India: Observations/Recommendations On Personal Data Protection Bill, 2018

Last Updated: 9 September 2018
Article by Anuja Nair
Most Read Contributor in India, January 2019

A historic military data sharing pact, COMCASA was inked yesterday by India-US at the 2+2 bilateral summit. As per the pact, high-end encrypted communication and satellite data would be shared giving Indian military access on platforms installed by the US. This is said to give us real-time information about the movements of other army troops and is said to be safer and more secure than the system India is currently using. The pact was signed amidst security concerns being raised for which a legal framework is put in place for the transfer or sharing of data. The US has also agreed that the data obtained by them through these systems agreeable through the pact would not be shared with a third party without consent. The Data Protection Bill which is under due consideration around the same time however gives the Government extensive freedom to process personal data for necessity and security reasons.

Around few months before the landmark judgment wherein the Hon'ble Supreme Court has asserted 'Right to Privacy' to be a fundamental right, the Government had announced demonetization, encouraging the country to be on the path of being a digital economy. Digitalization would involve a lot of data to be shared, escalating the risk of it being misused or manipulated. How are we supposed to digitize to connect globally and also safeguard our fundamental right of privacy the same time?Laws on 'Data Protection' have been long-awaited and requisite at this moment.

In July 2018, the TRAI chief RS Sharma had challenged the twitterati to show him that the government claimed secure Aadhar number could by misused by posting his 12 digit number on social media. This came with the statement that a person's Aadhar details are safe and secure and there are no privacy concerns. However, in no time, the post that was heavily shared, his personal details were dug out and leaked by the ethical hackers who made the payment of 1 Re in his account via Aadhar enabled payment service only using apps like PayTM. The UIDAI contested that the personal details were in the public domain and were not obtained by misusing his Aadhar number. The Supreme Court is yet to decide on the constitutionality fate of the Aadhar that is under challenge through various petitions.

This was happening against the backdrop of the various consultations on the data privacy and protection that were being carried out by 'The Expert Committee headed by Justice B.N. Srikrishna'. A report and a draft Bill were submitted to the Ministry of Electronics and Information Technology by the Expert Committee. After various consultations and studying the privacy laws globally for over a year, the draft bill, nonetheless, seems to be in line with the GDPR (General Data Protection Regulation) adopted by the European Union recently. The said Regulations itself are in their nascent stage and would be subject to a lot of modifications as per the current global technological and data privacy need. In such a scenario, the draft Bill which is quite similar to GDPR though positively drafted, there is little understanding of the technology, is quite ambiguous and unclear in certain areas. It would necessarily require a lot of fixations and revisions before the final draft can be cleared by the Ministry. Thus, further consultations and opinions of the general public, organizations, stakeholders, third parties or recipients of the data may be welcomed to have a fair understanding of the global technological advancements and the mass data shared before finalizing on the Bill.

Need of a data privacy law: Most of us would have noticed or felt our emails being read secretively by technological giants like Google. Say for example, if you plan a trip and intend to stay at some hotels with prior bookings online, you receive a mail confirming your itinerary. The technological advancement is so extensive that your very own google calendar reminds you of the date when you have to travel or check in.

It has been laid down by the Supreme Court in Puttaswamyv. UOI, that privacy is a fundamental right. By the country being in the path of becoming an absolute digital economy, the laws have to keep pace with the developing technology and thus it was imperative for a comprehensive data privacy and protection law to be passed.

The Bill is extra territorial and extends to any business, systematic activity or activity where the data fiduciaries or data processors are not present within the territory of India but the data processing and profiling is carried on within the territory of India. This is a welcome move where the scope of the forthcoming privacy Act would be extended.

Observations on the Draft Bill:

The current draft of the Bill is ambiguous and unclear in many areas and thus it would lead to a lot of confusions if the Bill is passed as it is without a much needed clarity.

a) Segregation of personal data & sensitive data: The draft Bill includes comprehensive definitions of personal data and sensitive data and separates these two. Personal data as per the said Bill means any data which can directly or indirectly identify the natural person whereas a list is being provided as being sensitive personal data which also includes intersex status, religious or political beliefs or affiliations.

The Bill doesn't talk about how the already existing mass volume of data of the data principal (natural person to whom the data relates) be segregated into personal and sensitive data. This is an added burden on the data fiduciaries (the one who alone or in conjunction with others determines the purpose and means of processing of personal data) and data processors (the one who processes the personal data on behalf of data fiduciary but doesn't include an employee of the data fiduciary).

Also, how such segregation would serve the purpose of privacy or protection from unrequited surveillance. Sensitive data, say for example religious beliefs, biometrics, political affiliations or health data can also be collected through google searches or a combinations of various other factors.

As reported in New York Times, a man walked into a Target company store demanding the reason of a mail with coupons for baby clothes and cribs being sent to his teen daughter. The manager was baffled and had no explanation. Conversely, it later came out to be that the man's daughter was in fact pregnant. The digital world knew way before her father could have an inkling of it. How eerily accurate Target was in data mining their shopping details and sending exact coupons to people knowing what they need and would make them happy. Such sensitive information is reached at through various other details.

b) Ownership of data: There have been a lot of debates as to who would be the owner or custodian of the data that is being collected, shared and processed in such a high volume. The draft Bill is silent on this issue. This is in stark contrast to the TRAI recommendations that find the users as the primary owners of the data and the rest being mere custodians.

c) Anonymisation: As per the Bill, personal data may be irreversibly processed converting it into a form in which the data principal cannot be identified. The Act doesn't apply to the processing of anonymised data and thus the provisions of the Act need not be complied with in case of anonymised data. The companies dealing with analytics or research where data mining takes places of huge volumes of data can process and analyze their anonymised data without fear of any repercussions. However the Bill clearly states that anonymisation has to meet the standards set by the Authority. How far it can remain anonymised where the source data is not deleted is a food for thought as the source data can be used to identify the anonymised data. The Bill doesn't talk about regular audits or reviews to check whether standards have been met for the data to be anonymised or whether the source still contains the personal data of the data principal.

d) Data Deletion: Sec 10 of the Bill states that the personal data which is no longer required for the purpose for which it was collected, must be deleted in a manner as may be specified unless such retention is explicitly mandated or necessary under law. Such data if not deleted regularly, would be at a huge risk of being misused. There's always a higher chance for the data to be not deleted and used for purposes for which the data principal hasn't given his consent. The Bill doesn't put a larger emphasis on this vital aspect involved in data protection.

e) Consent: It is specifically stated in the Bill that the data of a data principal cannot be processed without his consent given no later than at the commencement of the processing. Such consent has to be free, informed, specific, clear and capable of withdrawn. Also, once the data principal wishes to withdraw his consent, the Bill hasn't specified about what needs to be done with data that was collected prior for processing.

Children's data if collected has to have a parental consent after age verification as per the Bill. However, this has to be looked at as most of the social media sites have profiles of children created by them. The Bill is also silent about any retrospective action in such cases.

f) Data Auditors: The Bill gives the freedom to the data fiduciaries to have their own policies and conducts of their audits for compliance. The data auditor will evaluate the compliance. But, at the same time, the Bill also lays down that where the Authority is of the view that data processing is carried out by any data fiduciary in a way that it could cause harm to the data principal, order can be passed to conduct an audit by appointing an Auditor. As the new data privacy and protection regime plays out, timely planning/action will help organizations continue their business as usual and enhance their business reputation-NASSCOM. How mandatory the auditing process is, under what conditions do the companies need to get it done suo-moto, periodicity thereof, and what all would be checked/evaluated as part of the auditing process is not clearly laid out which we hope the final Act would.

g) Collection limitation and Purpose limitation: The data collected should be limited as per the requirement and used only for the purpose for which it was required. The data fiduciary is under an obligation as per the Bill to state the purposes for which the data is being collected. However, this is never the scene. Even if the companies do mention the purpose, the same is very high level and can include multiple actions, part of which may be allowed by the data principal and other may not be. Therefore, it should be mandated that the data fiduciary has to give in specific purpose for which the data would be used. Albeit, the Bill talks about periodical review of the data it is silent about the usage of data that would be considered to be redundant.

h) Privacy by Design: 29 talks about privacy by design and expects the data fiduciary to design their business, technical systems, innovations that it can anticipate, identify and avoid harm to the data principal. This is something which cannot be done as the data fiduciaries cannot be expected to bring about a change in their overall design and structure their business model once again.

i) Transparency: Sec 30 of the draft Bill discusses about transparency being an important requirement in the processing of the personal data. The Aadhar Act which lays down the laws relating to the biggest data repository in the country is required to be amended, as per the submitted Report by the committee. The Bill does not seem to mention its findings about the same. Transparency in data processing is one of the major provisions of the draft Bill, where Aadhar itself may fall short of. No one knows where the data collected through Aadhar has been processed or stored or where the servers are. However, by providing such exemptions to the State for its functions and for welfare in the Bill, Aadhar may escape from the clutches of the other provisions of the Data Protection Act.

j) Security Safeguards: The data fiduciary and the data processor shall have to implement security safeguards like encryption, de-identification or the steps to protect personal data they are processing. End-to end encryption is one of the strong ways to avoid data breach and for risk management in companies where the data at the source gets encoded with a key. This data when transferred to the destination can be decoded only with its correct/decryption key. De-identification, which is stated as another security safeguard, may not be as effective as encryption. One of the widely used social application, Whatsapp now claims end-to-end encryption which means no one in between can read the messages when transferred to the person we are communicating with, not even Whatsapp.

The Guardian and The New York Times had reported in March 2018, that 50 million facebook profiles were harvested for Cambridge Analytic a in what could be one of the biggest data scandals. It is alleged that such huge volume of data was collected through an app, this is your digital life, and of the friends in the facebook list of those who have signed up for the app. Facebook doesn't have an end-to-end encryption as the data of the users are being read and processed by its servers for data analysis. This is the reason why you see relevant ads or any of your recent searches appearing on your facebook.

k) Data Localizing/Mirroring: As per the Bill, personal data to which the Act applies also has to be stored on a server or data centre in India. An obligation has been laid down on the Central Government to notify certain categories data as critical personal data which can only be processed and stored in a server or data centre in India. Thus, there is still confusion as to which categories of data would fall under this clause. If location of a data principal is considered to be a critical personal data, then companies like Uber, Ola would probably not be able to operate in India or the data stays only in their servers or data centres in India.

Data mirroring is an added responsibility and would lead to extra expense and doubling-up the volume of data to be stored by the data fiduciaries. These data which is stored in servers or data centresin India along with the places out would have to be regularly backed up in tapes to prevent its safety and storage in India. The Report of the Committee tries to provide its reasons as to why at least one serving copy has to be stored in India. This is at variance with the global character of digitalization and connecting globally through technology.

One reason that attracts attention is data mirroring being required for the development of artificial intelligence (AI) which again would raise wide concerns over data privacy.

l) Offences: Industry perspectives may need to be looked into while finalizing the Bill. Currently, as we understand, all offences have been attached with a blanket criminality by making them cognizable and non-bailable. This may be a risky proposition as it can damage the reputation of a data fiduciary if the complaint is found to be false and frivolous, and may be a concerning obstacle to carry out business and for individuals. It may eventually create a lot of hullabaloo in the time to come if not reviewed and modified.

m) Government bodies exempted: The Bill seems to be in favor of the State and the Central Government. Wide exceptions are being given to them in terms of data collection, storage and processing. Though it has held the Government also accountable being one of the biggest stakeholders, the vast exemption frees them from their liability at the same time. The Bill lays down that the Government can process any personal data for any functions of the Government and can notify certain categories of personal data for which no data mirroring is required purely on the grounds of necessity and strategic interests of the State.

n) Accountability: The Bill as per Sec. 11 holds only the data fiduciary accountable for complying with all its obligations and be able to demonstrate that all of its data processing is in accordance, whereas not much accountability has been put on the data processors who would be equally or more involved in the process of handling mass data volume of the data principal.

o) RTI: The Report said that neither the right to privacy, nor the right to information is absolute and the two will have to be balanced against each other in certain circumstances. The Second Schedule in the draft Bill talks about the amendment to Section 8(j) of the RTI Act, 2005. With this amendment, no disclosure of personal data under RTI shall be made if the same is said to cause harm to the concerned individual. This amendment was not warranted as the RTI Act has properly evenhanded the privacy rights of the public servants and the public interest in disclosure of such an information. The amendment has increased the scope of rejection in disclosing personal information.

The aforesaid are some of the initial observations or concerns that have been raised with respect to the draft Bill. A detailed study has to be done also taking into consideration the industry perspectives so that these loopholes can be fixed. The Privacy Act or the Data Protection Act would always be subject to amendments as it has to keep pace with the ever changing and advancing technological expansion.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Sign Up
Gain free access to lawyers expertise from more than 250 countries.
 
Email Address
Company Name
Password
Confirm Password
Position
Industry
Mondaq Newsalert
Select Topics
Select Regions
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions