A. Introduction

The growth of the digital economy and rapid technological advancements have made it crucial to protect the personal data of individuals. The Personal Data Protection Bill, 2019 (the "Bill") is an endeavor in this direction, respecting the informational privacy of individuals and regulating the collection, usage, transfer and disclosure of personal data. The Bill has now been referred to a Joint Parliamentary Committee for examination.

B. Current legal data protection landscape in India

The Hon'ble Supreme Court of India in the landmark judgment in Puttaswamy vs. Union of India[1] (the "Puttaswamy Judgment") held that privacy is a constitutionally protected right that emerges primarily from the guarantee of life and personal liberty in Article 21 of the Constitution of India. It is the constitutional core of human dignity. However, like the other fundamental rights, privacy is not an absolute right. A law which encroaches upon privacy will have to withstand the touchstone of permissible restrictions on fundamental rights.

The Supreme Court in the Puttaswamy Judgment further stated that informational privacy is a facet of the right to privacy and commended the Union Government for examining and putting into place a robust regime for data protection, striking a careful and sensitive balance between individual interests and the legitimate concerns of the state.

The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (the "Sensitive Data Protection Rules") were made by the Central Government pursuant to Section 43A and Section 87(2)(ob) of the Information Technology Act, 2000 ("IT Act"). Section 43A of the IT Act provides that where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

The Sensitive Data Protection Rules define sensitive personal data or information of a person as such personal information which consists of information relating to passwords, financial information, physical, physiological and mental health condition, sexual orientation, medical records and history, biometric information, any detail relating to the above as provided to the body corporate for providing a service, and any of the above information received by the body corporate for processing, or stored or processed under a lawful contract or otherwise. The Sensitive Data Protection Rules require body corporates to publish a privacy policy for the handling of or dealing in personal information, including sensitive personal data or information. Collection, disclosure and transfer of sensitive personal data or information shall be with the consent of the provider of such information.

C. Background of the Personal Data Protection Bill, 2019

The Bill recognizes that right to privacy is a fundamental right and that it is necessary to protect personal data as an essential facet of informational privacy. It also recognizes the necessity to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation. The Bill seeks to omit Sections 43A and 87(2)(ob) of the IT Act and provides a legal framework to keep personal data secure and protected.

D. Applicability of the Bill

Personal data means any data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.

The Bill applies to the following:

  • Processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India.
  • Processing of personal data by the State, any Indian company, any citizen of India or any person or body of persons incorporated or created under Indian law.
  • Processing of personal data by data fiduciaries or data processors not present within the territory of India, if such processing is:
    • in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India, or
    • in connection with any activity which involves profiling of data principals within the territory of India

The Bill shall not apply to the processing of anonymized data, other than anonymized personal data which the Central Government directs to be provided to it under section 91 of the Bill.

E. Key terms under the Bill

Under the Bill, "data fiduciary" means any person, including the State, a company, any juristic entity or any individual, who alone or in conjunction with others determines the purpose and means of processing of personal data[2]; "data processor" refers to any person, including the State, a company, any juristic entity or any individual, who processes personal data on behalf of a data fiduciary[3]; and "data principal" means the natural person to whom the personal data relates[4].

The Bill also provides for significant data fiduciaries[5], who are data fiduciaries or classes of data fiduciaries notified as such by the Data Protection Authority of India (the "Authority") having regard to the following factors:

  • volume of personal data processed
  • sensitivity of personal data processed
  • turnover of the data fiduciary
  • risk of harm by processing by the data fiduciary
  • use of new technologies for processing and
  • any other factor causing harm from such processing

A social media intermediary is an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services, but shall not include intermediaries which primarily (a) enable commercial or business-oriented transactions, (b) provide access to the internet, or (c) are in the nature of search engines, online encyclopedias, e-mail services or online storage services[6]. Any social media intermediary:

  • with users above such threshold as may be notified by the Central Government, in consultation with the Authority, and
  • whose actions have or are likely to have a significant impact on electoral democracy, security of the state, public order or the sovereignty and integrity of India,

shall be notified by the Central Government, in consultation with the Authority, as a significant data fiduciary, provided that different thresholds may be notified for different classes of social media intermediaries.

The Bill categorizes certain personal data as sensitive personal data[7]. This means all personal data which may reveal, be related to, or constitute (i) financial data; (ii) health data; (iii) official identifier; (iv) sex life; (v) sexual orientation; (vi) biometric data; (vii) genetic data; (viii) transgender status; (ix) intersex status; (x) caste or tribe; (xi) religious or political belief or affiliation; or (xii) any other data categorized as such by the Central Government, having regard to:

  • The risk of significant harm that may be caused to the data principal by the processing of such category of personal data
  • The expectation of confidentiality attached to such category of personal data
  • Whether a significantly discernible class of data principals may suffer significant harm from the processing of such category of personal data
  • The adequacy of protection afforded by ordinary provisions applicable to personal data

The Bill also categorizes certain personal data as critical personal data. This refers to such personal data as may be notified by the Central Government to be critical personal data[8].

F. Data protection obligations under the Bill

The following are the data protection obligations under the Bill. The data fiduciary shall be responsible for complying with all the obligations set out in the Bill in respect of any processing undertaken by it or on its behalf[9].

  • Personal data shall be processed in a fair and reasonable manner that respects the privacy of the data principal, and for the purpose consented to by the data principal or which is incidental to or connected with such purpose, and which the data principal would reasonably expect such personal data to be used for, having regard to the purpose, and in the context and circumstances in which the personal data was collected[10].
  • The data fiduciary shall not engage, appoint, use or involve a data processor to process personal data on its behalf without a contract entered into by the data fiduciary and such data processor. Such data processor shall not engage, appoint, use, or involve another data processor in the processing on its behalf except with the authorization of the data fiduciary and unless permitted through the contract executed with the data fiduciary. The data processor shall only process personal data in accordance with the instructions of the data fiduciary and treat it as confidential[11].
  • No personal data shall be processed by any person, except for any specific, clear and lawful purpose[12].
  • Personal data shall be collected only to the extent that is necessary for the purposes of processing of such personal data[13].
  • The data fiduciary is required to provide to the data principal a notice containing information such as the purpose of processing, nature and categories of personal data collected, contact details of the data fiduciary and the procedure for grievance redressal, in a manner that is clear, concise and easily comprehensible to a reasonable person, and in multiple languages (where necessary and practicable), at the time of data collection, or if the data is not collected from the data principal, as soon as is reasonably practicable[14].
  • The data fiduciary is required to take reasonable steps to ensure that personal data processed is complete, accurate, not misleading and updated, having regard to the purposes for which it is processed[15].
  • The data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed and shall delete the personal data at the end of the processing[16].
  • While sensitive personal data may be transferred out of India (subject to certain conditions), it shall continue to be stored in India, and critical personal data shall only be processed in India[17].

G. Grounds for processing of personal data and sensitive personal data

The grounds for processing personal data may be categorized into the following: (i) with consent; (ii) without consent.

Personal data can be processed on the basis of consent given by the data principal at the commencement of its processing; such consent shall be valid only if it is free, informed, specific, clear and capable of being withdrawn. Further, consent of the data principal for processing sensitive personal data needs to be explicitly obtained. Provision of any goods or services or the quality thereof, the performance of any contract, or the enjoyment of any legal right or claim, shall not be made conditional on consent to processing of any personal data not necessary for that purpose[18]. Personal data may be processed without consent on the following grounds:

  • If the processing of personal data is necessary for any function of the State authorized by law for the provision of any service or benefit to the data principal from the State, or the issuance of any certification, license or permit for any action or activity of the data principal by the State[19].
  • If the processing of personal data is necessary under any law for the time being in force made by the Parliament or any state legislature[20].
  • If the processing of personal data is necessary for compliance with any order or judgment of any court or tribunal in India[21].
  • If the processing of personal data is necessary to respond to any medical emergency involving a threat to the life or a severe threat to the health of the data principal or any other individual[22].
  • If the processing of personal data is necessary to undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health[23].
  • If the processing of personal data is necessary to undertake any measure to ensure safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order[24].
  • If the processing of personal data, not being any sensitive personal data, is necessary for purposes related to employment[25].
  • If the processing of personal data is necessary for reasonable purposes, including prevention and detection of any unlawful activity and recovery of debt[26].

Every data fiduciary shall process personal data of a child in a manner that protects the rights of, and is in the best interests of, the child, and before such processing, the data fiduciary shall verify the child's age and obtain the consent of the child's parent or guardian[27].

H. Rights of the data principal

The Bill grants a data principal the following rights:

  • Right to obtain confirmation from the data fiduciary as to whether it is processing or has processed personal data of the data principal[28].
  • Right to obtain from the data fiduciary the data principal's personal data being processed or that has been processed by the data fiduciary, or any summary thereof[29].
  • Right to obtain from the data fiduciary a brief summary of processing activities undertaken by the data fiduciary with respect to the personal data of the data principal[30].
  • Right to access in one place the identities of the data fiduciaries with whom the personal data has been shared by any data fiduciary, together with the categories of personal data shared with them[31].
  • Right to correct inaccurate or misleading personal data[32].
  • Right to complete incomplete personal data[33].
  • Right to update out-of-date personal data[34].
  • Right to erase personal data which is no longer necessary for the purpose for which it was processed[35].
  • Right to receive and have transferred to any other data fiduciary the personal data which such data principal has provided to the data fiduciary, or which has been generated in the course of provision of services or use of goods by the data fiduciary, or which forms part of any profile on the data principal, or which the data fiduciary has otherwise obtained, if the processing has been carried out through automated means[36].
  • Right to restrict or prevent continuing disclosure of personal data by a data fiduciary where such disclosure has served the purpose for which it was made or is no longer necessary for the purpose, was made with the consent of the data principal and such consent has since been withdrawn, or was made contrary to the provisions of the Bill or any other law[37].

I. Data Protection Authority of India

The Bill provides for the establishment of an Authority, whose duty shall be to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of the Bill and promote awareness of data protection. The duties of the Authority shall include monitoring and enforcing application of the Bill, taking action in response to personal data breaches, promoting awareness and understanding of the risks, rules, safeguards and rights in respect of protection of personal data amongst data fiduciaries and data principals, as well as receiving and inquiring into complaints under the Bill.

Significant data fiduciaries shall be required to register themselves with the Authority[38].

The data fiduciary is required to prepare a privacy by design policy containing:

  • The managerial, organizational and business practices as well as technical systems designed to anticipate, identify and avoid harm to the data principal.
  • The obligations of data fiduciaries.
  • The technology used in the processing of personal data that is in accordance with commercially accepted or certified standards.
  • The legitimate interests of businesses including any innovation achieved without compromising privacy interests.
  • The protection of privacy throughout processing from the point of collection to deletion of personal data.
  • The processing of personal data in a transparent manner.
  • The interest of the data principal that is accounted for at every stage of processing of personal data.

The data fiduciary should submit the privacy by design policy to the Authority for certification, and such certified policy should be published on the website of the data fiduciary and the Authority.

The data fiduciary shall notify the Authority of any breach of personal data processed by it, where such breach is likely to cause harm to any data principal[39].

J. Penalties and compensation

The Authority shall appoint adjudicating officers for the purpose of adjudging penalties or awarding compensation[40]. The Bill imposes heavy penalties on the data fiduciary for contravention of its provisions; for instance, processing of personal data in violation of the Bill shall attract a penalty which may extend up to INR 15 crore or 4% of its total worldwide turnover of the preceding financial year, whichever is higher[41]. The penalty shall be imposed after conducting an inquiry[42].

Any data principal who has suffered harm as a result of any violation of any provision of the Bill or rules or regulations made thereunder, by a data fiduciary or a data processor, shall have the right to seek compensation from such data fiduciary or data processor. A data processor shall be liable only where it has acted outside or contrary to the instructions of the data fiduciary, or where the data processor is found to have acted in a negligent manner, or where the data processor has not incorporated adequate security safeguards, or where it has violated any provisions of the Bill expressly applicable to it[43].

The Bill also establishes an appellate tribunal, to which a person aggrieved by an order of the adjudicating officer may prefer an appeal[44].

The Bill treats certain acts in contravention of its provisions as criminal offences. Any person who, knowingly or intentionally, re-identifies personal data which has been de-identified by a data fiduciary or a data processor, or re-identifies and processes such personal data without the consent of such data fiduciary or data processor, shall be punishable with imprisonment for a term not exceeding three years, or with a fine which may extend to INR two lakh, or both[45].

K. Analysis and conclusion

The existing legal framework does not sufficiently address the concerns arising from today's digital economy, where most transactions involve processing of personal data. In this regard, the main purpose of the Bill is to enable technological progress while at the same time imposing personal data protection requirements with which data fiduciaries and data processors must comply.

The Bill intends to protect data principals against invasion of their privacy by State or non-State actors. It delineates the rights and obligations of the stakeholders in detail. This will serve not only to improve consumers' trust in companies, but will also help India establish itself as a trusted jurisdiction on the international landscape.

Footnotes

1. (2017) 10 SCC 1.

2. Section 3(13) of the Bill.

3. Section 2(15) of the Bill.

4. Section 2(14) of the Bill.

5. Section 26(1) of the Bill.

6. Section 26(4) of the Bill.

7. Sections 3(36) and 15 of the Bill.

8. Section 33 of the Bill.

9. Section 10 of the Bill.

10. Section 5 of the Bill.

11. Section 31 of the Bill.

12. Section 4 of the Bill.

13. Section 6 of the Bill.

14. Section 7 of the Bill.

15. Section 8 of the Bill.

16. Section 9 of the Bill.

17. Section 33 of the Bill.

18. Section 11 of the Bill.

19. Section 12(a) of the Bill.

20. Section 12(b) of the Bill.

21. Section 12(c) of the Bill.

22. Section 12(d) of the Bill.

23. Section 12(e) of the Bill.

24. Section 12(f) of the Bill.

25. Section 13 of the Bill.

26. Section 14 of the Bill.

27. Section 16 of the Bill.

28. Section 17(1)(a) of the Bill.

29. Section 17(1)(b) of the Bill.

30. Section 17(1)(c) of the Bill.

31. Section 17(3) of the Bill.

32. Section 18(1)(a) of the Bill.

33. Section 18(1)(b) of the Bill.

34. Section 18(1)(c) of the Bill.

35. Section 18(1)(d) of the Bill.

36. Section 19(1) of the Bill.

37. Section 20 of the Bill.

38. Section 26(2) of the Bill.

39. Section 22 of the Bill.

40. Section 62(1) of the Bill.

41. Section 57(2) of the Bill.

42. Section 63 of the Bill.

43. Section 64 of the Bill.

44. Section 67 of the Bill.

45. Section 82 of the Bill.
