OVERVIEW OF THE PERSONAL DATA PROTECTION BILL

INTRODUCTION

With a growing online footprint, one is at a higher risk of a privacy breach than ever before. At the same time, employees and customers are becoming increasingly sensitive about their privacy rights. A legal framework was therefore required that supports innovation while simultaneously protecting individuals and entities from the risks associated with data. Data privacy measures are thus both critical and, if handled well, a real business advantage for companies.

The Ministry of IT, Govt. of India (“MeitY”) constituted a committee of experts chaired by Justice Sri Krishna for issues related to data protection in India on July 31, 2017 (the “Sri Krishna Committee”). It submitted its report titled “Free and Fair Digital Economy, Protecting Privacy and Empowering Indians” (“Report”) and also the Personal Data Protection Bill, 2018 (“PDPB 2018”) on July 27, 2018.

The Report says that the legal regime must aspire to the common public good of both a ‘free’ and a ‘fair’ digital economy. ‘Free’ implies autonomy of the individual with regard to their personal data. ‘Fair’ pertains to developing a regulatory framework in which the existing inequalities in bargaining power between individuals and the entities that process their personal data are mitigated.

In August 2017, the Supreme Court in K. S. Puttaswamy v. Union of India (the “Judgement”) recognised the right to privacy as a Fundamental Right. The court stated that every person should have the right to control the commercial use of their identity. The Judgement therefore established that people (citizens and non-citizens) could assert their individual rights against unlawful government invasions of their privacy, and it also imposed an obligation on the state to protect the individual’s right to privacy against private entities.

Globally, the enactment of the EU General Data Protection Regulation (“GDPR”) in 2016, which came into force in May 2018, established a global norm in personal data protection. The PDPB 2018 reflects principles contained in the GDPR, while simultaneously attempting to tailor the law to Indian needs.

Now, finally, the Government has tabled a modified Personal Data Protection Bill, 2019 (the “PDPB 2019”) in Parliament on December 11, 2019. It has been sent to a 20-member Joint Parliamentary Committee for further deliberation. The Committee is expected to submit its Report in the budget session (i.e., February, 2019).


HIGHLIGHTS

The PDPB 2019 applies to those who process the personal data of natural persons. The natural person whose data is being processed is referred to as the “Data Principal”. Those who collect data are referred to as the “Data Fiduciary”. A third actor is the “Data Processor”, who processes data on behalf of a Data Fiduciary.

Scope and Applicability

It applies to any ‘processing’ of personal data:
1. within the territory of India. (Territorial)
2. by the Indian State, Indian companies, Indian citizens, or any incorporated body. (Nationality)
3. by Data Fiduciaries (or Data Processors) not present within the territory of India, if the personal data of individuals located in India is processed in connection with any business or activity that involves offering goods or services to, or profiling, such individuals. (Extraterritorial)

[The PDPB 2019 exempts small entities who are carrying out manual processing from the following requirements]

What is processing?

Processing is an operation or set of operations performed on data (here, personal data). It has an inclusive definition and may include collection, organisation, storage, alteration, retrieval, use, indexing, disclosure, etc. It applies to both manual and automated processing.

Categories of Data

It categorises data into Personal Data, Sensitive Personal Data and Critical Personal Data. It does not apply to anonymised or non-personal data.

Personal data is defined as data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute, or any other feature of the identity of such person, or any combination of these.
[It would include both online or offline data and for clarification it is emphasized that it would include any inference drawn from such data for the purpose of profiling.]

Sensitive Personal Data is a subset of personal data and consists of specified types of data, such as financial data, health data, official identifiers, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief, etc. The Data Protection Authority of India (explained below) has the power to declare further categories of data as Sensitive Personal Data.
[In the earlier PDPB 2018, ‘passwords’ were also included as sensitive personal data.]

Anonymised data is data that has been irreversibly converted in such a way that the data principal cannot be identified.

Non-Personal Data is not defined, but implies whatever data is not personal.

Critical Personal Data is data notified as such by the central government; it can only be processed on a server or in a data centre located in India.


Major Obligations

Consent

The Report recognised that consent is often uninformed, not meaningful, and operates in an all-or-nothing fashion. It wants to treat consent not as a means to an end but as an end in itself. The PDPB 2019 devises a test for consent to be ‘valid consent’ for personal data, i.e. consent which is free, informed, specific, clear and capable of being withdrawn. For sensitive personal data, ‘explicit consent’ is required, for which the terms ‘informed’, ‘clear’ and ‘specific’ must meet a higher threshold.

Notice

The data fiduciary is obligated to provide the data principal with adequate notice prior to the collection of personal data. This notice should be clear, concise and comprehensible, and may be issued in multiple languages whenever necessary.

Purpose Limitation

Data fiduciaries may only collect data that is necessary for the purposes of processing, and the processing may be done only for the purposes specified to the data principals, or for any incidental purpose that the data principals would reasonably expect. Using data for new purposes therefore requires fresh consent.

Data Limitation

Personal data may be retained only until the purpose of collection is completed. Data fiduciaries must have a data retention policy in place outlining the length of time they will hold the personal information of their users, as there is a positive obligation to delete such data in certain situations.

Data Quality

Personal data processed should be complete, accurate, not misleading and up to date, having regard to the purpose for which it is processed. The data fiduciary is expected to understand the nature of the personal data, such as how likely it is to be used to make a decision about the data principal, and accordingly to segregate data based on facts from data based on opinions or personal assessment.

Children

Parental consent will be necessary for the processing of the personal data of children below the age of eighteen years. Data fiduciaries who operate commercial websites or online services directed at children, or who process large volumes of children’s data, have a higher level of obligations.

Privacy by Design

Data fiduciaries will be required to implement managerial, organisational, business and technical systems, policies and measures to ensure that user privacy is protected. Data fiduciaries must have a privacy by design policy, which may be submitted to the DPA for certification.

Some of the standards of compliance that were subject to a “reasonable” standard in the PDPB 2018 are now subject to a “necessary” standard: for example, necessary security safeguards (as opposed to reasonable security safeguards) are now the standard for data fiduciaries and data processors in relation to activities such as de-identification and encryption to prevent misuse and unauthorised access to personal data, and necessary steps must be taken to ensure the accuracy of personal data.

Grounds for Processing

The primary basis for processing personal data must be individual consent.
Personal data can also be processed without consent on the following grounds:
1. the functions of the state,
2. compliance with law, or with any order of any court or tribunal,
3. to respond to any medical emergency,
4. to undertake any measure to ensure safety during any disaster or breakdown of public order,
5. for a reasonable purpose.

Processing is also permitted for purposes related to employment, but only for personal data that is not sensitive personal data.

Rights of Data Principals

The Report says that the data principal is the one who legitimises such data; therefore, they must continue to exercise clearly delineated rights over it, and data fiduciaries must make provision for the exercise of these rights.

Right to Confirmation and Access
The Law provides the data principal with detailed rights to access and correct their data. With regard to the right of review, the Law grants the right to: (a) confirmation of the fact of processing; (b) a brief summary of the personal data being processed; and (c) a brief summary of the processing activities. It additionally provides the right to access, in one place, the identities of all data fiduciaries with whom their personal data has been shared.

Right to Correction and Erasure
The rights of correction, completion, updating and erasure are provided, through a detailed step-wise process, for personal data that is respectively inaccurate or misleading, incomplete, out of date, or no longer necessary. The Data Fiduciary can reject such an application, giving reasons.

Right to Data Portability
Data principals may obtain their personal data from the data fiduciary in a ‘structured, commonly used and machine-readable format’. This would consist of: (i) data already provided by the Data Principal to the Data Fiduciary; (ii) data which has been generated by the Data Fiduciary; (iii) data which forms part of any profile on the Data Principal, or which the Data Fiduciary has otherwise obtained. The data principal can ask the data fiduciary to transfer such personal data to any other data fiduciary in the prescribed format.

Right to be Forgotten
The Data Principal can request entities to remove their personal data from storage and processing. This right can, however, be exercised only through an order of an adjudicating authority, based on the reasonableness of the request.

Data Localization

It allows the free flow of personal data, which can be processed and transferred outside India. This is a departure from the earlier PDPB 2018, under which a copy of personal data had to be stored in India.

Nevertheless, at least one copy of all sensitive personal data should be stored on a server or in a data centre located in India, unless specifically exempted from this requirement.

Certain critical personal data may be identified by the Government which must be processed only on servers or in data centres in India.

Cross Border Transfer of Data

The Report recognised the free flow of data as essential, but also observed that it cannot be unfettered, and noted that national interest might require local storage and processing.

The PDPB 2019 proposes that personal data can be transferred outside India. It places conditions only on sensitive personal data. A data fiduciary may only transfer such sensitive personal data if it obtains the explicit consent of the data principal. In addition to obtaining explicit consent, the data fiduciary must meet any one of the following conditions:

(i) the transfer is made subject to a contract or intra-group scheme that has been approved by the DPA. In order to obtain approval, contracts and intra-group schemes under this provision are required to ensure protection of the rights of the data principal, as well as liability of the data fiduciary for harm caused by any non-compliance.
[This is a deviation from the earlier PDPB 2018, which permitted transfers based on standard contractual clauses, in line with global frameworks such as the GDPR.]

(ii) the transfer is subject to an adequacy determination by the Central Government.

(iii) the transfer of the sensitive personal data, or of a class of sensitive personal data, has been approved by the DPA for a specific purpose.

The PDP Bill also permits critical personal data to be transferred outside the country for certain limited purposes, such as:
(i) for prompt action, including transfers to persons or entities engaged in health or emergency services.
(ii) to a country, an entity or a class of entities in a country, or an international organisation, under an adequacy determination. In addition, the Central Government must also be satisfied that such a transfer would not prejudicially affect the security and strategic interests of the nation.

Breach Notification

If there is a breach of personal data, the data fiduciary should notify the Data Protection Authority of India (the “DPAI”) of the breach. The notification should contain certain particulars, which may be submitted to the DPAI together or in phases. Such reporting is to be done as soon as possible. The DPAI, once set up, may prescribe a time period for reporting.

Data Protection Officer 

Every data fiduciary notified or registered as a significant data fiduciary has to appoint a Data Protection Officer (DPO). Data Fiduciaries situated outside India must appoint a DPO located in India.
The DPO would monitor the data fiduciary’s processing activities to ensure compliance with the Law, advise the data fiduciary, and assist and cooperate with the DPAI.

Grievance Redressal

Every data fiduciary shall have effective procedures and mechanisms to redress the grievances of data principals. A complaint made by a data principal has to be resolved expeditiously, not later than thirty days from receipt of the complaint.

KEY PROVISIONS

Significant Data Fiduciary

The DPAI is empowered to notify certain data fiduciaries, or entire classes of data fiduciaries, as ‘Significant Data Fiduciaries’. This identifies and regulates entities that are capable of causing significantly greater harm to data principals as a consequence of their data processing activities. They would be required to register themselves with the DPAI.

Those identified are prescribed greater levels of compliance. These include, inter alia, carrying out data protection impact assessments, record keeping, data audits, and the appointment of a data protection officer.

Consent Manager

The PDPB 2019 introduces the construct of consent managers, who are data fiduciaries (registered with the DPA) that enable a data principal to give, withdraw, review and manage their consent through an accessible, transparent and interoperable platform.

Data principals may provide their consent to these consent managers for the purpose of sharing their information to various data fiduciaries and may even withdraw their consent through these consent managers. This is a unique construct and appears to have been introduced to support the Data Empowerment and Protection Architecture (DEPA) for financial and telecom data that currently powers the Account Aggregators licensed by the Reserve Bank of India (RBI).

Social Media Intermediaries

The PDPB 2019 introduces the construct of social media intermediaries, which are entities that primarily or solely enable online interactions between users and allow them to exchange information between themselves. The Central Government can notify those social media intermediaries that have a specified number of users, and whose actions are likely to have a significant impact on electoral democracy, security of state, public order, or the sovereignty of India, as ‘significant data fiduciary’.

However, entities that primarily enable commercial or business-oriented transactions, provide access to the internet, or are in the nature of search engines, email services or online storage services are not included within this definition. The definition aims to target social media companies and to exclude e-commerce companies, telecom service providers and search engines.

All social media intermediaries that are significant data fiduciaries are required to provide their users the ability to voluntarily verify their accounts, and all such verified accounts must be given a publicly visible mark of verification.
There is, at this stage, no clarity on what documents will be accepted for the purpose of verification, or what consequences (if any) will follow from such verification.

Reasonable Purpose Defined

One of the grounds for processing personal data without consent (as explained earlier) is activities that are for a reasonable purpose. The PDPB 2019 provides a non-exhaustive list, which includes: prevention and detection of unlawful activity, whistle-blowing, mergers and acquisitions, credit scoring, recovery of debt, processing of publicly available personal data, and the operation of search engines.

However, a reasonable purpose must first be justified as ‘necessary’ to qualify for this exemption.

Governmental Access to Non-Personal and Anonymised Data

The Government can, in consultation with the DPAI, require any data fiduciary or data processor to provide it with any anonymised data that it holds.
In addition, it also allows the Central Government to call for non-personal data from fiduciaries and processors. This data is to be used by the Central Government to enable better targeting of service delivery or the formulation of evidence-based policies.

Sandbox

The DPAI may create a sandbox for the purpose of encouraging innovation in artificial intelligence, machine learning and other emerging technology in the public interest. Exemptions will be provided from specific compliance requirements, such as purpose limitation, collection limitation and retention limitation, for a limited time, for any data fiduciary operating within the sandbox.

Enforcement Mechanism

The Report acknowledges that enforcement is critical, and therefore suggests both an internal and an external element. It recognises that enforcement should be ex ante as opposed to post facto, i.e., compliance by entities with substantive and proactive obligations.

It contemplates the creation of an independent Data Protection Authority of India (DPAI), which hitherto did not exist in India. It has wide powers, which include (i) monitoring and enforcement of the PDPB 2019; (ii) legal affairs, policy and standard setting for the framework; (iii) research and awareness of the bill; (iv) inquiry, grievance handling and adjudication.

More specific powers include, inter alia, specifying residual categories of sensitive personal data, specifying the circumstances in which a data protection impact assessment (DPIA) needs to be undertaken, and registering Significant Data Fiduciaries (SDFs) and Data Auditors.

Penalties
It specifies strict penalties for the contravention of its provisions. The penalty for a gross violation can go up to INR 15 Crore or 4% of global turnover, whichever is higher. Minor violations can attract a penalty of up to INR 5 Crore or 2% of global turnover, whichever is higher.
Penalties may only be imposed after an inquiry has been conducted by an Adjudicating Officer of the DPA and the data fiduciary has been given a reasonable opportunity of being heard. An inquiry can only be initiated upon a complaint made by the DPA.

Criminal Liability
It includes criminal liability (up to 3 years of imprisonment or a fine which may extend to INR 20,000) for intentionally and knowingly re-identifying de-identified data.

Compensation
It allows the data principal to apply to the adjudicating authority to seek compensation from either the data processor or the data fiduciary for harm suffered as a result of an infringement of any provision. It also appears to allow class action suits by data principals who have suffered harm from the same data fiduciary or data processor.

Compensation is also decided by an Adjudicating Officer and may be sought by the data principal by making an application to the Adjudicating Officer. The orders of the Adjudicating Officer are appealable before the Appellate Tribunal. A data processor will only be held liable to pay compensation if it is found to have acted negligently, failed to incorporate adequate security safeguards, or violated any provision of the PDPB 2019.

Exemptions

It sets out various exemptions to the applicability of the PDPB 2019. These exemptions are:

Any agency of the Government
If the Central Government, by a written order, is satisfied that it is necessary in the interest of, or for preventing incitement to the commission of a cognisable offence relating to, (i) the sovereignty and integrity of India, (ii) the security of the State, (iii) friendly relations with foreign states, or (iv) public order, it may direct that the provisions of the Act will not apply to any agency of the government for the processing of personal data.

For certain types of processing of personal data
Certain specified provisions will not apply where personal data is (i) processed in the interest of the prevention, detection, investigation and prosecution of any offence or any other contravention of law, (ii) disclosed for, inter alia, enforcing a legal right, (iii) processed by any court or tribunal, (iv) exempted by the Central Government, where the processing is of personal data of data principals not within the territory of India, (v) processed by a natural person for any personal or domestic purpose, (vi) processed for a journalistic purpose, (vii) processed for research, archiving or statistical purposes, or (viii) processed manually by a small entity.

Conclusion

The PDPB 2019 is all set to establish a full-fledged data protection framework in India. As also noted in the Report, it is envisaged that data protection officers and the courts will develop these principles on a case-by-case basis over time.

It is estimated that business entities will be given at least one year to make changes to their structures to adhere to the provisions of the PDPB 2019 once it is notified.
