By Sharanya Ranga and Aishini Mandal
With nearly half a billion internet users and rapid digitization of governance and services, India is generating mountains of data. All types of personal information and data is being collected, compiled, mined, stored, analyzed, monetized and regurgitated in some form or the other. This data collection is happening at an unprecedented level ranging from ubiquitous personal lifestyle, food and entertainment choices to location tracking, medical, health, financial and biometric data with algorithms whipping up insights and profiles from disparate data sets. Even as India rode the tech boom and spawned forth a vibrant startup ecosystem, efforts to implement a modern and robust regulatory framework for data privacy and data protection have been found wanting.
More than a year after the draft Personal Data Protection Bill, 2018 (2018 Bill) was released by the expert committee chaired by the retired Supreme Court Justice B. N. Srikrishna, the Personal Data Protection Bill, 2019 (2019 Bill) was introduced in India’s lower house of Parliament last month. With the 2019 Bill immediately referred to a Joint Parliamentary Committee for further review, it is hoped that the New Year will be the harbinger of strong privacy legislation for digital India.
Following in the footsteps of the 2018 Bill, the broad framework for the 2019 Bill remains the European Union’s General Data Protection Regulation (GDPR) and the landmark judgement upholding the fundamental right to privacy by the Supreme Court of India (Privacy Judgement). However, there are some key differences and new concepts that have been introduced in the 2019 Bill. We take a look at the key takeaways of the 2019 Bill below:
Applicability – The 2019 Bill applies to processing of personal data within India by any Indian company/citizen and state agencies where such data has been collected, disclosed, shared or processed within India. Foreign entities not situated in India but having an Indian business connection or carrying on any activity of offering goods or services within India or profiling of individuals in India will also fall under its purview.
Cut and dry…Personal data and its categories – The 2019 Bill refers to different categories of data such as personal data, sensitive personal data as well as critical personal data. Broadly, any data from which an individual is able to be directly/indirectly identified is considered to be personal data. The definition of personal data has been expanded to include both offline and online data and importantly any inference drawn from any data for the purpose of profiling (as it may end up indirectly identifying an individual). Personal data has further been categorized into sensitive personal data and critical personal data to provide extra protection given the added risk of harm associated with such data. While sensitive personal data includes financial data, health data, sexual orientation and biometric information, passwords have been omitted from the 2019 Bill.
Grounds for processing data – ‘Processing’ of personal data refers to any activity undertaken with such data such as collection, recording, organisation, storage, adaptation, alteration, retrieval, use, alignment or combination, and disclosure by transmission, restriction, erasure or destruction of personal data. Continuing with the consent framework set out in the 2018 Bill, the 2019 Bill mandates that processing of all personal data has to be based on the consent of the data principal (user) where such consent has to be free, informed, specific, clear, and capable of being withdrawn. Different categories of data require different consent standards including explicit consent for processing sensitive personal data.
Wide exemptions have been provided for the processing of personal data without consent such as, for the performance of state functions, compliance with any law or order of a court/tribunal, responding to a medical emergency, providing medical treatment during an epidemic, outbreak of disease or any threat to public health and undertaking safety measures during any disaster or any breakdown of public order, employment related purposes and other reasonable purposes as may be specified from time to time. The term ‘reasonable purposes’ has been expanded to include the operation of search engines besides prevention and detection of any unlawful activity/ fraud, whistle blowing, mergers and acquisitions, network and information security, credit scoring, debt recovery, processing of publicly available personal data.
4. User rights –Modelled on the lines of the GDPR and following the rights framework under the 2018 Bill, the 2019 Bill grants the following rights to the data principals (user) relating to processing of their personal data namely, (a) right to confirmation and access (if the data fiduciary is processing the user’s personal data and provide access of the same); (b) right to correction and erasure (of inaccurate or misleading personal data); (c) right to data portability (i.e., the right to receive their personal data in a structured, commonly used and machine-readable format where data has been processed through automated means); and (d) right to be forgotten (to restrict or prevent continuing disclosure of personal data under specific circumstances). The 2019 Bill also provides the data principal a right to erase his/her personal data which is no longer necessary for the purpose for which it was collected.
5. What’s the data fiduciary’s role? – Like the 2018 Bill, the 2019 Bill provides for a host of transparency and accountability measures to be complied by the data fiduciary (and the data processor) such as adopting a ‘privacy by design’ policy, maintaining adequate transparency and security safeguards while processing personal data and reporting of personal data breach. The Data Protection Authority (DPA) can classify certain data fiduciaries as a significant data fiduciary having certain additional obligations like mandatory registration with the DPA, conducting data protection impact assessments and data audits, record-keeping, and appointment of a data protection officer. Unlike the 2018 Bill, the 2019 Bill provides for mandatory certification of the ‘privacy by design’ policy by the DPA and thereafter, publishing the same on the website of the data fiduciary and the DPA.
The 2019 Bill introduces the concept of a ‘consent manager’, i.e., a category of a data fiduciary that can manage the entire consent process including collection, review or withdrawal, for and on behalf of the data principal, through an accessible, transparent and interoperable platform. While the 2019 Bill refers to registration of consent managers with the DPA, it is silent on the nature of the interoperable platform and the functioning of such consent managers.
6. Social media intermediaries – Coming in the wake of growing data-related scandals involving data mining, election interference and proliferation of fake news by social media companies, the 2019 Bill introduces the concept of a social media intermediary. A social media intermediary has been defined as “an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services”. Intermediaries primarily enabling commercial transactions or access to the internet such as e-commerce platforms, search engines, online encyclopedias, email services and online storage services have been excluded from this category. Any social media intermediary with users above a notified threshold and whose actions have, or are likely to have a significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India shall be notified by the Central Government, in consultation with the DPA, as a significant data fiduciary. Once a social media intermediary is notified as a significant data fiduciary, it has to comply with voluntary verification of its user accounts in India with such prescribed demonstrable and visible mark of verification and other obligations of significant data fiduciaries as may be laid down in the rules.
7. Dilution of data localization requirement – In a welcome departure from the 2018 Bill that mandated data localization for personal data, i.e., storing at least one copy of all personal data in India, the 2019 Bill has done away with this onerous requirement for personal data. However, data localization requirements will apply for sensitive personal data. Also transfer of sensitive personal data outside India is subject to the following conditions: (a) explicit consent of the data principal for such transfer; (b) transfer to be made as per the contract or intra-group schemes approved by the DPA; (c) transfer to jurisdictions approved by the Central Government (subject to adequate level of protection in the destination country/international organization and not prejudicially affecting the enforcement of certain laws); and; (d) for any specific purpose as may be allowed by the DPA. Critical personal data has to be processed in India and may be transferred outside India under limited circumstances, such as for health or emergency services to such countries permitted by the Government.
8. Big brother in an overarching role– One of the criticisms of the 2018 Bill was the wide powers granted to the Government and the DPA. The 2019 Bill treads the same, albeit wider, path with the Government empowered to provide overarching exemptions for myriad purposes such that the 2019 Bill may end up diluting the very right it seeks to so arduously protect! For instance, the Central Government is authorised to exempt any Government agency from the purview of the 2019 Bill in the interest of sovereignty and integrity, security of the State, public order, friendly relations with foreign states or to prevent incitement of commission of any offence relating to the above. Also, as seen from the broad nature of exemptions provided, the Government can permit the processing of personal data without consent for performance of its state functions, compliance of law, etc. This is virtually a carte-blanche to the Government without any safeguards or rights to the data principal and a marked departure from the three-fold requirement for a robust privacy law stipulated by the Supreme Court in its Privacy Judgement, i.e., (a) the law must justify the encroachment on privacy; (b) the nature and content of the law must be reasonable and a guarantee against arbitrary state action; and (c) pass the test of proportionality.
While the DPA is proposed to be an independent data protection regulator to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of the 2019 Bill and promote awareness of data protection, the composition of the DPA has been changed to mostly government-appointed bureaucrats, doing away with the independent composition set out in the 2018 Bill.
9. The problem of anonymised and non-personal data – While the 2019 Bill is limited to protect personal data, it strangely provides for collection of any anonymised personal data or other non-personal data by the Central Government from any data fiduciary or data processor for better targeting of service delivery or to aid evidence-based policy making. Anonymisation refers to data where all identifying elements have been removed from a set of personal data so as to re-identify the concerned persons. Once successfully anonymised, such data falls outside the scope of data privacy laws. However, the degree of such anonymisation remains controversial in the age of the Internet of Things what with tech tools available to de-anonymise such data and identify the user.
10. Harsh Penalties – The 2019 Bill prescribes stringent penalties for contravention of various provisions. A data fiduciary may be slapped with monetary penalties of upto INR 50 million or 2% of its total worldwide turnover of the preceding financial year (whichever is higher) for contravention of specific provisions such as failure to respond promptly to a data breach, failure to undertake data protection impact assessment or data audit, etc. The penalty increases to upto INR 150 million or 4% of the turnover for violations relating to processing of personal data, personal data of children, non-adherence to security standards and transfer of personal data outside India. Directors, managers and other officers of data fiduciaries shall be deemed to be guilty if it is proved that an offence was committed with their consent or connivance or attributable to neglect on their part.
11.Exemptions for Sandbox – The 2019 Bill provides for a Sandbox which can facilitate new ideas and approaches without any regulatory violations. The DPA can create a sandbox to encourage innovation and facilitate new ideas/approaches in artificial intelligence, machine-learning or any other emerging technology in public interest. On fulfillment of certain conditions, data fiduciaries whose privacy policy has been certified by the DPA shall be eligible to apply for the sandbox and, once included, such data fiduciaries shall be exempted from complying with specific provisions relating to protection of personal data. The term for utilizing the benefits of sandbox shall not exceed 12 (twelve) months and can be renewed only twice, subject to a maximum period of 36 (thirty six) months.
Our Observations:
The 2019 Bill has not come a day sooner, given the outdated Information Technology Act, 2000 and The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. It is expected to transform the way personal data is treated and build the bricks of a vibrant privacy ecosystem over time that will significantly impact both online and offline businesses alike.
One worrying aspect of the 2019 Bill is the blanket power granted to the Government that may not just lead to misuse or abuse of power but also practically nullify the fundamental right to privacy of individuals. Also, lot of definitions and concepts appear to be open-ended or rather broad, which may give rise to confusion and interpretation issues with a new regulator. This will also lead to enhanced compliance costs for business besides scoring low on the ease of doing business.
The 2019 Bill also does not provide for a transitional period for businesses to transition from the existing rudimentary framework to the new one. It is also not clear as to how processing of personal data completed before the law comes into effect is to be treated.
It is hoped that the Joint Parliamentary Committee examines these aspects at length and proposes a balanced set of regulations that protect user privacy without impacting legitimate state functions. This will also help set out a clear compliance path for businesses in sync with the technologically disruptive era we live in.
Justice K. S. Puttaswamy and Ors. v. Union of India and Ors., 2017 (10) SCC 1