OVERVIEW OF THE PERSONAL DATA PROTECTION BILL
INTRODUCTION
With a growing online footprint, individuals are at a higher risk of privacy breach than ever before. At the same time, employees and customers are increasingly sensitive about their privacy rights. A legal framework was therefore required that includes policies which support innovation while simultaneously protecting individuals and entities from the risks associated with data. Data privacy measures are thus both critical and, if handled well, can give companies a real business advantage.
The Ministry of IT, Govt. of India (“MeitY”) constituted a committee of experts chaired by Justice Sri Krishna for issues related to data protection in India on July 31, 2017 (the “Sri Krishna Committee”). It submitted its report titled “Free and Fair Digital Economy, Protecting Privacy and Empowering Indians” (“Report”) and also the Personal Data Protection Bill, 2018 (“PDPB 2018”) on July 27, 2018.
The Report says that the legal regime must aspire to the common public good of both a ‘free’ and a ‘fair’ digital economy. ‘Free’ implies the autonomy of the individual with regard to their personal data. ‘Fair’ pertains to developing a regulatory framework in which the existing inequalities in bargaining power between individuals and the entities that process their personal data are mitigated.
In August 2017, the Supreme Court in K. S. Puttaswamy v. Union of India (the “Judgement”) recognised the right to privacy as a Fundamental Right. The court stated that every person should have the right to control the commercial use of their identity. The Judgement therefore established that people (citizens and non-citizens) could assert their individual rights against unlawful government invasions of their privacy, and it also imposed an obligation on the state to protect the individual’s right to privacy against private entities.
Globally, the enactment of the EU General Data Protection Regulation (“GDPR”) in 2016, which came into force in May 2018, established a global norm in personal data protection. The PDPB 2018 reflects principles contained in the GDPR, while simultaneously attempting to tailor the law to Indian needs.
Now, finally, the Government has tabled a modified Personal Data Protection Bill, 2019 (the “PDPB 2019”) in Parliament on December 11, 2019. It has been sent to a 20-member Joint Parliamentary Committee for further deliberations. The Committee is expected to submit its Report in the budget session (i.e., February, 2019).
HIGHLIGHTS
The PDPB 2019 applies to those who process the personal data of natural persons. The natural person whose data is being processed is referred to as the “Data Principal”, and those who collect data are referred to as the “Data Fiduciary”. A third actor is the “Data Processor”, who processes data on behalf of a Data Fiduciary.
Scope and Applicability
It applies to any ‘processing’ of personal data:
1. within the territory of India. (Territorial)
2. by the Indian State, Indian companies, Indian citizens, or any body incorporated in India. (Nationality)
3. by Data Fiduciaries (or Data Processors) not present within the territory of India, if the personal data of individuals located in India is processed with respect to any business or activity that involves offering goods or services to, or the profiling of, such individuals. (Extraterritorial)
[The PDPB 2019 exempts small entities carrying out manual processing from the following requirements]
What is processing?
Processing is an operation or set of operations performed on data (here, personal data). The definition is inclusive and may cover collection, organisation, storage, alteration, retrieval, use, indexing, disclosure, etc. It applies to both manual and automated processing.
Categories of Data
It categorises data into Personal Data, Sensitive Personal Data and Critical Personal Data. It does not apply to anonymised data or non-personal data.
Personal data is defined as data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute, or any other feature of the identity of such person, or any combination of these.
[It would include both online and offline data, and for clarification it is emphasised that it would include any inference drawn from such data for the purpose of profiling.]
Sensitive Personal Data is a subset of personal data and consists of specified types of data, such as financial data, health data, official identifiers, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief, etc. The Data Protection Authority of India (explained below) has the power to declare further categories of data as Sensitive Personal Data.
[‘Passwords’ were included as sensitive personal data in the previous PDPB 2018.]
Anonymised data is data that has been irreversibly converted in such a way that the data principal cannot be identified.
Non-Personal Data is not defined, but implies whatever is not personal data.
Critical Personal Data is such data as will be notified as such by the central government, and it can only be processed in a server or data centre located in India.
Major Obligations
Consent
The Report recognised that consent is often uninformed, not meaningful, and operates in an all-or-nothing fashion. It wants to treat consent not as a means to an end but as an end in itself. The PDPB 2019 devises a test for consent to be ‘valid consent’ for personal data, i.e. consent which is free, informed, specific, clear and capable of being withdrawn. For sensitive personal data, ‘explicit consent’ is required, for which the terms ‘informed’, ‘clear’ and ‘specific’ need to meet a higher threshold.
Notice
The data fiduciary is obligated to provide the data principal with adequate notice prior to the collection of personal data. This notice should be clear, concise and comprehensible, and may be issued in multiple languages whenever necessary.
Purpose Limitation
Data fiduciaries may only collect data that is necessary for the purposes of processing, and processing may be done only for the purposes specified to the data principal, or for any other incidental purpose that the data principal would reasonably expect. Using data for new purposes therefore needs fresh consent.
Data Limitation
Personal data may be retained only until the purpose of collection is completed. Data fiduciaries must have a data retention policy in place outlining the length of time they will hold the personal data of their users, as there is a positive obligation to delete such data in certain situations.
Data Quality
Personal data processed should be complete, accurate, not misleading and updated, having regard to the purpose for which it is processed. The data fiduciary is expected to understand the nature of the personal data, such as how likely it is to be used to make a decision about the data principal, and accordingly segregate data based on facts from data based on opinions or personal assessment.
Children
Parental consent will be necessary for the processing of the personal data of children below the age of eighteen years. Data fiduciaries who operate commercial websites or online services directed at children, or who process large volumes of such data, have a higher level of obligations.
Privacy by Design
Data fiduciaries will be required to implement managerial, organisational, business and technical systems, policies and measures to ensure that user privacy is protected. Data fiduciaries must have a privacy by design policy, which may be submitted to the DPA for certification.
Some of the standards of compliance that were subject to a “reasonable” standard in the PDPB 2018 are now subject to a “necessary” standard. For example, necessary security safeguards (as opposed to reasonable security safeguards) are now the standard for data fiduciaries and data processors in relation to activities such as de-identification and encryption, in order to prevent misuse of, and unauthorised access to, personal data; likewise, necessary steps must be taken to ensure the accuracy of personal data.
Grounds for Processing
The primary basis for the processing of personal data must be individual consent.
Personal data can also be processed without consent on the following grounds: (1) the functions of the state; (2) compliance with law, or with any order of any court or tribunal; (3) responding to any medical emergency; (4) undertaking any measure to ensure safety during any disaster or breakdown of public order; (5) a reasonable purpose.
Personal data may also be processed without consent for purposes related to employment, but only personal data which is not sensitive personal data.
Rights of Data Principals
The Report says that the data principal is the one who legitimises such data; therefore, they must continue to exercise clearly delineated rights over it, and data fiduciaries have to provide for the exercise of these rights.
Right to Confirmation and Access
The Law provides detailed rights to the data principal to access and correct their data. With regard to a right of review, the Law grants the right to: (a) a confirmation of the fact of processing; (b) a brief summary of the personal data being processed; and (c) a brief summary of processing activities. It additionally provides the right to access, in one place, the identities of all data fiduciaries with whom their personal data has been shared.
Right to Correction and Erasure
The rights of correction, completion, updating and erasure have been provided for inaccurate or misleading, incomplete, out-of-date, and no longer necessary personal data respectively, through a detailed step-wise process. The Data Fiduciary can reject such an application, giving reasons.
Right to Data Portability
Data principals may seek from the data fiduciary their personal data in a ‘structured, commonly used and machine-readable format’. It would consist of: (i) data already provided by the Data Principal to the Data Fiduciary; (ii) data which has been generated by the Data Fiduciary; (iii) data which forms part of any profile on the Data Principal, or which the Data Fiduciary has otherwise obtained. The data principal can ask the data fiduciary to transfer such personal data to any other data fiduciary in the prescribed format.
Right to be Forgotten
The Data Principal can request entities to remove their personal data from storage and processing. This right can, however, be exercised only through an order of an adjudicating authority, on the basis of the reasonableness of the request.
Data Localization
It allows the free flow of personal data, which can be processed and transferred outside India. This is a departure from the earlier PDPB 2018, where a copy of personal data was to be stored in India.
Nevertheless, for sensitive personal data, at least one copy should be stored on a server or data centre located in India, unless specifically exempted from this requirement.
Certain critical personal data may be identified by the Government which should be processed only in servers / data centres in India.
Cross Border Transfer of Data
The Report recognised the free flow of data as essential but also observed that it cannot be unfettered. It also delved into the fact that national interest might require local storage and processing.
The PDPB 2019 proposes that personal data can be transferred outside India. It places conditions only on sensitive personal data. A data fiduciary may only transfer such sensitive personal data if it obtains the explicit consent of the data principal. In addition to obtaining explicit consent, the data fiduciary must meet any one of the following conditions:
(i) the transfer is made subject to a contract or intra-group scheme that has been approved by the DPA. In order to obtain approval, contracts and intra-group schemes under this provision are required to ensure protection of the rights of the data principal as well as liability of the data fiduciary for harm caused due to any non-compliance.
[This is a deviation from the earlier PDPB 2018, which permitted transfers based on standard contractual clauses, in line with global frameworks such as the GDPR.]
(ii) the transfer is made subject to an adequacy determination by the Central Government.
(iii) the transfer of the sensitive personal data, or of that class of sensitive personal data, has been approved by the DPA for a specific purpose.
The PDPB 2019 also permits critical personal data to be transferred outside the country for certain limited purposes, such as:
(i) for prompt action, including transfers to persons or entities engaged in health or emergency services.
(ii) to a country, an entity or a class of entity in a country, or an international organisation covered by an adequacy determination. In addition, the Central Government must also be satisfied that such a transfer would not prejudicially affect the security and strategic interest of the nation.
Breach Notification
If there is a breach of personal data, the data fiduciary should notify the Data Protection Authority of India (the “DPAI”) of such breach. The notification should contain certain particulars, submitted to the DPAI either together or in phases. Such reporting is to be done as soon as possible. The DPAI, once set up, may prescribe a specific time period for reporting.
Data Protection Officer
All data fiduciaries notified or registered as significant data fiduciaries have to appoint a Data Protection Officer (DPO). Those Data Fiduciaries situated outside India must appoint a DPO located in India.
The DPO would monitor the data fiduciary’s processing activities to ensure compliance with the Law, advise the data fiduciary, and assist and cooperate with the DPAI.
Grievance Redressal
All data fiduciaries shall have effective procedures and mechanisms to redress the grievances of data principals. A complaint made by a data principal has to be resolved expeditiously, and not later than thirty days from the receipt of such complaint.
KEY PROVISIONS
Significant Data Fiduciary
The DPAI is empowered to notify certain data fiduciaries, or entire classes of data fiduciaries, as ‘Significant Data Fiduciaries’. This identifies and regulates entities that are capable of causing significantly greater harm to data principals as a consequence of their data processing activities. They would be required to register themselves with the DPAI.
Those identified are prescribed greater levels of compliance. These would include, inter alia, carrying out data protection impact assessments, record keeping, data audits, and the appointment of a data protection officer.
Consent Manager
The PDPB 2019 introduces the construct of consent managers, which are data fiduciaries (registered with the DPA) that enable a data principal to give, withdraw, review and manage their consent through an accessible, transparent and interoperable platform.
Data principals may provide their consent to these consent managers for the purpose of sharing their information with various data fiduciaries, and may even withdraw their consent through these consent managers. This is a unique construct and appears to have been introduced to support the Data Empowerment and Protection Architecture (DEPA) for financial and telecom data that currently powers the Account Aggregators licensed by the Reserve Bank of India (RBI).
Social Media Intermediaries
The PDPB 2019 introduces the construct of social media intermediaries, which are entities that primarily or solely enable online interactions between users and allow them to exchange information between themselves. The Central Government can notify those social media intermediaries that have a specified number of users, and whose actions are likely to have a significant impact on electoral democracy, security of the state, public order, or the sovereignty of India, as ‘significant data fiduciaries’.
However, entities that primarily enable commercial or business-oriented transactions, provide access to the internet, or are in the nature of search engines, email services or online storage services are not included within this definition. The definition aims to target social media companies and to exclude e-commerce companies, telecom service providers and search engines.
All social media intermediaries that are significant data fiduciaries are required to provide their users the ability to voluntarily verify their accounts, and all such verified accounts are required to be provided with a publicly visible mark of verification.
There is, at this stage, no clarity on what documents will be accepted for the purpose of verification and what consequences (if any) will follow from this verification.
Reasonable Purpose Defined
One of the grounds for processing personal data without consent (as explained earlier) is activities carried out for a reasonable purpose. The PDPB 2019 provides a non-exhaustive list, which includes the prevention and detection of unlawful activity, whistle-blowing, mergers and acquisitions, credit scoring, recovery of debt, processing of publicly available personal data, and the operation of search engines.
However, a reasonable purpose has first to be justified as ‘necessary’ in order to qualify for this exemption.
Governmental Access to Non-Personal and Anonymised Data
The Government can, in consultation with the DPAI, require any data fiduciary or data processor to provide to the Government any anonymised data that it holds.
In addition, the PDPB 2019 also allows the Central Government to call for non-personal data from fiduciaries and processors. This data is to be used by the Central Government to enable better targeting of the delivery of services or the formulation of evidence-based policies.
Sandbox
The DPAI may create a sandbox for the purpose of encouraging innovation in artificial intelligence, machine learning and other emerging technology in the public interest. Exemptions will be provided from specific compliances, such as purpose limitation, collection limitation and retention limitation, for a limited time, for any data fiduciary operating within the sandbox.
Enforcement Mechanism
The Report acknowledges that enforcement is critical, and therefore suggests both an internal and an external element. It recognises that enforcement should be ex ante as opposed to ex post facto, i.e., compliance by entities with substantive and proactive obligations.
It contemplates the creation of an independent Data Protection Authority of India (DPAI), which hitherto did not exist in India. It has wide powers, which include (i) monitoring and enforcement of the PDPB 2019; (ii) legal affairs, policy and standard setting for the framework; (iii) research and awareness of the bill; (iv) inquiry, grievance handling and adjudication.
More particular powers include, inter alia, specifying residual categories of sensitive personal data, specifying the circumstances in which a data protection impact assessment (DPIA) needs to be undertaken, registering significant data fiduciaries (SDFs) and Data Auditors, etc.
Penalties
It specifies strict penalties for the contravention of its provisions. The penalty for a gross violation can go up to INR 15 crore or 4% of global turnover, whichever is higher. Minor violations can attract a penalty of up to INR 5 crore or 2% of global turnover, whichever is higher.
The penalties may only be imposed after an inquiry has been conducted by an Adjudicating Officer of the DPA and the data fiduciary has been given a reasonable opportunity of being heard. An inquiry can only be initiated upon a complaint made by the DPA.
Criminal Liability
It includes criminal liability (up to 3 years of imprisonment, or a fine which may extend to INR 20,000) for the intentional and knowing re-identification of de-identified data.
Compensation
It allows the data principal to apply to the adjudicating authority to seek compensation, either from the data processor or from the data fiduciary, for harm suffered as a result of any infringement of any provision. It also appears to allow for the institution of a class action suit by data principals who have suffered harm at the hands of the same data fiduciary or data processor.
Compensation is also decided by an Adjudicating Officer and may be sought by the data principal by making an application to the Adjudicating Officer. The orders of the Adjudicating Officer are appealable before the Appellate Tribunal. A data processor will only be held liable to pay compensation if it is found to have acted in a negligent manner, not to have incorporated adequate security safeguards, or to have violated any provision of the PDPB 2019.
Exemptions
It sets out various exemptions to the applicability of the PDPB 2019. These exemptions are:
Any agency of the Government
The Central Government may, by a written order, if it is satisfied that it is necessary in the interest of, or for preventing incitement to the commission of a cognisable offence relating to, (i) the sovereignty and integrity of India, (ii) the security of the State, (iii) friendly relations with foreign states, or (iv) public order, direct that the provisions of the Act will not apply to any agency of the government for the processing of personal data.
For certain types of processing of personal data
Certain specified provisions will not apply where personal data is (i) processed in the interest of the prevention, detection, investigation and prosecution of any offence or any other contravention of law; (ii) disclosed for, inter alia, enforcing a legal right; (iii) processed by any court or tribunal; (iv) exempted by the Central Government, where the processing concerns personal data of data principals not within the territory of India; (v) processed by a natural person for any personal or domestic purpose; (vi) processed for a journalistic purpose; (vii) processed for research, archiving or statistical purposes; (viii) processed manually by a small entity.
Conclusion
The PDPB 2019 is all set to establish a full-fledged data protection framework in India. As also noted in the Report, it is envisaged that data protection officers and the courts will develop these principles on a case-to-case basis over time.
It is estimated that business entities will be given at least one year to make changes in their structure to adhere to the provisions of the PDPB 2019 once it is notified.