February 24, 2020

The Chairperson,
Joint Parliamentary Committee,
Personal Data Protection Bill, 2019,
Lok Sabha Secretariat,
Ground Floor, Parliament House Annexe,
New Delhi - 110001

Madam Chairperson,

In response to a call for public suggestions issued vide the Press Communique of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019, dated February 04, 2020, we have provided our comments and suggestions below on the PDP Bill.

Who We Are

GameChanger Law Advisors is a boutique corporate commercial law firm based in Bengaluru and New Delhi. The Firm has been in existence since October 2011, and is currently a team of corporate, commercial and technology lawyers who have extensive experience in representing clients across a wide range of industries on a range of legal and compliance matters. We have developed a specialised practice for the Technology, Media and Telecom industries. We advise clients across industries on data protection issues on a regular basis.

Summary of Comments and Suggestions

Given the broad application of the Personal Data Protection Bill, 2019 ("PDP Bill"), its scope is of relevance to a significant number of our clientele. We welcome India's shift to a robust data protection regime, and believe that principles of privacy and data protection must be balanced with an adequate emphasis on transparent processes, procedural fairness and commercial viability in any data protection legislation. While many of our clients and technological companies which work with customer data will be impacted by the PDP Bill, the intention is always to comply with the law of the land and provide whatever support we can as lawyers, towards achieving the larger goal of better data protection and privacy for the citizens of India.

Our key suggestions, highlighted in detail in the note ("Note") below, are as follows:

  1. The Bill must prescribe a transition period for businesses to suitably implement its provisions;
  2. The discretionary powers of the Central Government under the PDP Bill are broad and overarching, and must be limited;
  3. The exemptions available to the Central Government and government agencies under the PDP Bill must be limited by application of principles of necessity and proportionality;
  4. The concept of 'Social Media Intermediaries' is superfluous and must be omitted from the PDP Bill; and
  5. The governance of anonymised data is beyond the scope of the PDP Bill and must be left to the purview of a distinct legislation on non-personal data.

We thank you for providing us with this opportunity to outline our comments and suggestions on the PDP Bill. This Note has been authored by a GameChanger Law Advisors Team comprising of:

  1. Mr. Amrut Joshi, Founding Partner;
  2. Ms. Atulaa Krishnamurthy, Associate; and
  3. Mr. Srikanth Bhaskar, Associate.

For GameChanger Law Advisors,

Amrut Joshi
Founding Partner

NOTE CONTAINING GAMECHANGER LAW ADVISORS' COMMENTS AND SUGGESTIONS ON THE PERSONAL DATA PROTECTION BILL, 2019

1. No explicit transition period provided for under the PDP Bill

1.1. Observations

1.1.1. Section 1(2) of the PDP Bill stipulates that different portions of the PDP Bill will come into force on the date on which they are notified in the Official Gazette.

1.1.2. The Justice Srikrishna Committee, in its draft of Personal Data Protection Bill ("JSC Bill") provided for a timeline where different chapters/sections of the JSC Bill would come into force.

1.1.3. As proposed by the JSC Bill, the following sections would come into effect on the date of notification –

  1. Chapter X of the JSC Bill – Dealt with the constitution and functioning of the Data Protection Authority of India ("DPA").
  2. Section 107 and 108 of the JSC Bill – Granted the DPA the power to make rules and regulations.
  3. Section 40 of the JSC Bill – Restrictions on cross border transfer of personal data.

1.1.4. Under the provisions of the JSC Bill, the Central Government was to constitute the DPA within 3 (Three) months of the date on which the JSC Bill was notified.

1.1.5. Within 12 months from the date on which the JSC Bill was to be notified, the DPA was to:

  1. Formulate regulations relating to reasonable purposes for which personal data could be processed (covered under Section 14 of the PDP Bill).
  2. Formulate codes of conduct and notices pertaining to - data quality, storage limits, processing of personal information and sensitive personal information, security safeguards, research purposes, exercise of data principal rights, methods of de-identification and anonymization, and transparency and accountability measures.

1.1.6. Finally, Section 97 (8) of the JSC Bill stipulated that the remaining provisions of the JSC Bill would become effective within 18 (Eighteen) months of the date on which the JSC Bill was notified.

1.1.7. Currently, the primary regulation in India on data security is the Information Technology (Reasonable security practices and procedures and sensitive persona data or information) Rules, 2011) ("SPI Rules"). However, the PDP Bill places a much greater obligation on processors when compared to the SPI Rules (for example, there are territorial restrictions on processing certain categories of personal information in the PDP Bill, whereas such restrictions are not present in the SPI Rules).

1.1.8. In such a scenario, processors in India will need to make operational changes, invest in new technology and amend their products and processes in order to ensure that they are compliant with the PDP Bill. These activities will take time and hence, a transition period must be provided to these businesses to achieve effective compliance with law. In the event a transition period is not provided, business entities may be forced to temporarily suspend operations till such time they are compliant with the obligations stipulated under the PDP Bill, and this can have an immensely chilling effect on business in India.

1.1.9. It has been global best practice to provide a transition period in comprehensive data protection bills. For instance, the European Union provided a 2 (Two) year transition period for the provisions of the General Data Protection Regulation ("GDPR") to take effect. The transition period for the GDPR commenced on April 14, 2016. The GDPR came into effect on May 25, 2018.

1.2. GLA Recommendation

1.2.1. In its current form, if the PDP Bill is notified in its entirety, it will result in an un- implementable law until such time that the DPA can be constituted and made operational. A milestone-based staggered timeline, with sufficient time being given to implement each step, is necessary so that the institutional enforcement framework under the DPA is put in place. Thereafter, specific regulations or codes of practice can be formulated in consultation with various stakeholders. This will also allow stakeholders to put in place their compliance mechanisms to ensure that as and when the law comes into force and regulations and codes of practice are prescribed by the DPA, they are in a position to be compliant with the law.

1.2.2. The breadth of functions assigned to the DPA (See Section 49 of the PDP Bill) and to data fiduciaries and data processors (See Chapters II to VII of the PDP Bill) to whom the law will be applicable is substantial. Hence, we would recommend incorporating a method similar to the method adopted in Section 97 of the JSC Bill, that of enabling a milestone based staggered timeline, with longer time periods prescribed for compliance with operational aspects of the PDP Bill. We recommend that only after the codes of practice and regulations are put in place by the DPA, should any time period apply for applicability of the PDP Bill, rather than the date of notification of the PDP Bill itself.

Click here to continue reading ...

Originally published 09 March, 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.