The Personal Data Protection Bill, 2019 (the "2019 Bill") was introduced in the Lok Sabha on December 11, 2019 by the Ministry of Electronics and Information Technology. The 2019 Bill is proposed to be further examined and reviewed by a joint parliamentary committee before being tabled before the Lok Sabha.
The 2019 Bill is broadly based on the principles of the General Data Protection Regulation, 2016 (the "GDPR") and the landmark judgment of the Supreme Court of India: Justice K.S. Puttaswamy (Retd.) & Anr v Union of India,1 wherein right to privacy was upheld as a fundamental right under the Indian Constitution.
The 2019 Bill intends to protect the privacy rights of individuals with respect to their personal data and governs and regulates the organizations processing such personal data.
The 2019 Bill has been formulated largely in line with the provisions of the Draft Personal Data Protection Bill, 2018 (the "2018 Bill") which was released on July 27, 2018 along with the report by the Committee of Experts under the chairmanship of Justice B.N. Srikrishna (the "Report").2
The 2019 Bill has brought in certain crucial additions and revisions to the 2018 Bill, however there are still certain concerns that were highly debated and discussed under the 2018 Bill, which are yet to be addressed.
- KEY OBSERVATIONS
While we await the 2019 Bill to be tabled before the Parliament, we are examining its key provisions below:
2.1. Applicability of the Bill
Under the provisions of the Report, an exception based on the principles of territoriality had been recommended. The Report stated that any entity located in India and only processing personal data of foreign nationals not present in India may be exempted from the application of the Bill by the Central Government. This exception was not included under the 2018 Bill. The lack of such an exemption made the scope and applicability of the 2018 Bill more over-reaching than the GDPR.
The 2019 Bill allows the Central Government to exempt from the application of the 2019 Bill, the processing of personal data of data principals not within the territory of India, pursuant to any contract entered into with any person outside the territory of India, including any company incorporated outside the territory of India, by any data processor incorporated under Indian law. However, till the time that the Central Government notifies such an exemption, the benefit of the same is not available.
This is a welcome addition from the draft 2018 Bill, given that it benefits the outsourcing industry and facilitates cross-border processing of data by group companies. This exemption from applicability is also in keeping with a similar notification issued by the Ministry of Communications & Information Technology, dated, April 24, 2011 under the current regulatory framework on data privacy, but was not available under the 2018 Bill; which had sparked discussions and queries by companies that have similar cross-border contractual arrangements.
Further, under the 2018 Bill, the term in connection with 'any business that is carried out in India' in relation to the exercise of jurisdiction over any data fiduciary or data processor not located within India, is vague in nature and lacks specificity. Even the 2019 Bill does not provide any clarity with respect to the above provision.3 Therefore, to tighten the scope of the 2019 Bill and bring in more specificity with respect to the applicability of the 2019 Bill, the above term should have been specifically defined or explanation with respect to the same should have been provided.
2.2. Definition of Personal Data
The definition of 'personal data' under the 2019 Bill has been considerably broadened to read as "personal data means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include inference drawn from such data for the purpose of profiling."4 5
Under the 2018 Bill, personal data has bad been defined to mean "data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information.6"
The expansion of the definition of personal data is undoubtedly a welcome measure as it broadens the ambit of the 2019 Bill, strengthening the privacy rights of data principals in return. Further, the definition also additionally covers any inference drawn from personal data for the purpose of profiling since such inference typically leads to indirect identification of a natural person.
This is important as certain entities using modern technologies carry on targeting online advertisement and use an individual's online activities and pattern to customize their advertisements. Although data gathered from one's online activities may not be capable of identifying a person individually, but when taken collectively or in combination with other characteristics, may result in identifying a person.
2.3. Amended Definition of Sensitive Personal Data
Although the definition of sensitive personal data has largely remained the same, a conscious decision to remove 'passwords' from that definition has been made under the 2019 Bill. This seems to be an effort on the part of the government to streamline the definition of sensitive personal data in line with international standards and legislations.
This was also the need of the hour since entities that may not be processing sensitive personal data per se, also needed to comply with a higher degree of compliance associated with such data, merely by virtue of password-enabling access to their services to afford enhanced data security to their users.
Foreign companies and multinational companies may now find it easier (in comparison with the onerous compliance requirements under the 2018 Bill with respect to sensitive personal data) to comply with the provisions of the 2019 Bill, as the stringent provisions pertaining to sensitive personal data will not be applicable on passwords.
Having said that, the 2019 Bill has retained financial data under the definition of sensitive personal data, which may still prove to be burdensome for foreign entities with respect to the stringent compliance requirements for sensitive personal data under the 2019 Bill.
Under the 2018 Bill, the Central Government had the sole and exclusive power to notify certain other types of personal data as sensitive personal data. Under the 2019 Bill, the Central Government
is now required to consult with the Authority7 before notifying certain other types of personal data as sensitive personal data8.
Another welcome change under the 2019 Bill is that, while the Central Government can specify categories of personal data as sensitive personal data, they cannot expand the grounds of processing, unlike the 2018 Bill. To serve the objective and intent of the 2019 Bill in prescribing different levels of obligations and compliance for personal data and sensitive personal data, it is important for the Central Government and the Authority to exercise caution while notifying any personal data as sensitive personal data.
2.4. Grounds of Processing of Personal Data
The 2018 Bill stated that personal data may be processed if such processing is necessary for any function of the Parliament or any state legislature. The 2019 Bill has deleted this provision and limited the processing of personal data, without consent of data principal, for provision of any service or benefit to the data principal from the State or for the issuance of any certification, license or permit for any action or activity of the data principal by the State, with respect to the functions of the state authorized by law9.
The 2018 Bill stated that personal data can be processed, without consent, for certain reasonable purposes as may be specified by the Authority. The Authority may specify the reasonable purposes which includes the prevention and detection of any unlawful activity including fraud, whistle blowing, mergers and acquisitions, network and information security, credit scoring, recovery of debt, processing of publicly available personal data.
The 2019 Bill has broadened the ambit of 'reasonable purposes' by adding 'operation of search engines' to the list, which subject to certain conditions may be notified as a reasonable purpose. Therefore, personal data may be processed without the consent of the data principal for the purpose of operations of search engines.
Although the extent and scope of permissible processing of personal data under this head will be dictated by the regulations, this will, in all likelihood, be seen as a welcome move by companies operating search engines who would have been otherwise unduly burdened by compliance requirements to obtain consent of data principals – that could hinder the efficiency of their service.
2.5. Additional Rights of Data Principal
The 2019 Bill provides the data principals with 2 (two) additional rights with respect to their personal data:
(a) The right to access in one place the identity details of the data fiduciaries with whom there data has been shared:10
Although this provision seems to have been enacted for the data principals to have information about and access to, the data fiduciaries with whom their personal data has been shared/stored, it is not clear as to who would have the details of all the data fiduciaries with whom the personal data of the data principals have been shared.
This becomes particularly relevant in arrangements where the data needs to be shared among multiple data processors at different points in time. Further, as of now there seems to be no clarity with respect to the manner in which this right shall be implemented under the 2019 Bill or who would take responsibility for the same.
(b) The right to data erasure. 11
Although this new right of erasure of personal data on request has explicitly found its way into the 2019 Bill, the 2018 Bill already imposed an obligation on the data fiduciaries to delete personal data once the purpose for which the same had been collected was achieved.
2.6. Privacy by Design Policy
(a) Managerial, organizational, business practices and technical systems are designed in a manner to anticipate, identify, and avoid harm to the data principal;
(b) The obligations of data fiduciaries;
(c) The technology used in the processing of personal data is in accordance with commercially accepted or certified standards;
(d) The legitimate interests of businesses including any innovation is achieved without compromising privacy interests;
(e) The protection of privacy throughout processing from the point of collection to deletion of personal data;
(f) The processing of data is in a transparent manner; and
(g) The interest of the data principal is accounted for at every stage of processing of personal data13.
2.7. New recognized categories of Data Fiduciaries
2.7.1. Consent Managers
The 2019 Bill has introduced the concept of 'consent managers' which are data fiduciaries enabling data principals to manage their consent given to other data fiduciaries ("Consent Managers"). Under the 2019 Bill the data principals can either give or withdraw their consent either by themselves or through these Consent Managers16.
The 2019 Bill states that the Consent Managers are required to register with the authority, however, does not provide any further clarity with respect to who is required or permitted to register as Consent Managers, or the manner in which consent of the data fiduciaries will be managed by such Consent Managers.
Further, since the 2019 Bill designates Consent Managers as data fiduciaries, the Consent Managers will also be required to comply with the provisions of the 2019 Bill. Additionally, the Consent Manager is expected to manage consents through an interoperable platform.
It is not clear on the manner in which such interoperability can be achieved, technically and operationally, specifically taking into account the informed, specific and clear consent requirement, without jeopardizing the ability of each independent data fiduciary to safeguard details of their business offering from other data fiduciaries (including their competitors registered as Consent Managers).
2.7.2. Social media intermediaries
The 2019 Bill also introduces the concept of 'social media intermediaries'. Social media intermediary has been defined under the 2019 Bill to include "an intermediary who primarily or solely enables online interaction between 2 (two) or more users and allows them to create, upload, share, disseminate, modify or access information using its services but shall not include intermediaries which primarily: (a) enable commercial or business oriented transactions, (b) provide access to the Internet, (c) in the nature of search engines, online encyclopedia, email services or online storage services".17
In light of the growing concerns surrounding the effect of social media platforms on free and fair elections reaching a fevered pitch, especially in the West, and the spread of fake news all over the world, the 2019 Bill gives the Central Government the power to notify any social media intermediary as a significant data fiduciary. Significant data fiduciaries are subjected to more onerous responsibilities, such as audits, maintenance of records, data protection impact assessments, and appointment of data protection officers.
Further, every significant data fiduciary shall enable users who register their service from India, or use their services in India, to voluntarily verify their accounts. The voluntary verification of accounts shall be provided with a demonstrable and visible mark of verification, which shall be visible to all users of service.
Although such profile verification may curb the spread of fake news, it may increase the operational cost for such social media intermediaries, as they would now be required to implement a mechanism that enables a user to verify his or her profile and can drive greater accountability. Further, there is no clarity on what documents will be accepted for the purpose of verification and what consequences (if any) will follow from this verification.
In light of the above provision, the Central Government should be cautious before notifying social media intermediaries as significant data fiduciary and should notify only those social media intermediaries as significant data fiduciaries that meet the relevant criteria prescribed under the 2019 Bill.
2.8. Restriction on Cross-Border Transfer of Personal Data
The 2019 Bill has done away with the requirement of data localization (that is, the requirement of every data fiduciary to store 1 (one) serving copy of the personal data on a server or data center that is located within the territory of India). While this is a welcome move in the interest of ease of doing business and permitting global companies to transfer and process personal data across different jurisdictions, the 2019 Bill still mandates storing a copy of sensitive personal data in India.
While the relaxation of the data localization norms with respect to personal data would mean a reduction in operational costs for quite a few organizations/companies that don't process sensitive personal data, the retention of localization requirements for sensitive personal data under the 2019 Bill18 is likely to draw criticism again from stakeholders.
This becomes particularly relevant, considering that the authority has the right to expand the scope of data that will be treated as sensitive personal data under the 2019 Bill (please refer above). The 2019 Bill has also laid down certain conditions based on which sensitive personal data can be transferred outside India.19
Further, with respect to the definition of 'critical personal data', the 2019 Bill remains silent as it was in the case of 2018 Bill. It is important that the 2019 Bill or accompanying regulations clearly define the term critical personal data or provide guiding principles of determination, to avoid confusion and misrepresentation. However, the 2019 Bill now allows 'critical personal data' to be transferred outside India (previously prohibited under the 2018 Bill) only where transfer is:
(a) To a person or entity engaged in the provision of health services or emergency services where such transfer is necessary for prompt action; or
(b) To a country or any entity or class of entity in a country, or to an international organization, where the Central Government has deemed such transfer to be permissible, and where such transfer, in the opinion of the Central Government does not prejudicially affect the security and strategic interest of the State. 20
While the first ground on which transfer of critical personal data is allowed is commendable as it keeps society's best interests in mind. However, the transfer of critical personal data solely because the Central Government deems it permissible is too vague and seeks to grant unfettered powers to the Central Government, which was one of the primary reasons for the need to revise the existing regulatory framework relating to data privacy.
2.9. Exemption for Government agencies21
The 2019 Bill gives the power to the Central Government to exempt any governmental agency from complying with the provisions of the 2019 Bill wherein the same is deemed necessary or expedient in the interest of the sovereignty and integrity of India, security of the country, friendly relations with foreign states, public order, or in order to prevent the incitement of commission of any offence relating to any of the above.
The above power vested with the government is very broad leaving scope of mis-use and misinterpretation of the same.
2.10. Creation of a Sandbox22
The 2019 Bill requires the authority to create a sandbox for the purpose of encouraging innovation in artificial intelligence, machine-learning or any other emerging technology in public interest. Entities included in the sandbox will be exempted from complying with certain requirements of the 2019 Bill.
The term for which a qualifying data fiduciary seeks to utilize the Sandbox cannot exceed 12 (twelve) months and cannot be renewed more than twice, thus resulting in a maximum time frame of 36 (thirty-six) months cumulatively.
2.11. Selection Committee
The composition of the Selection Committee with respect to the recommending the appointment of the Authority has been considerably revised under the 2019 Bill. As per the provisions of the 2018 Bill, the Selection Committee was to comprise of (a) Chief Justice of India or a judge of the Supreme Court, (b) the Cabinet Secretary, and (c) and expert nominated by the Chief Justice of India or by the judge of the Supreme Court.
As per the provisions of the 2019 Bill, the judicial representation on the Selection Committee has been done away with and the Selection Committee only comprises of (a) Cabinet Secretary who shall be the chairperson, (b) the Secretary to the government of India in the Ministry or department dealing with legal affairs, (c) the Secretary to the government of India in the Ministry or Department dealing with electronics and information technology.23
2.12. Excessive Liability24
The 2018 Bill imposed excessive liability on the directors of a company or the officers in charge for the conduct of the business of the company at the time of commencement of the offence, which seemed to be a draconian measure as even most international data protection legislations such as GDPR do not provide for such stringent liability.
There was also a lack of clarity under the 2018 Bill with respect to (a) the quantum of fine that is to be imposed on directors and officers in charge (i.e. whether the same quantum of fine will be imposed on directors and officers in charge as may be imposed on the company) and (b) the nature of liability imposed inter se between a data fiduciary, data processor, or between multiple data processors in case of data breach.
The abovementioned lacunae remain unanswered and unclear even under the provisions of the 2019 Bill.
2.13. Code of Practice & Transitional Provisions
The 2018 Bill had certain additional provisions with respect to code of practice that have been eliminated from the 2019 Bill. Namely, it is no longer mandated for the Authority to issue codes of practice outlining good practices of data protection or for the Authority to make such codes of practice publicly available on its website.
The 2019 Bill has also done away with provisions allowing for the Authority or any court, tribunal or statutory body to look at non-compliance with a code of practice by any data fiduciary or processor while determining whether such data fiduciary or processor has violated the provisions of the 2019 Bill25.
Another important factor to note is that while the 2018 Bill had an entire chapter dedicated to 'transitional provisions' that provided for phased implementation of the provisions,26 the 2019 Bill has made a significant departure from this approach. This implies that the 2019 Bill will come into effect on such date(s) as notified. This may prove to be particularly burdensome given the limited time to effectively meet all the expectations and obligations set out under the 2019 Bill.
2.14. Government's use of anonymized data
A key addition to the 2019 Bill is that the Central Government may direct any data fiduciary or data processor to provide any personal data anonymized or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government27.
While the 2019 Bill has relaxed some of the stringent provisions found under the 2018 Bill such as the obligation of data localization, it also seems to dilute few of the salient features of the law that aims to protect the privacy rights of data principals.
Keeping in mind the growing need of the digital economy, having a regulatory sandbox in place may be the need of the hour, however, providing the government with unregulated and broad powers to exempt government agencies from the provisions of the 2019 Bill for certain circumstances may defeat the purpose of the 2019 Bill and jeopardize an individual's fundamental right to privacy.
As mentioned above, the 2019 Bill is still to be reviewed by the Joint Parliamentary Committee and the shortfalls will hopefully be addressed before the same is finalized and brought into effect. The 2019 Bill is expected to have a far-reaching impact on Indian businesses and multinational corporations doing business in India.
1 W.P. (Civil) No. 494 of 2012).
2 For more information on our detailed analysis of the Personal Data Protection Bill, 2018, please refer to our InfoAlert titled "THE PERSONAL DATA PROTECTION BILL, 2018 KEY FEATURES AND IMPLICATIONS" Available at: https://induslaw.com/app/webroot/publications/pdf/alerts-2018/Personal_Data_Protection_Bill_2018.pdf
3 Section 2 of the Personal Data Protection Bill, 2019.
4 Section 3 (28) of The Personal Data Protection Bill, 2019.
5 Section 3 (32) of The Personal Data Protection Bill, 2019 defines 'profiling' as "any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a data principal."
6 Section 3 (29) of The Personal Data Protection Bill, 2018.
7 Section 3 (5) defines 'Authority' to mean the Data Protection Authority of India established under sub-section (1) of section 41 of The Personal Data Protection Bill, 2019.
8 Section 15 (1) of The Personal Data Protection Bill, 2019.
9 Section 12(a) (i) and (ii) of The Personal Data Protection Bill, 2019.
10 Section 17(3) of The Personal Data Protection Bill, 2019.
11 Section 18 of The Personal Data Protection Bill, 2019.
12 Section 22 of The Personal Data Protection Bill, 2019.
13 Section 22 of The Personal Data Protection Bill, 2019.
14 Section 22 of The Personal Data Protection Bill, 2019.
15 Section 22 of The Personal Data Protection Bill, 2019..
16 Section 23(3), (4), and (5) of the Personal Data Protection Bill, 2019.
17 Explanation to Section 26 (4) of the Personal Data Protection Bill, 2019.
18 Section 33 of the Personal Data Protection Bill, 2019.
19 As per Section 34 of The Personal Data Protection Bill, 2019, sensitive personal data may only be transferred outside India for the purpose of processing, when explicit consent is given by the data principal for such transfer and where, (a) the transfer is made pursuant to a contract or intra-group scheme approved by the Authority; (b) the Central Government, after consultation with the Authority, has allowed the transfer to a country or, such entity or class of entity in a country or, an international organization, or (c) the Authority has allowed transfer of any sensitive personal data or class of sensitive personal data for any purpose.
20 Section 34 of Personal Data Protection Bill, 2019.
21 Section 34 of Personal Data Protection Bill, 2019.
22 Section 40 of Personal Data Protection Bill, 2019.
23 Section 42 (2) of The Personal Data Protection Bill, 2019.
24 Section 84 of The Personal Data Protection Bill, 2019.
25 Section 61 (7), (8), and (10) of The Personal Data Protection Bill, 2018.
26 Chapter XIV of The Personal Data Protection Bill, 2018.
27 Section 91(2) of The Personal Data Protection Bill, 2019.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.