Libertatem Magazine

The Personal Data Protection Bill, 2019: A Regulatory Overview


Introduction

The Personal Data Protection Bill, 2019 (Bill) was introduced in the Lok Sabha, the lower house of the Indian Parliament, on December 11, 2019 by the Ministry of Electronics and Information Technology (Central Government). In August 2017 the Central Government had constituted an expert committee headed by retired Justice B.N. Srikrishna (Committee) to prepare draft legislation for the protection of the personal and sensitive information of individuals, along with a report on the best international practices in this area. The Committee submitted its report and a draft personal data protection bill to the Central Government in July 2018, and the Central Government formulated the present Bill on that basis, with certain changes.

The Bill is presently being examined by a joint parliamentary committee of both houses (“JPC”) in consultation with various stakeholders. Based on the inputs received, the JPC is to submit its report on the amendments that should be incorporated before the Bill is enacted by both houses of Parliament, which the author expects during the session scheduled for August 2020.

The Bill draws on the principles laid out in the European Union’s General Data Protection Regulation (“GDPR”) and on the landmark Supreme Court judgment in Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India (W.P. (Civil) No. 494 of 2012), in which the apex court held that the privacy of an individual is a fundamental right under the Indian Constitution (“SC Decision”).

The Bill will most likely apply prospectively, since it is silent on retrospective enforcement. It cannot, however, take effect immediately: it requires a Data Protection Authority (DPA) to be established, and the rules and regulations under it are yet to be framed and notified by the Central Government.

Once enacted, the Bill will do away with Section 43A of the Information Technology Act, 2000 (compensation for failure to protect data) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 framed under it, and will prevail over any other law inconsistent with it (e.g., sector-specific laws).

Applicability of the Bill

The provisions of the Bill apply to all ‘entities’ (Data Fiduciaries, defined later) that process ‘data’ (personal or sensitive information) of individuals (Data Principals, defined later) where such data has been collected, disclosed, shared or otherwise processed within the territory of India. ‘Processing’ covers operations such as collection, storage, adaptation, retrieval, dissemination and erasure, and the Bill separately regulates profiling, i.e. analysing or predicting the behaviour, attributes or interests of a Data Principal from such data.

The entities that process data include companies, individuals, other juristic entities and the Government, and are described under the Bill as Data Fiduciaries (defined later). The Bill broadly categorizes Data (defined later) into ‘Personal Data’, ‘Sensitive Personal Data’ and ‘Critical Personal Data’ (each defined later).

The Bill also extends to Data Fiduciaries and Data Processors not present within India, where the processing is in connection with any business carried on in India, with any systematic activity of offering goods or services to Data Principals within India, or with any activity that involves profiling Data Principals within India.

The Bill does not exclude the data of foreign nationals from its scope merely because they are not Indian citizens; processing of such data within India by a Data Fiduciary is covered. The only relief for such processing is the exemption power described below.

The Bill does not apply to the processing of anonymized data, i.e. data from which the identity of a Data Principal cannot be determined. Anonymization is defined as an irreversible process of transforming or converting Personal Data into a form in which the Data Principal cannot be identified, meeting the standards of irreversibility specified by the DPA. Those standards are yet to be laid down by the DPA through a ‘code of practice’ (i.e. procedural rules and regulations). Until they exist, a Data Fiduciary cannot safely assume that data it considers anonymized falls outside the Bill.

The Bill further empowers the Central Government to exempt the processing of Personal Data of Data Principals located outside India, where such processing is carried out by a Data Processor (defined later) in India pursuant to a contract with a person located outside India, including a company incorporated outside India.

Important Definitions under the Bill

The Bill introduces new nomenclatures to consolidate general terminologies and remove ambiguities. Some of the key terms are defined as follows:

  1. “Data” means a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means.
  2. “Data Fiduciary” means any person, including the State, a company, any juristic entity, or any individual, who alone or in conjunction with others determines the purpose and means of the processing of Personal Data.
  3. “Data Processor” means any person, including the State, a company, any juristic entity, or any individual, who processes Personal Data on behalf of a Data Fiduciary.
  4. “Data Principal” means the natural person to whom the Personal Data relates.
  5. “Financial Data” means any number or other Personal Data used to identify an account opened by, or a card or payment instrument issued by, a financial institution to a Data Principal, or any Personal Data regarding the relationship between a financial institution and a Data Principal, including financial status and credit history.
  6. “Personal Data” means data relating to a natural person who is identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or a combination of such features with any other information, and includes any inference drawn from such data for the purpose of profiling.
  7. “Sensitive Personal Data” means such Personal Data as may reveal, be related to, or constitute Financial Data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, or religious or political belief or affiliation.
  8. “Critical Personal Data” means such Personal Data as may be notified by the Central Government to be Critical Personal Data.

Key Takeaways from the Bill

A. Obligations of Data Fiduciary

i. Consent Requirement from Data Principals with minor Exceptions

The Bill requires a Data Fiduciary to give notice to the Data Principal and obtain his/her consent no later than the commencement of processing. Such consent must be free, informed, specific, clear, and capable of being withdrawn, and must relate to the purpose for which the Data is to be processed. To process Sensitive Personal Data, consent must additionally be explicit: it must be obtained after informing the Data Principal of the purpose of, and any operation in, the processing that is likely to cause significant harm, it must be given in clear terms and not inferred from conduct, and the Data Principal must be given the choice of consenting separately to each purpose.

Withdrawing consent must be as easy as giving it. However, if consent is withdrawn without a valid reason, the legal consequences of the effects of such withdrawal are to be borne by the Data Principal.

In specific instances, consent from a Data Principal is not required for processing Personal Data and/or Sensitive Personal Data (these grounds are set out in part ii below), such as processing for certain functions of the State, compliance with an order of a court, or responding to medical emergencies, disasters or a breakdown of public order. Separately, the Bill relaxes the notice requirement itself where giving notice would substantially prejudice the purpose of such processing.

The Data Fiduciary is obliged to give notice to the Data Principal at the time of collection of his/her Personal Data, and, where the Personal Data is not collected from the Data Principal directly, as soon as reasonably practicable thereafter. This notice must contain (i) the purposes for which the Personal Data is to be processed; (ii) the nature and categories of Personal Data being collected; (iii) the identity and contact details of the Data Fiduciary (including its data trust score, if applicable) and the contact details of its data protection officer (DPO); (iv) the rights of the Data Principal (explained in part C of this note); (v) information about sharing, cross-border transfer and retention of the Personal Data; (vi) the procedure for grievance redressal; and (vii) any other information as may be specified by regulations.

The Bill also restricts the retention of Personal Data beyond the period necessary for the purpose for which it was collected, and requires the Data Fiduciary to delete the data once the purpose is satisfied unless the Data Principal has explicitly consented to longer retention or retention is necessary to comply with an obligation under law. The Data Fiduciary must also take necessary steps to ensure that the Personal Data it processes is complete, accurate, not misleading and updated, having regard to the purpose of processing, and must correct or update it on the request of the Data Principal.

ii. Exemptions to Consent Requirement from Data Principals 

Consent, subject to specific exceptions, is given paramount importance in the Bill. Without consent, a Data Fiduciary or Data Processor may not process the Personal Data and/or Sensitive Personal Data of a Data Principal. The exemptions from this requirement are as follows.

(a) Government Authorities

Personal Data may be processed without consent for the performance of any function of the State (meaning government bodies) authorised by law, such as the provision of any service or benefit to the Data Principal by the State, or the issuance of any certificate, license or permit required for an activity proposed to be undertaken by the Data Principal. Processing may also be carried out without consent to comply with any law in force or any order or judgment of a court or tribunal, or to respond to a medical emergency, an epidemic or other threat to public health, a disaster, or a breakdown of public order.

(b) Data Fiduciary Employers

The Bill allows employers to process Personal Data (not being Sensitive Personal Data) that is necessary for the recruitment or termination of a Data Principal employed by the Data Fiduciary, for providing services or benefits to the employee, for verifying attendance, or for assessing performance. This ground is available only where obtaining consent is not appropriate having regard to the employment relationship, or would involve disproportionate effort on the part of the Data Fiduciary.

(c) Other Exceptions 

Processing may also be carried out for other ‘reasonable purposes’. The Bill illustrates these with the prevention and detection of unlawful activity including fraud, whistleblowing, mergers and acquisitions, network and information security, credit scoring, recovery of debt, processing of publicly available Personal Data, and the operation of search engines. Unlike the equivalent ‘legitimate interests’ ground under the GDPR, these reasonable purposes, although illustrated in the Bill, must be specified by regulations that are yet to be notified. Until such regulations are framed and notified, it is unlikely that any Data Fiduciary can rely on this ground.

iii. Children as Data Principals 

Where the Data Principal is a child, i.e. below the age of 18 years, the Data Fiduciary is required to verify the age of the Data Principal in a manner that will be prescribed, and to obtain the consent of the child’s parent or guardian before processing the child’s Personal Data and/or Sensitive Personal Data.

The Bill places additional obligations on certain Data Fiduciaries who operate commercial websites or online services directed at children or process large volumes of children’s data, which are classified under regulations as ‘guardian data fiduciaries’. Guardian data fiduciaries are prohibited from profiling, tracking, behavioral monitoring, or targeted advertising directed at children, or undertaking other processing that may cause significant harm to children.

iv. Consent Managers

The Bill introduces the concept of a ‘consent manager’: a Data Fiduciary that enables a Data Principal to give, withdraw, review and manage his/her consent through an accessible, transparent and interoperable platform. Consent managers will be required to register with the DPA, and consent given or withdrawn through a registered consent manager is treated as given or withdrawn to the Data Fiduciary concerned.

v. Social Media Intermediaries

The Bill also introduces the concept of a ‘social media intermediary’ (SMI): an intermediary that primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services. SMIs do not include intermediaries that primarily enable commercial or business-oriented transactions, provide access to the internet, or are in the nature of search engines, online encyclopedias, email services or online storage services.

The DPA may notify any Data Fiduciary or class of Data Fiduciaries as ‘significant’ Data Fiduciaries (SDFs), based on factors such as the volume of Personal Data processed, the sensitivity of such Data, the annual turnover of the Data Fiduciary, the risk of ‘Harm’ (explained in part B of this note) from the processing, the use of new technologies, and any other factor relevant to the harm that may be caused to Data Principals by such processing. SDFs are required to register themselves with the DPA.

In addition, the Central Government, in consultation with the DPA, may notify an SMI as an SDF where the number of its users exceeds a prescribed threshold and its actions have, or are likely to have, a significant impact on electoral democracy, the security of the State, public order, or the sovereignty and integrity of India.

Every SMI notified as an SDF must enable its users within India (or users registering from India) to voluntarily verify their accounts, and every verified account must be given a demonstrable and visible mark of verification that is publicly visible to all users.

At this stage, there is no clarity on what documents will be accepted for verification of the accounts of Data Principals and what consequences (if any) will follow from this verification.

SDFs are also subject to more onerous compliance obligations, such as (a) having their policies and processing audited annually by an independent data auditor, (b) maintaining records of their data life-cycle operations, (c) conducting data protection impact assessments before undertaking any processing involving new technologies or large-scale profiling, and (d) appointing a DPO to monitor their processing activities.

vi. Data Localization Requirements

The Bill does not restrict the transfer or processing of Personal Data (other than Sensitive Personal Data and Critical Personal Data) outside the territory of India.

However, while Sensitive Personal Data can be transferred outside India, a local copy of such Data must be stored in data centers or servers located in India.

Sensitive Personal Data may be transferred abroad only with the explicit consent of the Data Principal for such transfer. Moreover, the transfer must be made pursuant to a contract or an intra-group scheme approved by the DPA, or to a country, entity or international organisation that the Central Government has notified as permissible, or for a specific purpose that the DPA has permitted.

Critical Personal Data may be processed only in India. Its transfer abroad is permitted in only two cases: (a) to a person or entity engaged in the provision of health services or emergency services, where the transfer is necessary for prompt action in the face of a threat to the life or a severe threat to the health of a Data Principal; and (b) to a country, or an entity or class of entity in a country, or an international organisation, that the Central Government has deemed permissible and where, in the opinion of the Central Government, the transfer does not prejudicially affect the security and strategic interests of the State.

B. Harm

Under the Bill, ‘harm’ is defined to include, among other things, any denial or withdrawal of a service, benefit or good (such as a loan or employment) resulting from an adverse ‘evaluative decision’ about the Data Principal. What constitutes an ‘evaluative decision’ is not defined in the Bill. It will likely cover predictive decisions, based on the processing of Data, that determine whether a Data Principal should be provided with entitlements such as loans or employment.

The definition of ‘harm’ does not distinguish between evaluative decisions that are prejudicial to or discriminatory against the Data Principal and evaluative decisions that are otherwise justifiable. Hence it is conceivable that the mere act of denying a Data Principal goods, services or benefits on the basis of an evaluative decision could constitute harm to that Data Principal.

Although a Data Principal can claim compensation only for harm suffered as a result of a violation of a provision of the Bill, and not for harm per se, this may have unintended consequences. For instance, if a Data Fiduciary is unable to provide the Data Principal with a summary of the processing it undertook to arrive at its evaluative decision, it would violate the Data Principal’s ‘right to confirmation and access’ (explained in part C, point i below). In such an event the Data Principal could claim compensation, even though the denial of service by the Data Fiduciary may have been entirely justified.

C. Rights of the Data Principal

The rights of the Data Principal are central to the Bill, whose object is the protection of Personal Data in the digital age.

To solidify and consolidate these rights given to the Data Principal, the Bill also prescribes the method in which a Data Principal may exercise his/her rights.

To exercise the rights mentioned below, other than the right to be forgotten (explained in point iv below), the Data Principal must first make a request in writing to the Data Fiduciary. Should the Data Fiduciary reject the request for any reason, it must communicate the reasons in writing to the Data Principal, along with a statement of the Data Principal’s right to file a complaint against the decision. The Bill provides the following rights to Data Principals:

i. Right to Confirmation and Access

The Data Principal has the right to know whether the Data Fiduciary is processing or has processed his/her Personal Data. Furthermore, they have the right to receive a summary of activities undertaken by the Data Fiduciary relating to such processed Data. The aforementioned information must be provided by the Data Fiduciary to the Data Principal whenever requested, in a concise and reasonable manner.

The Data Principal also has the right to know the Data Fiduciaries with which his/her personal data has been shared, including the category of Data that was shared in a manner that will be prescribed by the regulations.

ii. Right to Correction and Erasure 

The Data Principal has the right to require the Data Fiduciary to correct inaccurate or misleading Personal Data, complete incomplete Personal Data, update Personal Data that is out of date, and erase Personal Data that is no longer necessary for the purpose for which it was processed.

However, the Data Fiduciary may refuse such a request by providing its justification to the Data Principal in writing. Should the Data Principal not accept that justification, he/she may require the Data Fiduciary to take reasonable steps to indicate, alongside the relevant Personal Data, that its accuracy or completeness is disputed by the Data Principal.

iii. Right to Data Portability 

When the processing of data has been carried out by automated means, the Data Principal has the right to receive a structured report in a machine-readable format that contains all Personal Data about the Data Principal that the Data Fiduciary possesses, whether obtained directly or indirectly. 

Additionally, the Data Principal has the right to have his/her Personal Data transferred to another Data Fiduciary. This right may not be exercised, however, where such a transfer would reveal a trade secret, would not be technically feasible, or would not be in compliance with the law or a judicial pronouncement.

iv. Right to be Forgotten 

The Data Principal has the right to restrict or prevent the continuing disclosure of his/her Personal Data by a Data Fiduciary where the disclosure has served the purpose for which it was made or is no longer necessary for that purpose, where the disclosure was made on the basis of consent that has since been withdrawn by the Data Principal, or where the disclosure was made contrary to any law in force. To exercise this right, the Data Principal must make an application to an Adjudicating Officer, who decides whether the Data Principal’s interest outweighs the right to freedom of speech and the right to information of any other person.

D. Other Regulatory Compliance Obligations of Data Fiduciaries

i. Privacy by Design Policy to be certified by DPA

The Bill makes it mandatory for every Data Fiduciary to prepare a ‘privacy by design policy’ (PDP) setting out the managerial, organisational, business practices and technical systems by which it gives effect to the principles of this data protection regime. While privacy by design features in most global privacy legislation, the Bill requires every Data Fiduciary to frame it as a policy and gives the Data Fiduciary the option of submitting its PDP to the DPA for certification. Once certified, the PDP must be published on the websites of both the Data Fiduciary and the DPA.

ii. Transparency and Accountability Measures

The Bill details the transparency a Data Fiduciary must maintain about its practices for processing Personal Data. A Data Fiduciary must make available, in an easily accessible form, information such as (a) the categories of Personal Data it collects, (b) the purposes and manner of such collection, (c) the existence of and procedure for exercising the rights of a Data Principal, and the contact details for doing so, (d) the existence of the right to file a complaint with the DPA, and (e) information regarding cross-border transfers of Personal Data. A Data Fiduciary must also periodically notify Data Principals of important operations in the processing of their Personal Data.

iii. Safeguards for Security 

Every Data Fiduciary, as well as Data Processor, is required to implement internal controls and safeguards, including (a) the use of de-identification and encryption; (b) steps necessary to protect the integrity of Personal Data; and (c) measures to prevent misuse, unauthorized access to, modification, disclosure or destruction of Personal Data. These safeguards must be implemented taking into account the nature and scope of processing, the risks associated, and the likelihood of harm that may be caused to the Data Principal and must be reviewed periodically.
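The Bill names de-identification and encryption as safeguards but, as noted under Applicability, leaves the standards to the DPA. The following is an added example from the editor, not from the Bill or this article, of what de-identification of a Data Principal record can look like in practice: direct identifiers are replaced with keyed HMAC-SHA256 tokens, with the key held apart from the data. Two points of the Bill show up in the code. First, this is de-identification, not anonymization in the Bill’s sense: the key holder can still confirm a guess, so the data remains Personal Data and stays within the Bill. Second, re-identification by anyone else is only possible with the key, which is the scenario the Bill’s criminal sanction for unauthorised re-identification (part G) contemplates. The record layout, field names, sample values and the choice of token construction are all assumptions made for this illustration.

```python
"""De-identification of a Data Principal record by keyed pseudonymisation.

Added example, not from the Bill or the article. The record layout, field
names and sample records below are constructed for illustration; the choice
of HMAC-SHA256 tokens under a separately held key is the editor's, not a
standard the Bill or the DPA has specified.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Fields treated as direct identifiers (assumed layout of the fiduciary's records).
DIRECT_IDENTIFIERS = ("name", "email", "official_id", "phone")

# Constructed sample records; every value is invented.
SAMPLE_RECORDS = [
    {"name": "A. Sharma", "email": "a.sharma@example.org",
     "official_id": "XXXX-1234", "phone": "+91-00000-00000",
     "city": "Pune", "credit_band": "B"},
    {"name": "B. Rao", "email": "b.rao@example.org",
     "official_id": "XXXX-5678", "phone": "+91-11111-11111",
     "city": "Pune", "credit_band": "A"},
]


def new_pseudonymisation_key() -> bytes:
    """A 256-bit key; in practice kept in a KMS/HSM, separate from the data."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed token for one identifier value.

    The field name is mixed into the MAC so the same string appearing in two
    different fields yields two different tokens, limiting cross-field linkage.
    Values are normalised (trimmed, lower-cased) so trivial variants map to
    the same token and records for one principal stay linkable.
    """
    msg = field.encode() + b"\x00" + value.strip().lower().encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]


def deidentify(key: bytes, record: dict) -> dict:
    """Replace every direct identifier with its token; other fields are kept."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field] = pseudonym(key, field, str(value))
        else:
            out[field] = value
    return out


def is_deidentified(record: dict, original: dict) -> bool:
    """Check that no direct-identifier value from the original survives."""
    for field in DIRECT_IDENTIFIERS:
        if field in original and original[field] in record.values():
            return False
    return True


def reidentify(key: bytes, field: str, token: str,
               candidates: Iterable[str]) -> Optional[str]:
    """What re-identification costs: the key plus a candidate list.

    A token cannot be inverted; it can only be matched against recomputed
    tokens for values the caller already holds. Without the right key no
    candidate matches, which is why the key must never sit with the data.
    """
    for value in candidates:
        if hmac.compare_digest(pseudonym(key, field, value), token):
            return value
    return None


def demo() -> list:
    """Run the safeguard over the sample records and return the result."""
    key = new_pseudonymisation_key()
    deid = [deidentify(key, r) for r in SAMPLE_RECORDS]
    # Direct identifiers are gone, non-identifying fields are kept.
    assert all(is_deidentified(d, r) for d, r in zip(deid, SAMPLE_RECORDS))
    # Another key yields unrelated tokens: a leaked table alone does not
    # re-identify anyone.
    other = new_pseudonymisation_key()
    assert reidentify(other, "email", deid[0]["email"],
                      ["a.sharma@example.org"]) is None
    return deid


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Encryption of the stored records would be layered on top of this (the standard library offers no authenticated cipher, so it is not shown); the point the example makes is the separation of the key from the de-identified data, which is what turns a breach of the table into a breach of tokens rather than of Personal Data.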

iv. Reporting of Breach of Personal Data

A Data Fiduciary must notify the DPA, as soon as possible and within the period to be stipulated by the DPA in its regulations, of any breach of Personal Data that is likely to cause harm to any Data Principal. The notification must include the nature of the Personal Data breached, the number of Data Principals affected, the possible consequences of the breach, and the measures being taken to remedy it. Where this information cannot be provided at once, the Data Fiduciary may provide it in phases as it becomes available.

The DPA will determine the extent of such breach and whether such breach should be reported by the Data Fiduciary to the Data Principal, taking into account the severity of harm to the Data Principal and whether some action is required from the Data Principal to mitigate such harm. The DPA may also direct the Data Fiduciary to take remedial action and to publish the details of the breach on its website, and additionally may also post such details on its website.

v. Processing of Personal Data by Third Parties 

A Data Fiduciary may engage a Data Processor to process Personal Data on its behalf only under a valid contract. A Data Processor may not sub-contract the processing without the authorization of the Data Fiduciary, whether given contractually or otherwise. Further, the Data Processor must process the Personal Data only in accordance with the instructions of the Data Fiduciary, unless otherwise required by law.

vi. Grievance Redressal Mechanism 

Every Data Fiduciary is required to put in place a mechanism for the efficient and expeditious resolution of Data Principals’ grievances. A Data Principal may file a complaint about any contravention of the Bill that has caused, or is likely to cause, harm to him/her with the DPO (in the case of an SDF) or with the officer designated for the purpose (in the case of any other Data Fiduciary).

Such complaints must be resolved within 30 (thirty) days. If this timeline is not met, or if the Data Principal is not satisfied with the resolution, he/she may file a complaint with the DPA.

E. Exemptions under the Bill

The Bill carves out multiple exemptions to its applicability. They are discussed as follows:

i. Exemption to Government Agencies 

Where the Central Government is satisfied that it is necessary or expedient in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, it may by an order in writing, stating its reasons, direct that any or all provisions of the Bill shall not apply to a specified agency of the Government. Such an exemption is subject to the procedure, safeguards and oversight mechanism that are to be prescribed.

ii. Exemptions for processing certain categories of Personal Data

Certain specified provisions will not apply where Personal Data is (a) processed in the interest of the prevention, detection, investigation or prosecution of any offence or other contravention of law, (b) disclosed for, inter alia, the enforcement of a legal right or claim, (c) processed by any court or tribunal, (d) exempted by the Central Government where the processing of Personal Data of Data Principals outside India is carried out under a contract with a person outside India, (e) processed by a natural person for a purely personal or domestic purpose, (f) processed for a journalistic purpose, (g) processed for research, archiving or statistical purposes, or (h) processed manually by a small entity.

iii. Sandbox provision

To encourage innovation in artificial intelligence, machine learning and other emerging technologies in the public interest, the Bill empowers the DPA to create a regulatory sandbox.

Data Fiduciaries included in the sandbox are exempt from specified compliance requirements, namely the obligation to specify the purpose of processing, the limitation on collection of Personal Data, the obligations that depend on those two, and the restriction on retention of Personal Data. Only Data Fiduciaries whose PDPs have been certified by the DPA are eligible to apply for inclusion. The application must set out (a) the term of inclusion sought (not exceeding 12 (twelve) months), (b) the innovative use of technology and its beneficial uses, and (c) the Data Principals participating or being experimented with under the proposed processing. The DPA may renew the term, subject to a total of 36 (thirty-six) months, and must specify the safeguards that apply during the term of inclusion.

F. Data Protection Authority of India 

The three main duties of the DPA are to protect the interests of the Data Principals, ensure compliance of the Bill, and prevent any misuse of Personal Data.

The chairperson and members of the DPA will be appointed by a selection committee that shall consist of (i) the Cabinet Secretary, (ii) the Secretary of the Department of Legal Affairs, and (iii) the Secretary of the Ministry of Electronics and Information Technology.

The DPA will be tasked with the responsibility of ensuring compliance of the provisions of this Bill, taking prompt and appropriate action in response to breaches of Data, maintaining a website that would also contain names of SDFs along with their data trust score ratings as assigned to such SDFs, examining audit reports, issuing registration certificates to data auditors, conducting inquiries and investigations against Data Fiduciaries based on complaints made by Data Principals amongst other administrative functions.

The DPA has also been empowered with the power to issue directions, the power to call for information, and the power of search and seizure.

However, the most important function of the DPA will be to formulate the procedural rules and regulations that would be provided in detail in its ‘Codes of Practice’, which would relate to compliances such as the form of notices, Data retention periods, grounds for the processing, method for exercise of rights by Data Principals, specific measures or standards for security and safeguards for Personal Data, cross border transfer of Data, breaches of Personal Data, data protection impact assessments, processing of de-identified Data for research, archiving or statistical purposes, etc. 

Therefore, the new data protection regime in India will only be given life once the DPA is constituted and when the DPA frames the Codes of Practice that would be applied either generally or to a particular industry or sector. 

G. Penalties and Compensation

Similar to the European Union’s GDPR, the Bill prescribes turnover-linked penalties for Data Fiduciaries. For the most serious contraventions, the penalty may extend to the higher of INR 150 million (Indian Rupees One Hundred and Fifty Million, i.e. INR 15 crore) or 4% of the Data Fiduciary’s total worldwide turnover for the preceding financial year.

The Bill also prescribes criminal sanctions where a person knowingly or intentionally re-identifies Personal Data that has been de-identified by a Data Fiduciary or Data Processor, or processes such re-identified data, without the consent of that Data Fiduciary or Data Processor. An aggrieved Data Principal is also entitled to recover compensation from the Data Fiduciary or Data Processor, on a complaint to the Adjudicating Officer, for any violation of his/her rights under the Bill.

Concluding Remarks

The Bill, while moving in the right direction of creating a robust data protection regime in India, does not provide for a transition period for its implementation. Given that the DPA is yet to be established and the Codes of Practice (which would contain all the procedural rules and regulations) are yet to be framed, it is highly unlikely that the Bill could be enforced overnight or upon immediate notification. Even the GDPR gave entities in the European Union two years between its adoption in 2016 and its application in May 2018 to comply, since segregating data and storing it with its associated consent requires a substantial overhaul of a company’s internal operations.

The JPC is currently reviewing this Bill and may propose amendments to it before submitting it to both houses of the Indian Parliament for its enactment subject to further changes.

