The long-awaited Personal Data Protection Bill, 2018 (the "Bill") was released on July 27, 2018, along with the report of the Committee of Experts chaired by Justice B. N. Srikrishna (the "Report"). The Committee was constituted by the Ministry of Electronics & Information Technology, Government of India, to put together a draft data protection law for India. The Report elaborates on the Committee's discussions and deliberations and throws light on the provisions of the Bill. The Bill may undergo further changes before it is adopted as law.
This is a keystone development in the evolution of data protection law in India. With India moving towards digitization, a robust and efficient data protection law was the need of the hour. The Bill has been drafted with an intention to fill in the vacuum that existed in the current data protection regime, and to enhance individual rights by providing individuals full control over their personal data, while ensuring a high level of data protection.
The Bill is broadly based on the framework and principles of the General Data Protection Regulation (the "GDPR") recently notified in the European Union, and on the foundation of the landmark judgement of the apex court in Justice K.S. Puttaswamy (Retd.) & Anr v Union of India & Ors (W.P. (Civil) No. 494 of 2012), wherein the Supreme Court of India upheld the right to privacy as a fundamental right under the Indian Constitution. The Bill shall supersede Section 43A of the Information Technology Act, 2000 (the "IT Act") and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the "IT Rules"), which were enacted under Section 43A of the IT Act.
2. KEY OBSERVATIONS
Some of our key observations on the Bill are outlined below.
2.1 Wide Definition of Sensitive Personal Data
The Bill has defined sensitive personal data to include personal data revealing or relating to password, financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe. Such a broad definition of sensitive personal data (for instance, to include passwords and financial data) is not in line with international data protection laws, which have provided a much narrower definition for sensitive personal data.
Therefore, foreign companies and multinational companies would face a higher compliance requirement under the data protection law in India. Such companies may find it difficult to adhere to these unique onerous compliance requirements, which would significantly affect their ease of doing business in India.
2.2 Data Localization
Every data fiduciary is required to store one serving copy of the personal data on a server or data centre that is located within the territory of India. The data fiduciaries are likely to find this obligation onerous, as it will increase operational costs for most of them. This restriction may also operate as a trade barrier and hinder the ability of global companies to transfer and process personal data across different jurisdictions.
Importantly, this requirement does not seem relevant in the context of a framework that seeks to protect the right to privacy of individuals. Hopefully, clarifications will be provided or interpretations will evolve in the future that allow such copies of data to be backed up on a periodic cycle rather than in real time; this may somewhat ease the burden of the data localisation obligation.
One alternative that could have been provided is a choice for companies either to localise the data or to appoint a representative, such as a data protection officer, who is responsible for making any data available as required by the Data Protection Authority.
2.3 Scope of Applicability
Under the Justice B. N. Srikrishna Report, an exception has been made based on the principle of territoriality. The Report states that any entity located in India that only processes personal data of foreign nationals not present in India may be exempted from the application of the Bill by the Central Government.
However, this exemption has not been brought out in the Bill. It is likely that this exemption would be provided under the rules adopted under the Bill. But if no such exemption is provided under the rules, the scope and applicability of the Bill may be more far-reaching than the GDPR.
Further, the term 'in connection with any business that is carried out in India', used in relation to the exercise of jurisdiction over any data fiduciary or data processor not located within India, is vague and lacks specificity.
2.4 Definition of Critical Personal Data
The Bill states that critical personal data shall only be processed in a server or data centre located in India. This effectively means that such data cannot be transferred to any country outside India. It may be a challenge for businesses to serve Indian consumers solely through data centres in India. Further, the Bill does not define the term critical personal data or give any guiding principles for its determination.
2.5 Excessive Liability
The Bill imposes liability on the directors of a company, or the officers in charge of the conduct of the business of the company, at the time of commission of the offence. This seems to be a draconian measure and takes an extreme stand, as even most international legislations such as the GDPR do not provide, in case of a data breach, for liability of the person responsible for the conduct of the business.
Further, due to a lack of clarity in the law, the directors and officers in charge may be held liable to pay the same quantum of penalties as may be imposed on the company. Additionally, there is a lack of clarity on the nature of liability imposed inter se between a data fiduciary and a data processor, or between multiple data processors, in case of a data breach.
2.6 Repeal of Section 43A of IT Act and IT Rules
Under the Bill, an exemption from obtaining the consent of the data principal for processing their data has been granted for certain employment-related matters. However, this ground for processing personal data can only be invoked if processing on the basis of consent is not appropriate having regard to the employer-employee relationship between the data fiduciary and the data principal, or would involve a disproportionate effort on the part of the data fiduciary due to the nature of the processing activities. With the Bill coming into effect, it may pose a challenge for employers to continue retaining data of their former employees, obtained during the course of employment, after their separation from the employer.
2.8 Periodic Review of Stored Personal Data
Under the Bill, data fiduciaries are under an obligation to conduct periodic reviews of the personal data stored with them so that it is not retained beyond the period necessary for the purpose of processing. The term periodic review is too general in nature, and the Bill does not specify whether such reviews need to be conducted monthly, bi-annually or annually. Further, this is most likely to increase operational costs for all companies.
Under the Bill, the data fiduciary is under an obligation to provide the data principal with adequate notice before collection of personal data. The notice is required to be clear and concise, and if necessary and practicable, the notice shall be in multiple languages. In a country like India with multiple languages, this may be an operational challenge and may increase the cost of compliance.
2.10 Data Protection Authority – Scope of authority
The Bill has vested the Authority with a wide range of administrative, discretionary, quasi-legislative and quasi-judicial powers. The powers vested in the Authority under the rules adopted under the Bill should be exercised in a manner that avoids any concentration of multiple conflicting powers and excessive delegation, which would defeat the purpose of the Bill. Further, the Bill does not make any provision for filing a class action suit or a representative suit in situations where a data breach affects a large number of individuals.
2.11 Status of TRAI Recommendations
The Telecom Regulatory Authority of India recently released its Recommendations on Privacy, Security and Ownership of Data in the Telecom Sector. The TRAI recommendations provide that, until the adoption of a general data protection legislation, the existing rules/license conditions applicable to telecom service providers for the protection of users' privacy be made applicable to all entities in the digital ecosystem.
Hence, it is uncertain whether the TRAI Recommendations offering sector-specific guidelines (such as encryption standards) will be applicable to data fiduciaries operating in the telecom sector along with the provisions of the Bill, or whether the TRAI Recommendations will cease to govern the privacy, security and ownership of data in the telecom sector.
2.12 INDUSLAW View
We believe that the Bill is a positive step towards building a well-trusted and strong data protection framework in India. However, apart from the challenges and observations listed above, there are certain ambiguities that need to be addressed and certain aspects that need to be subsequently notified or determined before the final law can be fully implemented.
We have set out our analysis in detail below.
3. APPLICABILITY AND PURPOSE
Under the current personal data protection regime in India, which is governed by the IT Rules, all government bodies and related organizations have been excluded from its purview. In contrast, the GDPR makes no such exception and applies to all entities that process personal data. The Bill has been drafted along the same principle and is applicable to all entities, whether or not such entities are controlled or owned by the government.
The IT Act, and hence the IT Rules, apply to the whole of India and to any offence committed outside India by any person, if the conduct that amounts to an offence involves a computer, computer system or computer network located in India. The effect of the offence being felt in India, or a threat to Indian security or the security of its citizens, and not the presence of the offender in India, is the key to establishing jurisdiction.
The Bill has adopted an enhanced principle of extra-territorial scope from the provisions of the GDPR. The Bill shall be applicable to processing[1] of personal data[2]: (i) where personal data has been collected, disclosed, shared or processed in any manner within the Indian territory; and (ii) where the processing has been undertaken by the government, by any Indian company, by any Indian citizen or by any person or body of persons that has been incorporated under Indian laws.[3]
The Bill thus recognises the principles of territoriality and nationality in defining the scope of its application. Further, the Bill shall also be applicable to processing undertaken by a data fiduciary[4] or data processor[5] not located within the territory of India (i) if such processing is in connection with any business that is carried out in India, or if there is any systematic activity of offering goods and services to data principals[6] within the territory of India; or (ii) in connection with any activity that involves profiling of data principals within the territory of India.[7]
The principle of extra-territorial application has been broadened under the Bill to cover offences even in cases which do not involve a computer, computer system or computer network in India, considerably improving the privacy rights of data principals. The long-arm jurisdiction of the Bill would bring India on par with international standards of data protection. However, there is a lack of clarity in the language of the law. The term 'in connection with any business that is carried out in India' is vague in nature and lacks specificity. Therefore, it would be advisable that the above term be separately defined or that an explanation be provided.
The extra-territorial jurisdiction of the Bill is in line with the terms of the GDPR. However, there are certain differences between the two legislations. The GDPR shall be applicable if foreign data controllers (equivalent to data fiduciaries) or data processors are offering goods and services to data subjects (equivalent to data principals) in the European Union. Processing of personal data in connection with business carried out in the European Union has been left out of its ambit.
Further, the Bill covers processing of personal data in relation to a systematic activity of offering goods or services to data principals in India, unlike the GDPR, which applies to all instances of offering goods or services, including irregular and ad hoc processing of personal data. With regard to processing of personal data of data subjects in the European Union in order to monitor their behaviour, the GDPR applies if such monitoring takes place within the territory of the European Union. In the case of the Bill, any processing of data involving profiling of data principals in India, regardless of where the profiling takes place, is covered.
Under the Report, an exception has been made based on the principle of territoriality. It states that any entity located in India that only processes personal data of foreign nationals not present in India may be exempted from the application of the Bill by the Central Government. However, this exemption has not been brought out in the Bill. It is likely that this exemption would be provided under the rules adopted under the Bill. But if no such exemption is provided under the rules, the scope and applicability of the Bill may be more far-reaching than the GDPR.
Further, the Report has suggested that the Bill shall not apply retrospectively, i.e. it shall only apply to ongoing or future processing activities and shall not apply to processing activities that have been completed before the law comes into effect.
4. DATA PROTECTION OBLIGATIONS
The Bill sets out the data protection obligations that are required to be fulfilled for processing personal data of any data principal. The data protection obligations are as follows.
4.1 Fair and Reasonable
Processing of personal data shall be conducted in a manner that is fair and reasonable and that respects one's right to privacy.[8]
4.2 Data Quality
The data fiduciary shall ensure that the personal data it processes is complete, accurate, not misleading and kept updated at all times.[9]
4.3 Purpose, Collection, and Storage Limitation
The personal data shall be processed only for purposes that are clear, specific and lawful. Processing of personal data shall be limited only to the purpose that has been specified or any incidental purposes reasonably expected by the data principal.[10]
With regard to the collection of personal data, it shall be limited to such data as is necessary for the processing.[11] Hence, broadly defined purposes, such as "improving user experience" or "marketing purposes", may not meet the standard set out under the Bill, and there must be a reasonable nexus between the actual use of the personal data collected and the list of purposes stated in the notice to data principals.
Additionally, the personal data shall be retained only for the time period necessary to fulfil the purpose of the processing.[12] The data fiduciary is under an obligation to undertake a periodic review of all its stored personal data to ensure that no personal data is retained for longer than the necessary time period.[13]
The term periodic review is too general in nature, and the Bill does not specify whether such periodic reviews need to be conducted monthly, bi-annually or annually. Although such a periodic review is likely to increase compliance costs for data fiduciaries, in the interest of privacy it is essential that the provision be retained and made more specific.
Notice is a significant step towards obtaining consent from the data principals for processing their personal data. Under the Bill, the data fiduciary is under an obligation to provide the data principal with adequate notice before collection of personal data, or as soon as reasonably possible if the personal data has not been collected directly from the data principal.
The notice shall be clear and concise and, if required and practical, shall also be provided in multiple languages.[14] Providing notice in multiple languages is an additional compliance requirement for data fiduciaries, considerably increasing their operational costs.
Among the other requirements regarding the contents of the notice, the notice shall state the purpose for which personal data is being processed and the categories of personal data collected. The data fiduciary shall provide its identity and contact details along with the contact details of the data protection officer (if applicable). Where the personal data has not been collected directly from the data principal, the notice shall mention the sources from which the personal data has been collected.
Other information, such as the names of the entities/persons with which the personal data shall be shared, information regarding cross-border transfer of personal data, and the time period for which the personal data shall be retained, shall also be included in the notice. Additionally, the notice shall inform the data principal about their right to withdraw consent and the right to file a complaint against the data fiduciary.
If a credit score has been assigned to the data fiduciary, such credit score shall also be mentioned in the notice. The Data Protection Authority (the "Authority") has reserved its right to add additional information as it deems fit.
The data fiduciary shall be accountable and responsible for protecting the personal data of the data principals. It is the responsibility of all data fiduciaries to ensure compliance with the provisions of the Bill.
The obligations of data protection are similar to the principles enumerated under the GDPR, bringing the data protection obligations in line with international best practices.[15] The GDPR enumerates the following principles of data processing: lawfulness, fairness, transparency, purpose and storage limitation, data minimisation, accuracy, integrity and confidentiality, and accountability.
However, under the IT Rules, the data protection obligations are limited only to the collection, use and storage of information falling in the category of sensitive personal information, excluding personal data from its ambit. Therefore, it is essential to extend the above data protection obligations to all personal data of a data principal, as achieved by the Bill.
Further, under the Bill a data fiduciary shall engage a data processor for processing personal data only through a valid contract between the two of them. However, certain non-negotiable clauses ought to be prescribed for inclusion in the contract between the data fiduciary and the data processor. Further, the data processor is barred from sub-contracting with another data processor unless there is a specific clause in the agreement between the data fiduciary and the data processor allowing the same.[16] However, assuming that the data processor is permitted to sub-contract with another data processor, the Bill does not discuss the manner in which such multiple data processors would be liable for breach of any provisions of the Bill.
5. CATEGORIES OF DATA
The Bill categorises data into three different categories: personal data, sensitive personal data and critical personal data.[17] Personal data has been defined under the Bill to mean "data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such feature with any other information".[18]
The definition of personal data is in line with the definition of personal data enumerated under the GDPR. Further, the definition also covers personal data that may indirectly lead to the identification of a natural person. This is important, as certain entities using modern technologies carry out targeted online advertising and use an individual's online activities and patterns to customise their advertisements. Although such data gathered from one's online activities may not be individually identifiable, when taken collectively it may result in identifying a person.
Sensitive personal data has been defined under the Bill to include personal data revealing or relating to password, financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe.[19] Currently, under the IT Rules, sensitive personal information includes only seven (7) categories of information: password; financial information; physical, physiological and mental health condition; sexual orientation; medical records and history; biometric information; and other details relating to the above categories provided for the purpose of providing services, or any of the above information received by a body corporate for processing under a lawful contract.[20]
Expanding the scope of sensitive personal data is not consistent with international standards and laws, which would mean that foreign companies or multinational companies would face stricter compliance requirements under Indian law. Such companies may find it difficult to adhere to such onerous compliance requirements, which would significantly affect their ease of doing business in India.
However, on the positive side, the remedies available to the data principal in case of a data breach extend to breaches of both personal data and sensitive personal data, unlike under the IT Rules, which provide for compensation only in case of a breach of sensitive personal information of a data principal. With regard to the term critical personal data, the Bill does not provide any specific definition. However, it states that the Authority may notify certain categories of data to be critical personal data.
It remains to be seen whether any additional data security requirements or compliances will be prescribed in relation to critical personal data. Further, it has been stated that the Bill shall not be applicable to the processing of anonymised data.[21] Even though anonymised data has been excluded from the ambit of the Bill, de-identified data continues to be treated as personal data and will be governed by the provisions of the Bill.
6. GROUNDS FOR PROCESSING PERSONAL DATA AND SENSITIVE PERSONAL DATA
With regard to the processing of personal data and sensitive personal data, the Bill provides the lawful grounds on which such data can be processed. Of these, the consent of the data principal is the primary ground for processing personal data or sensitive personal data. The others are grounds on which personal data or sensitive personal data can be processed without obtaining the consent of the data principal. These grounds are set out below. It is to be noted that the Bill does not provide any separate grounds for processing critical personal data.
Consent is the basic ground for processing personal data or sensitive personal data.[22] The consent of the data principal shall be free, informed, specific, clear and capable of being withdrawn.[23] The burden of proof to establish that the consent has been given lawfully lies with the data fiduciary.[24]
For processing sensitive personal data, in addition to the above requirements, the consent shall be provided explicitly, meaning that the data principal shall be informed about the possible consequences of the processing; it shall be clear without needing to refer to the context in which it had been provided; and it shall be specific in the context such that the data principal has the choice to give separate consents for different purposes, operations and uses of different categories of sensitive personal data relevant to the processing.[25]
This means that implied consent, inactivity or pre-checked boxes that indirectly signify consent may no longer be acceptable modes of consent under the Bill. The GDPR also recognises the importance of consent for processing personal data and the need for explicit consent for processing special categories of personal data.[26]
In India too, under the IT Rules and subject to certain other provisions, the consent of the individual is required before collecting, disclosing or transferring sensitive personal information. However, in the case of performance of a contract, there is a difference between the two legislations.
Under the Bill, performance of a contract cannot be made contingent on consent for processing personal data that is not necessary for that purpose. This is a departure from the current IT Rules, whereby an entity can deny performance of a contract (such as delivery of goods or performance of a service) if consent has not been given for processing personal data, regardless of whether such data is required to be processed in connection with the performance of the contract or not.
It is evident that consent is the primary ground for processing personal data. However, consent is not the only ground on which personal data may be processed. The Bill makes provision for other grounds on which personal or sensitive personal data can be processed without the need to obtain consent. Such grounds are as follows:
6.2 Functions of the State
Personal data or sensitive personal data (as the case may be) can be processed if such processing is necessary for the functioning of Parliament or any state legislature, or for exercising any function of the State such as providing any service or benefit to the data principal, or for issuing any certificate, licence or permit for any activity of the data principal.[27]
6.3 Compliance with Law or Any Legal Order
Personal data or sensitive personal data can be processed for complying with any provision of the law or any order of a court or tribunal.[28]
6.4 Prompt Action
Personal data and sensitive personal data can be processed without obtaining the consent of the data principal in situations where the processing is necessary to respond to medical emergencies, or to provide health services during any epidemic, outbreak of disease or any other threat to public health.[29] Further, processing of personal data can be undertaken for any prompt action that may be required in case of a breakdown of public order.[30]
6.5 Employment Related Action
Personal data can be processed if it is necessary for employment-related purposes such as recruitment, termination, assessment of performance, provision of any benefit to the data principal (employee), or verification of attendance of the data principal.[31]
However, this ground for processing personal data can only be invoked if processing on the basis of consent is not appropriate having regard to the employer-employee relationship between the data fiduciary and the data principal, or would involve a disproportionate effort on the part of the data fiduciary due to the nature of the processing activities.[32]
Although this is a reasonable ground to process personal data, it is important to impose strict obligations on the employer (data fiduciary) to first take all reasonable steps to obtain consent from its employee. Further, the law should clearly state that the burden of proof to establish that it was not reasonably possible for the employer to obtain consent shall strictly vest with the employer.
Additionally, many of the employers retain the personal data of their former employees for various purposes, several years post cessation of their employment. With the Bill coming into effect it may pose a challenge for employers to continue retaining data of their former employees, obtained during the course of employment, post their separation from the employer.
6.6 Reasonable Purposes
Personal data can be processed for reasonable purposes as may be specified by the Authority. The Authority may specify reasonable purposes such as prevention and detection of unlawful activity including fraud, whistle-blowing, mergers and acquisitions, network and information security, credit score, recovery of debt, and processing of publicly available personal data. As such reasonable grounds for processing personal data will be set out by the Authority, there is very limited scope for misusing this provision. Further, in this regard, the Authority would also prescribe safeguards for the protection of the rights of data principals.
Under the current IT Rules, the scope for processing personal data without consent is very limited. Information, including sensitive personal information (as defined under the IT Rules), can be shared with a third party without the consent of the information provider only with government agencies that are mandated under law to obtain such information, and for the purpose of verification of identity, or for prevention, detection, investigation (including of cyber incidents), prosecution and punishment of offences.[33]
Even under the GDPR, several grounds have been recognised for processing personal data and sensitive personal data without the consent of the data subject. However, the scope under the GDPR is a little wider than the scope under the Bill. For example, under the GDPR, processing is also considered lawful without the consent of the data subject when such processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.[34]
1. The term processing in relation to personal data has been defined under Section 2(32) of the Personal Data Protection Bill, 2018 to mean an operation or set of operations performed on personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
2. The term personal data has been defined under Section 2(29) of the Personal Data Protection Bill, 2018 to mean data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information.
3. Section 2(1) of the Personal Data Protection Bill, 2018.
4. The term data fiduciary has been defined under Section 2(13) of the Personal Data Protection Bill, 2018 to mean any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.
5. The term data processor has been defined under Section 2(15) of the Personal Data Protection Bill, 2018 to mean any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary.
6. The term data principal has been defined under Section 2(14) of the Personal Data Protection Bill, 2018 to mean any natural person to whom the personal data relates.
7. Section 2(2) of the Personal Data Protection Bill, 2018.
8. Section 4 of the Personal Data Protection Bill, 2018.
9. Section 9 of the Personal Data Protection Bill, 2018.
10. Section 5 of the Personal Data Protection Bill, 2018.
11. Section 6 of the Personal Data Protection Bill, 2018.
12. Section 10 of the Personal Data Protection Bill, 2018.
13. Section 10 of the Personal Data Protection Bill, 2018.
14. Section 8(2) of the Personal Data Protection Bill, 2018.
15. Article 5 of the General Data Protection Regulation, 2016.
16. Article 37 of the General Data Protection Regulation, 2016.
17. Article 40(2) of the General Data Protection Regulation, 2016.
18. Article 2(29) of the General Data Protection Regulation, 2016.
19. Section 2(35) of the Personal Data Protection Bill, 2018.
21. Section 2(3) of the Personal Data Protection Bill, 2018.
22. Section 12 of the Personal Data Protection Bill, 2018.
23. Section 12 of the Personal Data Protection Bill, 2018.
24. Section 12(4) of the Personal Data Protection Bill, 2018.
25. Section 18 of the Personal Data Protection Bill, 2018.
26. Article 9 of the General Data Protection Regulation, 2016.
27. Section 13 of the Personal Data Protection Bill, 2018.
28. Section 14 of the Personal Data Protection Bill, 2018.
29. Section 15 of the Personal Data Protection Bill, 2018.
30. Section 15(c) of the Personal Data Protection Bill, 2018.
31. Section 16(1) of the Personal Data Protection Bill, 2018.
32. Section 16(2) of the Personal Data Protection Bill, 2018.
33. Rule 6(1), proviso, of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
34. Article 6(1)(b) of the General Data Protection Regulation, 2016.