By Arya Tripathy and Rishi Sehgal on December 20, 2021
Introduction
India does not have a dedicated privacy and data protection law, and its maiden draft law, the Personal Data Protection Bill, 2019 (PDP Bill), created much anticipation. PDP Bill was referred to a Joint Parliamentary Committee (JPC) for further review and discussion. After almost 2 years and hundreds of meetings with several stakeholders gathering evidence, statements and research, JPC has finalised and adopted its recommendations on PDP Bill. The revised bill is called the Data Protection Bill, 2021 (DP Bill)[1] and captures the JPC’s recommendations on proposed changes, the most significant being the widened scope of the bill, which will now seek to regulate both personal and non-personal data. This post provides an overview of some of the key changes in DP Bill and their possible impact on businesses.
Timeline: A brief timeline of events leading up to DP Bill:
- 2000: Information Technology Act was passed. It was primarily aimed at validating e-transactions & e-governance with informational privacy not at its focal point.
- 2011: Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 were notified. The rules dealt with the security practices and procedures which body corporates or any person must follow while collecting, receiving, possessing, storing, dealing with or handling personal information, including sensitive personal information.
- 2017: Constitutional Bench of nine judges of the Supreme Court of India (SC) in Justice K.S. Puttaswamy (Retd.) v. Union of India (Puttaswamy judgment)[2] upheld that privacy is a fundamental right, which is entrenched in right to life and personal liberty under Article 21 of the Constitution. The SC also observed that protection of privacy requires a dedicated privacy and data protection law. This led to the formulation of the Justice Srikrishna Committee which submitted its report along with a draft Personal Data Protection Bill, 2018 for comments from the stakeholders. The Ministry of Information and Technology (MeitY) also drafted a White Paper to solicit public comments on what shape a data protection law must take.
- 2019: PDP Bill was tabled in Lok Sabha (lower house of Indian Parliament).
- 2020: PDP Bill was referred to JPC for further deliberations and review.
- 2021: JPC finalised and adopted its recommendations in DP Bill and the report has been tabled before the Parliament in its winter session.
Acronyms, terms and concepts used: Acronyms and brief explanation of the key concepts used in our analysis are below:
- Anonymisation: Irreversible process of transforming or converting PD to a form in which a data principal cannot be identified, provided the standards of irreversibility shall be specified by the Authority
- Anonymised data: PD that has undergone the anonymisation process
- CG: Central Government
- DP: Data principal being the natural person to whom PD relates
- DF: Data fiduciary being the legal or natural person that alone or in conjunction with others determines the purpose and means of processing of PD and will include State, companies, not-for-profit organisations, body corporate and any individual; based on certain criteria, certain DFs will be classified as Significant Data Fiduciaries (SDFs) => Under the extant Information Technology (Reasonable Security Practices & Procedures and Sensitive Personal Data) Rules, 2011, State and not-for-profit organisations are exempted. This meant that not-for-profits need not comply with sensitive personal data processing norms with respect to their beneficiary data. With the enactment of DP Bill, they would no longer be exempted and must comply with the processing norms
- Data: Includes representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means => wide scope to include opinions and concepts, contained in manual or electronic forms
- Data breach: Any unauthorised (including accidental) disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to NPD that compromises the confidentiality, integrity or availability of PD or NPD, as the case may be
- DPA: Data Protection Authority established under Clause 41 of DP Bill
- DPIA: Data protection impact assessment which is one of the specific obligations imposed on SDFs
- DPO: Data Protection Officer
- Harm: Includes (i) bodily or mental injury, (ii) loss, distortion or theft of identity, (iii) financial loss or loss of property, (iv) loss of reputation or humiliation, or loss of employment, (v) any discriminatory treatment, (vi) being subjected to blackmail or extortion, (vii) any denial or withdrawal of services/benefit/goods resulting from an evaluative decision about DP, (viii) any restriction placed or suffered directly or indirectly on speech or movement, (ix) any other action arising out of fear of surveillance, and (x) any observation or surveillance that is not reasonably expected by DP => the definition is limited to provide for harm under DP Bill only in the context of PD and not NPD
- IT Act: Information Technology Act, 2000
- Intermediary Guidelines: Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
- NPD: Non-personal data means data other than PD => this concept has been introduced into DP Bill, and DP Bill now aims at regulating the manner of dealing with NPD, although a large portion of it shall be the subject matter of delegated legislation
- PD: Personal data is data (i) about or relating to a natural person, (ii) who is directly or indirectly identifiable having regard to any characteristic, trait, attribute or any other identification feature of such natural person, including inference drawn from such data, (iii) either standalone or in combination with other information, and (iv) which is present in online or offline modes
- Processing: Means an operation or set of operations performed on PD such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction => will cover all kinds of dealing with PD; there is no definition of processing in relation to NPD
- Processor: Data processor being the legal or natural person that processes PD on behalf of DF and will include State, companies, not-for-profit organisations, body corporate and any individual
- SPD: Sensitive personal data which is PD that may reveal, be related to, or constitute: (i) financial data, (ii) health data, (iii) official identifier, (iv) sex life, (v) sexual orientation, (vi) biometric data, (vii) genetic data, (viii) transgender status, (ix) intersex status, (x) caste or tribe, (xi) religious or political belief or affiliation, or (xii) any data that will be categorised as SPD by CG in exercise of powers under Clause 15 => the wide scope will include a whole array of PD; for example, most Indian names reveal the caste and religion of DP, and relying on the definition, it could qualify as SPD
- Significant harm: Harm that has been aggravated having regard to nature of PD processed, impact, continuity, persistence or irreversibility of the harm
- Social Media: A platform which primarily or solely enables online transaction between 2 or more users and allows them to create, upload, share, disseminate, modify or access information using its services => PDP Bill provided for social media intermediaries and certain exceptions for e-commerce platforms, internet service providers, cloud service providers, etc. Social media platform has no such exceptions (discussed later)
Analysis:
| # | Aspect | PDP Bill | DP Bill | Analysis |
|---|---|---|---|---|
| 1 | Objects | The objects of PDP Bill are: (i) protection of DP’s privacy and their rights; (ii) regulating flow and usage of PD including cross-border data transfer, accountability matrix and data breach; (iii) creating a trust relationship between DP and DF and Processors; (iv) creating a framework for information security measures; (v) laying out norms for social media; and (vi) establishing DPA. | The law should not be limited to PD, but also include NPD. Consequently, it aims at protecting digital privacy for PD, and expands the other objectives to regulate the PD and NPD processing ecosystem. Additionally, it adds a new objective to ensure the interest and security of the State. | The scope and reach of DP Bill are wider than PDP Bill. The Puttaswamy judgment[3] mandated the government to design a law for informational privacy. Subsequently, the MeitY White Paper and the Srikrishna Committee report elaborated on the contours of PD protection with the aim of striking a balance between individual rights and the digital economy. Alongside, MeitY constituted the NPD committee with the mandate to provide pointers for a separate NPD regulatory framework. However, with the expanded scope of DP Bill, it is likely that rules and regulations on NPD will be made under DP Bill. This approach is quite uncommon; typically, data protection laws across jurisdictions cater to individual privacy rights. While organisations will have to take a holistic approach to data assets and their management rather than a segregated one, it is also imperative that the rules and regulations made are not overlapping or conflicting in nature. Where they are, implementation and compliance could pose unique challenges. |
| 2 | Application | Direct territorial application – processing of PD (i) where it is collected, disclosed, shared or otherwise processed in India, or (ii) by State, any Indian company, or person, or body of persons created or incorporated under Indian law => twin criteria. Long-arm jurisdiction – processing of PD by foreign entities (not present in India) where it is in connection with (i) business carried on in India, or systematic activity of offering goods or services to DP within India, or (ii) activity which involves profiling of DP within India => similar to EU GDPR and aimed at protecting PD of a natural person physically in India. Exception – does not apply to anonymised data, other than anonymised data disclosure that may be mandated under Clause 91. Clause 91 – CG in consultation with DPA could require any DF or processor to provide anonymised data or other NPD to (i) enable better delivery of services, or (ii) formulate evidence-based policies => this clause has been debated a lot as it enables CG to make regulations concerning NPD under the PDP Bill framework. | On the twin criteria for direct territorial application, DP Bill specifically mentions that it will cover storage in India. Processing by State and Indian entities or persons is now replaced with processing of PD by any person under Indian law. Long-arm jurisdiction is retained as is. The exception for anonymised data is removed. Consequently, Clause 2(d) states that processing of NPD including anonymised personal data will be within the scope of DP Bill. | The proposal creates several ambiguities. PD processing by State, Indian entity or person or body of persons incorporated under Indian laws meant that it would apply to those juristic and natural persons who are established and governed under Indian laws, such as an Indian company, LLP, etc. However, processing of PD by any person under Indian law creates confusion. Person is defined widely to include any natural or legal person, irrespective of whether they are incorporated, resident or operational in India. This will include foreign companies as well. Now, consider a situation where a foreign company contractually agrees to avail data server and storage facilities from an Indian vendor. The data belongs to natural persons of a foreign jurisdiction, and the foreign company does not carry on any direct or indirect business activity or profiling of Indian DPs. This contract provides Indian law as the governing law. In this factual pattern, the foreign company is not covered through the long-arm jurisdiction; hence, it is not a DF under PDP Bill and need not comply with DF obligations. With regards to the Indian vendor, storage is processing of PD in India and will be covered under DP Bill. It must therefore fulfil the obligations that apply to processors. The revised language under DP Bill might be interpreted to mean that since the governing law is Indian law, processing is done under Indian law, and hence DP Bill applies to the foreign company, even where it is not carrying on business, providing goods/services or profiling any DP in India. Globally, anonymised data is an exception to personal data protection laws. This exception provides organisations with the ability to freely process PD once it is irreversibly stripped of its identifying attributes. However, this will no longer be the case, and rules will be made for regulating anonymised data and breach situations thereof (discussed later). |
| 3 | SDFs and social media platform | Some DFs can be categorised as SDFs under Clause 26. DPA shall notify SDFs factoring: (i) volume of PD processed, (ii) sensitivity of PD, (iii) turnover, (iv) risk of harm involved with processing activities, (v) use of new processing technology, and (vi) other factors that could cause harm. SDFs must register with DPA in the prescribed manner and comply with certain additional obligations. Further, Clause 26 deals with the criteria based on which CG in consultation with DPA will notify a “social media intermediary” as SDF. Social media intermediary would mean those who primarily or solely enable online interaction between users, allowing them to create, upload, share, disseminate, modify or access information, BUT shall not include those intermediaries who primarily (i) enable commercial transactions (such as e-commerce platforms), (ii) provide access to the internet (ISPs), or (iii) operate search engines, online encyclopedias, e-mail services or online storage services (like cloud). A user-based threshold will be prescribed, and if their actions have or are likely to have a significant impact on electoral democracy, State security, public order, or India’s sovereignty and integrity, they shall be notified as SDF. | In addition to the factors mentioned for determining SDFs, a new criterion is provided – processing of data relating to children or provision of services to them. Social media intermediaries are now replaced with social media platforms. The exception created for platforms that aid commercial transactions, internet service providers, search engines, encyclopedias and other similar platforms is deleted. Any social media platform that meets the user-based criteria and other factors can be notified as SDF. | The IT Act defines intermediary as any person who, on behalf of another, receives, stores, or transmits the message, or provides any service with respect to that message. This definition does not provide carve-outs for e-commerce, internet service providers, search engines, etc., and rightly so. The definition from IT Act is further clarified in the context of social media intermediary under the Intermediary Guidelines. It defines them as intermediaries who primarily or solely enable online interaction between users, allowing them to create, upload, share, disseminate, modify or access information. Here also, there are no exceptions. DP Bill’s definition of social media platform is verbatim similar to social media intermediary under the Intermediary Guidelines. The JPC report explains the rationale and states that most social media intermediaries perform dual roles, i.e., acting as internet intermediaries and providing platforms for people to communicate. The intent is thus to include all internet intermediaries as provided under IT Act, irrespective of whether they provide interaction between users, such as cloud and search engines. Additionally, the new SDF criterion – processing of data relating to children or provision of services to them – can include SDFs processing PD or NPD. This ambiguity must be clarified and ideally limited to PD only. |
| 4 | Obligations of SDFs | Clause 27: Undertake DPIA before using new technology, carrying out profiling at a large scale, using SPD, or any processing which carries a risk of significant harm to DPs. DPA, on review and assessment of DPIA findings, could direct cessation of processing activities or impose additional conditions. Clause 28: SDF shall maintain up-to-date and accurate records for specified items such as important operations in the data life-cycle, DPIAs, review of security safeguards, etc. Further, if SDF is a social media intermediary, it shall enable an option for users to verify their accounts. Anyone who verifies must be provided a visible verification mark. Clause 29: SDFs must annually audit their policies and processing practices through data auditors. Clause 30: SDFs must appoint a DPO who is resident in India for performing certain functions such as advising DF on its obligations under PDP Bill, monitoring processing activities, assisting in DPIA, etc. One of the functions is to assist and cooperate with DPA on matters of compliance by DF. | SDF-specific obligations have been retained with only a few changes. (i) Regarding DPIA, powers of DPA to impose conditions for processing or to require cessation will be subject to DPIA regulations. Interestingly, these regulations will be made by DPA itself. (ii) No change in the record-keeping obligation, although the verification option on social media platforms now has to be enabled for all persons and not just users. (iii) Apart from annual audits, DPA shall encourage the practice of concurrent audits. Concurrent audits in finance are understood as audits at the time of a new transaction. There is no clarification on the scope of concurrent audits. (iv) Clarifying who can be appointed as DPO, it is proposed that DPO could be any senior-level officer in India or key managerial personnel (KMP) of the entity or any equivalent position held by an employee. There is no change to the resident requirement, and KMP is defined similarly as in the Companies Act, 2013, i.e., Managing Director/Chief Executive Officer/manager, Company Secretary, whole-time director, Chief Finance Officer or such other personnel as may be prescribed. | There are various ambiguities. PDP Bill required social media intermediaries to only allow verification of their users. DP Bill uses the term “persons” instead of users. But this cannot be interpreted in isolation and would only mean persons who register for the social media platform’s services in India, or use those services in India. In a way, it is the same thing as users. The term “concurrent audit” has not been explained, but in the context of data processing it would mean frequent audits. While concurrent audits are optional, DPA must provide guidance on the situations and manner of conducting concurrent audits, including clarification on whether such audits should be done internally or through external data auditors. The specific eligibility criteria for appointment of DPOs could create a conflict of interest, specifically where DPO is mandated to assist DPA on compliance matters. Typically, liability for breach by corporates is fixed on KMP and officers, unless they show absence of direct or indirect knowledge about the breach. With KMPs being appointed as DPOs, there is a direct conflict of interest where they have to, in their capacity as DPO, aid DPA on non-compliance matters and at the same time represent DF as part of its management. |
| 5 | Basis of processing | Clause 11: Consent is the primary basis of processing. It must be: (i) free, as provided under contract law; (ii) informed, by providing notice under Clause 7 (Clause 7 requires DF to provide detailed notice at the time of collection, or as soon as reasonably practical where PD is collected from a source other than DP); (iii) specific, as to whether DP can determine the scope of consent in the context of the purpose of processing; (iv) clear, as indicated through an affirmative action; and (v) capable of being withdrawn with similar ease to that through which it was obtained. In the context of SPD, consent must be obtained explicitly after informing DP about the purpose of such processing activity that is likely to cause significant harm to DP, in clear terms without any inference from context, and providing them with a choice of separately consenting to such purpose of processing. Provision of goods, services, their quality, performance of contract or enjoyment of legal right shall not be conditional on processing of any PD that is not necessary for the purpose. Where DP withdraws consent from processing of PD without any valid reason, all legal consequences for effects of such withdrawal shall be borne by DP. Clause 12: PD can be processed without consent in the following instances: (i) for performance of any function of State authorised by law for providing any service or benefit to DP from the State, or issuance of any certification, license or permit to DP by State; (ii) under applicable law made by Parliament or State legislature; (iii) compliance with any order or judgment of a court or tribunal; (iv) response to any medical emergency involving threat to life or severe threat to health of DP or another individual; (v) carrying out measures for providing medical treatment or health services to any individual during an epidemic, outbreak of disease or threat to public health; (vi) undertaking any measure to ensure safety of, or provide assistance or services to, any individual during disaster or breakdown of public order. Clause 13: With respect to certain employment matters, PD can be processed for certain purposes without consent as long as (i) it is not SPD, and (ii) obtaining consent is not appropriate having regard to the employment relationship between DF and DP, or where it would involve disproportionate effort on the part of DF due to the nature of processing. The purposes are: (a) recruitment or termination of employment; (b) provision of any service to, or benefit sought by, the employee DP; (c) verifying attendance of DP; (d) any other activity related to performance assessment of DP. Clause 14: Apart from the listed bases of processing, PD can also be processed without consent if such processing is necessary for reasonable purposes as may be specified in regulations; these regulations should take into account (i) interest of DF in processing for that purpose, (ii) whether DF can reasonably be expected to obtain DP consent, (iii) any public interest involved in processing, (iv) effect of processing activity on rights of DP, and (v) reasonable expectation of DP having regard to the context of processing. Reasonable purposes may include prevention and detection of any unlawful activity, whistle-blowing, mergers and acquisitions, network and information security, credit scoring, recovery of debt, processing of publicly available personal data, and operation of search engines. The regulations specifying reasonable purposes must lay down such safeguards as are appropriate to protect DP’s rights and also determine where provision of notice is relevant. Clause 16: For processing PD of a child, i.e., a person below and up to 18 years of age, processing must be done in such manner that protects the rights and is in the best interest of the child. Before processing, age must be verified and consent must be obtained from a parent or guardian. DPA can classify DFs as guardian DFs where they operate commercial websites or online services directed at children, or process large volumes of children’s PD. These shall be barred from profiling, tracking or behaviourally monitoring, or targeted advertising directed at children, or any other processing that can cause significant harm to the child. A guardian DF providing exclusive counselling or child protection services shall not be required to take consent from a parent or guardian. | Consent requirements under Clause 11 are mostly retained as is, with minor clarifications. Provision of goods or services or quality thereof, or performance of contract or enjoyment of legal right, shall not be made conditional on the processing of any PD not necessary for that purpose, and cannot be denied based on exercise of choice. All consequences, and not just legal consequences, shall be borne by DP where they withdraw consent. Exceptions to consent under Clause 12 are also retained. However, performance of State function is changed to an inclusive list, which means that PD can be processed by State without consent for any other function and not just provision of any service or benefit, or license to DP. Further, apart from courts and tribunals, power is also vested with quasi-judicial authorities such as the Enforcement Directorate. New factors have been added to Clause 14 that DPA must consider while listing reasonable purposes; these are: (i) legitimate interest of DF and not just interest, (ii) whether consent is reasonable and practicable, and (iii) the degree of any adverse effect. Additionally, the illustrations for reasonable purposes have been retained, with a clarification that mergers and acquisitions include any similar combinations or corporate restructuring transactions. Regarding children’s PD, DF now does not need to determine if processing is in the best interest of the child. The concept of guardian DF is removed and consequently, the specific terms for guardian DF will apply to all DFs who process children’s PD. | Consent remains the primary basis for processing. While there is a residual category where DPA could notify all other reasonable purposes, additional safeguards and conditions, until such time as DPA promulgates them, consent will be the only basis for most cases. State’s ability to process PD in discharge of State functions is structured as an inclusive list and hence expanded. This can be used to bypass the consent requirement as long as State or its agencies can substantiate that the processing is necessary for a State function. As a move in the right direction, it has been clarified that the interest of DF has to be a legitimate interest, as otherwise any interest could have formed the basis of processing. But what is legitimate is a mixed question of fact and law, and it would be interesting to see what reasonable purposes are notified factoring in the revised set of criteria. It is also a positive move that the distinction between DF and guardian DF has been removed. So, all other obligations will apply to any DF. |
| 6 | Quality of PD processed | Clause 8 requires DF to take necessary steps to ensure that PD processed is complete, accurate, not misleading and updated, having regard to the purpose of processing. In this exercise, DF must evaluate whether PD will be used to arrive at decisions about DP, or is likely to be disclosed to others, or whether PD is based on facts or opinions. If PD is disclosed to a third party, and DF finds out that PD is incomplete, inaccurate, misleading or outdated, it must take reasonable steps to notify the third-party recipient. | Now, DF is positively obligated to notify the recipient where PD is incomplete, inaccurate, misleading or outdated having regard to the processing purposes. These steps to notify are no longer qualified by whether it is reasonable or not. However, the above obligation shall not apply where such notice requirement prejudices the processing purposes. A new sub-clause is added to state that DF may share, transfer or transmit PD to any person as part of a business transaction in such manner as may be prescribed; provided that such regulations will not apply if they are prejudicial to processing purposes. | JPC believes that ensuring quality of PD processed is a protective clause and DF should not have any discretion in deciding when to notify third parties who have onward received PD. It also mentions in the report that this will aid the government and its agencies in processing PD. However, in practice, it will be important to see if the obligation to notify can be made absolute, or whether it should be to the extent reasonably possible. For instance, it is quite common for businesses to store PD on clouds, where the cloud service provider has no need to deal with stored PD in any manner. Ensuring that DF notifies the cloud service provider about inaccuracy of PD is futile, having regard to the purpose and means of processing, i.e., storage. More facts have to be weaved in to determine if it is necessary. Thus, the revised provision denies businesses the ability to undertake a cost-benefit analysis factoring in the circumstances listed in Clause 8, i.e., decision making about DP, purpose of processing, and future disclosure. Alongside, it seems to contemplate putting in place regulations where PD has to be transferred as part of a business transaction. The rationale provided by JPC is that this will check the “mindless sharing” of PD between entities under the garb of services. This could be counterproductive as the law already contemplates the basis of processing, rights of DP, and other data protection norms. What additionally will be provided under the proposed regulations, and whether it will be for all or only certain specific business transactions, is unclear. However, any regulation made in this space will require businesses to prepare for the ensuing compliances before they can engage in business transactions that involve sharing of PD. |
| 7 | DP rights | Clause 17: Right to access and confirmation; requires DF to provide DP with confirmation that PD is being processed, a summary of PD processed and of processing activities undertaken, and details of third-party recipients, in a clear and concise manner, easily comprehensible to a reasonable person. Clause 18: Allows DP to exercise their right to seek correction of inaccurate or misleading PD, completion of incomplete PD, updating where PD is outdated, and erasure if PD is no longer required, provided it is necessary having regard to the purposes of processing and regulations that would be made in this regard. DF must comply with such a request and if not, it must provide adequate justification in writing for rejecting the request. If the request is complied with, DF shall take necessary steps to notify recipients about actions undertaken, particularly where they have an impact on the rights and interests of DP or decisions regarding them. Clause 19: Where processing has been carried out using automated means, DP shall have a right to data portability (of PD provided, generated in the course of processing, or forming part of a profile) by receiving it in a structured, commonly used, machine-readable format and getting it transferred to another DF. Such right cannot be exercised where processing is by State, or judiciary in compliance with law, or where the portability request will reveal a trade secret of DF, or where portability is not feasible. Clause 20: Right to be forgotten; it states that DP shall have the right to restrict or prevent continual disclosure of PD by DF if such disclosure (i) has served the purpose for which it was collected and is no longer necessary, (ii) was made with consent which has been withdrawn, or (iii) was made in breach of any applicable law. In order for DP to exercise this right, DP must obtain an order from the Adjudicating Officer. | Clause 17 right to confirmation and access has been enlarged to deal with the rights of a deceased DP, and a new sub-clause has been added. It allows DP to avail 3 options on how their PD will be dealt with after their demise: (i) nominate their legal heir/representative as nominee, (ii) exercise the right to be forgotten, and (iii) append the terms of agreement with respect to processing of PD in the event of the death of DP. Clause 18 remains mostly as is, but with respect to the obligation to notify third-party recipients, it clarifies that DF shall take necessary and practicable steps to notify having regard to the impact on DPs. Clause 19 exceptions are revised. Now, portability, as long as it is as per requirements, cannot be denied on grounds of disclosure of trade secrets. Refusal can only be limited to technical non-feasibility. Clause 20 dealing with the right to be forgotten has been enlarged. Now, DP can also seek to restrict processing and not just onward disclosure. Further, it states that the Adjudicating Officer shall not make an order for exercise of the right to be forgotten unless DP shows that his interests and rights override the freedom of speech and expression, the right to information of any citizen, or the rights of DF to retain, use and process. | Globally, data protection laws do not deal with PD of dead persons, except in certain cases such as the requirement of deletion under the Hong Kong Personal Data Protection Ordinance. Nonetheless, almost all contemplate the ability of DP to nominate someone who can decide how PD is dealt with. Adding the new sub-clause to the right to access and confirmation is a positive step from DP’s perspective as it would allow them to exercise some control over their PD after their demise. However, this will also mean that businesses will incur additional costs to enable modules in their data subject rights regimes for making nominations and allowing DP to avail the provided options. Further, businesses should thoroughly evaluate the terms regarding processing of PD of a deceased DP that they would incorporate in their service conditions or terms of use. The change to Clause 18, where DF is required to take practicable steps only, is a positive change. Nonetheless, this creates ambiguity with the requirement on DF to maintain the quality of PD processed, as the standard there is stricter. See our analysis at #6 above. Revised Clause 19 further narrows the exceptions to the portability obligation of DF, and denies businesses the right to evaluate whether deciphered data sets which may qualify as PD can be denied portability if they reveal or contain any trade secret. JPC is of the view that trade secret is a very domain-specific concept and anything can be argued as part of a trade secret to dilute portability rights. Portability often helps DP to avail services/goods across platforms without having to go through the entire process of registration and provision of personal details to a DF. Deciphered data, on the other hand, is an outcome of analytics and algorithmic exercises performed by DF, and the actual necessity or purpose served by porting this to another DF is not clear. Alongside, it would have been beneficial if JPC had illustrated what deciphered data or information could be treated as a trade secret and what not. This could aid implementation of portability norms. Regarding the right to be forgotten, several high courts in recent times have dealt with related claims. These judgments adopt a conventional notion of the contours of the right to be forgotten and equate it with the right to seek deletion of PD. JPC’s proposal for the right to be forgotten is not in line with what is commonly understood, and cannot be synonymous with the right to seek complete purging of data. It is only understood as a right that will restrict processing. Perhaps this is because DP Bill also provides for a right to erasure. In any event, in order to exercise this limited right to be forgotten, DP has to obtain an order from the Adjudicating Officer and substantiate that his rights and interests in restricting/limiting disclosure or processing are paramount. This will be a difficult threshold to substantiate and will largely depend on the facts of the case. |
8. | Data breach | Clause 25 deals with data breach. It states that DF shall notify DPA about a breach of any PD where such breach is likely to cause harm to DP. The notice must include (i) the nature of PD subjected to the breach, (ii) the number of DPs affected, (iii) the possible consequences, and (iv) the action taken to remedy the breach. This notice must be sent as soon as possible and within such period as may be prescribed in regulations. If all the information required in the notice cannot be provided within the timeframe, DF shall provide the details in phases without undue delay. After receipt of the notice, DPA shall determine whether such breach should be reported by DF to DP, taking into account the severity of harm that may be caused to DP, or whether any action is required of DP to mitigate the potential harm. DPA may also require DF to take appropriate remedial action as soon as possible and to conspicuously post the details on its website. | Data breach obligations have been revised to cover not just breach scenarios involving PD but also those involving NPD. DPA is vested with the power to take such necessary steps as it deems fit where there is an NPD breach, with details to be prescribed in delegated legislation. Regarding PD breaches, every DF shall by notice report to DPA any breach of PD processed by it. The format of the notice will be prescribed under regulations and, alongside the other details listed that must be provided in the notice, DF must not merely mention action taken but list out the remedial actions undertaken. The timeline for reporting has been fixed at 72 hours from the time DF becomes aware of the breach. DPA can, after due consideration, require the breach to be notified to DPs, require posting on DF's website, direct remedial actions, and also require DF to undertake urgent steps to redress the consequences of the breach. | The concepts of harm and significant harm as provided in DP Bill are limited to PD and impact on DP; no similar concepts have been provided for NPD. In the absence of such fundamental clarity in the main statute on what harm is contemplated where there is a breach of NPD, every aspect of the NPD breach scenario has been left to delegated powers. This may result in a lack of proper legislative checks and balances on what is notified as rules or regulations for NPD breaches. Nonetheless, it is clear that in due course businesses will have to comply with certain breach notification and mitigation steps in NPD breach situations, as may be defined in rules. Further clarity has been provided on PD breach notification requirements. However, JPC believes that there is no need to inform each DP whose PD has been subjected to a breach, as this could result in chaos and affect public order. Whether DPs are notified is left solely to DPA's judgment, and this could lead to arbitrary decisions. At the least, this dilutes the control that DP should exercise over their PD. |
9. | Cross-border data transfer | Clauses 33 & 34 deal with cross-border data transfer. Partial localisation of SPD: SPD can be transferred and processed outside India, but a copy must be continually stored in India; the transfer must be with explicit consent plus any one of the following criteria: (i) an approved contract or intra-group scheme (akin to SCCs and binding corporate rules under EU GDPR), (ii) the recipient jurisdiction/entity has been conferred with an adequacy decision by the Indian government, or (iii) the transfer is for a specific purpose as permitted by DPA. Complete localisation of critical PD: critical PD will be that notified as such by the government; it cannot be transferred and must always be processed in India, with limited exceptions: (i) the recipient is engaged in provision of healthcare/emergency services and the transfer is necessary for prompt action, or (ii) the Indian government has approved the recipient. | Cross-border data transfer localisation norms have been retained. DPA is vested with the power to approve contracts and group schemes, but only in consultation with CG, which was not the case under PDP Bill. Further, a submitted contract or group scheme shall not be approved if the object of the data transfer is against public or State policy, unless provisions are made for effective protection of the rights of DP and for affixing liability on DF for harm caused by such transfer. Regarding the adequacy route, it is now provided that even where the Central Government has allowed transfer of SPD by recognising a country/entity as adequate, the recipient cannot further transfer it to another country/entity without prior approval from the Central Government. | Localisation has received varied criticism. To understand the full nature of the cross-border restrictions as proposed under PDP Bill, access here. JPC believes that localisation conditions are essential for law enforcement, State security and sovereignty, specifically in light of changing international political relations. It also believes that physically locating data in India would facilitate and aid law enforcement, which could access this data when required on certain grounds. But it does not analyse the economic and practical implications for businesses and perhaps takes a unilateral stance on localisation. Further, there is no clarity on how DPA and CG intend to deal with cross-border transfer of NPD; it is possible that regulations will deal with this aspect. CG has been vested with wide powers to regulate how data transfers outside India will take place. From standard contracts and binding group rules to adequacy decisions, CG will play a key role in devising and allowing data transfers. There will be no ability to transfer onward unless prior approval has been taken, giving CG more power to stop the free flow of data even where there are group schemes or adequacy decisions. Consequently, cross-border data transfer will be a key compliance and regulatory issue that organisations have to factor in while streamlining their data inventory and processing systems. It is likely that compliance and revamping of existing transfer practices will entail significant costs. |
10. | Exemption to State | Clause 35 empowers CG to exempt any government agency from the provisions of PDP Bill if it is satisfied that this is necessary and expedient: (i) in the interest of the sovereignty and integrity of India, security of the State, friendly relations with foreign States, or public order, or (ii) for preventing incitement to the commission of a cognizable offence relating to the above criteria. In such case, CG will pass an order recording its reasons in writing and the procedure, safeguards and oversight mechanism subject to which the exempt agencies can process PD. | Revised Clause 35 retains the power of CG to exempt government agencies from the entire DP Bill and makes this a non-obstante provision, which means that such exemption can be granted irrespective of anything to the contrary in any law in force. It also requires CG to provide for just, fair, reasonable and proportionate measures in the procedure that exempt entities will follow. | The revisions bring in some checks and balances, given that the right to privacy is a fundamental right under Article 21 of the Indian Constitution and can only be deviated from through just and proportionate measures. Thus, when CG seeks to exempt any of its agencies from compliance with DP Bill, the order must necessarily provide the processes that the exempt entities will follow, and specifically whether such deviation is proportionate. This will be helpful in holding the State accountable for actions undertaken and is a positive step. |
11. | DPA | DPA shall comprise a Chairperson and a maximum of six whole-time members, of which 1 will be a person having qualification and experience in law. The Chairperson and members of DPA shall be appointed by CG on the recommendation of a selection committee consisting of: (i) the Cabinet Secretary, (ii) the Secretary to the Ministry or Department of Legal Affairs, and (iii) the Secretary to the Ministry or Department of Electronics and Information Technology. | DPA composition remains the same, but 1 of the six whole-time members must be an expert in data protection law having the prescribed experience and qualifications. In addition to the members of the selection committee provided under PDP Bill, there is a new mandate that the committee will also include (i) the Attorney General of India, and (ii) 3 other nominated members, i.e., an expert in the field of data protection, IT, data management, data science, data security, cyber and internet laws, public administration or related subjects; the Director of any Indian Institute of Technology; and the Director of any Indian Institute of Management. | The inclusion of an expert in data protection law is likely to ensure that DPA is well equipped to take technical and practical considerations into account while dealing with data protection issues. A data protection authority under any data protection law is expected to act as an independent regulator that enforces the rights and obligations. To bring about the expected independence, it is also relevant that the appointing authority has the requisite competence and independence, so that its appointees to the data authority are well informed and free from bias. The revised composition of the selection committee that appoints DPA members continues to be a point of concern. It consists of six members directly appointed by CG, or serving at the pleasure of the union council of ministers, and there is a lack of an adequate number of judicial members. These raise concerns over the independence of the appointees to DPA and the extent to which it will buckle under State interference. |
12. | Penalties | Two degrees of penalty can be imposed for DF's contravention of certain provisions. INR 50 million or 2% of worldwide turnover, whichever is higher, when DF fails to: take prompt and apt response to a data breach; register as SDF; undertake DPIA; conduct data audit; or appoint DPO. For similar contraventions by the State, the penalty cannot exceed INR 50 million. INR 150 million or 4% of worldwide turnover, whichever is higher, when DF: processes PD in contravention of the processing principles and permitted grounds (such as consent, special requirements for processing children's personal data, etc.); fails to adhere to security safeguards; or transfers PD in violation of cross-border transfer requirements. The penalty for similar contraventions by government has also been capped, at INR 150 million. | Penalty provisions have been revised. The proposal is that CG can prescribe any penalty, which shall not exceed: INR 50 million or 2% of worldwide turnover, in case DF fails to take prompt and apt response to data breaches, register as SDF, undertake DPIAs, conduct data audits, or appoint DPO; and INR 150 million or 4% of worldwide turnover when DF processes PD in contravention of the processing principles and permitted grounds, fails to adhere to security safeguards, or transfers PD in violation of cross-border transfer requirements. The cap on government's penalty is removed. In fact, CG is now empowered to prescribe the maximum penalty to which it will itself be subjected for non-compliances and defaults. | DP Bill retains upper caps for penalties, and the actual amounts for specific violations will be notified by CG. These upper caps do not apply to government breaches, and the power to prescribe the penalty for the State has also been left to CG. There should be no distinction in what penalty can be imposed on a private person and on the State, as DP Bill applies in spirit to the State. Further, no factors or principles have been provided that CG must follow while determining the final amounts. There is a conflict of interest, as CG will decide what its own penalty limits will be; ideally, this should have been provided in DP Bill itself. |
Conclusion
JPC's recommendations and the DP Bill give an indication of what India's data regulation architecture will look like. The proposed law paints a broader canvas for data ecosystem regulation, but misses the opportunity to address long-standing concerns around State power and accountability in the private matters of citizens. It gives the central government the power to exempt its agencies from the ambit of the data protection regulation and to mould the manner in which detailed regulations and rules will be made. The government will review the JPC recommendations and may revise DP Bill. If it does, a revised proposal will be tabled before both houses of Parliament, and tentatively, this could stretch the legislative process till the next session.
The authors acknowledge Syantika Ganguly for her research and assistance in this post.
[1] A copy of the published JPC report and DP Bill can be accessed here: http://164.100.47.193/lsscommittee/Joint%20Committee%20on%20the%20Personal%20Data%20Protection%20Bill,%202019/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf
[2] (2017) 10 S.C.C. 1
[3] Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) 10 S.C.C. 1