The Hon'ble Supreme Court of India in Justice K S Puttaswamy and Anr. Vs. Union of India and Ors. [1] held that the right to privacy is a fundamental right and is granted protection under Article 21 of the Constitution. Subsequently, a committee headed by Justice B.N. Srikrishna was formed to delve into the issues governing data protection in India. The committee submitted its report in 2018 to the Ministry of Electronics and Information along with a Draft Personal Data Protection Bill, 2018. The Personal Data Protection Bill, 2019 ('Bill') is based on the recommendations of the committee and various other stakeholders. The bill is currently being examined by the Joint Parliamentary Committee and is all set to be presented before the Parliament in the coming budget session of 2021.
Key Provisions of the bill
The bill seeks to revamp India's current data protection scheme, which is governed by the Information Technology Act, 2000. It proposes to regulate the processing of personal data of individuals by the Government, companies registered in India and foreign companies. Some key provisions under the bill are as follows –
- Definition of Personal Data
Personal Data under the bill is defined [2] as data relating to a natural person with regard to any characteristic, trait, attribute or other feature which helps in the identification of that person. The bill also distinguishes between Sensitive Personal Data and Critical Personal Data.
a. Sensitive personal data [3] includes financial data, health data, sex life, sexual orientation, biometric data, transgender status, caste or tribe, religious and political affiliations, etc.
b. Critical personal data [4] means any such data which will be notified by the Central Government as critical personal data.
- Data Fiduciary
Data fiduciary [5] means any entity or individual which determines the purpose and means of processing personal data. The bill enumerates certain obligations of the Data Fiduciary, some of which are as follows –
a. Personal Data should be processed only for clear and lawful purposes.
b. The privacy of the Data Principal, i.e. the person to whom the data belongs, should be ensured.
c. The Data Fiduciary is required to furnish a notice [6] to the Data Principal for the purposes of collecting personal data.
d. The bill imposes restrictions [7] on the Data Fiduciary with respect to the retention of the personal data collected.
e. The Data Fiduciary is also made accountable [8] for complying with the provisions of the bill in relation to the processing of data.
- Data processing without consent
The bill provides for the processing of data after consent is obtained from the Data Principal; however, data can also be processed without consent in the following circumstances –
a. For the performance of any function of the state authorised by law [9].
b. For compliance with any order or judgement of a court [10].
c. For employment or related purposes [11].
d. For any other reasonable purposes [12]; reasonable purposes include whistle blowing, prevention and detection of any unlawful activity, mergers and acquisitions, credit scoring, recovery of debt, etc.
- Rights of the Data Principal
The bill also provides for rights [13] that can be exercised by a data principal, such as the right to seek information regarding the manner of processing activities undertaken by the data fiduciary with respect to the personal data. The bill also gives the data principal an opportunity to correct and erase any personal data.
- Social Media Intermediaries
The bill defines [14] Social Media Intermediaries as intermediaries which allow two or more users to share, upload, disseminate or create information using their services. This will allow the government to notify them as data fiduciaries, subjecting them to the provisions of the Bill.
- Data Protection Authority
The bill provides for the establishment of a Data Protection Authority [15] to protect the interests of data principals, prevent misuse of personal data, ensure compliance and promote awareness regarding data protection. The Authority will have the power to maintain a database on its website containing the names of significant data fiduciaries with a rating in the form of a data trust score, which will indicate their compliance with the provisions of the bill [16].
- Transfer of Personal Data outside India
The bill imposes certain restrictions on the transfer of sensitive and critical personal data outside India. Sensitive personal data may be transferred outside India subject to certain conditions [17], such as –
a. The transfer is made pursuant to a contract or intra-group scheme which has been approved by the Data Protection Authority (Authority).
b. The transfer is allowed by the Central Government after consultation with the Authority.
- Regulatory Sandbox
The Data Protection Authority is required to create a sandbox [18] to promote and encourage artificial intelligence, machine learning or any other such emerging technology. Entities included in the sandbox will be exempted from complying with the provisions of the Bill.
- Offences and Penalties
The bill imposes hefty penalties. A fine of INR 15 crores or 4% of the annual turnover of the data fiduciary, whichever is higher, is imposed for processing or transferring personal data in violation of the Bill [19]. In case the data fiduciary fails to conduct a data audit, a fine of INR 5 crores or 2% of the annual turnover of the data fiduciary, whichever is higher, is imposed [20].
General Data Protection Regulation (GDPR) and Personal Data Protection Bill, 2019
GDPR was adopted by the European Commission and ensures the protection of personal data relating to individuals. The Personal Data Protection Bill, 2019 is modelled after the GDPR; however, there are certain key differences between the two. Some of them are –
a. The GDPR does not govern non-personal or anonymised data at all; however, under clause 91 of the bill, the government is permitted to ask a data fiduciary and data principal to provide non-personal data for policy-making decisions.
b. The definition of sensitive personal data under the GDPR does not include financial information [21]; however, the same is included in the definition of sensitive personal data under clause 2(36) of the bill. This makes the definition of sensitive personal data given under the bill broader than that of the GDPR.
c. Under the GDPR there is no parallel provision for the classification of 'critical personal data'. Under the bill, the central government is empowered to classify what will constitute 'critical personal data'.
d. The GDPR provides for data to be kept in an identifiable form, and exceptions for extending the storage period are provided [22]. The bill requires the explicit 'consent' of the data principal in case data is to be retained for a longer period [23].
Conclusion
The Personal Data Protection Bill, 2019 is driven by the underlying objective of protecting data relating to individuals. The bill broadly categorises personal data into three categories, which allows for greater accountability in relation to the processing of data by data fiduciaries. The creation of a regulatory sandbox will help technology-driven startups immensely in their initial stage, since it will exempt them from the complex procedures and compliance requirements of the bill. The bill, when enacted, will have a far-reaching impact on Indian businesses and MNCs, since they will have to ensure that the data processing done by them is in compliance with the provisions of the bill.
By:
Vijay Pal Dalmia, Advocate
Supreme Court of India & Delhi High Court
Email id: vpdalmia@vaishlaw.com
Mobile No.: +91 9810081079
LinkedIn: https://www.linkedin.com/in/vpdalmia/
Facebook: https://www.facebook.com/vpdalmia
Twitter: @vpdalmia
AND
Sanjana Leekha
Email: sanjanaleekha60@gmail.com
Footnotes
1. Writ Petition (Civil) No 494 of 2012.
2. Clause 2(28) of the Bill.
3. Clause 2(36) of the Bill.
4. Explanation to Clause 33(2) of the Bill.
5. Clause 2(13) of the Bill.
6. Clause 7 of the Bill.
7. Clause 9 of the Bill.
8. Clause 10 of the Bill.
9. Clause 12 of the Bill.
10. Clause 12(c) of the Bill.
11. Clause 13 of the Bill.
12. Clause 14 of the Bill.
13. Chapter V of the Bill.
14. Explanation to Clause 26 (4) of the Bill.
15. Clause 41 of the Bill.
16. Clause 49 (2) of the Bill.
17. Clause 34 of the Bill.
18. Clause 40 of the Bill.
19. Clause 51(2) of the Bill.
20. Clause 52(3) of the Bill.
21. Article 9(1) of GDPR.
22. Article 39 of GDPR.
23. Clause 9(2) of the Bill.
© 2020, Vaish Associates Advocates, All rights reserved
Advocates, 1st & 11th Floors, Mohan Dev Building 13, Tolstoy Marg, New Delhi-110001 (India).
The content of this article is intended to provide a general guide to the subject matter. Specialist professional advice should be sought about your specific circumstances. The views expressed in this article are solely of the authors of this article.