subject to adequate level of protection in the destination country/international organization; or
Particular transfer/s approved by DPA on grounds of necessity.
Transfer of sensitive PD is possible to a particular entity or person providing health or emergency services for prompt action, and to jurisdictions approved by the Central Government and the DPA. While consent of the data principal has to be explicitly provided for transfer of PD or sensitive PD, it may not be required for critical PD as notified by Central Government.
9. Regulators under the Bill
Data Protection Authority of India: The Bill introduces an independent data protection regulator in the form of the DPA to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of the Bill and promote awareness of data protection. The DPA has been vested with wide powers ranging from enforcing the provisions of the Bill, certifying data auditors and significant data fiduciaries, issuing directions to data fiduciaries/data processors, calling for information, and conducting inquiries. The DPA shall issue codes of practice to promote good practices of data protection and facilitate compliance with the various obligations under the Bill. These codes may be issued on matters relating to model forms or guidance on notice requirements, data quality, data storage limitation, consent, processing of PD for reasonable purposes, exercise of rights by data principals, transparency and accountability measures, security standards and methods of de-identification, anonymisation, destruction and erasure of data, action to be taken in response to a personal data breach and cross-border transfers of PD.
Adjudicating Officer: The Bill proposes the appointment of an adjudicating officer who shall be responsible for imposing penalties on data fiduciaries and awarding compensation to affected data principals. Appeal from the adjudicating officer shall lie to the appellate tribunal to be set up under the Bill and further appeals from the appellate tribunal shall be in the Supreme Court of India.
10. Penalties, Remedies and Offences
Civil Penalties: Modeled on similar lines to the GDPR, the Bill prescribes strict (and differentiated) penalties for contravention of various provisions. A data fiduciary may be subject to monetary penalties of up to INR 50 million or 2% of its total worldwide turnover of the preceding financial year (whichever is higher) for contravention of PD breach provisions, failure to undertake a data protection impact assessment or data audit, not appointing a data protection officer and non-registration with the DPA. For violations relating to processing of PD, sensitive PD, PD of children, non-adherence to security standards and cross-border transfer of PD outside India, the data fiduciary may be liable for a higher penalty of up to INR 150 million or 4% of its total worldwide turnover of the preceding financial year (whichever is higher).
Compensation to Data Principals: The Bill also provides for compensation to data principals. A data principal, who has suffered harm as a result of violation of any provision, has the right to seek compensation from the concerned data fiduciary/data processor, as the case may be, by way of filing a complaint before the adjudicating officer. The adjudicating officer shall decide to award compensation and the amount of compensation after evaluating various factors relating to such violation/s. The Bill also provides for the institution of class action suits by data principals, who have suffered harm by the same data fiduciary or data processor.
Offences: Offences punishable under the Bill are cognizable and non-bailable. Also, various offences shall be punishable with imprisonment for a term of up to 3 years or a monetary fine of up to INR 200,000, or both. These include knowingly, intentionally or recklessly obtaining, disclosing, transferring or selling PD resulting in significant harm to a data principal, or re-identification and processing of de-identified personal data without the consent of the data fiduciary/processor.
Liability of directors, managers: Every company and every person who, at the time of commission of an offence, was in charge of and responsible to the company for the conduct of business of the company shall be deemed to be guilty in the event of commission of any offence by the company and be liable for punishment accordingly. Directors, managers, secretaries or other officers of the company shall be deemed to be guilty if it is proved that an offence was committed with their consent or connivance or attributable to neglect on their part.
Our Observations
Overall, the Bill provides a comprehensive framework for the protection of PD and aims to usher in a holistic change in the way PD is treated/handled in India through strict regulation. While the Bill is no doubt a positive beginning given the outdated legislative framework for data protection and data privacy in India as on date, some aspects outlined below require re-consideration and have to be ironed out before the Bill becomes law.
Given the elaborate standards and practices to be implemented across the board by data fiduciaries/processors, operational and compliance costs of companies are set to rise. The provisions relating to extra-territorial applicability of the law with reference to a business connection in India, cross-border transfer of PD and data localisation appear to be overkill and have to be re-examined such that India does not lose its competitive edge in the digital age. Also, some of the obligations imposed on data fiduciaries and data processors, especially foreign entities (and their personnel), make it difficult to do business in India.
There is no clarity on what constitutes critical PD and whether processing of critical PD shall be subject to further stringent safeguards or compliances. Also, the definition of ‘sensitive PD’ appears to be quite broad and has to be narrowed down to a curated (sensitive) set of identifiers.
From a data principal perspective, the DPA and the government appear to have been given wide powers to provide overarching exemptions on a host of grounds, such that some data principal rights may end up getting significantly diluted, practically rendering such rights meaningless.
While the Bill does not have retrospective applicability, it is not clear how processing of PD completed before the law comes into effect is to be treated, and the consequences of misuse of such PD by data fiduciaries have to be deliberated upon. It is also hoped that a practical transitional period will be provided for businesses to transition from the existing framework to that of the new, more robust legislation.
[1] Justice K. S. Puttaswamy and Ors. v. Union of India and Ors., 2017 (10) SCC 1