Gear up for the privacy debate: India’s Personal Data Protection Bill 2019

The last couple of years have seen private and public sector enterprises across the globe harnessing the power of data extensively, delivering insights and enhancing user experience. However, the notion of data privacy has gained importance only recently. Astute consumers have become wary of assenting to user consent, having their personal information leveraged for commercial purposes and countries have questioned the schematics of the great privacy debate.

India recognized the need to introduce the “right to privacy” as an independently enforceable right to its residents, and the government further extended this mandate to set up the Srikrishna Committee led by Justice B.N. Srikrishna, former Supreme Court judge. The Committee submitted the first draft of the Indian Personal Data Protection Bill 2018 (thereafter referred to as the “Bill”) to strengthen the protection of personal data and grant exclusive privacy rights to Indian residents. Subsequently, the Bill underwent a series of consultations and reviews to adjust to the current landscape and thereafter received the Union Cabinet’s approval on 4 December 2019. It is now referred to as the “Indian Personal Data Protection Bill 2019.”

Similar to EU’s Global Data Protection Regulation (GDPR), which was introduced in May 2018, the Bill attempts to strike a balance between the rights of the data principals (individuals) and growth of a data driven economy.

Scope and applicability

The Bill classifies data in three categories – personal, sensitive and critical. Personal data refers to that directly or indirectly identifies any individual either itself or through its combination with any other information. Sensitive personal data includes passwords, financial data, biometric and genetic data, social, political and religious data.

Irrespective of their geographical location, both public and private entities fall under the ambit of the Bill that may process the personal or sensitive personal data of Indian residents. However, anonymized processed data, wherein an individual cannot be identified is outside the scope of the proposed law.

Data fiduciaries – roles and responsibilities

Data fiduciaries are simply agencies processing user data. The Bill outlines that they must comply with certain criteria when collecting, processing, using, sharing, retaining and disposing of the personal or sensitive personal data. This would include:

  1. Being fair and reasonable to respect and protect the rights of the data principal
  2. Limiting the collection and processing of data to specific and lawful purposes
  3. Maintaining data as per quality standards and retaining until necessary to fulfill the purpose of data collection
  4. Giving a privacy notice with information on the subject’s rights at the time of data collection. As per the mandatory requirements specified in the Bill, the privacy notice should include:
    • The purpose and categories of the data processed
    • Identity and include contact details of the data fiduciaries and its Data Protection Officer (DPO)
    • Identities of the entities with whom the data would be shared, including cross-border data transfers
    • Existence and procedures to exercise data principal rights
    • Procedure for grievance redressal and the right to file a complaint with the Data Protection Authority (DPA)
  5. Sensitive data can be processed outside India’s territorial borders only after explicit consent is given by the data subject, but it must be stored only in India. Critical personal data can be processed and stored only within the Indian territory.
  6. Data fiduciaries would be held accountable for complying with all obligations defined in the Bill, irrespective if the data processing is undertaken by them or on their behalf by a third party

Drawing a parallel with GDPR – privacy rights and principles

The proposed draft of the Bill bears similarity to the GDPR in terms of its requirements, covering the principles of privacy by design, transparency, minimum security safeguards, accountability, mandatory data protection impact assessment, penalties and establishment of a DPA. Other similarities include the consent framework which states seeking specific, clear and freely given consent and which can be withdrawn at any point of time; for sensitive personal data, explicit consent needs to be taken.

The data principal rights that have been defined include:

  • Right to confirmation of data processing and access to processed personal data
  • Right to correct inaccurate, outdated or incomplete personal data
  • Right to data portability to enable subjects to receive their processed personal data in a structured and machine-readable format
  • Right to be forgotten to allow data principals to restrict or prevent data-processing under certain conditions.

In line with other data protection legislation, the Bill highlights data fiduciaries to mandatorily report a breach to the DPA as soon as its discovered. Depending on the sensitivity, they may be directed by the DPA to inform the data principal as well as publish the details on their website for public information. The notification is expected to include the category and volume of personal data breach, number of data principals impacted, possible consequences and the remedial action taken till date.

Potential roadblocks

As India seeks to create a new but complex legal regime to support data protection and privacy, there will be challenges to overcome around implementation and rollout. Some of the potential issues where key aspects may have to be clarified are as follows:

  • Cross-border data transfer – Data fiduciaries are expected to take explicit consent from the data principal, in addition to contractual clauses and intra-group schemes agreed between the transferring and receiving data entities. Certain jurisdictions may be exempted from this obligation if they may have adequate safeguards in place already, but subject to the government’s discretion and decision.
  • Data localization – Data fiduciaries are expected to store personal sensitive data records only in servers located in India. However, the industry has expressed some concerns over the categorization of financial data as sensitive data. This is largely because maintaining sensitive data copies only in India would increase their infrastructure cost of setting local servers. Additionally, the definition of critical personal data that should only be processed and stored within India is yet to clarified, and is a topic of discussion in the industry at large.
  • Data principal rights – The Bill mentions “right to be forgotten” as a data principal right allowing them to restrict or prevent the processing of data under certain conditions. But right now, there is still ambiguity if the data will be deleted by the fiduciaries or remain non-functional in the repositories, if user consent is withdrawn.
  • Privacy notice and consent – Being a multi-lingual nation where an average consumer doesn’t really read the “terms and conditions” can prove an uphill task when providing a privacy notice and seeking written consent. This is especially so when the “burden of proof” is expected to rest on the data fiduciaries.
  • Data breaches – Organizations are expected to inform DPA in case of data breach “as soon as possible”, but with no defined timeline. The decision to inform the data principals in case of a personal data breach rests on the DPA, which may introduce latency to notify those impacted.

Exemptions

Akin to most legislation, the Bill has exemptions for certain data processing activities. For instance, processing an individual’s personal data will not be subject to the obligations specified above, and the data principal will not have the rights defined if their personal data is processed for the purposes of the following:

  • Interest of national security
  • Prevention, detection, investigation and prosecution of any offence or contraventions to a law
  • Legal proceedings by court of law or any Tribunal in India
  • Personal or domestic purposes, with no connection to a professional or commercial activity
  • Journalistic purposes to exercise right to freedom of expression and information
  • Research, archival and statistical purpose
  • Manual processing by small organizations with an annual turnover of less than INR 20 lakhs and which do not process personal data of more than 100 data principals per day

Overall, the Bill has introduced a mix of privacy rights and already familiar GDPR principles, peppered with a unique set of data protection requirements. The industry as well as consumers are eager to understand more and align with its objective and requirements. Approved by the Union Cabinet during the Winter session of the Parliament, it has now been referred to a joint committee of the government for further refinement and is likely to be brought up during the Budget session. As we await more developments to unfold, it will be interesting to see how businesses will adjust to future changes around data processing activities as it evolves further.