On 27 July 2018, the nine-member expert committee headed by Justice B.N. Srikrishna submitted its Report along with a draft bill titled The Personal Data Protection Bill, 2018 (“the Bill”) to the Ministry of Information and Technology (MeitY). The Report and the Bill are a result of a process that began last year, including internal meetings and a public consultation by the expert committee through a whitepaper. We, along with many other stakeholders, submitted our comments to the whitepaper in January 2018.
The report and the Bill should be considered as a start and not the culmination of a process. It is a good start, but is far from perfect. As the largest democracy in the world, India should be striving to set the world standards on civil rights and civil liberties. The Bill provides much needed reforms such as purpose limitation, collection limitation, storage limitation, privacy by design, transparency, security safeguards and so on. However, instead of setting a new standard it falls short of meeting even the existing ones. Areas such as data localization, cross border data transfer, breach notification and right to erasure are regressive in the current Bill. Interception of communications, surveillance and direct marketing were tackled in even the leaked Privacy Bill of 2011, but these issues are entirely missing from the present Bill. There should be public consultations on the Bill and appropriate modifications should be made to enact a law that protects the privacy rights of citizens.
The Bill is applicable to activities relating to processing of personal data within the territory of India, by an Indian (State, citizen, or company incorporated in India), in connection with any business carried on in India, where goods or services are offered to people in India, or profiling of people present in India. Two new bodies would be created by the Bill: Data Protection Authority of India (DPAI) and a new Appellate Tribunal. The Bill vests excessive power on the Central Government. The Central Government has even got the power to issue directions to the DPAI.
The Bill draws a distinction between those who decide what is to be done with the data (“data fiduciary”) and those who process data (“data processor”) of a natural person (“data principal”). The terms data fiduciary and data processor include the State (government) in their ambit. However, the State has various exemptions and procedures to bypass many of the requirements imposed upon others under the Bill as mentioned further below. Another distinction has been drawn in the Bill between de-identification and anonymisation. De-identification under the Bill is similar to pseudoanonymisation under EU GDPR. This is a process of removing personal identification from certain data and replacing it with a unique non-personal identifier. If there is no identifier attached with the data and there is no method of re-identification, then the data is considered to be anonymised. The Data Protection Authority of India has the power to set the standards for when certain data may be considered to have been anonymised.
As of now, the only protection for data available under law in India exists in the form of protection for sensitive personal data under Section 43A of the Information Technology Act, 2000 and the rules made thereunder. Since this Bill seeks to create a new and comprehensive data protection framework, it also seeks to delete these existing provisions from the law. An amendment is also included for the Right to Information Act, 2005. It seeks to expand the scope of denial of RTI requests on the ground of the information relating to personal data which is likely to cause harm to a data principal.
The scope of sensitive personal data has been expanded under the Bill from the current meaning of the term under Rule 3 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. The new additions to sensitive personal data include: official identifier, sex life, transgender status, intersex status, caste or tribe, religious or political beliefs or affiliation, and any category of data specified by the Authority.
The requirement for a notice is quite detailed in the Bill. For consent to be considered valid, the Bill requires that the consent should be free, informed, specific, clear and capable of being withdrawn. The Bill assumes that consent would be informed if the data principal has been provided various minute details in a notice. Lay people and even most knowledgeable persons would shirk reading such a long notice. In our submission to the whitepaper released by the committee, we had suggested a minimal notice at the time of collection of data. Such a notice would contain (a) Purpose for which data will be taken; (b) Time period for which the data will be retained; (c) Processors/ Controllers with whom data can be shared with; (d) Rights to access and control data; (e) Grievance redressal mechanism. Additional information such as the details required in the current clause could be made available through a link at the bottom of a notice that reads 'More information' or other words to that effect. This requirement for a detailed notice would not solve the current issue of lack of meaningful and informed consent. Data principals have been granted a right to withdraw consent, but “all legal consequences for the effects of such withdrawal” are to be borne by the data principal themselves.
Regardless of the above, the principle of consent has been highly diluted in the Bill. A wide exception has been created for any processing of personal and sensitive personal data necessary for any function of Parliament or any State Legislature or any function of the State authorized under a law for provision of any certificate or benefit. An additional exception exists for processing of personal data for issuance of any certification, license or permit. Processing of personal and sensitive personal data can also be done for “any function of Parliament or any State Legislature” or “the exercise of any function of the State by law for the provision of any service or benefit to the data principal”. The Bill would grant DPAI the power to allow processing of personal data for certain purposes without consent, including: prevention and detection of unlawful activity including fraud, white blowing, mergers and acquisitions, network and information security, credit scoring, recovery of debt and processing of publicly available data. Passwords, financial data, health data, official identifiers, genetic data, and biometric data can be processed without consent during a breakdown of public order.
Data principals have been granted certain rights in the Bill along the lines of the rights granted to data subjects in EU’s General Data Protection Regulation. Apart from confirmation of past or on-going data processing activity, being provided a summary of the personal data being processed or that has been processed, and the right to correction, data fiduciaries can charge data principals for the exercise of every other right available to them.
The right to access data is severely limited. Instead of requiring the data fiduciary and data processor to provide a complete copy of the data that is in the possession of the entity, the Bill requires them to provide only a summary of the personal data and a summary of processing activities. In a separate right to data portability, access to the data that a data principal has provided to the data fiduciary as well as the data that the data fiduciary has generated about the data principal has been made available. However, here too it is severely limited in that one cannot invoke the right to data portability in order to access one’s data if the data was processed for any function of the State or compliance with the law. An unreasonable exception exists where compliance with a data portability request “would reveal a trade secret of any data fiduciary or would not be technically feasible”. This provides a loophole for data fiduciaries to not build a data portability mechanism into their products and services, and later claim that the data portability request cannot be complied with due to reasons of technical infeasibility. Purpose limitation and collection limitation are meaningless in the absence of a strong right to access one's data.
Right to correction is available only “where necessary”. This term is not defined in the Bill. Data fiduciaries can reject an application for correction of data if they believe that correction is not necessary. We see no reason why fiduciaries should have the ability to reject an application for correction of personal data by the data principal. The right to be forgotten allows data principals to restrict disclosure of personal data after receiving a favourable order from an Adjudicating Officer.
The bill does not provide for a right to erasure and the right to be forgotten provides only limited relief to data principals that want to get their data deleted / erased.
Children have been granted some additional safeguards against the processing of their data, including provisions for age verification and parental consent. Data fiduciaries that target children would not be allowed to perform certain data processing activities.
Aadhaar finds a mention in the Bill in the definition of official identifier. Even here, the inclusion of the term is wholly unnecessary as the wide definition of official identifier in the Bill precludes the requirement to explicitly include the word in its ambit. The Unique Identity Authority of India does not find a mention anywhere in the Bill. This does not mean that UIDAI and Aadhaar are unaffected by the Bill. Data processing activities undertaken by UIDAI have been granted legitimisation under the Bill, while data disclosure has been prevented without explicitly mentioning Aadhaar.
The Central Government has the power to issue directions to DPAI "in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order" and "directions on questions of policy". The Central Government can exempt any data processing activities by data processors in India if they relate to data of data principals located outside the territory of India, in contract with data fiduciaries located outside the territory of India. The Central Government can prohibit processing of any biometric data, unless such processing is permitted by law.
Cross border transfer of data is allowed under certain conditions, but a copy of the personal data must be kept in India. Additionally, the Central Government (not the DPAI) can notify certain categories of personal data that be processed only in India. Cross border transfers can be made subject to standard contractual clauses, intra-group schemes, or to countries that have been approved by the Central Government in consultation with DPAI. Consent is necessary for cross border transfer of data. The data localisation requirements in the Bill do not help in protecting the privacy of users in any way. Data localisation will affect the smaller players in the market and could be a major problem for Indian startups if other jurisdictions also follow suit.
Most rights and obligations under the Bill are inapplicable if data is processed for security of State; prevention, detection, investigation and prosecution of contraventions of law; domestic purposes; journalistic purposes; or legal proceedings. The Authority has a power to create exemptions for research, archiving or statistical purposes. Compliance of a few provisions is also exempted for manual processing by small entities.
DPAI has the power to designate certain data fiduciaries or classes or data fiduciaries as significant data fiduciaries. DPAI also has the power to require compliance of any of these requirements by significant data fiduciaries: data audits, data protection officers, record keeping and data protection impact assessments. The Bill states that the auditor may assign a rating to the data fiduciary in the form of a data trust score. Data fiduciaries can display this data trust score on their services.
Data breach notifications are required to be made by data fiduciaries to DPAI if the breach is likely to cause harm to any data principal. The breach notification must include nature of personal data, number of data principals affected, possible consequences of the breach and measures being taken by the data fiduciary to remedy the breach. Thereafter, DPAI would determine whether data principals need to be informed about the data breach. There is no compulsion on the data fiduciaries to inform data principals about a breach unless they are directed to do so by the DPAI. Data fiduciaries do not need to inform data principals about a breach even if that breach is highly likely to cause severe harm to the data principal unless immediate remedial steps are taken by the data principal.
DPAI has powers to monitor and enforce the Bill, issue codes of practice and directions, conduct inquiries, issue warnings, mandate changes in business or activity, and impose penalties. Penalties range from INR 5,000/- per day of default to INR 15,00,00,000/- or 4% of the total worldwide turnover, whichever is higher. Compensation can be claimed by any data principal who has suffered harm due to violation of any provision by data processor or data fiduciary. Certain offences under the Bill would be punishable with imprisonment up to five years. All offences under the Bill are cognizable and non-bailable.
There would be three stages to the adjudication process under the Bill. The first stage is adjudication by an Adjudicating Officer. Unfortunately, the Bill recognizes a need to make the adjudicatory wing of the DPAI independent from the rest of the authority, but not from the Central Government itself. The Central Government has the power to decide the following regarding Adjudicating Officers: qualification, manner and term of appointment, jurisdiction, procedure for carrying out an adjudication and "such other requirements as the Central Government may deem fit". The first stage of the adjudicatory process is therefore, biased in favour of the Central Government. The second stage of the adjudicatory process takes appeals from the decisions of the Adjudicating Officer to a new Appellate Tribunal that would be established under the Bill. The Bill leaves the qualifications, appointment, term of office, salaries and allowances, resignation, removal and the other terms and conditions of service of the chairperson and other members of the Appellate Tribunal to be decided by the Central Government. Thus, even the second stage of the adjudicatory process is not free from bias. That leaves only the third and last stage of the adjudicatory process entirely free from bias: appeals from the Appellate Tribunal would lie at the Supreme Court of India. This, however, runs contrary to the decision of the Supreme Court of India in the case of L. Chandra Kumar Vs. Union of India (UOI) and Ors. [(1997)3 SCC 261] where it was held that: "... the power vested in the High Courts to exercise judicial superintendence over the decisions of all Courts and Tribunals within their respective jurisdictions is also part of the basic structure of the Constitution."
The penal provisions in the bill, all of which are non-bailable, could possibly lead to a scenario like that of arrests under Section 66A of the IT Act. The penal provisions could be restricted to instances of sale/offer to sale of personal/ sensitive personal data.
Our issue-wise analysis will follow soon.