THE PERSONAL DATA PROTECTION BILL, 2018, in a nutshell!
The Personal Data Protection Bill, the Aadhaar (Amendment) Bill and the DNA Technology Regulations Bill are among the bills listed in a 25-page bulletin of bills proposed to be introduced in the Budget session, uploaded to the Lok Sabha website on Friday, 21st June 2019.
The data protection bill, referred to in short as the PDP Bill, sets out how the personal data of individuals is processed by the government and by private entities incorporated in India and abroad. The government believes that storing and processing all critical personal data within Indian shores, and storing a copy of all personal data there, is important for national security and for access. The bill is likely to be referred to the yet-to-be-formed standing committee on information technology before it is finalised, so finalisation may not happen before this winter session, allowing for due deliberation.
The bill seeks to safeguard privacy by organizing the relationship between citizens and firms/state agencies based on data principals (whose data is collected) and data fiduciaries (who collects the data). It mandates the fiduciaries to seek consent for the use and processing of sensitive personal data. It also aims at balancing the growth of the digital economy and utilization of data. The Bill has recognized the right to privacy as a fundamental right and protection of personal data as an essential facet of informational privacy.
The intent of the Bill is to:
- Protect individual autonomy in relation to their personal data;
- Specify where the flow and usage of personal data is appropriate;
- Create a relation of trust between persons and entities;
- Specify the rights of individuals towards their data;
- Create a framework for the processing of personal data;
- Lay out norms for cross-border transfer of personal data;
- Ensure accountability of entities processing personal data;
- Provide remedies for unauthorised and harmful processing of data;
- Establish a Data Protection Authority for overseeing processing activities.
Last week, industry bodies, including NASSCOM, had informed commerce minister Piyush Goyal that the consultations on the Data Protection Bill conducted by MeitY were satisfactory, but that, as a lot of time had elapsed, the industry was not sure about the final shape of the Bill. The RBI in April 2018 put out a circular requiring that all “data relating to payment systems” be “stored in a system only in India” within six months. International giants usually store data on global servers, and a requirement to store data locally would require them to make additional investment. Policymakers in India, however, believe that storing data locally would help in monitoring and in conducting investigations should the need arise.
E-commerce and tech companies across all segments, including foreign MNCs, participated in the meeting, which was called to “understand their concerns and take their suggestions towards building a robust data protection framework that will achieve the dual purpose of privacy and innovation and strengthen India’s position as a global tech leader with focus on trust and innovation”. The meeting was attended by the Secretary, Department for Promotion of Industry and Internal Trade (DPIIT); the Secretary, Department of Commerce; the Secretary, MeitY; the Deputy Governor of the RBI; and senior officials from the Ministry of External Affairs. The meeting discussed the principles of data protection and privacy at length, and industry representatives requested the minister to ensure that the bill would have more clarity around the classification of data and the manner of cross-border flow of data.
Let us look at the key highlights of the proposed bill:
- The Bill requires that a serving copy of personal data be stored within the territory of India. Certain critical personal data must be stored solely within the country.
- The Bill regulates the processing of personal data of individuals (data principals) by government and private entities (data fiduciaries) incorporated in India and abroad. Processing is allowed if the individual gives consent, or in a medical emergency, or by the State for providing benefits.
- The data principal has several rights with respect to their data, such as seeking correction or seeking access to their data which is stored with the fiduciary.
- The fiduciary has certain obligations towards the individual while processing their data, such as notifying them of the nature and purposes of data processing.
- The Bill allows exemptions for certain kinds of data processing, such as processing in the interest of national security, for legal proceedings, or for journalistic purposes.
- A national-level Data Protection Authority (DPA) is set up under the Bill to supervise and regulate data fiduciaries.
Why is such a law needed?
With a billion-strong population, India has the second-largest internet user base in the world, so a strong data protection law is needed to protect the personal data of its users. Large amounts of personal data have been collected by state agencies and private companies, and the flow of that data across national boundaries has been a cause for concern. There are many instances in which state and private agencies using personal data have not been transparent about the purpose for which it is being utilised. Remember that in the recent past Facebook admitted that the data of 87 million users, including 5 lakh Indian users, was shared with Cambridge Analytica? The very thought of personal data being used for unknown purposes sent ripples across the globe.
Very recently, the EU enacted the General Data Protection Regulation (GDPR), which establishes the right to privacy as a fundamental right and requires explicit consent from consumers for the usage of their data. The Personal Data Protection Bill 2018 in India follows the implementation of the GDPR and has also taken cues from the legal frameworks of other countries. Until now, the only legal framework for information technology in India has been the Information Technology Act, 2000; however, it does not provide guidelines or norms for data collection, storage and processing. The need for legislation drew particular attention after the landmark judgement of the Supreme Court (SC) in the Justice K.S. Puttaswamy vs Union of India case, which held the right to privacy to be an inherent part of the fundamental rights under Article 21 of the Constitution.
- Definitions: The Bill defines (i) ‘personal data’ as any information which renders an individual identifiable, (ii) data ‘processing’ as any operation, including collection, manipulation, sharing or storage of data, (iii) ‘data principal’ as the individual whose personal data is being processed, (iv) ‘data fiduciary’ as the entity or individual who decides the means and purposes of processing data, and (v) ‘data processor’ as the entity or individual who processes data on behalf of the fiduciary.
- Territorial applicability: The Bill governs the processing of personal data by (i) both government and private entities incorporated in India, and (ii) entities incorporated overseas, if they systematically deal with data principals within the territory of India. The central government may exempt Indian entities exclusively dealing with data principals outside the territory of India by a notification.
- Grounds for data processing: The Bill allows data processing by fiduciaries if consent is provided by the individual. However, in certain circumstances, processing of data may be permitted without the consent of the individual. These include (i) any function of Parliament or a state legislature, or if required by the State for providing benefits to the individual, (ii) if required under law or for compliance with any court judgement, (iii) to respond to a medical emergency or a breakdown of public order, (iv) purposes related to employment, such as recruitment, or (v) reasonable purposes specified by the Data Protection Authority with regard to activities such as fraud detection, debt recovery, credit scoring and whistle-blowing.
- Sensitive personal data: Sensitive personal data is defined in the Bill to include passwords, financial data, biometric and genetic data, caste, religious or political beliefs. The Bill specifies more stringent grounds for processing of sensitive personal data, such as seeking explicit consent of an individual prior to processing.
- Rights of the data principal: The Bill sets out certain rights of the data principal whose data is being processed. These include (i) the right to obtain a summary of their personal data held with the data fiduciary, (ii) the right to seek correction of inaccurate, incomplete, or outdated personal data, (iii) the right to have personal data transferred to any other data fiduciary in certain circumstances, and (iv) the right ‘to be forgotten’, which allows the data principal to restrict or prevent continuing disclosure of their personal data.
- Obligations of the data fiduciary: The Bill lays down certain obligations on the data fiduciary who is processing personal data. These include (i) processing personal data in a fair and reasonable manner, (ii) notifying the data principal of the nature and purposes of data collection, and of their rights, among others, and (iii) collecting only as much data as is needed for a specified purpose, and storing it no longer than necessary.
- Exemptions: The Bill provides exemptions to certain data processing activities. It states that processing of an individual’s personal data will not be subject to the obligations specified, and the data principal will not have the rights defined in the Bill, if their personal data is processed for the purposes of (i) national security (pursuant to a law), (ii) prevention, detection, investigation and prosecution of contraventions to a law, (iii) legal proceedings, (iv) personal or domestic purposes, and (v) journalistic purposes.
- The only restrictions on data processing for these purposes are those of (i) processing personal data in a fair and reasonable manner, and (ii) ensuring appropriate security safeguards while processing the data.
- Data processing for research purposes may also be exempted to the extent specified by the Data Protection Authority set up under the Bill. Small entities having turnover of less than twenty lakh rupees, manually processing data of less than one hundred data principals are also exempt from most provisions of the Bill.
- Data Protection Authority: The Bill provides for the establishment of a Data Protection Authority (DPA). The DPA is empowered to (i) draft specific regulations for all data fiduciaries across different sectors, (ii) supervise and monitor data fiduciaries, (iii) assess compliance with the Bill and initiate enforcement actions, and (iv) receive, handle and redress complaints from data principals. It shall consist of a chairperson and six members, each with at least ten years of knowledge in the field of data protection and information technology.
- The DPA shall have a separate adjudication wing to impose penalties and award compensation. Adjudicating Officers shall be specialists with at least seven years of professional experience in subjects including cyber and constitutional law, and data protection. Orders of the DPA can be appealed to an appellate Tribunal set up by the central government, and appeals from the Tribunal will go to the Supreme Court.
- Cross-border storage of data: The Bill states that every fiduciary shall keep a ‘serving copy’ of all personal data in a server or data centre located in India. The central government may notify certain categories of personal data as exempt from this requirement on grounds of necessity or strategic interests of the State. The central government may also notify certain categories of personal data as ‘critical personal data’, which may be processed only in servers located in India.
- Transfer of data outside the country: Personal data (except sensitive personal data which is ‘critical’) may be transferred outside India under certain circumstances. These include cases where (i) the central government prescribes that transfers to a particular country are permissible, or (ii) the DPA approves the transfer in a situation of necessity.
- Offences and penalties: Under the Bill, the DPA may levy penalties on the fiduciary for various contraventions of the law. These include failure to comply with (i) data processing obligations, (ii) directions issued by the DPA, and (iii) cross-border data storage and transfer requirements. For example, the fiduciary has to notify the DPA of any data breach which is likely to cause harm to the principal. Failure to promptly notify the DPA can attract a penalty of the higher of five crore rupees or two percent of the worldwide turnover of the fiduciary.
- Further, any person who obtains, discloses, transfers, sells or offers to sell personal and sensitive personal data shall be punishable with imprisonment of up to five years, or a fine of up to three lakh rupees.
Schedules Annexed to the Act
- Schedule 1 amends the Information Technology Act, 2000 (“the IT Act”) by omitting Section 43A (Compensation for failure to protect data) and changing the rule-making power of the Central Government in a particular case under the IT Act.
- Schedule 2 seeks to amend the Right to Information Act, 2005 (“the RTI Act”) and replace Section 8(1)(j) of the RTI Act appropriately to give effect to the changes made under the Personal Data Protection Bill, 2018. Section 8 of the RTI Act provides exemptions from the disclosure of information.
- Lastly, Section 43A of the Information Technology Act, 2000, on compensation for failure to protect data, is to be omitted, while Section 72A of the IT Act (Punishment for disclosure of information in breach of lawful contract) has been retained.
What’s the issue?
Data protection refers to policies and procedures that seek to minimise intrusion into the privacy of an individual caused by the collection and usage of their personal data. In India, the usage of personal data or information of citizens is regulated by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, issued under Section 43A of the Information Technology Act, 2000. The Rules define the personal information of an individual as any information which may be used to identify them, and hold the body corporate using the data liable to compensate the individual in case of any negligence in maintaining security standards while dealing with the data. Over the years, rapid technological advances have led to large volumes of data being generated through various activities and to increasing reliance by businesses on data-driven decision making, and the thin line separating fair usage of data from unfair usage is seen to be diminishing. The data localisation section of the new privacy bill may thus be the most prominently controversial element of the legislation.
The bill requires data fiduciaries to store “at least one serving copy” of personal data on a server or data center located within India. The government can exempt certain categories of personal data from this requirement. It can also declare certain categories of data “critical” and require that they be stored only in India. In other words, foreign internet intermediaries and services, such as Facebook, Uber, Google, Twitter, AirBnB, Telegram, WhatsApp, and Signal may all be required to physically host user data in India. The only discernible reason for such a requirement is to give law enforcement easy access to this data.
Localization is not the only issue. The new law is expected to address, as well, the question of who owns data – the user or the technical platform.
There are some who feel that India’s draft on data protection lacks the needed punch and does not address some of the key issues. Ownership of data, for one, has been completely ignored. The Telecom Regulatory Authority of India (TRAI), in its recent recommendations, had stated that each user owns their data and that the entities processing such data are mere custodians. But the draft treats data only as a matter of ‘trust’ and not as property, unlike the GDPR. Also, under the GDPR consumers have the right to demand deletion of their past records at any time. Under the Srikrishna Committee’s draft, the ‘right to be forgotten’ is defined differently: as the right to restrict or prevent continuing disclosure of personal data. The process of justifying why the consumer does not want to continue giving consent is also long-winded.
- No guidelines for processing data in a ‘fair and reasonable’ manner – The Bill defines ‘data principal’ as the individual whose data is being processed. The ‘data fiduciary’ may be a service provider who collects, stores and uses data in the course of providing goods and services. While processing the data, the fiduciary is obligated to ensure that data is processed ‘in a fair and reasonable manner that respects the privacy of the individual’. Further, the fiduciary has to be able to demonstrate to the Data Protection Authority (DPA) that data has been processed in a fair and reasonable manner. While the Bill places this obligation on all data fiduciaries, it does not specify any principles or guidelines for what constitutes a ‘fair and reasonable’ manner of personal data processing. The absence of guiding principles could allow fairness and reasonability standards to vary across fiduciaries processing similar types of data, and fiduciaries in the same industry may develop and follow different standards.
- Conflict of interest could arise from optional reporting of data breaches – Data fiduciaries are regulated by the DPA set up under the Bill, which assesses their compliance with the law and initiates appropriate enforcement actions and penalties. The Bill states that the fiduciary shall inform the DPA in the event of a data breach (i.e., an accidental or unauthorised use or disclosure of data) only if such a breach is likely to cause harm to any data principal. The question is whether the fiduciary should have the discretion to determine whether a data breach needs to be reported to the DPA. Selective reporting of data breaches would prevent the DPA from being burdened with a high volume of low-impact breach reports, and would also keep the burden of reporting from being too onerous on the fiduciary. However, there may be a conflict of interest in determining whether a breach is to be reported, as the fiduciary is regulated by the DPA.
- Storage of a copy of data within the territory of India – The Bill states that every data fiduciary shall keep a ‘serving copy’ of all personal and sensitive personal data on a server in India. The central government may notify certain categories of personal data as exempt from this requirement on grounds of necessity or strategic interests of the State. Also, the government may notify certain ‘critical personal data’ which shall be processed only on servers located in India. It is unclear what is meant by a ‘serving copy’ of data: it could be a live, real-time replication of data on a server within India, or it could be a backup taken at a specified frequency. This needs to be specified, as the costs, implications and implementation timelines for fiduciaries would vary significantly with the exact nature of a ‘serving copy’. Further, it may be argued that the broad criteria for classifying data as ‘critical’ need to be specified in the law, as this is necessary for fiduciaries to prepare for the requirement of storing such data solely in India.
- A complaint may be raised only if there is a possibility of harm – The Bill places several restrictions on the processing of data (such as collecting only as much data as is needed for specified purposes, among others), and also provides certain rights to the data principal to take control of their data. However, the data principal may raise a complaint only if a violation of the provisions of the Bill has caused or may cause them harm. It could be questioned why the mere violation of the rights of the principal is not enough to raise a complaint. The data principal additionally has to demonstrate and prove that harm has been caused to them by unlawful data processing, and this may place an undue burden on the data principal.
- Enforcement of penalties and compensation orders of the DPA does not require a court order – The Bill allows the DPA to impose penalties on data fiduciaries for violations of the provisions of the law. Recovery Officers appointed by the DPA shall have the power to enforce the penalties and compensation orders of the DPA. The Officers, per the orders of the DPA, may take several enforcement actions against the data fiduciary, including (i) attachment or sale of movable and immovable property, and (ii) arrest and detention in prison. The Bill does not specify that a court order would be required for the above enforcement actions. Other Acts allow regulators such as the RBI or the IRDA to take actions such as attachment and sale of property and arrest of persons only after the approval of a court.
- Exercising the ‘right to be forgotten’ involves adjudication by an officer who may not be competent – Under the Bill, the data principal can exercise certain rights, such as (i) the right to obtain a summary of their personal data held with the fiduciary, (ii) the right to seek correction of inaccurate personal data, and (iii) the right ‘to be forgotten’, which allows the data principal to restrict or prevent continuing disclosure of their data. Exercising the right to be forgotten requires the data principal to approach the DPA with a written request. An Adjudicating Officer of the DPA then has to determine whether the right to freedom of speech or the right to information of any other citizen could be violated by the data principal’s exercise of the right to be forgotten. Such matters are typically interpreted by courts of law. While one of the eligibility criteria for Adjudicating Officers is knowledge and expertise in constitutional law, the Officer may be an expert in a different field, such as data protection. In such a situation, the Officer may not have the expertise to determine the constitutional question of a possible violation of freedom of speech.
In summary, the Bill seeks to bring about a number of significant changes to the existing general data protection regime in India. Complying with it will mean that Indian data fiduciaries are aligned with global best practices on personal data. For Indian corporates, this will mean reassessing the nature and quantum of personal data they collect, store and process, re-evaluating their current practices surrounding consent and notice, and deciding on the treatment of their legacy data. The structured and phase-wise 18-month enactment schedule that the Bill envisages may serve to mitigate some of these growing pains. Given the importance of the Bill and the framework it envisages, it will likely form the basis for much debate, and potentially some modification, before its enactment.
June 2019. Compiled from various publicly available internet sources; the author’s views are personal.